I am thinking of changing my VPN to use wireguard on OpenWRT and Streisand on the server.
Currently I use ipsec, but think it would make more sense to automate the process of deploying the remote end with some scripts, and I don't feel like writing my own.
Also wireguard seems like it would take a lot of the complexity out of building an ipsec configuration, so... that's why I'm thinking about streisand and wireguard.
-
Also I might reflash the router to some more modern version of OpenWRT/LEDE ... if only I can remember what router it is, and how to do it.
-
I went with algo eventually - thanks _sizeofcat@mastodon.social , and transitioned over to using wireguard instead of ipsec.
I tried to get the algo ipsec implementation working against OpenWRT 18.06.2 https://openwrt.org/releases/18.06/notes-18.06.2
BUT ...
As far as I could tell the strongswan implementation in OpenWRT has no support for elliptic curves, and the certificates and keys generated by Algo were all ECDSA keys... So I gave up with that.
-
I would have liked to use ipsec, because previously I was doing site-to-site ipsec, so all hosts connected via that subnet could make use of the vpn.
Anyway... I re-engineered the solution to use double NAT and wireguard PtP. Setting that up via Algo and OpenWRT was easy; https://danrl.com/blog/2017/luci-proto-wireguard/ helped, as did adding the new wireguard interface to the WAN zone on the OpenWRT firewall.
-
The only thing left to do then was set up a bunch of port forwards from the VPN endpoint AND on the OpenWRT router, so I can get my bittorrent and SSH into the home LAN to work.
The FW rule set on Algo seemed simpler to work with than the one that came with Streisand too.
Streisand used UFW (uncomplicated fw) to wrap the iptables config, which I found quite complicated. 🤷♀️
Algo just had some iptables rules stored using the netfilter-persistent package, which seemed easier to modify.