I've created an IPsec connection to a VPN provider with strongSwan on OpenWrt. Everything works as expected and I'm able to use iptables to route a few machines out through the VPN tunnel. However, I would like to do that routing from the OpenWrt web interface but can't. The closest thing I can find is the NAT rules, but IPsec assigns a second IP to eth1 which only exists while the VPN is connected. Is there any way to set up a virtual interface for the IPsec tunnel? I saw people talking about VTI but I did not get it working.
ipsec.conf
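# /etc/ipsec.conf -- strongSwan client side of an IKEv2 tunnel to the VPN provider.
# We authenticate with EAP-MSCHAPv2 (credentials live in ipsec.secrets); the server
# authenticates with a certificate whose subject must match rightid.  The virtual IP the
# server hands out (leftsourceip=%config) is what /etc/ipsecroute.sh SNATs the selected
# LAN hosts to.
#
# NOTE: parameters inside a section must be indented -- a line starting in column 0
# begins a new section for the ipsec.conf parser.
config setup
    strictcrlpolicy=yes
    uniqueids = no
    # NOTE(review): 'all' writes every IKE/EAP exchange (identities included) to syslog;
    # lower it once the tunnel is stable.
    charondebug=all

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn vpn
    keyexchange = ikev2
    dpdaction=restart
    dpddelay=300s
    # dpdtimeout is an IKEv1-only parameter; with IKEv2 the retransmission timeouts
    # apply instead, so this line has no effect here.
    dpdtimeout=15
    leftauth=eap-mschapv2
    eap_identity=ivacyid
    left=%defaultroute
    leftsourceip=%config
    right=vpn.com
    # Pin the expected server certificate subject.  Do NOT fall back to the commented
    # %any below: it accepts any identity on any certificate a trusted CA issued.
    rightid="OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=*.pointtoserver.com"
    #rightid=%any
    rightsubnet=0.0.0.0/0
    type=tunnel
    # SECURITY: modp1024 is 1024-bit Diffie-Hellman (group 2), below the currently
    # recommended minimum; prefer modp2048 or ecp256 if the provider offers it.
    # The trailing '!' makes the proposal strict (no default algorithms are appended).
    ike=aes256-sha2_256-modp1024!
    # No trailing '!' here, so strongSwan also offers its default ESP proposals; append
    # '!' to pin AES-256/SHA-256 only.  Without a DH group the CHILD_SA is rekeyed
    # without a fresh key exchange (no PFS on child rekey).
    esp=aes256-sha2_256
    # up/down hook that installs the SNAT / MSS-clamp / DNS-redirect rules
    leftupdown=/etc/ipsecroute.sh
    auto=start

# Optional: keep LAN-to-LAN traffic out of the tunnel even though rightsubnet is 0.0.0.0/0.
#conn lan-passthrough
#    leftsubnet=192.168.16.0/20
#    rightsubnet=192.168.16.0/20
#    authby=never
#    type=pass
#    auto=route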
ipsecroute.sh
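#!/bin/sh
# /etc/ipsecroute.sh -- strongSwan "leftupdown" hook for the 'vpn' connection.
#
# On up-client it installs, and on down-client removes, the iptables rules that push the
# selected LAN hosts through the IPsec tunnel:
#   * SNAT of those hosts to the virtual IP charon assigned us (PLUTO_MY_SOURCEIP), so
#     their packets are the ones that match the tunnel's IPsec policy;
#   * TCP MSS clamping on eth1 so tunnelled TCP does not get fragmented;
#   * DNAT of their DNS queries to the resolver the VPN pushed (/tmp/resolv.conf.ipsec).
# Which hosts are selected is decided in firewall.user via route_ipsec_add (/etc/routeipsec).
#
# Two entry points:
#   charon:        PLUTO_VERB / PLUTO_MY_SOURCEIP / PLUTO_CONNECTION are in the environment.
#   firewall.user: "/etc/ipsecroute.sh firewall-reload" -- fw3 has just rebuilt the tables;
#                  replay the up-client step from the PLUTO_* snapshot taken at tunnel-up.
#
# Security notes:
#   * Only PLUTO_* variables are snapshotted and re-exported.  The previous version dumped
#     and re-exported the whole environment from a predictable /tmp file, so any line in
#     that file (PATH=..., etc.) was trusted on reload.
#   * The snapshot is written with umask 077 after unlinking the path, so a pre-planted
#     symlink is not followed and the file is not world-readable.
#   * There is NO kill switch: while the tunnel is down the selected hosts still reach the
#     WAN unencrypted, because the SNAT/DNAT rules are simply removed.  If that matters,
#     add a DROP for those sources in the filter table on down-client.

env=/tmp/ivacy_env.log
tag='!fw3 add by ivacyroute.sh'   # the reload check greps for 'ivacyroute.sh' -- keep in sync

if [ "${1:-}" = 'firewall-reload' ]; then
    # Replay only when our SNAT rule is gone, a snapshot exists and the tunnel is up.
    iptables -t nat -S postrouting_ipsecvpn_rule 2>/dev/null | grep -q 'ivacyroute.sh' && exit 0
    [ -f "$env" ] || exit 0
    ipsec status 2>/dev/null | grep -q ivacy || exit 0
    while IFS= read -r line; do
        case $line in
            PLUTO_*=*) export "$line" ;;   # anything that is not a PLUTO_ assignment is ignored
        esac
    done < "$env"
else
    case "${PLUTO_VERB:-}" in
        up-client)
            # Snapshot the charon variables so firewall-reload can replay this step.
            umask 077
            rm -f "$env"
            env | grep '^PLUTO_' > "$env"
            ;;
        down-client)
            rm -f "$env"   # nothing left to replay once the tunnel is gone
            ;;
    esac
fi

log=/tmp/${PLUTO_CONNECTION:-ipsec}.log

case "${PLUTO_VERB:-}" in
    up-client)
        # charon's own policy routing adds "from all lookup 220", which would send *all*
        # traffic to the tunnel; drop that rule so only the SNATed hosts take the IPsec path.
        if ip rule show | grep -q '220:.*from all lookup 220'; then
            ip rule del table 220 >> "$log" 2>&1
        fi
        ip route show table 220 >> "$log" 2>&1
        {
            iptables -t nat -I postrouting_ipsecvpn_rule -m comment --comment "$tag" \
                -j SNAT --to "$PLUTO_MY_SOURCEIP"
            # clamp MSS so tunnelled TCP fits the ESP-encapsulated path (1360 chosen by the author)
            iptables -t mangle -I mangle_ipsecvpn_rule -o eth1 -p tcp --tcp-flags SYN,RST SYN \
                -m comment --comment "$tag" -j TCPMSS --set-mss 1360
            # mangle FORWARD is not given a permanent jump to mangle_ipsecvpn_rule (see
            # firewall.user); hook the staging chain in only while the tunnel is up.
            iptables -t mangle -I FORWARD -o eth1 -p tcp -m comment --comment "$tag" -j mangle_forward_ipsec
        } >> "$log" 2>&1
        # Redirect the selected hosts' DNS to the resolver the VPN pushed so lookups do not
        # leak to the WAN resolver.  UDP and TCP 53 -- TCP is used for large answers.
        nameserver=$(awk '/nameserver/ {print $2; exit}' /tmp/resolv.conf.ipsec 2>/dev/null)
        if [ -n "$nameserver" ]; then
            for proto in udp tcp; do
                iptables -t nat -A prerouting_ipsecvpn_rule -p "$proto" --dport 53 \
                    -m comment --comment "$tag" -j DNAT --to-destination "$nameserver" >> "$log" 2>&1
            done
        fi
        ;;
    down-client)
        # Flush our private chains instead of deleting rule-by-rule: the pushed resolver may
        # already be gone from /tmp/resolv.conf.ipsec by now, so recomputing the exact DNAT
        # rule to delete is unreliable.  In these files only this script populates the three
        # chains; mangle_forward_ipsec (filled by route_ipsec_add) is deliberately left alone.
        iptables -t mangle -D FORWARD -o eth1 -p tcp -m comment --comment "$tag" -j mangle_forward_ipsec >> "$log" 2>&1
        iptables -t nat -F prerouting_ipsecvpn_rule >> "$log" 2>&1
        iptables -t nat -F postrouting_ipsecvpn_rule >> "$log" 2>&1
        iptables -t mangle -F mangle_ipsecvpn_rule >> "$log" 2>&1
        ;;
esac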
firewall.user
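# /etc/firewall.user -- run by fw3 after every firewall (re)start.
# Pulls in the route_ipsec_* helpers (sourced with no arguments, so the CLI dispatch at the
# bottom of that file is a no-op), creates the private chains the IPsec up/down hook fills,
# selects the hosts that go through the tunnel, and re-applies the hook's rules if the
# tunnel is already up.
. /etc/routeipsec

# IPsec chains.  If a chain already exists (e.g. it survived a reload) -N fails with
# "Chain already exists"; that is harmless, so the error is silenced.
for chain in prerouting_ipsecvpn_rule postrouting_ipsecvpn_rule; do
    iptables -t nat -N "$chain" 2>/dev/null
done
# The author could not give mangle FORWARD a permanent jump to mangle_ipsecvpn_rule here,
# so mangle_forward_ipsec is a staging chain that the up script hooks into FORWARD.
for chain in mangle_forward_ipsec mangle_ipsecvpn_rule; do
    iptables -t mangle -N "$chain" 2>/dev/null
done

# Hosts (IP or CIDR) whose traffic goes through the VPN.  NOTE: there is no kill switch --
# while the tunnel is down these hosts fall back to the plain WAN.
route_ipsec_add 192.168.16.3

# Re-apply the SNAT/MSS/DNS rules from the saved PLUTO_* snapshot if the tunnel is up.
/etc/ipsecroute.sh firewall-reload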
. /etc/routeipsec
#!/bin/sh
# /etc/routeipsec -- choose which LAN sources are routed through the IPsec tunnel.
#
# Used two ways:
#   * sourced from /etc/firewall.user (no arguments) to get route_ipsec_add/route_ipsec_del;
#   * run directly:  routeipsec add|del <ip[/cidr]> | list | clear
#
# Positional arguments; both are empty when the file is sourced without arguments.
cmd=${1-}   # sub-command
src=${2-}   # source IP or CIDR for add/del
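# route_ipsec_add SRC
#   Make traffic from SRC (an IPv4 address or CIDR) take the IPsec path: add a jump from
#   fw3's prerouting_rule / postrouting_wan_rule and from our mangle staging chain into the
#   *_ipsecvpn_rule chains that /etc/ipsecroute.sh fills while the tunnel is up.
#   Idempotent: a rule is only inserted if `iptables -C` does not already find it.
#   Returns non-zero (and touches nothing) when SRC is empty; otherwise the status of the
#   last iptables call.
route_ipsec_add()
{
    local isrc spec table chain target
    isrc=$1
    [ -n "$isrc" ] || { echo "route_ipsec_add: source ip required" >&2; return 1; }
    for spec in \
        'nat prerouting_rule prerouting_ipsecvpn_rule' \
        'nat postrouting_wan_rule postrouting_ipsecvpn_rule' \
        'mangle mangle_forward_ipsec mangle_ipsecvpn_rule'
    do
        # shellcheck disable=SC2086 -- intentional split of "table chain target"
        set -- $spec
        table=$1 chain=$2 target=$3
        iptables -t "$table" -C "$chain" -s "$isrc" -m comment --comment "!fw3 route ipsec!" -j "$target" 2>/dev/null || \
        iptables -t "$table" -I "$chain" -s "$isrc" -m comment --comment "!fw3 route ipsec!" -j "$target"
    done
}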
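# route_ipsec_del SRC
#   Undo route_ipsec_add for SRC: remove the three jump rules, each only if `iptables -C`
#   still finds it, so calling this for an unknown SRC is a silent no-op.
#   Returns non-zero (and touches nothing) when SRC is empty; otherwise the status of the
#   last iptables call.
route_ipsec_del()
{
    local isrc spec table chain target
    isrc=$1
    [ -n "$isrc" ] || { echo "route_ipsec_del: source ip required" >&2; return 1; }
    for spec in \
        'nat prerouting_rule prerouting_ipsecvpn_rule' \
        'nat postrouting_wan_rule postrouting_ipsecvpn_rule' \
        'mangle mangle_forward_ipsec mangle_ipsecvpn_rule'
    do
        # shellcheck disable=SC2086 -- intentional split of "table chain target"
        set -- $spec
        table=$1 chain=$2 target=$3
        iptables -t "$table" -C "$chain" -s "$isrc" -m comment --comment "!fw3 route ipsec!" -j "$target" 2>/dev/null && \
        iptables -t "$table" -D "$chain" -s "$isrc" -m comment --comment "!fw3 route ipsec!" -j "$target"
    done
}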
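# CLI dispatch.  When firewall.user sources this file with no arguments, $cmd is empty and
# nothing below runs -- only the functions above are wanted there.  Unknown sub-commands
# print a usage line to stderr and exit 1.
case "$cmd" in
    add)
        [ -n "$src" ] || { echo "Source ip required" >&2; exit 1; }
        route_ipsec_add "$src"
        ;;
    del)
        [ -n "$src" ] || { echo "Source ip required" >&2; exit 1; }
        route_ipsec_del "$src"
        ;;
    list)
        # The jump rules carry the '!fw3 route ipsec!' comment; in `iptables -S` output the
        # fourth field is the -s value (the routed source).
        echo "IPSEC routed source ip range addresses:"
        iptables -t nat -S postrouting_wan_rule | awk '/ipsec!.*postrouting_ipsecvpn_rule/{print $4}'
        ;;
    clear)
        # same selection as 'list' (was a looser 'ipsec.*' pattern before)
        for ip in $(iptables -t nat -S postrouting_wan_rule | awk '/ipsec!.*postrouting_ipsecvpn_rule/{print $4}'); do
            route_ipsec_del "$ip"
        done
        ;;
    '')
        ;;   # sourced, not invoked
    *)
        echo "Usage: $0 add|del <source ip[/cidr]> | list | clear" >&2
        exit 1
        ;;
esac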