Hello to everyone, can anyone tell me if this configuration is right?
Source: https://www.mundhenk.org/blog/fritzbox-openwrt-vpn
What i want to do:
What have I done:
- I configured the 2 DNS (obviously different dns and tested; one for 7490 and one for LEDE)
FRITZ!BOX 7490 CONFIGURATION
2) I added this VPN configuration in 7490:
vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "VPN_NAME";
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "DYNAMIC_DNS_OF_RASPBERRY.domain.com";
localid {
fqdn = "DYNAMIC_DNS_OF_7490.domain.com";
}
remoteid {
fqdn = "DYNAMIC_DNS_OF_RASPBERRY.domain.com";
}
mode = phase1_mode_idp;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "VPN_Password";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 192.168.178.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 10.10.10.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 10.10.10.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}RASPBERRY PI 3 (LEDE) CONFIGURATION
- I installed strongswan-full
- I modified the ipsec.conf file as follows:
/etc/ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
version 2
config setup
charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0"
conn %default
keyingtries=%forever
conn STS
aggressive=yes
left=DYNAMIC_DNS_OF_7490.domain.com
leftsubnet=10.10.10.0/24
leftfirewall=yes
lefthostaccess=yes
right=DYNAMIC_DNS_OF_RASPBERRY.domain.com
rightsubnet=192.168.178.0/24
rightallowany=yes
leftid="@DYNAMIC_DNS_OF_7490.domain.com"
rightid="@DYNAMIC_DNS_OF_RASPBERRY.domain.com"
ike=aes256-sha1-modp1024
esp=aes256-sha1-modp1024
keyexchange=ikev1
ikelifetime=1h
margintime=9m
rekey=yes
reauth=yes
keylife=8h
compress=yes
dpddelay=30
dpdtimeout=60
dpdaction=restart
authby=secret
auto=start- I modified the ipsec.secrets file as follows:
/etc/ipsec.secrets:
# /etc/ipsec.secrets - strongSwan IPsec secrets file
DYNAMIC_DNS_OF_7490.domain.com @DYNAMIC_DNS_OF_RASPBERRY.domain.com : PSK 'VPN_Password'- I add also a script that restart ipsec if 192.168.178.1 is unreachable. In this way:
[code]
I named it ipsecauto ad put it in /etc/init.d/
I made sure it was bootable (chmod +x /etc/init.d/ipsecauto)
I enabled it (/etc/init.d/ipsecauto enable)
/etc/init.d/ipsecauto:
#!/bin/sh
# wait for DDNS update
echo "waiting 90 seconds for setup of network and DDNS"
sleep 90
while [ 1=1 ]
do
ping -q -c2 192.168.178.1 > /dev/null
if [ $? -ne 0 ]
then
echo "ping failed, restarting ipsec"
ipsec stop
sleep 5
killall charon
ipsec start
else
echo "VPN established"
fi
echo "waiting 30 seconds before next check"
sleep 30
done- I modified the ipsec.secrets file as follows:
/etc/firewall.users:
### IPSec VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
iptables -t nat -A postrouting_rule -d 192.168.1.0/24 -j ACCEPT
# Allow any traffic between tunnel LANs
iptables -A forwarding_rule -i $LAN -o $VPN -j ACCEPT
iptables -A forwarding_rule -i $VPN -o $LAN -j ACCEPTIT IS ALL RIGHT? IT CAN WORK? Thanks a lot