StrongSwan with Nextcloud Server

I successfully set up a strongSwan tunnel using the "roadwarrior" config from OpenWrt wiki and have it connected to my iPhone. However, I'm also using port forwards from OpenWrt to ports 80 and 443 on an internal Nextcloud server stack. Whenever I try to access other websites from the strongSwan client, it gets forwarded to the Nextcloud server. I would like the Nextcloud server to remain available from WAN without VPN. Is there a way around this? Sorry, I'm not very familiar with iptables, etc. but obviously I can copy and paste or adapt suggestions.

Perhaps you should limit the scope of those redirects to a specific destination IP.

I'm not sure what you mean. Ports are forwarded only to the internal server (e.g. 192.168.1.XXX). Nginx-proxy logs show strongSwan client requests originating from the OpenWrt gateway (e.g. 192.168.1.1).

You have to forward ports from the VPN zone to the LAN.


For external access (internet to router WAN to Nextcloud) I configured the router and Nextcloud to use a custom high port number (e.g. 30567).

That said, I no longer do this. Rather, I set up strongSwan as a split tunnel and used the strongSwan app (the Android app in my case) to only forward traffic destined for Nextcloud (now on port 443 both WAN and LAN) for specific apps.

HTH

EDIT: the reason I stopped using a high port number instead of 80 and/or 443 is that I caught my cell phone provider throttling SSL traffic on high ports (i.e. my external Nextcloud connection)...


Please post your OpenWrt firewall configuration: /etc/config/firewall

This appears to work. I selected the IP address of the WAN interface in LuCI, so will UCI automatically change the IP address if/when the WAN interface gets a new IP from my provider, or would I have to do something more complicated?

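The fix confirmed above is to scope each redirect to the router's WAN address (src_dip), so a DNAT rule for port 80/443 stops matching traffic that a VPN client sends to arbitrary hosts and that the router decapsulates on the wan zone. As an added check that is not from this thread, the script below scans a UCI firewall file for redirect sections with no src_dip; the embedded sample config, its section names and the addresses in it are constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the original thread: report 'config redirect'
# sections in a UCI firewall file that carry no src_dip, i.e. DNAT rules that
# match any destination address and therefore also catch VPN-client traffic
# arriving on the wan zone.

# Constructed sample of /etc/config/firewall (names and addresses made up).
# The first redirect has no src_dip and should be flagged; the second is
# scoped to a (documentation-range) WAN address and should pass.
SAMPLE_FW='
config redirect "redirect_wan_https"
	option name "nextcloud-https"
	option src "wan"
	option src_dport "443"
	option dest "lan"
	option dest_ip "192.168.1.10"
	option dest_port "443"
	option target "DNAT"

config redirect "redirect_wan_http"
	option name "nextcloud-http"
	option src "wan"
	option src_dip "203.0.113.5"
	option src_dport "80"
	option dest "lan"
	option dest_ip "192.168.1.10"
	option dest_port "80"
	option target "DNAT"
'

# Read a UCI firewall config on stdin and print, one per line, the names of
# redirect sections that have no src_dip option ("(unnamed)" for anonymous
# sections). Usage on a router: unscoped_redirects < /etc/config/firewall
unscoped_redirects() {
    awk '
        # Emit the section just finished if it was an unscoped redirect.
        function flush(    n) {
            if (in_redirect && !has_dip) {
                n = name
                if (n == "") n = "(unnamed)"
                print n
            }
            in_redirect = 0; has_dip = 0; name = ""
        }
        # A "config" line starts a new section; strip quotes from its name.
        $1 == "config" {
            flush()
            if ($2 == "redirect") {
                in_redirect = 1
                name = $3
                gsub(/["'"'"']/, "", name)
            }
            next
        }
        # Any src_dip inside a redirect section marks it as scoped.
        in_redirect && $1 == "option" && $2 == "src_dip" { has_dip = 1 }
        END { flush() }
    '
}

# When run directly, check the constructed sample; prints "redirect_wan_https".
printf '%s' "$SAMPLE_FW" | unscoped_redirects
```

Each name it prints is a candidate for `uci set firewall.<section>.src_dip=<WAN address>` followed by `uci commit firewall` and a firewall reload; the hotplug script later in this thread keeps that address current when the WAN IP changes.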

Rebind your domain to the LAN IP on the local DNS:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#hostnames

Or use a hotplug script like this:

cat << "EOF" > /etc/hotplug.d/iface/10-firewall
# Hotplug handler: whenever the WAN interface comes up or changes address,
# re-point the redirect's src_dip at the current WAN IP and reload the firewall.
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
# Act only for ifup/ifupdate events on the WAN interface itself.
if { [ "${ACTION}" = "ifup" ] || [ "${ACTION}" = "ifupdate" ]; } \
    && [ "${INTERFACE}" = "${NET_IF}" ]
then
    # Assumes the redirect section is named after the WAN interface,
    # e.g. firewall.redirect_wan; adjust to your section name.
    uci set firewall.redirect_"${NET_IF}".src_dip="${NET_ADDR}"
    /etc/init.d/firewall reload
fi
EOF

https://openwrt.org/docs/guide-user/base-system/hotplug

