StrongSwan with Nextcloud Server

I successfully set up a strongSwan tunnel using the "roadwarrior" config from OpenWrt wiki and have it connected to my iPhone. However, I'm also using port forwards from OpenWrt to ports 80 and 443 on an internal Nextcloud server stack. Whenever I try to access other websites from the strongSwan client, it gets forwarded to the Nextcloud server. I would like the Nextcloud server to remain available from WAN without VPN. Is there a way around this? Sorry, I'm not very familiar with iptables, etc. but obviously I can copy and paste or adapt suggestions.

Perhaps you should limit the scope of those redirects to a specific destination IP.

Iā€™m not sure what you mean. Ports are forwarded only to the internal server (eg. 192.168.1.XXX). Nginx-proxy logs shows strongSwan client requests originating from OpenWrt gateway (eg.,

You have to forward ports from VPN zone to LAN

1 Like

For external access (internet to router WAN to Nextcloud) I configured the router and nextcloud to use a custom high port number (aka 30567).

That said, I no longer do this. Rather, I set up strongswan as a split tunnel and used the strongswan app (the android app in my case) to only forward traffic destined for nextcloud (now on port 443 both wan and lan) for specific apps.


EDIT: the reason I stopped using a high port number instead of 80 and/or 443 is I caught my cell phone provider throttling ssl traffic on high ports (i.e. my external nextcloud connection)...

1 Like

Please post your OpenWrt firewall configuration: /etc/config/firewall

This appears to work. I selected the IP address of the WAN interface in LUCI, so will UCI automatically change the IP address if/when the WAN interface gets a new IP from my provider, or would I have to do something more complicated?

1 Like

Rebind your domain to the LAN IP on the local DNS:

Or use a hotplug script like this:

cat << "EOF" > /etc/hotplug.d/iface/10-firewall
. /lib/functions/
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
if [ "${ACTION}" = "ifup" -o "${ACTION}" = "ifupdate" ] \
&& [ "${INTERFACE}" = "${NET_IF}" ]
uci set firewall.redirect_"${NET_IF}".src_dip="${NET_ADDR}"
/etc/init.d/firewall reload

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.