I am trying to establish a VPN between my pfSense firewall and an OpenWrt router that is meant to be used during travel. The OpenWrt router shall send all traffic from connected clients through the tunnel to pfSense.
I have decided on strongSwan for two main reasons:
- IPsec is much less heavy on the CPU, which comes with performance benefits over OpenVPN.
- WireGuard is not available as a working, usable implementation on pfSense.
I guess it is the roadwarrior scenario I am looking for, where OpenWrt would be the initiator and pfSense the responder.
The server setup in pfSense is done. Now I am trying to set up the OpenWrt router as a "client" (initiator) before I can start testing. Trying to find the relevant documentation, I found the basics and a roadwarrior scenario doc - unfortunately as a responder, not an initiator, for OpenWrt. (There also appears to be a different way of configuring things on OpenWrt described in the strongSwan wiki.)
The first (basic) document starts off by talking about an init script to be created and some specific setup for the config files to follow in order to integrate strongSwan into OpenWrt. However, the roadwarrior document appears to be working on a different config layout. Also, the basic document appears to be for a rather old version of OpenWrt (14.07), and the init script it suggests creating is from 2016. Having installed strongswan-full on my 18.06-snapshot OpenWrt router, I find that there is already an init script, which appears to be more sophisticated than the one suggested in the docs...
As I don't want to break anything, I have a very basic question to start:
Am I correct to assume that I don't need to replace the init script, and that I can start directly editing the config files that I find in /etc/ (or /etc/swanctl)?
If so, I'd try to use the roadwarrior initiator configs from the strongSwan wiki as a basis to test things.