I am able to connect successfully, but when surfing the web it just loads forever and says no internet connection. I've double-checked firewall rules etc. but am not sure what's preventing it.
Please give suggestions
It is indeed possible to run a StrongSwan server on OpenWRT. The tricks required are:
So, here are the relevant parts of my configs.
/etc/config/firewall:
config zone
	# Important: this zone must come first!
	list subnet '192.168.2.0/24'
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list masq_dest '!192.168.2.0/24'

...

config rule
	option dest_port '500 4500'
	option src '*'
	option name 'Allow IPSEC UDP'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option target 'ACCEPT'
	option proto 'esp'
	option name 'Allow IPSEC ESP'
	option src '*'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'vpn'
In /etc/firewall.user, if you do want to use flow offloading where possible:
iptables -I FORWARD 2 -m comment --comment "!fw3:" -m conntrack --ctstate RELATED,ESTABLISHED -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD 3 -m comment --comment "!fw3:" -m conntrack --ctstate RELATED,ESTABLISHED -m policy --dir out --pol ipsec -j ACCEPT
iptables -I FORWARD 4 -m comment --comment "!fw3: Traffic offloading (modified)" -m conntrack --ctstate RELATED,ESTABLISHED -m connbytes --connbytes 8 --connbytes-dir reply --connbytes-mode packets -j FLOWOFFLOAD
Also, in /etc/strongswan.d/charon/kernel-netlink.conf:
kernel-netlink {
	...
	# MSS to set on installed routes, 0 to disable.
	mss = 1352
	# MTU to set on installed routes, 0 to disable.
	mtu = 1372
	...
}
This results in a set of firewall rules, part of which is equivalent to
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
The rule applies to both VPN and non-VPN traffic, no matter what the zone's name suggests.
Since the IP source address could be spoofed, this is not secure.
I tried to improve it with the following options:
option extra_src '-m policy --dir in --pol ipsec --proto esp'
option extra_dest '-m policy --dir out --pol ipsec --proto esp'
Together with an IPsec configuration for ESP tunnel mode, the IP addresses are known to be authenticated and can be relied upon for filtering.
Further, I would add option mtu_fix '1' to the VPN zone. It might obviate the need for the kernel-netlink settings, but I haven't done any rigorous testing.
With some more extra_src and extra_dest options it is also possible to lift the zone ordering requirement. See my previous post for details.
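The spoofing concern above can be checked mechanically. The following is an added example, not code from either poster: a small UCI parser that flags any firewall zone selected by `list subnet` alone, i.e. without an IPsec policy match in `extra_src`. The sample config is constructed from the zones quoted in this thread, and the hardened variant is a hypothetical rewrite that adds the suggested `extra_src`/`extra_dest` options.

```python
# Constructed sample: the 'vpn' zone from the thread, matched purely by source subnet.
WEAK_FIREWALL = """
config zone
    # Important: this zone must come first!
    list subnet '192.168.2.0/24'
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
"""

# Hypothetical hardened variant: same zone plus the IPsec policy match from the post.
HARDENED_FIREWALL = WEAK_FIREWALL.replace(
    "option name 'vpn'\n",
    "option name 'vpn'\n"
    "    option extra_src '-m policy --dir in --pol ipsec --proto esp'\n"
    "    option extra_dest '-m policy --dir out --pol ipsec --proto esp'\n",
)


def parse_zones(uci_text):
    """Minimal UCI reader: returns one dict per 'config zone' section.
    'option' entries become strings, 'list' entries become Python lists."""
    zones, current = [], None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config":
            current = {} if parts[1] == "zone" else None
            if current is not None:
                zones.append(current)
        elif current is not None and len(parts) == 3:
            kind, key, value = parts
            value = value.strip("'\"")
            if kind == "option":
                current[key] = value
            elif kind == "list":
                current.setdefault(key, []).append(value)
    return zones


def spoofable_zones(uci_text):
    """Names of zones that match on source subnet without an IPsec policy match,
    so that a packet with a forged source address would land in the zone."""
    return [z.get("name", "?") for z in parse_zones(uci_text)
            if "subnet" in z and "--pol ipsec" not in z.get("extra_src", "")]
```

Run against the two samples, the weak config reports `['vpn']` and the hardened one reports nothing.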
Thanks for the security advice. Here is my position on it.
option extra_src/dest on the vpn zone is indeed a good idea. I am not sure if I prefer the necessity to add extra option extra_src/dest to non-vpn zones, or the zone order requirement. Regarding option mtu_fix '1' on the VPN zone, I have not tested it either, but kernel-netlink settings are also useful if the other end is expected to be behind some broken firewall.