Set up strongswan server

I am able to connect successfully but when surfing the web, it just loads forever and says no internet connection. I've double-checked firewall rules etc. but I'm not sure what's preventing it.

Please give suggestions

It is indeed possible to run a StrongSwan server on OpenWRT. The tricks required are:

  • Proper firewalling. You need to allocate a subnet for the clients, and add it to /etc/config/firewall as a zone. This zone needs to be above all other zones.
  • Disable NAT for the client subnet.
  • Disable flow offloading, as it is not compatible with IPSec. It is still OK to re-enable it via a custom rule in /etc/firewall.user for non-IPSec packets.

So, here are the relevant parts of my configs.

/etc/config/firewall:

config zone
	# Important: this zone must come first!
	list subnet '192.168.2.0/24'
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list masq_dest '!192.168.2.0/24'

...

config rule
	option dest_port '500 4500'
	option src '*'
	option name 'Allow IPSEC UDP'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option target 'ACCEPT'
	option proto 'esp'
	option name 'Allow IPSEC ESP'
	option src '*'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'vpn'

In /etc/firewall.user, if you do want to use flow offloading where possible:

iptables -I FORWARD 2 -m comment --comment "!fw3:" -m conntrack --ctstate RELATED,ESTABLISHED -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD 3 -m comment --comment "!fw3:" -m conntrack --ctstate RELATED,ESTABLISHED -m policy --dir out --pol ipsec -j ACCEPT
iptables -I FORWARD 4 -m comment --comment "!fw3: Traffic offloading (modified)" -m conntrack --ctstate RELATED,ESTABLISHED -m connbytes --connbytes 8 --connbytes-dir reply --connbytes-mode packets -j FLOWOFFLOAD

Also, in /etc/strongswan.d/charon/kernel-netlink.conf:

kernel-netlink {
    ...
    # MSS to set on installed routes, 0 to disable.
    mss = 1352

    # MTU to set on installed routes, 0 to disable.
    mtu = 1372
    ...
}

This results in a set of firewall rules, part of which is equivalent to:

iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT

The rule applies to both VPN and non-VPN traffic, no matter what the zone's name suggests.
Since the IP source address could be spoofed, this is not secure.

I tried to improve it with the following options:

        option extra_src '-m policy --dir in --pol ipsec --proto esp'
        option extra_dest '-m policy --dir out --pol ipsec --proto esp'

Together with an IPsec configuration for ESP tunnel mode, the IP addresses are known to be authenticated and can be relied upon for filtering.

Further, I would add

        option mtu_fix '1'

to the VPN zone. It might obviate the need for the kernel-netlink settings, but I haven't done any rigorous testing.

With some more extra_src and extra_dest options it is also possible to lift the zone ordering requirement. See my previous post for details.
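As an added example (not code from either of the posts above), here is a small POSIX shell audit script that checks a /etc/config/firewall file for the three properties discussed in this thread: the VPN zone is the first zone in the file, its extra_src/extra_dest options carry the `-m policy --pol ipsec` match so that only ESP-protected packets are accepted as VPN traffic, and the WAN zone's masq_dest excludes the VPN subnet. The UCI parsing with awk, the function names and the embedded sample config are all my own constructions; the sample mirrors the zone layout posted earlier with the policy-match options from the follow-up added to the vpn zone.

```shell
#!/bin/sh
# Added example: audit an OpenWrt UCI firewall config for the IPsec zone
# properties discussed in the thread. All function names are hypothetical.

# Constructed sample config (not a real router's file), used when no path
# is given on the command line.
write_sample_config() {
  cat > "$1" <<'EOF'
config defaults
    option input 'ACCEPT'

config zone
    list subnet '192.168.2.0/24'
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option mtu_fix '1'
    option extra_src '-m policy --dir in --pol ipsec --proto esp'
    option extra_dest '-m policy --dir out --pol ipsec --proto esp'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    list masq_dest '!192.168.2.0/24'
EOF
}

# Print the values of KEY (option or list) inside the zone named ZONE.
# usage: uci_zone_field FILE ZONE KEY
uci_zone_field() {
  awk -v zone="$2" -v key="$3" -v q="'" '
    function flush() { if (name == zone) printf "%s", buf; buf = ""; name = "" }
    /^config / { flush(); in_zone = ($2 == "zone"); next }
    !in_zone { next }
    {
      gsub(q, "")                        # strip the UCI single quotes
      if ($1 == "option" && $2 == "name") name = $3
      if (($1 == "option" || $1 == "list") && $2 == key) {
        v = $3; for (i = 4; i <= NF; i++) v = v " " $i
        buf = buf v "\n"
      }
    }
    END { flush() }
  ' "$1"
}

# Print the name of the first "config zone" section (non-zone sections such
# as "config defaults" are skipped).
first_zone_name() {
  awk -v q="'" '
    /^config / { if (in_zone) exit; in_zone = ($2 == "zone"); next }
    in_zone && $1 == "option" && $2 == "name" { gsub(q, ""); print $3; exit }
  ' "$1"
}

# Zone ordering requirement from the thread: the VPN zone must be first.
check_vpn_zone_first() { [ "$(first_zone_name "$1")" = "$2" ]; }

# Both extra_src and extra_dest must restrict the zone to IPsec-protected
# packets, otherwise a spoofed source address in the VPN subnet is accepted.
check_zone_ipsec_policy() {
  uci_zone_field "$1" "$2" extra_src  | grep -q -- '--pol ipsec' &&
  uci_zone_field "$1" "$2" extra_dest | grep -q -- '--pol ipsec'
}

# The WAN zone must not NAT traffic destined for the VPN subnet.
# usage: check_masq_excludes FILE WAN_ZONE VPN_SUBNET
check_masq_excludes() { uci_zone_field "$1" "$2" masq_dest | grep -qxF -- "!$3"; }

# usage: audit_firewall_config FILE VPN_ZONE VPN_SUBNET WAN_ZONE
# Returns the number of failed checks (0 means all passed).
audit_firewall_config() {
  fails=0
  check_vpn_zone_first "$1" "$2"     || { echo "FAIL: zone '$2' is not the first zone";        fails=$((fails + 1)); }
  check_zone_ipsec_policy "$1" "$2"  || { echo "FAIL: zone '$2' lacks ipsec policy matches";   fails=$((fails + 1)); }
  check_masq_excludes "$1" "$4" "$3" || { echo "FAIL: zone '$4' masquerades towards $3";       fails=$((fails + 1)); }
  echo "$fails failed check(s)"
  return "$fails"
}

# Stand-alone usage: audit the file given on the command line, else the sample.
if [ "$#" -ge 1 ]; then
  audit_firewall_config "$1" "${2:-vpn}" "${3:-192.168.2.0/24}" "${4:-wan}"
else
  tmp=$(mktemp); write_sample_config "$tmp"
  audit_firewall_config "$tmp" vpn 192.168.2.0/24 wan
  rm -f "$tmp"
fi
```

On a router this would be run as `sh audit.sh /etc/config/firewall vpn 192.168.2.0/24 wan`; the policy-match check is the one that matters most, because without it the generated `-s 192.168.2.0/24 -j ACCEPT` rule trusts a plain source address rather than an authenticated ESP tunnel.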

Thanks for the security advice. Here is my position on it.

option extra_src/dest on the vpn zone is indeed a good idea. I am not sure if I prefer the necessity to add extra option extra_src/dest to non-vpn zones, or the zone order requirement. Regarding option mtu_fix '1' on the VPN zone, I have not tested it either, but kernel-netlink settings are also useful if the other end is expected to be behind some broken firewall.