OpenWrt with IPsec Lan to Lan

Hi all, this is my first post so please go easy...

I have purchased a Plusnet HH5 with OpenWrt 19.07.3 pre-installed on it. I am looking to use it for my FTTP connection as a basic router, but I want to add an IPsec connection to it so that I can do a LAN-to-LAN VPN. The remote end of the VPN will be a pfSense box.

I have tried, tried, and tried again to install strongSwan and get it to work, but to no avail, and I am wondering if someone out there can give me some pointers on how to do it?

Thanks
Luke

If you're starting from zero, WireGuard is probably an easier option (yes, that is going to be an issue with pfSense - given that OpenBSD merged WireGuard support ~2 months ago, FreeBSD/pfSense will probably get it as well in the future, but that will still take time). The Lantiq VRX268 SoC in the Plusnet Hub One is already pretty challenged with the routing tasks themselves; WireGuard might be easier on it in this regard as well (ChaCha20 vs AES) - you can't expect too much either way.

strongSwan is fully functional on OpenWrt (I've used it as a server for a roadwarrior setup until very recently myself), but there are many different configuration options (IKEv1 vs IKEv2, different ciphers, etc.) and I have no idea which of those are supported on the pfSense side. If you want to use IPsec (instead of WireGuard), the easiest way is probably to start with pfSense on both sides (just for testing, on x86) and to steal its configuration for guidance (it might need changes, but it can still be used for reference) - be aware that strongSwan on OpenWrt is packaged in a very modular way, so I'd start with strongswan-full and refine the requirements later on (well, the bthub5 has enough flash, so…).


Hi slh,

Many thanks for the detailed reply. I would like to stick with IPsec if possible; I already have a number of other IPsec connections with a mixture of pfSense, DrayTek Vigor, and TP-Link routers at the remote ends, so I am used to configuring pfSense.

I will try the full install, but once this is done, how do I configure it, as I don't believe it has a GUI interface?

Many thanks
Luke

You configure strongSwan as you would on any other distribution, mostly using /etc/ipsec.conf and /etc/ipsec.secrets and storing the necessary certificates somewhere persistent (I used /etc/CA/ and added that location to /etc/sysupgrade.conf for safekeeping over upgrades).

--
Maybe https://github.com/pkgadd/owrt-feed-pkgadd/tree/master/net/strongswan-slh helps a little (just for reference), maybe it doesn't; I used that for IKEv2 && EAP-MSCHAPv2.

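As an added worked example (not from the thread or from slh's feed), here is a minimal IKEv2 pre-shared-key LAN-to-LAN configuration of the kind the last reply refers to, for the OpenWrt side of a tunnel to a pfSense peer. The WAN address, the two LAN subnets, the identifiers and the key are placeholders; the pfSense Phase 1/Phase 2 settings must use the same proposals and identifiers.

```conf
# /etc/ipsec.conf on the OpenWrt router (example, all values assumed)
config setup
    # log IKE negotiation and config parsing to syslog (logread) while testing
    charondebug="ike 1, cfg 1, net 1"

conn pfsense-site
    keyexchange=ikev2
    authby=secret                 # PSK; certificates in /etc/CA/ would use authby=pubkey
    # local (OpenWrt) side: use the WAN interface, identify by a fixed name
    left=%defaultroute
    leftid=@openwrt-site          # assumed; must equal the "peer identifier" on pfSense
    leftsubnet=192.168.1.0/24     # assumed LAN behind the OpenWrt box
    leftfirewall=yes              # let charon's updown script add the forwarding rules
    # remote (pfSense) side
    right=203.0.113.10            # placeholder pfSense WAN address
    rightid=@pfsense-site         # assumed; must equal the "my identifier" on pfSense
    rightsubnet=10.0.0.0/24       # assumed LAN behind pfSense
    # strict (!) proposals: AEAD cipher, SHA-384 PRF, ECP-384 DH, PFS on Phase 2
    ike=aes256gcm16-sha384-ecp384!
    esp=aes256gcm16-ecp384!
    ikelifetime=28800s
    lifetime=3600s
    # dead peer detection: tear down and re-establish if pfSense stops answering
    dpdaction=restart
    dpddelay=30s
    auto=start                    # bring the tunnel up when ipsec starts

# /etc/ipsec.secrets (permissions 0600): one PSK for this peer pair
# @openwrt-site @pfsense-site : PSK "REPLACE-WITH-A-LONG-RANDOM-PRESHARED-KEY"

# /etc/sysupgrade.conf: keep these across firmware upgrades, as slh does for /etc/CA/
# /etc/ipsec.conf
# /etc/ipsec.secrets
# /etc/CA/
```

The OpenWrt firewall must still accept IKE (UDP 500 and 4500) and ESP on the WAN zone for the tunnel to come up; `ipsec statusall` and `logread -e charon` show the negotiation result on the OpenWrt side.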