Hello everyone!
I have remote machines acting as strongswan VPN servers.
They can handle roadwarrior clients with EAP-TLS auth.
I installed OpenWRT on my Archer C6. I want all traffic from the router's clients to go through the VPN tunnel.
I've followed a guide to set up a tunnel.
It works: I can ping machines on the server's subnet from my PC.
I can't set up forwarding properly.
I need to route all traffic through the VPN.
If I add a LAN->VPN forwarding rule in LuCI, I simply have no internet access.
I understand that this is most likely a very simple question, but I am a programmer, not a network engineer. I desperately need your help. Much appreciated!
/etc/ipsec.conf on OpenWRT
config setup
strictcrlpolicy=no
uniqueids=never
cachecrls=no
conn swanvpn
type=tunnel
auto=start
keyexchange=ikev2
authby=secret
left=92.255.**.** # Public ip
#leftsubnet=10.10.10.10/32
#leftsubnet=192.168.1.1/24
leftsubnet=192.168.1.0/32
leftsourceip=%config
right=3.8.**.** # AWS server public ip
rightsubnet=172.31.0.0/20
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
aggressive=no
keyingtries=%forever
ikelifetime=28800s
lifetime=3600s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
mark_in=32
mark_out=42
include /var/ipsec/ipsec.conf
/etc/ipsec.conf on server
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn # Default roadwarrior connection
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
#leftid=%any
leftid=@vpn.***.com # Domain
leftcert=server-cert.pem
leftsendcert=always
leftupdown=/etc/ipsec.d/firewall.updown
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes12>
esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
conn wrt # PSK For OpenWRT
type=tunnel
auto=add
keyexchange=ikev2
authby=secret
left=%any
leftid=%any
#leftsubnet=172.31.0.0/20
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
#rightsubnet=192.168.1.0/32
rightsubnet=0.0.0.0/0
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
aggressive=no
keyingtries=%forever
ikelifetime=28800s
lifetime=3600s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
leftupdown=/etc/ipsec.d/firewall.updown
/etc/config/firewall
config defaults
option synflood_protect '1'
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'ACCEPT'
option input 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'VPN'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'VPN'
option forward 'ACCEPT'
option masq '1'
config forwarding
option src 'VPN'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'VPN'
config forwarding
option src 'wan'
option dest 'VPN'
config forwarding
option src 'VPN'
option dest 'wan'
config forwarding
option src 'wan'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wan'
ip a
root@OpenWrt:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether e4:c3:2a:34:30:ad brd ff:ff:ff:ff:ff:ff
inet6 fe80::e6c3:2aff:fe34:30ad/64 scope link
valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
6: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether e4:c3:2a:34:30:ad brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether e4:c3:2a:34:30:ad brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fd16:8463:f762::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::e6c3:2aff:fe34:30ad/64 scope link
valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether e4:c3:2a:34:30:ad brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether e4:c3:2a:34:30:ad brd ff:ff:ff:ff:ff:ff
inet6 fe80::e6c3:2aff:fe34:30ad/64 scope link
valid_lft forever preferred_lft forever
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
link/ppp
inet 92.255.**.** peer 172.20.63.254/32 scope global pppoe-wan
valid_lft forever preferred_lft forever
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether e4:c3:2a:34:30:ac brd ff:ff:ff:ff:ff:ff
inet6 fe80::e6c3:2aff:fe34:30ac/64 scope link
valid_lft forever preferred_lft forever
13: vti1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
link/ipip 92.255.**.** peer 3.8.**.**
inet 192.168.1.0/32 brd 255.255.255.255 scope global vti1
valid_lft forever preferred_lft forever
inet6 fe80::200:5efe:5cff:c2ea/64 scope link
valid_lft forever preferred_lft forever