I have configured OpenWrt on a Raspberry Pi 3B+ using a snapshot version of OpenWrt. I eliminated all the chains from iptables and flushed the iptables rules. There is only one rule in the POSTROUTING chain, to masquerade. I am able to run the Internet on LAN devices (LAN on the Wi-Fi network, WAN on Ethernet). Then I installed strongSwan (on OpenWrt and on CentOS 7) and was able to establish an IPsec tunnel (site-to-site VPN). While connected to the Raspberry Pi 3B+ using HDMI, all my traffic is tunneled to the VPN server, meaning the Internet is working fine (getting a response from curl and ping). Now once I connect a device to the Wi-Fi network there is no Internet.
Here is my OpenWrt router configuration:
ipsec.conf
conn conn-p
    #strictcrlpolicy=no
    authby=secret
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=95.216.212.162
    rightsubnet=0.0.0.0/0
    rightid=
    #ike=aes256-sha2_256-modp1024!
    #esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=add
    rightdns=10.10.1.1
    # mark=42
strongswan.conf
charon {
    install_routes=yes
    install_virtual_ip=yes
}
ifconfig before the tunnel
eth0 Link encap:Ethernet HWaddr B8:27:EB:B0:52:8E
inet addr:192.168.0.26 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::ba27:ebff:feb0:528e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:293 errors:0 dropped:0 overruns:0 frame:0
TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37560 (36.6 KiB) TX bytes:2612 (2.5 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4124 (4.0 KiB) TX bytes:4124 (4.0 KiB)
wlan0 Link encap:Ethernet HWaddr B8:27:EB:E5:07:DB
inet addr:10.10.4.1 Bcast:10.10.4.255 Mask:255.255.255.0
inet6 addr: fe80::ba27:ebff:fee5:7db/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1614 (1.5 KiB)
Creating a VTI tunnel
ip tunnel add ipsec0 local 10.10.0.14 remote 95.216.212.162 mode vti key 42
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
ip route add 10.0.0.0/8 dev ipsec0
ifconfig ipsec0 10.10.0.14 netmask 255.255.255.0 broadcast 10.10.0.255
Connecting the IPsec tunnel
ipsec statusall on OpenWrt
Status of IKE charon daemon (strongSwan 5.8.0, Linux 4.14.123, aarch64):
uptime: 7 minutes, since Jun 18 09:32:17 2019
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon addrblock af-alg agent attr blowfish ccm cmac connmark constraints ctr curl curve25519 des dhcp dnskey duplicheck eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls farp fips-prf forecast gcm gcrypt gmp ldap led md4 md5 mysql openssl pem pgp pkcs1 pkcs11 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation smp sqlite sshkey test-vectors unity vici whitelist x509 xauth-eap xauth-generic xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
192.168.0.26
10.10.4.1
10.10.0.14
Connections:
net-net1: %any...95.216.212.162 IKEv1, dpddelay=300s
net-net1: local: uses pre-shared key authentication
net-net1: remote: [global.safelabs.net] uses pre-shared key authentication
net-net1: child: 192.168.1.0/24 === 10.10.1.0/24 TUNNEL, dpdaction=clear
conn-ikev2: %any...95.216.212.162 IKEv2, dpddelay=300s
conn-ikev2: local: uses EAP authentication with EAP identity 'sqltest'
conn-ikev2: remote: [95.216.212.162] uses public key authentication
conn-ikev2: child: 192.168.0.0/16 === 10.10.1.0/24 TUNNEL, dpdaction=clear
conn-p: %any...95.216.212.162 IKEv1, dpddelay=30s
conn-p: local: [192.168.0.26] uses pre-shared key authentication
conn-p: remote: [global.safelabs.net] uses pre-shared key authentication
conn-p: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
IK1: %any...------ IKEv2, dpddelay=300s
IK1: local: uses public key authentication
IK1: remote: [-----] uses public key authentication
IK1: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
conn-p[1]: ESTABLISHED 7 minutes ago, 192.168.0.26[192.168.0.26]...95.216.212.162[-----]
conn-p[1]: IKEv1 SPIs: 817b867c2c5d77ee_i* 5efa2029856f7577_r, rekeying disabled
conn-p[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
conn-p{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c298a5fc_i c7b7e976_o
conn-p{1}: AES_CBC_128/HMAC_SHA2_256_128/MODP_2048, 59308 bytes_i (1111 pkts, 29s ago), 23822 bytes_o (436 pkts, 29s ago), rekeying disabled
conn-p{1}: 10.0.0.0/8 === 0.0.0.0/0
Ping from OpenWrt (while connected on HDMI)
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=39 time=193.995 ms
64 bytes from 8.8.8.8: seq=1 ttl=39 time=188.339 ms
64 bytes from 8.8.8.8: seq=2 ttl=39 time=185.797 ms
iptables
# Generated by iptables-save v1.8.2 on Tue Jun 18 11:15:25 2019
*nat
:PREROUTING ACCEPT [3961:589682]
:INPUT ACCEPT [2445:202214]
:OUTPUT ACCEPT [443:34025]
:POSTROUTING ACCEPT [637:44128]
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Jun 18 11:15:25 2019
# Generated by iptables-save v1.8.2 on Tue Jun 18 11:15:25 2019
*mangle
:PREROUTING ACCEPT [9598:2016471]
:INPUT ACCEPT [8548:1717666]
:FORWARD ACCEPT [44:2288]
:OUTPUT ACCEPT [1535:182929]
:POSTROUTING ACCEPT [1583:185473]
COMMIT
# Completed on Tue Jun 18 11:15:25 2019
# Generated by iptables-save v1.8.2 on Tue Jun 18 11:15:25 2019
*filter
:INPUT ACCEPT [11:2254]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:108]
-A FORWARD -d 10.0.0.0/8 -i eth0 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -o eth0 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
COMMIT
# Completed on Tue Jun 18 11:15:25 2019
According to the documents and tutorials I found on the Internet, one uses either a route-based VPN or a policy-based VPN, but my configuration is a mix of both. In strongswan.conf route_install=yes, and leftfirewall=yes is set. On the other hand, a VTI tunnel is created (if I do not create it then there is no traffic on the IPsec tunnel) and mark=42 is checked (if I uncheck it then there is no Internet on OpenWrt after the tunnel is connected). If I do not create a tunnel using the ip command then there is no traffic on the IPsec tunnel.
I need help.
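One way to cross-check the pieces of this setup against each other, as an added example that is not part of the post above nor of strongSwan or OpenWrt: the script parses constructed copies of the conn block, the ip tunnel command and the iptables-save output quoted above and reports where they disagree (active mark= versus the VTI key, whether any MASQUERADE source covers the wlan0 LAN, and the reqid the FORWARD policy rules match against versus the reqid of the installed SA). The LAN subnet and installed reqid are assumptions taken from the ifconfig and ipsec statusall output above.

```python
import ipaddress
import re

# Constructed copies of the fragments quoted in the post above (settings not needed here omitted).
IPSEC_CONF = """conn conn-p
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=95.216.212.162
    rightsubnet=0.0.0.0/0
    # mark=42
"""
VTI_CMD = "ip tunnel add ipsec0 local 10.10.0.14 remote 95.216.212.162 mode vti key 42"
IPTABLES_SAVE = """*nat
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 10.0.0.0/8 -i eth0 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -o eth0 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
COMMIT
"""
LAN_SUBNET = "10.10.4.0/24"  # assumed from wlan0 in the ifconfig output
INSTALLED_REQID = 1          # assumed from "conn-p{1}: INSTALLED, TUNNEL, reqid 1"

def parse_conn(text):
    """Active key=value settings of one conn block; commented-out lines do not count."""
    conf = {}
    for line in text.splitlines()[1:]:  # first line is the "conn <name>" header
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_config(ipsec_conf, vti_cmd, iptables_save, lan_subnet, installed_reqid):
    """Return the list of mismatches between the pieces; an empty list means they agree."""
    findings = []
    conn = parse_conn(ipsec_conf)
    vti_key = re.search(r"\bkey\s+(\d+)", vti_cmd)
    # A VTI device only carries traffic whose IPsec policies carry a mark equal to its key.
    if vti_key and conn.get("mark") != vti_key.group(1):
        findings.append(f"VTI key {vti_key.group(1)} has no matching active mark= in the conn")
    lan = ipaddress.ip_network(lan_subnet)
    nat_srcs = re.findall(r"-A POSTROUTING -s (\S+) -j MASQUERADE", iptables_save)
    if not any(lan.subnet_of(ipaddress.ip_network(src)) for src in nat_srcs):
        findings.append(f"LAN {lan_subnet} is not covered by any MASQUERADE source {nat_srcs}")
    for reqid in sorted(set(re.findall(r"--reqid (\d+)", iptables_save))):
        if int(reqid) != installed_reqid:
            findings.append(f"FORWARD policy rules match reqid {reqid}, installed SA uses reqid {installed_reqid}")
    return findings
```

Running check_config on the embedded fragments returns one finding per check; fixing the three inputs (active mark=42, MASQUERADE source 10.10.4.0/24, --reqid 1) returns an empty list.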