VPN between two subnets, what to use?


I have one setup where I have two sites, both with a small OpenWrt gateway, connected to each other using Strongswan. It works 99 % perfectly. There's something amiss in how and why the sites initiate the connection, but it does everything I want it to do.

Now I'd like to connect a roaming OpenWrt gateway to one of these. My problem is that the roaming 3G gateway is behind a carrier-grade NAT and IPv4 only. Because Strongswan relies on UDP, it does not work.

I have tried to set up Wireguard, but I can't make it appear in the list of protocols when I attempt to create a new interface. I am also not sure whether it allows me to route between two subnets.

My second choice is sshtunnel. I have the packages installed and am currently trying to configure it. Problem is, I am not sure if it can do what I want it to do. That is, route selectively between two subnets. I just wanted to set up a client, so I did not use a server section in the config file. Then I realized that the server section refers to what I am connecting to, and the tunnel is about what kind of connection I will make.

The instructions here I find quite confusing. It does not mention tunnelW at all. And neither do I see whether I need tunnelL or tunnelR sections with the tunnelW section. I probably do not.

Also, I get "debug1: sys_tun_open: failed to open tunnel control interface: No such file or directory" when attempting the same thing manually, but the entire Internet is seemingly unaware of what a tunnel control interface is and how to set one up. I have enabled tunneling in sshd_config, I am root, I have the tun module loaded. (On the remote side, yes, but not locally. Solved it by installing kmod-tun. Then the next problem.)

I have this in the /etc/config/network on both ends:

config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'

On the "server" I get this. These happen within one second:

daemon.notice netifd: Interface 'vpn0' is enabled
daemon.notice netifd: Network device 'tun0' link is up
daemon.notice netifd: Interface 'vpn0' has link connectivity
daemon.notice netifd: Interface 'vpn0' is setting up now
daemon.notice netifd: Interface 'vpn0' is now up
daemon.info : 06[KNL] interface tun0 deactivated
daemon.info : 12[KNL] fe80::19a:267:b731:f800 disappeared from tun0
daemon.notice netifd: Network device 'tun0' link is down
daemon.notice netifd: Interface 'vpn0' has link connectivity loss
daemon.notice netifd: Interface 'vpn0' is now down
daemon.info : 10[KNL] interface tun0 deleted

I could or would try sshuttle also, but I haven't been able to figure out what it is and what it is supposed to do. The documentation just tells me what I could possibly be unable or dislike to do to possibly want to use it.

Actually Strongswan uses the ESP protocol if you don't have a NAT. UDP encapsulated ESP is used for NAT only. I don't know why it doesn't work for you.

OpenVPN is the best for such a situation.

opkg update; opkg install kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools
It works fine site-to-site and it is much easier to configure.

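A site-to-site WireGuard setup in OpenWrt's /etc/config/network for the case discussed in this thread, as an added example that is not from the original posts (keys, hostname and subnets are placeholders to be replaced). The roaming gateway behind CGNAT is the only side that can initiate, so it carries the endpoint and a persistent keepalive; the reachable site has no endpoint and learns the peer's address from the first handshake. Each side lists the other side's LAN in allowed_ips, which is what makes the two subnets route to each other.

```uci
# --- roaming gateway (behind CGNAT, initiates) ---
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ROAMING_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '10.99.0.2/24'          # tunnel address, constructed

config wireguard_wg0
	option description 'site-a'
	option public_key 'SITE_A_PUBLIC_KEY_PLACEHOLDER'   # the OTHER side's public key
	option endpoint_host 'vpn.example.net'             # site A's reachable address
	option endpoint_port '51820'
	option persistent_keepalive '25'       # keeps the CGNAT mapping alive
	option route_allowed_ips '1'           # install routes for allowed_ips
	list allowed_ips '10.99.0.1/32'
	list allowed_ips '192.168.1.0/24'      # site A's LAN, constructed

# --- site A (reachable from the Internet, no endpoint for the peer) ---
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SITE_A_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '10.99.0.1/24'

config wireguard_wg0
	option description 'roaming-gateway'
	option public_key 'ROAMING_PUBLIC_KEY_PLACEHOLDER' # again, the OTHER side's key
	option route_allowed_ips '1'
	list allowed_ips '10.99.0.2/32'
	list allowed_ips '192.168.2.0/24'      # roaming gateway's LAN, constructed

# --- /etc/config/firewall, site A: accept the UDP handshake and let
# --- the tunnel forward to the LAN (add 'wg0' to the lan zone's networks)
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
```

A quick check after `ifup wg0` on both sides is `wg show`: a peer with a recent "latest handshake" and non-zero transfer counters means the keys are paired correctly, while a peer that never handshakes is usually the key mix-up described later in this thread.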

I was missing the luci-proto-wireguard package. I'll attempt this next. Then OpenVPN if still necessary. But still it'd be nice to know why the ssh and tun device stuff fails.

Actually I have a NAT. I have a NAT in the usual sense and then I have a NAT in a special sense. I doubly have a NAT.

Which makes absolutely no sense in my case, because using UDP is what destroys any chance of making it work.

I said it here:

When I say that "I am behind a NAT", people think it is the common case that in my OpenWRT router that is between me, that is my workstation or my laptop, and the Internet, is a NAT. True. But if it was only that, I'd never have needed to ask anyone anything. This is a special case where between the local OpenWRT router controlled by me and the remote OpenWRT router controlled by me is a NAT somewhere that is controlled by my ISP, not me. The next hop of my local "public" address is in a private subnet.

And when I said that Strongswan relies on UDP, I intended to refer to a stateless protocol in general. In this respect ESP behaves like UDP and doubly so when encapsulated in UDP. My packets are twice as dropped as usual.

Except that in this case it does not. For the same reason that Strongswan doesn't. After trying many different configurations (because the instructions here explain next to nothing) I checked Wikipedia and could verify that it is UDP-based only as pointed out here.

Now I really need something TCP-based or something running on top of ssh. Either it is sshtunnel or it is OpenVPN.

I am not sure how you came to this conclusion, but it is nonsense. UDP works the same way as TCP over CGNAT.

If you don't provide the configurations from both sides, no one will be able to help you troubleshoot.
Start with these:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Well. It was a good guess anyway, based on my experiences with Strongswan. I went through my configurations and realized that I had a mix-up with the keys. It works now and the subnets see each other.

Thanks to everyone for their attention. Sad to see Strongswan beaten. But I'll keep on using it elsewhere.
