Strongswan Client Router no LAN access when VPN connects

Hi, first post but been tinkering for a while with a couple of modems.

At the moment I have installed OpenWrt Snapshot 18 for the TP-Link MR3020 v3.2.

The initial install and update worked fine, no problems with opkg etc and accessing WAN and LAN.

However I spent about a week or more googling everything possible about getting Strongswan to work after I successfully got OpenVPN to work (which was leaking DNS, so I gave up on that).

I've finally got Strongswan working, however it only works if I omit the leftsubnet setting and set the rightsubnet to 0.0.0.0/0, which then for some reason means I can't connect from the LAN side.

I leave a logging script running on the router so I can see what's going on when I reboot.

In the above config, the router is connected to the VPN and assigned the VPN's IP on its WAN port, no LAN access.

If I run the command: ip route list table 220

I get:

default via 10.2.2.1 dev wlan0 proto static src <vpn.ip.address.x>

If I change the rightsubnet to x.0.0.0/8

I get:

x.0.0.0/8 via 10.2.2.1 dev wlan0 proto static src <vpn.ip.address.x>

But I can access via LAN but my IP is my ISP's address

If I add the leftsubnet of my 3020 router's LAN I get:

x.0.0.0/8 via 10.2.2.1 dev wlan0 proto static src 10.10.10.1

LAN access but ISP's IP.

wlan0 is WAN, eth0 is LAN (br-lan)

I've tried adding various routes to 220 but each time I do that I lose LAN access.

Also it's double NAT, but that doesn't prevent the strongswan connection from activating. Internet router is 10.2.2.0/24, MR3020 is 10.10.10.0/24. I set up a static WAN IP on the MR3020 by configuration on ISP modem which is used as left/leftid automatically in strongswan.

I've googled this so much that my browser stopped responding from so many open tabs lol.

Appreciate any advice or help!

From the ipsec.conf manpage:

       leftsubnet = <ip subnet>[[<proto/port>]][,...]
              private subnet behind the left participant, expressed as
              network/netmask; if omitted, essentially assumed to be left/32,
              signifying that the left end of the connection goes to the left
              participant only. Configured subnets of the peers may differ,
              the protocol narrows it to the greatest common subnet.

This means you cannot set leftsubnet unilaterally, but need a cooperating remote gateway.
Also see my other post about this topic.


@mpa Hi, thanks very much for your reply.

I have actually read all the strongswan documentation for charon and ipsec.conf.

The problem is that I don't get LAN access to the VPN no matter what configuration I use for left subnet except using the VPN's DNS with mask 255.0.0.0, which allows LAN access but not to the VPN.

I'm guessing there are two possible solutions, either figuring out a way to set up a separate LAN subnet for VPN connections.

Or figuring out how to route the VPN connection to the LAN.

However the "best" config so far is to leave leftsubnet blank and rightsubnet 0.0.0.0/0. But no LAN access; from logs running on the router I can see it is connected to the VPN and getting the right VPN IP, but it becomes the default route overriding everything else.

If using x.0.0.0/8 for right subnet, I get LAN access as the VPN isn't the default route but don't know how to route to it or bridge to it.

Thanks for your help!

EDIT: So I read the post you linked to:

This is a roadwarrior-style configuration with a virtual IP address. Only packets with the 10.6.yy.yy/32 address will be able to pass through the tunnel in either direction. I can see these possible solutions:

  1. Change to a subnet-to-subnet config, if offered by your VPN provider, or if you are operating both VPN gateways yourself.
  2. Make all clients appear under a single IP address to the tunnel (SNAT, maybe also DNAT). Be sure to apply NAT to the plaintext traffic, not ESP, and map to the virtual IP address, not an arbitrary address from one of the router's interfaces. I have not tried this.

So in my situation ipsec statusall shows

VPN.IP.ADDRESS.X/32 === 0.0.0.0/0

So I don't see how I can send packets from my LAN through this address, since my LAN is assigned IPs by the router's /etc/config/network -> lan setup...

I don't know how to set up a subnet to subnet config, or where to set it up?

Also not sure how to set up your second option either, I guess that would be with iptables, which would probably be the better option since then LAN clients can still be assigned normal IP addresses?

EDIT 2: Is it better to use the router's internal IP for left= or the WAN IP? Either seems to work and gives me a VPN IP for the router...

@mpa So weirdly following that post you mentioned:

I added the following to my ipsec.conf:

conn lan-passthrough
    leftsubnet=10.10.10.1/24 # Replace with your LAN subnet
    rightsubnet=10.10.10.1/24 # Replace with your LAN subnet
    authby=never # No authentication necessary
    type=pass # passthrough
    auto=route # no need to ipsec up lan-passthrough

And with no leftsubnet and rightsubnet=0.0.0.0/0 I was able to access the router from the LAN port which never happened before.

And also weirdly a messaging app I had open kept working, but I couldn't access any webpages at all, not even wget my IP address... so not sure how that worked.

I also have a conn %default set up in my ipsec.conf and even though I placed conn passthrough before it, it inherited those settings which I guess is normal.

conn %default
	fragmentation=yes
	rekey=yes
	keyingtries=%forever
	ikelifetime=60m
	keylife=10m
	keyexchange=ikev2
	compress=no
	dpddelay=60s
	dpdtimeout=90s
	dpdaction=restart #clear #restart
	closeaction=restart
	forceencaps=yes #???
	#route_via_internal=yes

I will try to move conn %default into the conn tunnel or then remove the % and see what happens.

EDIT: So tried various different configurations of ipsec.conf with the lan-passthrough, all the same result.

I get this in ipsec statusall:

Connections:
lan-passthrough:  %any...%any  IKEv1/2
lan-passthrough:   local:  uses public key authentication
lan-passthrough:   remote: uses public key authentication
lan-passthrough:   child:  10.10.10.0/24 === 10.10.10.0/24 PASS
...
Shunted Connections:
lan-passthrough:  10.10.10.0/24 === 10.10.10.0/24 PASS
...

Also ip route list table 220 gives:

default via 10.2.2.1 dev wlan0 proto static src <VPN.IP> 
10.10.10.0/24 dev br-lan proto static src 10.10.10.1

Surely there is a route I can create between the VPN.IP and br-lan?

What is your purpose of using the VPN:

  • access from your own LAN to the LAN behind the remote gateway?
  • access to the Internet using an IP address assigned by the remote gateway?
  • access to your LAN from elsewhere, through the VPN?
  • anonymity
  • traffic encryption and authentication?

Which machines should have access to the VPN - all devices connected to your LAN?

Are you operating the remote gateway yourself?
If not, did you get any instructions for setting up your VPN client from the remote gateway operator?

Please post your /etc/ipsec.conf.

the router is connected to the VPN

Run ipsec statusall after the tunnel has been established and post its output here.

and assigned the VPN's IP on its WAN port,

How did you check this?

no LAN access.

Does access fail from LAN to router, from LAN through the VPN tunnel, or both?

If I change the rightsubnet to x.0.0.0/8
I get:
x.0.0.0/8 via 10.2.2.1 dev wlan0 proto static src <vpn.ip.address.x>
But I can access via LAN but my IP is my ISP's address

Yes, you could use a limited rightsubnet for testing. But note that only traffic destined for this reduced subnet will pass through the tunnel. All other traffic will be sent in cleartext as if there was no VPN. So if you are using e.g. a web server to report back your own IP address, make sure to choose a rightsubnet which includes that server's IP address.

I've tried adding various routes to 220 but each time I do that I lose LAN access.

Let's look at the output of ipsec statusall first, and deal with the routes afterwards, if at all.

I don't quite understand what you are saying here.
Please post config files/parts, ipsec statusall output, and then explain what works and what doesn't with each config variant.

set up a separate LAN subnet for VPN connections.

This could be used to separate clients which are authorized to use the VPN from those who are not.
I don't think it is going to help with fixing a non-working configuration.

Or figuring out how to route the VPN connection to the LAN.

Strongswan installs routes automatically, it's best not to change them without evidence that this is really needed.

"best" config so far is [...] rightsubnet 0.0.0.0/0 [...] but [VPN] becomes the default route overriding everything else.
If using x.0.0.0/8 for right subnet, I get LAN access as the VPN isn't the default route but don't know how to route to it or bridge to it.

IPsec itself does not support bridging.

leftsubnet and rightsubnet are authoritative about which data can be passed through the tunnel, this cannot be overridden with custom routing. So if you want to set the default route to the VPN, you need rightsubnet=0.0.0.0/0. LAN access can be kept using a passthrough policy, as you found out below.

So in my situation ipsec statusall shows
VPN.IP.ADDRESS.X/32 === 0.0.0.0/0
So I don't see how I can send packets from my LAN through this address, since my LAN is assigned IPs by the router's /etc/config/network -> lan setup...

Yes, there's the rub. If the tunnel is set up without leftsubnet, only the gateway itself is allowed to use it. A potential workaround is NAT (option 2 in that quoted post). Clients keep using their LAN IP addresses, but NAT in the router translates them to the single IP address which is allowed to use the VPN. I cannot say if it will work since I have not tried it.

I don't know how to set up a subnet to subnet config, or where to set it up?

This is option 1. Looks like it is actually called site-to-site. It is set up with the options leftsubnet and rightsubnet in ipsec.conf on both gateways. See Usable Examples in the strongSwan wiki.

Also not sure how to set up your second option either, I guess that would be with iptables,

Yes, iptables. Perhaps even through the OpenWrt firewall, but I cannot say if this case is supported there.

which would probably be the better option since then LAN clients can still be assigned normal IP addresses?

LAN clients keep using their normal IP addresses with either option.
Option 1 (site-to-site) is better, if allowed by the remote gateway.

Is it better to use the router's internal IP for left= or the WAN IP? Either seems to work and gives me a VPN IP for the router...

It does not matter, except for its effect on leftid.
I would leave out left and use its default of %any, then set leftid explicitly, depending on what the remote gateway expects.

leftsubnet and rightsubnet 10.10.10.0/24 would be better, but it might work either way.

And with no leftsubnet and rightsubent=0.0.0.0/0 I was able to access the router from the LAN port which never happened before.

Good.

but I couldn't access any webpages at all

Web pages on the router? On the internet?

not even wget my IP address...

???

Use ping to test network connectivity, perhaps with multiple packet sizes to probe the MTU.

As mentioned in the ipsec.conf manpage, don't use reauth=yes (the default) with any closeaction other than none.

Strongswan has sensible built-in defaults. My conn %default has just a single entry: reauth=no.

For individual conn sections, I use:

auto=route          # to establish connections on demand
dpdaction=hold      # same
# no closeaction    # might use "hold" as well

This output is missing the VPN tunnel.

Surely there is a route I can create between the VPN.IP and br-lan?

A custom route is unlikely to help here.
When the tunnel is up, the routes should be OK as well (you can check them of course).

I suggest to look at the firewall as the next step. I have also posted suggestions about this before, but all of them are based on a site-to-site configuration.


@mpa Hi, thanks again for your help, I'll try to answer all your questions...

The VPN I am accessing is a commercial VPN provider that I have no backend access to.

The main purpose of using the VPN is to make my internet connection private.

Well actually the MR3020 router only has one ethernet port and wifi. In my case I would just like one machine connected to the ethernet port which is LAN to have access to the VPN. But it wouldn't hurt if I attached an ethernet switch to have more ports but that's not important atm.

No it's a private company operating the VPN server. But I have full control over the OpenWrt client router.

Yes I have followed the instructions. It connects fine but only the router can access the VPN tunnel. The LAN port becomes unresponsive until I added that passthrough rule to ipsec.conf.

root@OpenWrt:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	uniqueids=never # yes #uniqueids=never
	charondebug="all"
	#charondebug="cfg 3, dmn 4, ike 3, net 1"

# Add connections here.

conn lan-passthrough
        leftsubnet=10.10.10.0/24 # Replace with your LAN subnet
        rightsubnet=10.10.10.0/24 # Replace with your LAN subnet
        authby=never # No authentication necessary
        type=pass # passthrough
        auto=route # no need to ipsec up lan-passthrough

conn %default
	fragmentation=yes
	rekey=yes
	keyingtries=%forever
	ikelifetime=60m
	keylife=10m
	keyexchange=ikev2
	compress=no
	dpddelay=60s
	dpdtimeout=90s
	dpdaction=restart #clear #restart
	closeaction=restart
	forceencaps=yes #moves to port 4500
	#route_via_internal=yes

conn tunnel
	eap_identity=*redacted
	authby=secret
	type=tunnel
	ike=aes256-sha256-modp1024
	esp=aes256-sha256
	leftid=10.10.10.1
	left=10.10.10.1 #%any
	leftauth=eap-mschapv2
	leftfirewall=yes
	leftsourceip=%config4
	leftsendcert=never
	rightid="OU=Domain Control Validated, OU=*redacted Multi-Domain, CN=*redacted"
	right=*redacted
	rightsubnet=0.0.0.0/0
	rightfirewall=yes
	rightauth=pubkey
	rightsendcert=never
	#type=passthrough
	auto=start
root@OpenWrt:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.0, Linux 4.14.141, mips):
  uptime: 43 seconds, since Sep 12 09:16:15 2019
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem opens$
Listening IP addresses:
  10.10.10.1
  fda0:94b4:ca2f::1
  10.2.2.239
Connections:
lan-passthrough:  %any...%any  IKEv1/2
lan-passthrough:   local:  uses public key authentication
lan-passthrough:   remote: uses public key authentication
lan-passthrough:   child:  10.10.10.0/24 === 10.10.10.0/24 PASS
        erup:  10.10.10.1...*redactedVPN.com  IKEv2, dpddelay=60s
        erup:   local:  [10.10.10.1] uses EAP_MSCHAPV2 authentication with EAP identity '*redacted'
        erup:   remote: [OU=Domain Control Validated, OU=*redacted Multi-Domain, CN=*redacted] uses public key authentication
        erup:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
Shunted Connections:
lan-passthrough:  10.10.10.0/24 === 10.10.10.0/24 PASS
Security Associations (1 up, 0 connecting):
        erup[1]: ESTABLISHED 36 seconds ago, 10.10.10.1[10.10.10.1]...*redactedVPN.IP[OU=Domain Control Validated, OU=*redacted Multi-Domain, CN=*red$
        erup[1]: IKEv2 SPIs: *redacted *redacted, EAP reauthentication in 42 minutes
        erup[1]: IKE proposal: AES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
        erup{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: *redacted *redacted  
        erup{1}:  AES_CBC_256/HMAC_SHA1_96, 158662 bytes_i (546 pkts, 1s ago), 19844 bytes_o (79 pkts, 1s ago), rekeying in 11 seconds
        erup{1}:   VPN.IP.ON.WAN/32 === 0.0.0.0/0

I run a script on the OpenWrt router in the background, amongst other things it does wget http://ipinfo.io/ip... which shows the VPN IP, not my ISP IP.

There was absolutely no access to the LAN ethernet port at all upon immediate successful connection to the VPN until I added the passthrough, but the passthrough has no internet access VPN or ISP, but at least I can login to the router.

This seems the best option but I don't know how to do it?

Webpages on the laptop connected to the LAN ethernet port of the OpenWrt router do not load, pings don't work either. Wget works on the router routed via VPN.

Output of ip route list table 220:

default via 10.2.2.1 dev wlan0 proto static src VPN.IP.ON.WAN 
10.10.10.0/24 dev br-lan proto static src 10.10.10.1

I will take a look.

Thanks for your help!
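As an added example (not from the thread), a small Python 3.8+ check of the point mpa made above: only traffic matched by the traffic selectors of the installed CHILD_SA (the erup{1}: VPN.IP.ON.WAN/32 === 0.0.0.0/0 line in the statusall output above) can use the tunnel, and the PASS shunt is what keeps the LAN reachable. The sample statusall text is constructed after the one posted above, with the redacted virtual IP replaced by the documentation address 192.0.2.10 and the SPIs by made-up values.

```python
import ipaddress
import re

# Constructed sample after the `ipsec statusall` posted above (redacted VIP -> 192.0.2.10).
SAMPLE_STATUSALL = """\
Connections:
lan-passthrough:   child:  10.10.10.0/24 === 10.10.10.0/24 PASS
        erup:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
Shunted Connections:
lan-passthrough:  10.10.10.0/24 === 10.10.10.0/24 PASS
Security Associations (1 up, 0 connecting):
        erup{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ffee01_i c0ffee02_o
        erup{1}:   192.0.2.10/32 === 0.0.0.0/0
"""
# Installed CHILD_SA selectors: "name{id}:   <local TS> === <remote TS>"
SA_TS_RE = re.compile(r"^\s*(\S+)\{\d+\}:\s+(.+?) === (.+?)\s*$")
# Shunt policy: "name:  <local> === <remote> PASS|DROP"
SHUNT_RE = re.compile(r"^\s*(\S+):\s+(.+?) === (.+?)\s+(PASS|DROP)\s*$")


def _sections(text):
    # Yield (section header, line); a header is an unindented line ending in ':'.
    section = None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            section = line
            continue
        yield section, line


def installed_child_sas(text):
    """conn name -> (local selectors, remote selectors) for installed CHILD_SAs.
    Only 'Security Associations' counts; 'Connections:' is config, not kernel policy."""
    sas = {}
    for section, line in _sections(text):
        if section and section.startswith("Security Associations") and (m := SA_TS_RE.match(line)):
            sas[m.group(1)] = (m.group(2).split(), m.group(3).split())
    return sas


def shunt_policies(text):
    """(conn, local, remote, action) tuples from the 'Shunted Connections' section."""
    out = []
    for section, line in _sections(text):
        if section == "Shunted Connections:" and (m := SHUNT_RE.match(line)):
            out.append(m.groups())
    return out


def covered_by(selectors, subnet):
    """True if any selector (a CIDR) contains the whole subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(s, strict=False)) for s in selectors)


def lan_can_use_tunnel(text, lan):
    """LAN hosts are only tunnelled if an installed SA's local TS covers the LAN."""
    return any(covered_by(local, lan) for local, _ in installed_child_sas(text).values())


def lan_has_passthrough(text, lan):
    """True if a PASS shunt exempts LAN<->LAN traffic from the 0.0.0.0/0 tunnel."""
    return any(a == "PASS" and covered_by([l], lan) and covered_by([r], lan)
               for _, l, r, a in shunt_policies(text))
```

Run it against real output with `lan_can_use_tunnel(open("statusall.txt").read(), "10.10.10.0/24")`; False with a /32 local selector is exactly the "only the gateway may use the tunnel" situation described above.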

Could you set up the VPN client on that single machine, rather than the OpenWrt router?
This would result in a much simpler configuration.

Do they say anything about connecting a single machine vs. a whole site?

ike=aes256-sha256-modp1024

modp1024 is insecure.

Use at least modp2048, or even higher if you want the Diffie-Hellman strength to match the AES key size. However, this requires significant CPU power, or it will result in slow connection setup.

A faster alternative is Elliptic Curve Diffie-Hellman, if supported by the VPN provider. Try curve25519 for example.

esp=aes256-sha256

Add modp2048 or curve25519 here too. If it doesn't work, no need to worry, leave it out then.

Otherwise, ipsec statusall looks OK.

Looks OK.


@mpa Thanks again for your reply!

Well I guess I should have specified the "machine"... I would like to use the router with a video game console and/or a video streaming box connected to a tv, neither of which can be configured to use a VPN.

I'm only using a computer at the moment to test and configure it. I have a VPN client set up on my computer and used to share that from wifi to LAN for those devices, and both the computer and console/box could be assigned a separate IP and both would get VPN access.

However I'm not that comfortable having a VPN running constantly on my computer since there are a lot of background processes running that send packets that I don't necessarily want to pass through the VPN; also I mainly just want to use my ISP for my computer.

No, but I can connect a mobile, tablet and computer at the same time independently.

I tried modp3072 before but it wouldn't connect, can't remember if I tried 2048. Will test some more combos.

Can you please explain a bit more about how I could try and implement this on OpenWrt? Btw, I've noticed in logread that it mentions NAT-D, I've read about NAT-T? Not really sure if that's important?

Thanks again!

EDIT:

Here's my iptables:

root@OpenWrt:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.2.2.0/24,10.10.10.0/24 -o wlan0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.2.2.0/24,10.10.10.0/24 -o wlan0 -j MASQUERADE
# above was eth0

# below duplicates?
#iptables -t nat -A POSTROUTING -m policy --pol ipsec --dir out --proto esp -j ACCEPT
#iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT

iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

#iptables -I INPUT -m policy --dir in --pol ipsec --proto udp --dport 500 -j ACCEPT
#iptables -I INPUT -m policy --dir in --pol ipsec --proto udp --dport 4500 -j ACCEPT

And here's the NAT-D I was talking about in logread:

Fri Sep 13 06:52:26 2019 daemon.info : 05[NET] sending packet: from 10.10.10.1[500] to VPN.DNS.SERVER[500] (1004 bytes)
Fri Sep 13 06:52:26 2019 daemon.info : 09[NET] received packet: from VPN.DNS.SERVER[500] to 10.10.10.1[500] (316 bytes)
Fri Sep 13 06:52:26 2019 daemon.info : 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]