Hi,
I am trying to set up an IPsec client on my OpenWRT router using strongswan. Currently I have it set up, but the VPN is working only on the router itself, so the devices connected to the router are not connected to the VPN.
conn lan-passthrough
    leftsubnet=10.10.10.1/24    # Replace with your LAN subnet
    rightsubnet=10.10.10.1/24   # Replace with your LAN subnet
    authby=never                # No authentication necessary
    type=pass                   # passthrough
    auto=route                  # no need to ipsec up lan-passthrough

conn test
    left=%defaultroute
    leftsourceip=%config
    leftauth=eap-mschapv2
    eap_identity=username_here
    right=xx.xx.xx.xx
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    #rightid=%xx.xx.xx.xx
    rightca=/etc/ipsec.d/cacerts/protonvpn.der
    keyexchange=ikev2
    rightfirewall=yes
    type=tunnel
    auto=start
My router is successfully connected to the VPN server but is unable to route the traffic to my devices.
My firewall contains this:
config rule 'ike'
	option name 'ike'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '500'

config rule 'ipsec'
	option name 'ipsec'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'

config rule 'ah'
	option name 'ah'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'ah'

config rule 'esp'
	option name 'esp'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'esp'

config forwarding
	option dest 'wan'
	option src 'lan'
I have been trying to get this working for a month but am unable to. Please help me out with it.
This is a roadwarrior-style configuration with a virtual IP address. Only packets with the 10.6.yy.yy/32 address will be able to pass through the tunnel in either direction. I can see these possible solutions:
Change to a subnet-to-subnet config, if offered by your VPN provider, or if you are operating both VPN gateways yourself.
Make all clients appear under a single IP address to the tunnel (SNAT, maybe also DNAT). Be sure to apply NAT to the plaintext traffic, not ESP, and map to the virtual IP address, not an arbitrary address from one of the router's interfaces. I have not tried this.
Sir, we are really new to this and are not able to achieve it. We have been trying for months but are unable to find the right solution. Sir, do you have any documentation or a list of config files that can help us out? We will give you access to 1 month of Premium ProtonVPN membership. Thanks
I'm facing exactly the same issue. I have administrator permissions on both server and client. The Strongswan gateway (configured with the Virtual IP pool feature) is behind NAT, the same as the Strongswan client (also NAT'ed) running on OpenWRT. The problem is that I can route all the traffic on OpenWRT only, and only when the firewall is disabled entirely. If the firewall is enabled on OpenWRT, the traffic goes through the default gateway (from my ISP) rather than the IPsec tunnel. The main issue is that it doesn't work for LAN clients connected to OpenWRT. I tried to set up SNAT on OpenWRT where the source address is my LAN network and the IP address for SNAT is the one I got from the IPsec pool, but no luck. I would really appreciate it if someone could share their experience of how to set up Strongswan as a client on OpenWRT, especially the firewall part.
PS: I'm able to set up the tunnel without any issues.
This can work, but is complicated, see the backlink under my previous post above.
Since you are the administrator of both IPsec gateways, I would recommend a site-to-site configuration instead (both left- and rightsubnet, but no virtual IP address). In this case, make sure NAT is not applied to tunneled traffic.
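The reply above suggests SNAT of the plaintext LAN traffic to the virtual IP, and the post before it describes traffic escaping via the ISP default route as soon as the firewall is enabled. The script below is an added sketch of that NAT approach for an OpenWrt box with an iptables-based firewall; it is not from this thread and, like the reply says, it has not been verified against ProtonVPN. The subnet, virtual IP and interface name are constructed placeholders, and it assumes the kernel re-runs the IPsec policy lookup after SNAT (which is what lets a packet rewritten to VIP/32 match the VIP/32 <-> 0.0.0.0/0 policy).

```shell
#!/bin/sh
# Added example, not from the thread: let LAN clients use the tunnel of a
# road-warrior strongSwan client that holds a virtual IP (leftsourceip=%config).
# The negotiated policy is VIP/32 <-> 0.0.0.0/0, so LAN packets must be SNATed
# to the VIP before encryption; the kernel redoes the policy lookup after NAT.
# Constructed placeholders, set them from your own router:
#   LAN_SUBNET  the LAN behind the router (the thread uses 10.10.10.0/24)
#   VIP         the virtual IP strongSwan received ("ipsec status" shows it)
#   WAN_IF      the interface that carries the default route to the IKE peer
LAN_SUBNET=${LAN_SUBNET:-10.10.10.0/24}
VIP=${VIP:-10.6.0.2}
WAN_IF=${WAN_IF:-eth1}

# A virtual IP is a single host address; reject CIDR ranges or garbage early.
valid_host_ip() {
    case "$1" in */*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the iptables commands, one per line, that build a small nat chain and
# hook it in front of the fw3 zone chains (which hold the wan masquerade rule):
#  1. anything already matching an outbound IPsec policy, i.e. the router's own
#     packets sourced from the VIP, is left alone: masquerading it to the WAN
#     address would break the policy match and send it out in plaintext;
#  2. LAN-sourced packets leaving towards the peer get their source rewritten
#     to the VIP so the VIP/32 policy covers them. Replies are de-NATed by
#     conntrack after decryption and forwarded back to the LAN client.
snat_rules() {
    valid_host_ip "$VIP" || { echo "VIP must be a single IPv4 address: $VIP" >&2; return 1; }
    printf '%s\n' \
      "iptables -t nat -N ipsec_snat 2>/dev/null || iptables -t nat -F ipsec_snat" \
      "iptables -t nat -A ipsec_snat -m policy --dir out --pol ipsec -j ACCEPT" \
      "iptables -t nat -A ipsec_snat -s $LAN_SUBNET -o $WAN_IF -j SNAT --to-source $VIP" \
      "iptables -t nat -D POSTROUTING -j ipsec_snat 2>/dev/null" \
      "iptables -t nat -I POSTROUTING 1 -j ipsec_snat"
}

# Apply the rules only when explicitly asked (e.g. "sh ipsec-snat.sh apply"),
# so sourcing the file for inspection has no side effects.
apply_rules() {
    snat_rules | sh -e
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

On an fw3-based OpenWrt release the natural place for the `apply` call is /etc/firewall.user, because a firewall reload flushes the nat table and the custom chain has to be re-inserted ahead of the zone chains. Note the trade-off: the SNAT rule is static, so while the tunnel is down LAN connections simply fail instead of falling back to the ISP path, which is usually what you want from a VPN gateway. The `lan-passthrough` conn in the first post is unaffected, since LAN-to-LAN traffic never leaves via the WAN interface and is not matched by the SNAT rule.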
The thing is that the server is hosted on an Amazon AWS EC2 instance, where you get a private IP address by default and it's NAT'ed to a public IP by Amazon. So this piece of the setup is out of my control. I use the VPN as a gateway to the Internet, so in this case I can't use the site-to-site scenario, I guess.