gitbls / pistrong

Simplified CA and device cert manager for strongSwan VPN
MIT License

Pistrong on Pi with wireguard and openvpn #12

Closed echinida closed 1 year ago

echinida commented 2 years ago

I have a Pi4b acting as wireguard host and openvpn host using standard ports forwarded from an edgerouter bridged to a 5g LTE modem. Wg for simplicity, and openvpn on TCP as UDP can be blocked. When nothing else works a commercial IKEv2 connection to a paid VPN provider gets through. I have used Pistrong to add IKEv2 to this Pi, but with the firewall rules provided with Pistrong, wg and openvpn apparently connect but there is no traffic. If these rules are disabled wg and openvpn are working as expected. I don't know much about iptables, can you point me to a route around this problem?

gitbls commented 2 years ago

Please download and run pscollect from this github and provide the output here. Please have all firewall rules for wg and openvpn enabled so the iptables rules used by those VPNs are enabled.

echinida commented 2 years ago

pistrong-diagnostics.txt

echinida commented 2 years ago

The output on screen after pscollect is:

[sudo] password for pi:
Gathering diagnostic information for pistrong/strongSwan
...Environmental details
...apt-cache policy strongswan
...systemctl status strongswan
...pistrong config [minus smtp credentials]
...pistrong showca
...pistrong list --full
...copy /etc/swanctl/pistrong/makeCA.log
...copy /etc/swanctl/conf.d/pistrong-CAServerConnection.conf
...ls -lR /etc/swanctl
...ip configuration information
Error: ipv4: FIB table does not exist.
Dump terminated
...iptables filter table
...iptables nat table
...journalctl for charon and swanctl
Done.

As far as I know the firewall settings (if any, port forwarding is set on the router) for wg and openvpn are unaltered. I should say that I have not yet tried to use the pistrong certs etc. on my phone.

gitbls commented 2 years ago

Thanks for the pscollect output. I was hoping that it might show something obvious in the iptables output, but of course, no joy. There don't appear to be any packets that hit the two strongSwan iptables rules in the POSTROUTING table, so this is very confusing. Are you saying that if you remove the two rules for 10.1.10.0/24 in the POSTROUTING table that wg and ovpn then work correctly?

Another question from your initial post: You said that you're using "a commercial IKEV2 connection to a paid VPN provider". Is that via pistrong/strongSwan or something else? I don't see any traces of that in the iptables listing unless it's in a docker container.

Are either wg or ovpn using subnet 10.1.10.0/24 for anything? Doesn't look like it from the iptables output, but want to confirm that.

I may need to set up a similar configuration for in-depth examination. If that's the case, and to set your expectations, I won't be able to do that for about a week.
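The two checks gitbls is working through here, whether any other VPN pool overlaps 10.1.10.0/24 and whether the strongSwan POSTROUTING rules have matched any packets at all, as an added Python example that is not pistrong's own code. Only the LAN, strongSwan and OpenVPN subnets come from this thread; the WireGuard subnet and the iptables listing are constructed placeholders.

```python
"""Offline checks for the diagnosis above (added example, not pistrong code)."""
import ipaddress
import re

# Subnets the thread states: LAN and strongSwan pool (makeCA.log myfullsubnet /
# vpnsubnet) and OpenVPN's (the phone log is pushed ifconfig 10.8.0.2 255.255.255.0).
# The WireGuard subnet is never given in the thread, so it is an assumed placeholder.
NETWORKS = {
    "lan": "192.168.0.0/24",
    "strongswan": "10.1.10.0/24",
    "openvpn": "10.8.0.0/24",
    "wireguard": "10.99.0.0/24",  # assumption, not from the thread
}


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose CIDR ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


# Constructed `iptables -t nat -vnL POSTROUTING` listing in the layout pscollect's
# "iptables nat table" section prints.  The two 10.1.10.0/24 rules are made up to
# resemble the ones gitbls mentions (exact form assumed), with zero counters to
# mirror the observation that nothing hits them; the 10.8.0.0/24 rule is invented.
SAMPLE_NAT = """\
Chain POSTROUTING (policy ACCEPT 1532 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.1.10.0/24         0.0.0.0/0            policy match dir out pol ipsec
    0     0 MASQUERADE all  --  *      eth0    10.1.10.0/24         0.0.0.0/0
  841   61K MASQUERADE all  --  *      eth0    10.8.0.0/24          0.0.0.0/0
"""

# One rule line of `iptables -vnL`: pkts bytes target prot opt in out src dst [extra]
RULE_RE = re.compile(
    r"^\s*(\d+[KMGT]?)\s+(\d+[KMGT]?)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$"
)


def counter_to_int(text):
    """iptables -v abbreviates counters with 1000-based K/M/G/T suffixes."""
    scale = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
    if text[-1] in scale:
        return int(text[:-1]) * scale[text[-1]]
    return int(text)


def parse_rules(listing):
    """Parse one chain's -vnL output into dicts; the Chain/column header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, target, proto, in_if, out_if, src, dst, extra = m.groups()
        rules.append({
            "pkts": counter_to_int(pkts), "bytes": counter_to_int(nbytes),
            "target": target, "proto": proto, "in": in_if, "out": out_if,
            "src": src, "dst": dst, "extra": extra.strip(),
        })
    return rules


def idle_rules(rules, src_cidr):
    """Rules written for a source subnet that have never matched a packet."""
    return [r for r in rules if r["src"] == src_cidr and r["pkts"] == 0]


def main():
    for a, b in find_overlaps(NETWORKS):
        print(f"overlap: {a} and {b} share address space")
    rules = parse_rules(SAMPLE_NAT)
    for r in idle_rules(rules, NETWORKS["strongswan"]):
        print(f"never matched: {r['target']} src {r['src']} out {r['out']} {r['extra']}")


if __name__ == "__main__":
    main()
```

Paste the real POSTROUTING chain from the pscollect file in place of SAMPLE_NAT and fill in the WireGuard subnet to run the same checks on the actual box.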

echinida commented 2 years ago

On Thu, 20 Oct 2022, 17:49 Benn, @.***> wrote:

Thanks for the pscollect output. I was hoping that it might show something obvious in the iptables output, but of course, no joy. There don't appear to be any packets that hit the two strongSwan iptables rules in the POSTROUTING table, so this is very confusing. Are you saying that if you remove the two rules for 10.1.10.0/24 in the POSTROUTING table that wg and ovpn then work correctly?

Yes, if I disable them WG and openvpn revert to normal function

Another question from your initial post: You said that you're using "a commercial IKEV2 connection to a paid VPN provider". Is that via pistrong/strongSwan or something else? I don't see any traces of that in the iptables listing unless it's in a docker container.

Sorry, that was confusing. I was talking about using the strongswan app with a certificate and server from nordvpn on my phone. Haven't experimented with that on pi

Are either wg or ovpn using subnet 10.1.10.0/24 for anything? Doesn't look like it from the iptables output, but want to confirm that.

I will attempt to attach connection logs from my phone in case it becomes obvious


Thanks for your help! Howard


19:00:56.700 -- ----- OpenVPN Start -----
19:00:56.700 -- EVENT: CORE_THREAD_ACTIVE
19:00:56.702 -- OpenVPN core 3.git::d3f8b18b:Release android arm64 64-bit PT_PROXY
19:00:56.703 -- Frame=512/2048/512 mssfix-ctrl=1250
19:00:56.704 -- UNUSED OPTIONS 4 [resolv-retry] [infinite] 5 [nobind] 6 [persist-key] 7 [persist-tun] 11 [auth-nocache] 13 [tls-client] 16 [ignore-unknown-option] [block-outside-dns] 17 [block-outside-dns] 18 [verb] [3]
19:00:56.705 -- EVENT: RESOLVE
19:00:56.983 -- Contacting 188.28.150.121:1194 via TCPv4
19:00:56.984 -- EVENT: WAIT
19:00:57.105 -- Connecting to [stirlingroad.duckdns.org]:1194 (188.28.150.121) via TCPv4
19:00:57.228 -- EVENT: CONNECTING
19:00:57.233 -- Tunnel Options:V4,dev-type tun,link-mtu 1523,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-GCM,auth [null-digest],keysize 128,key-method 2,tls-client
19:00:57.234 -- Creds: UsernameEmpty/PasswordEmpty
19:00:57.235 -- Peer Info: IV_VER=3.git::d3f8b18b:Release IV_PLAT=android IV_NCP=2 IV_TCPNL=1 IV_PROTO=30 IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305 IV_AUTO_SESS=1 IV_GUI_VER=net.openvpn.connect.android_3.3.0-8367 IV_SSO=webauth,openurl
19:00:57.806 -- VERIFY OK: depth=1, /CN=cn_s1S5Xt1FRXQD6HBA, signature: ecdsa-with-SHA256
19:00:57.808 -- VERIFY OK: depth=0, /CN=server_rNfOWhi29DRRCAqm, signature: ecdsa-with-SHA256
19:00:58.081 -- SSL Handshake: peer certificate: CN=server_rNfOWhi29DRRCAqm, 256 bit EC, curve:prime256v1, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
19:00:58.084 -- Session is ACTIVE
19:00:58.085 -- EVENT: GET_CONFIG
19:00:58.095 -- Sending PUSH_REQUEST to server...
19:00:58.217 -- OPTIONS: 0 [dhcp-option] [DNS] [192.168.0.1] 1 [redirect-gateway] [def1] [bypass-dhcp] 2 [route-gateway] [10.8.0.1] 3 [topology] [subnet] 4 [ping] [10] 5 [ping-restart] [120] 6 [ifconfig] [10.8.0.2] [255.255.255.0] 7 [peer-id] [0] 8 [cipher] [AES-128-GCM]
19:00:58.219 -- PROTOCOL OPTIONS: cipher: AES-128-GCM digest: NONE key-derivation: OpenVPN PRF compress: NONE peer ID: 0 control channel: tls-crypt enabled
19:00:58.220 -- EVENT: ASSIGN_IP
19:00:58.268 -- Connected via tun
19:00:58.269 -- EVENT: CONNECTED info='stirlingroad.duckdns.org:1194 (188.28.150.121) via /TCPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]'



echinida commented 2 years ago

I realised that the pscollect output I sent you was not generated when I was trying to use wg or ovpn. Here are two files collected when trying to use wg/ovpn. Apologies if this is too much information.


System Info
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Linux raspberrypi4B 5.15.61-v8+ #1579 SMP PREEMPT Fri Aug 26 11:16:44 BST 2022 aarch64 GNU/Linux

*** apt-cache policy strongswan
strongswan:
  Installed: (none)
  Candidate: 5.9.1-1+deb11u3
  Version table:
     5.9.1-1+deb11u3 500
        500 http://security.debian.org/debian-security bullseye-security/main arm64 Packages
        500 http://security.debian.org/debian-security bullseye-security/main armhf Packages
     5.9.1-1+deb11u2 500
        500 http://deb.debian.org/debian bullseye/main arm64 Packages
        500 http://deb.debian.org/debian bullseye/main armhf Packages

systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
     Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-10-21 10:40:08 BST; 7min ago
    Process: 711 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
   Main PID: 549 (charon-systemd)
     Status: "charon-systemd running, strongSwan 5.9.1, Linux 5.15.61-v8+, aarch64"
      Tasks: 17 (limit: 4164)
        CPU: 1.173s
     CGroup: /system.slice/strongswan.service
             └─549 /usr/sbin/charon-systemd

Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: fded:348b:d56:0:24f2:a36a:2866:eda5 appeared on eth0
Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: fded:348b:d56:0:3ada:24bd:3ad5:c976 appeared on wlan0
Oct 21 10:40:13 raspberrypi4B charon-systemd[549]: fded:348b:d56::356 appeared on eth0
Oct 21 10:40:13 raspberrypi4B charon-systemd[549]: fded:348b:d56::c1f appeared on wlan0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: 192.168.0.233 appeared on eth0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: 192.168.0.236 appeared on wlan0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56:0:24f2:a36a:2866:eda5 on eth0
Oct 21 10:40:17 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56::356 on eth0
Oct 21 10:40:17 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56:0:3ada:24bd:3ad5:c976 on wlan0
Oct 21 10:40:18 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56::c1f on wlan0

pistrong config
Config Key   Value                                                 Description
calife       3650                                                  CA Lifetime [3650 days]
cnsuffix     @.                                                    Suffix for user cert names
crllife      7                                                     Cert Revocation List lifetime [7 days]
lxscript     pistrong-vpn-installer                                Linux VPN Config Pack script name
mailfrom     @.                                                    'From' string for cert email
myfqdn       raspberrypi4B.stirlingroad.duckdns.org                VPN host FQDN (Fully Qualified Domain Name)
random       1                                                     Generate random cert passwords
rootca       strongSwan                                            String for root CA name [strongSwan]
service      strongswan.service                                    strongSwan service name
smtpport     587                                                   SMTP mail server port
smtpserver   smtp.gmail.com                                        SMTP mail server IP address or name
smtpusetls   1                                                     SMTP Mail use TLS auth
swancertpfx  strongSwan                                            CA Cert name prefix [strongSwan]
swandir      /etc/swanctl                                          System directory for strongSwan [/etc/swanctl]
uclife       730                                                   User Cert Lifetime [730 days]
validids     android.stirlingroad.duckdns.org,ios.stirlingroad.duckdns.org,linux.stirlingroad.duckdns.org,windows.stirlingroad.duckdns.org  Valid SAN Keys
version      3                                                     Database version
vpnaddr      stirlingroad.duckdns.org                              VPN Server Address (IP or DNS)
vpncertpfx   ios                                                   VPN Cert name prefix [default]
vpnsankey    ios.stirlingroad.duckdns.org                          Default VPN SAN key
webdir       /var/www/html/vpn                                     Directory in file system corresponding to weburl
weburl       http://raspberrypi4B.stirlingroad.duckdns.org/vpn     Web URL on which to append cert name

pistrong showca
[CA Certificate /etc/swanctl/x509ca/strongSwanCACert.pem]
  subject:   "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Sep 29 16:02:04 2022, ok
             not after  Sep 26 16:02:04 2032, ok (expires in 3628 days)
  serial:    79:d6:73:65:41:db:a9:ec
  flags:     CA CRLSign self-signed
  subjkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  pubkey:    RSA 4096 bits
  keyid:     6e:d9:38:09:aa:80:70:28:36:55:2d:09:ce:a3:7b:12:d6:ed:63:ed
  subjkey:   ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89

[VPN Host Certificate /etc/swanctl/x509/android-strongSwanVPNCert.pem]
  subject:   "C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Sep 29 16:02:06 2022, ok
             not after  Sep 26 16:02:06 2032, ok (expires in 3628 days)
  serial:    6a:e4:47:e8:06:95:e9:51
  altNames:  android.stirlingroad.duckdns.org, stirlingroad.duckdns.org, stirlingroad.duckdns.org
  flags:     serverAuth ikeIntermediate
  authkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  subjkeyId: 0b:95:b0:cc:ab:fe:a7:33:11:ac:d4:b8:39:a3:81:b9:19:96:1e:d8
  pubkey:    RSA 4096 bits
  keyid:     fc:19:77:c0:10:74:f2:7f:61:98:20:09:30:f9:26:bd:f9:94:41:ee
  subjkey:   0b:95:b0:cc:ab:fe:a7:33:11:ac:d4:b8:39:a3:81:b9:19:96:1e:d8

[VPN Host Certificate /etc/swanctl/x509/ios-strongSwanVPNCert.pem]
  subject:   "C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Sep 29 16:02:08 2022, ok
             not after  Sep 26 16:02:08 2032, ok (expires in 3628 days)
  serial:    51:82:cb:5d:13:16:f3:ca
  altNames:  ios.stirlingroad.duckdns.org, stirlingroad.duckdns.org, stirlingroad.duckdns.org
  flags:     serverAuth ikeIntermediate
  authkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  subjkeyId: 2e:c9:b2:44:f3:9f:c1:2e:a1:be:48:ad:64:e7:9d:e8:09:54:6d:14
  pubkey:    RSA 4096 bits
  keyid:     10:9e:8d:40:37:90:8e:54:12:4a:ef:bc:a0:0e:7a:6c:42:27:88:03
  subjkey:   2e:c9:b2:44:f3:9f:c1:2e:a1:be:48:ad:64:e7:9d:e8:09:54:6d:14

[VPN Host Certificate /etc/swanctl/x509/linux-strongSwanVPNCert.pem]
  subject:   "C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Sep 29 16:02:16 2022, ok
             not after  Sep 26 16:02:16 2032, ok (expires in 3628 days)
  serial:    68:4e:90:47:2f:1f:e8:07
  altNames:  linux.stirlingroad.duckdns.org, stirlingroad.duckdns.org, stirlingroad.duckdns.org
  flags:     serverAuth ikeIntermediate
  authkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  subjkeyId: 2f:0c:2a:0a:da:e0:fe:38:6c:f6:52:f1:62:07:19:e6:0f:bb:01:84
  pubkey:    RSA 4096 bits
  keyid:     ea:51:4c:45:96:ed:89:4b:64:1c:d7:b2:8c:c8:13:8c:70:a7:38:33
  subjkey:   2f:0c:2a:0a:da:e0:fe:38:6c:f6:52:f1:62:07:19:e6:0f:bb:01:84

[VPN Host Certificate /etc/swanctl/x509/windows-strongSwanVPNCert.pem]
  subject:   "C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Sep 29 16:02:20 2022, ok
             not after  Sep 26 16:02:20 2032, ok (expires in 3628 days)
  serial:    25:2b:47:6d:f9:f1:7b:f2
  altNames:  windows.stirlingroad.duckdns.org, stirlingroad.duckdns.org, stirlingroad.duckdns.org
  flags:     serverAuth ikeIntermediate
  authkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  subjkeyId: 67:ce:e9:56:f8:48:52:9a:02:cc:2b:96:75:c3:40:8b:2f:f6:57:f3
  pubkey:    RSA 4096 bits
  keyid:     d3:53:13:fd:f5:aa:8c:f4:e8:ef:f4:60:b3:45:cf:ca:c3:06:33:db
  subjkey:   67:ce:e9:56:f8:48:52:9a:02:cc:2b:96:75:c3:40:8b:2f:f6:57:f3

pistrong list --full
V hjc-oneplus 2022-10-18:14:14:57 strongSwan ios.stirlingroad.duckdns.org 1gNWLZDQyf6k6GD7eh6SlZwGW0mPtoP
  subject:   "C=US, O=raspberrypi4B-strongSwan, @.@cnsuffix"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Oct 18 14:14:56 2022, ok
             not after  Oct 17 14:14:56 2024, ok (expires in 727 days)
  serial:    41:35:4a:b2:15:28:45:17
  altNames:  @.@cnsuffix
  flags:
  authkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  subjkeyId: db:3d:3a:7e:60:61:ed:7b:12:26:e2:fc:0f:e3:ba:9d:12:eb:81:8f
  pubkey:    RSA 2048 bits
  keyid:     1b:2d:f9:b7:5a:f3:60:4b:38:dd:26:cf:2f:8f:f9:56:69:6b:a0:9c
  subjkey:   db:3d:3a:7e:60:61:ed:7b:12:26:e2:fc:0f:e3:ba:9d:12:eb:81:8f

/etc/swanctl/pistrong/makeCA.log
date: 2022-09-29 16:02:21
version: V3.1
dnsoffline: 0
unkvpndns: 0
thishost: raspberrypi4B
thisdomain: stirlingroad.duckdns.org
thisfqdn: raspberrypi4B.stirlingroad.duckdns.org
vpnaddrhasname: 0
vpnaddr: stirlingroad.duckdns.org
vpndev: eth0
landev: eth0
myipaddr: 192.168.0.233
emyipaddr: 192.168.0.233
mysubnetx: 192.168.0
myfullsubnet: 192.168.0.0/24
vpnsubnet: 10.1.10.0/24
vpndns: 192.168.0.1
cnsuffix: @.***
webdir: /var/www/html/vpn
weburl: http://raspberrypi4B.stirlingroad.duckdns.org/vpn
san2x: stirlingroad.duckdns.org,stirlingroad.duckdns.org
android: android
androidkey: android.stirlingroad.duckdns.org
ios: ios
ioskey: ios.stirlingroad.duckdns.org
linux: linux
linuxkey: linux.stirlingroad.duckdns.org
windows: windows
winkey: windows.stirlingroad.duckdns.org

/etc/swanctl/conf.d/pistrong-CAServerConnection.conf

# Configuration written by pistrong makeMyCA V3.1 on Thu 29 Sep 2022 04:02:21 PM BST

conn-defaults {
    version = 2
    send_certreq = yes
    send_cert = always
    unique = never
    fragmentation = yes
    # Force esp encapsulation for restrictive firewalls
    encap = yes
    dpd_delay = 120s
    rekey_time = 0s
    pools = primary-pool-ipv4
    local {
        auth = pubkey
        cacerts = strongSwanCACert.pem
    }
}

remote-defaults {
    remote {
        id = %any
    }
}

child-defaults {
    net {
        dpd_action = clear
        rekey_time = 0s
        updown = /usr/lib/ipsec/_updown iptables
    }
}

connections {
    conn-android: conn-defaults, remote-defaults {
        proposals = aes256-aes192-aes128-sha384-sha256-sha1-modp3072-modp2048-modp1536
        local {
            certs = android-strongSwanVPNCert.pem
            id = android.stirlingroad.duckdns.org
        }
        children {
            net : child-defaults {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
    }

    conn-windows: conn-defaults, remote-defaults {
        proposals = aes256-sha256-modp1024
        local {
            certs = windows-strongSwanVPNCert.pem
            id = windows.stirlingroad.duckdns.org
        }
        children {
            net : child-defaults {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256-sha1-modp1024
            }
        }
    }

    conn-linux: conn-defaults, remote-defaults {
        proposals = aes192-sha256-modp3072
        local {
            certs = linux-strongSwanVPNCert.pem
            id = linux.stirlingroad.duckdns.org
        }
        remote {
            auth = pubkey
        }
        children {
            net : child-defaults {
                local_ts = 0.0.0.0/0
                esp_proposals = aes128gcm128-x25519
            }
        }
    }

    conn-ios : conn-defaults, remote-defaults {
        proposals = aes256-sha256-modp2048, aes256-sha256-modp1024,aes256-sha1-modp1024
        local {
            certs = ios-strongSwanVPNCert.pem
            id = ios.stirlingroad.duckdns.org
        }
        remote {
            auth = eap-tls
        }
        children {
            net : child-defaults {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 10.1.10.0/24
        dns = 192.168.0.1
    }
}

ls -l /etc/swanctl

```
/etc/swanctl:
total 80
drwx------ 2 root root  4096 Jan 21  2022 bliss
drwxr-xr-x 2 root root  4096 Sep 29 16:02 conf.d
drwx------ 2 root root  4096 Jan 21  2022 ecdsa
drwxr-x--- 2 root root  4096 Oct 18 14:14 p12
drwxr-xr-x 6 root root  4096 Oct 18 14:14 pistrong
drwxr-xr-x 2 root root  4096 Jan 21  2022 pkcs12
drwx------ 2 root root  4096 Jan 21  2022 pkcs8
drwx------ 2 root root  4096 Oct 18 14:14 private
drwxr-xr-x 2 root root  4096 Jan 21  2022 pubkey
drwx------ 2 root root  4096 Jan 21  2022 rsa
-rw-r--r-- 1 root root 16058 Jan 21  2022 swanctl.conf
drwxr-xr-x 2 root root  4096 Oct 18 14:14 x509
drwxr-xr-x 2 root root  4096 Jan 21  2022 x509aa
drwxr-xr-x 2 root root  4096 Jan 21  2022 x509ac
drwxr-xr-x 2 root root  4096 Sep 29 16:02 x509ca
drwxr-xr-x 2 root root  4096 Jan 21  2022 x509crl
drwxr-xr-x 2 root root  4096 Jan 21  2022 x509ocsp

/etc/swanctl/bliss:
total 0

/etc/swanctl/conf.d:
total 4
-rw-r--r-- 1 root root 2509 Sep 29 16:02 pistrong-CAServerConnection.conf

/etc/swanctl/ecdsa:
total 0

/etc/swanctl/p12:
total 8
-rw------- 1 root root 4537 Oct 18 14:14 hjc-oneplus-raspberrypi4B.p12

/etc/swanctl/pistrong:
total 36
drwxr-xr-x 2 root root 4096 Sep 29 15:44 backup
-rw------- 1 root root 3281 Oct 18 14:12 bak-pistrongdb.json
-rw-r--r-- 1 root root  554 Sep 29 16:02 CA-iptables
drwx------ 2 root root 4096 Sep 29 15:44 client-assets
-rw-r--r-- 1 root root  955 Sep 29 16:02 makeCA.log
-rw-r--r-- 1 root root  955 Sep 29 16:01 makeCA.log.bak
-rw------- 1 root root 3564 Oct 18 14:14 pistrongdb.json
drwx------ 2 root root 4096 Oct 18 14:14 server-assets
drwxr-xr-x 2 root root 4096 Sep 29 15:44 VPNClients

/etc/swanctl/pistrong/backup:
total 0

/etc/swanctl/pistrong/client-assets:
total 0

/etc/swanctl/pistrong/server-assets:
total 8
-rw-r--r-- 1 root root 6774 Oct 18 14:14 hjc-oneplus.zip

/etc/swanctl/pistrong/VPNClients:
total 0

/etc/swanctl/pkcs12:
total 0

/etc/swanctl/pkcs8:
total 0

/etc/swanctl/private:
total 24
-rw------- 1 root root 3247 Sep 29 16:02 android-strongSwanVPNKey.pem
-rw------- 1 root root 1675 Oct 18 14:14 hjc-oneplus-raspberrypi4BKey.pem
-rw------- 1 root root 3243 Sep 29 16:02 ios-strongSwanVPNKey.pem
-rw------- 1 root root 3243 Sep 29 16:02 linux-strongSwanVPNKey.pem
-rw------- 1 root root 3243 Sep 29 16:02 strongSwanCAKey.pem
-rw------- 1 root root 3243 Sep 29 16:02 windows-strongSwanVPNKey.pem

/etc/swanctl/pubkey:
total 0

/etc/swanctl/rsa:
total 0

/etc/swanctl/x509:
total 20
-rw-r--r-- 1 root root 2102 Sep 29 16:02 android-strongSwanVPNCert.pem
-rw-r--r-- 1 root root 1688 Oct 18 14:14 hjc-oneplus-raspberrypi4BCert.pem
-rw-r--r-- 1 root root 2098 Sep 29 16:02 ios-strongSwanVPNCert.pem
-rw-r--r-- 1 root root 2098 Sep 29 16:02 linux-strongSwanVPNCert.pem
-rw-r--r-- 1 root root 2102 Sep 29 16:02 windows-strongSwanVPNCert.pem

/etc/swanctl/x509aa:
total 0

/etc/swanctl/x509ac:
total 0

/etc/swanctl/x509ca:
total 4
-rw-r--r-- 1 root root 1960 Sep 29 16:02 strongSwanCACert.pem

/etc/swanctl/x509crl:
total 0

/etc/swanctl/x509ocsp:
total 0
```

IP information

```
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:94:69:21 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.233/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
       valid_lft 85990sec preferred_lft 75190sec
    inet6 fded:348b:d56::356/128 scope global dynamic noprefixroute
       valid_lft 42787sec preferred_lft 42787sec
    inet6 fded:348b:d56:0:24f2:a36a:2866:eda5/64 scope global mngtmpaddr noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::8b2c:bbcf:b728:c913/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether dc:a6:32:94:69:22 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.236/24 brd 192.168.0.255 scope global dynamic noprefixroute wlan0
       valid_lft 85990sec preferred_lft 75190sec
    inet6 fded:348b:d56::c1f/128 scope global dynamic noprefixroute
       valid_lft 42787sec preferred_lft 42787sec
    inet6 fded:348b:d56:0:3ada:24bd:3ad5:c976/64 scope global mngtmpaddr noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::d88e:66cd:4726:562f/64 scope link
       valid_lft forever preferred_lft forever
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.147.219.1/24 scope global wg0
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.8.0.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::4bcd:632:21dd:3df9/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:1b:d9:8b:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

ip r
default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.233 metric 202
default via 192.168.0.1 dev wlan0 proto dhcp src 192.168.0.236 metric 303
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.147.219.0/24 dev wg0 proto kernel scope link src 10.147.219.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev eth0 proto dhcp scope link src 192.168.0.233 metric 202
192.168.0.0/24 dev wlan0 proto dhcp scope link src 192.168.0.236 metric 303

ip r show table 220
```

iptables filter table

```
Chain INPUT (policy ACCEPT 1826 packets, 429K bytes)
 pkts bytes target     prot opt in     out     source               destination
  321 48320 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
  277 39600 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* wireguard-input-rule */
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  466 30041 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  466 30041 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
  215 13800 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   wg0     0.0.0.0/0            10.147.219.0/24      ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
  251 16241 ACCEPT     all  --  wg0    eth0    10.147.219.0/24      0.0.0.0/0            /* wireguard-forward-rule */
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 765 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
  466 30041 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  466 30041 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

iptables nat table

```
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13   973 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0            !127.0.0.0/8         ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 363 packets, 23893 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    10.1.10.0/24         0.0.0.0/0            policy match dir out pol ipsec
    0     0 MASQUERADE  all  --  *      eth0    10.1.10.0/24         0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
```

journalctl

```
Oct 21 10:40:05 raspberrypi4B systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded 0 RADIUS server configurations
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: HA config misses local/remote address
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded plugins: charon-systemd aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark farp vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: dropped capabilities, running as uid 0, gid 0
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: spawning 16 worker threads
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, @.***@cnsuffix'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:08 raspberrypi4B swanctl[711]: no authorities found, 0 unloaded
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: added vici pool primary-pool-ipv4: 10.1.10.0, 254 entries
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: added vici connection: conn-android
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: added vici connection: conn-windows
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: added vici connection: conn-linux
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: added vici connection: conn-ios
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509/windows-strongSwanVPNCert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509/android-strongSwanVPNCert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509/hjc-oneplus-raspberrypi4BCert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509/ios-strongSwanVPNCert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509/linux-strongSwanVPNCert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509ca/strongSwanCACert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/hjc-oneplus-raspberrypi4BKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/android-strongSwanVPNKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/linux-strongSwanVPNKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/ios-strongSwanVPNKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/windows-strongSwanVPNKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/strongSwanCAKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded pool 'primary-pool-ipv4'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: successfully loaded 1 pools, 0 unloaded
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded connection 'conn-android'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded connection 'conn-windows'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded connection 'conn-linux'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded connection 'conn-ios'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: successfully loaded 4 connections, 0 unloaded
Oct 21 10:40:08 raspberrypi4B systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Oct 21 10:40:10 raspberrypi4B charon-systemd[549]: fe80::8b2c:bbcf:b728:c913 appeared on eth0
Oct 21 10:40:10 raspberrypi4B charon-systemd[549]: 172.17.0.1 appeared on docker0
Oct 21 10:40:10 raspberrypi4B charon-systemd[549]: interface docker0 activated
Oct 21 10:40:11 raspberrypi4B charon-systemd[549]: fe80::d88e:66cd:4726:562f appeared on wlan0
Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: flags changed for fe80::8b2c:bbcf:b728:c913 on eth0
Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: flags changed for fe80::d88e:66cd:4726:562f on wlan0
Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: fded:348b:d56:0:24f2:a36a:2866:eda5 appeared on eth0
Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: fded:348b:d56:0:3ada:24bd:3ad5:c976 appeared on wlan0
Oct 21 10:40:13 raspberrypi4B charon-systemd[549]: fded:348b:d56::356 appeared on eth0
Oct 21 10:40:13 raspberrypi4B charon-systemd[549]: fded:348b:d56::c1f appeared on wlan0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: 192.168.0.233 appeared on eth0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: 192.168.0.236 appeared on wlan0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56:0:24f2:a36a:2866:eda5 on eth0
Oct 21 10:40:17 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56::356 on eth0
Oct 21 10:40:17 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56:0:3ada:24bd:3ad5:c976 on wlan0
Oct 21 10:40:18 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56::c1f on wlan0
```

Done

System Info

```
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Linux raspberrypi4B 5.15.61-v8+ #1579 SMP PREEMPT Fri Aug 26 11:16:44 BST 2022 aarch64 GNU/Linux
```

*** apt-cache policy strongswan

```
strongswan:
  Installed: (none)
  Candidate: 5.9.1-1+deb11u3
  Version table:
     5.9.1-1+deb11u3 500
        500 http://security.debian.org/debian-security bullseye-security/main arm64 Packages
        500 http://security.debian.org/debian-security bullseye-security/main armhf Packages
     5.9.1-1+deb11u2 500
        500 http://deb.debian.org/debian bullseye/main arm64 Packages
        500 http://deb.debian.org/debian bullseye/main armhf Packages
```

systemctl status strongswan

```
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
     Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-10-21 10:40:08 BST; 1min 39s ago
    Process: 711 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
   Main PID: 549 (charon-systemd)
     Status: "charon-systemd running, strongSwan 5.9.1, Linux 5.15.61-v8+, aarch64"
      Tasks: 17 (limit: 4164)
        CPU: 1.091s
     CGroup: /system.slice/strongswan.service
             └─549 /usr/sbin/charon-systemd

Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: fded:348b:d56:0:24f2:a36a:2866:eda5 appeared on eth0
Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: fded:348b:d56:0:3ada:24bd:3ad5:c976 appeared on wlan0
Oct 21 10:40:13 raspberrypi4B charon-systemd[549]: fded:348b:d56::356 appeared on eth0
Oct 21 10:40:13 raspberrypi4B charon-systemd[549]: fded:348b:d56::c1f appeared on wlan0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: 192.168.0.233 appeared on eth0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: 192.168.0.236 appeared on wlan0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56:0:24f2:a36a:2866:eda5 on eth0
Oct 21 10:40:17 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56::356 on eth0
Oct 21 10:40:17 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56:0:3ada:24bd:3ad5:c976 on wlan0
Oct 21 10:40:18 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56::c1f on wlan0
```

pistrong config

| Config Key | Value | Description |
|---|---|---|
| calife | 3650 | CA Lifetime [3650 days] |
| cnsuffix | @. | Suffix for user cert names |
| crllife | 7 | Cert Revocation List lifetime [7 days] |
| lxscript | pistrong-vpn-installer | Linux VPN Config Pack script name |
| mailfrom | @. | 'From' string for cert email |
| myfqdn | raspberrypi4B.stirlingroad.duckdns.org | VPN host FQDN (Fully Qualified Domain Name) |
| random | 1 | Generate random cert passwords |
| rootca | strongSwan | String for root CA name [strongSwan] |
| service | strongswan.service | strongSwan service name |
| smtpport | 587 | SMTP mail server port |
| smtpserver | smtp.gmail.com | SMTP mail server IP address or name |
| smtpusetls | 1 | SMTP Mail use TLS auth |
| swancertpfx | strongSwan | CA Cert name prefix [strongSwan] |
| swandir | /etc/swanctl | System directory for strongSwan [/etc/swanctl] |
| uclife | 730 | User Cert Lifetime [730 days] |
| validids | android.stirlingroad.duckdns.org,ios.stirlingroad.duckdns.org,linux.stirlingroad.duckdns.org,windows.stirlingroad.duckdns.org | Valid SAN Keys |
| version | 3 | Database version |
| vpnaddr | stirlingroad.duckdns.org | VPN Server Address (IP or DNS) |
| vpncertpfx | ios | VPN Cert name prefix [default] |
| vpnsankey | ios.stirlingroad.duckdns.org | Default VPN SAN key |
| webdir | /var/www/html/vpn | Directory in file system corresponding to weburl |
| weburl | http://raspberrypi4B.stirlingroad.duckdns.org/vpn | Web URL on which to append cert name |

pistrong showca

```
[CA Certificate /etc/swanctl/x509ca/strongSwanCACert.pem]
  subject:   "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Sep 29 16:02:04 2022, ok
             not after  Sep 26 16:02:04 2032, ok (expires in 3628 days)
  serial:    79:d6:73:65:41:db:a9:ec
  flags:     CA CRLSign self-signed
  subjkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  pubkey:    RSA 4096 bits
  keyid:     6e:d9:38:09:aa:80:70:28:36:55:2d:09:ce:a3:7b:12:d6:ed:63:ed
  subjkey:   ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89

[VPN Host Certificate /etc/swanctl/x509/android-strongSwanVPNCert.pem]
  subject:   "C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Sep 29 16:02:06 2022, ok
             not after  Sep 26 16:02:06 2032, ok (expires in 3628 days)
  serial:    6a:e4:47:e8:06:95:e9:51
  altNames:  android.stirlingroad.duckdns.org, stirlingroad.duckdns.org, stirlingroad.duckdns.org
  flags:     serverAuth ikeIntermediate
  authkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  subjkeyId: 0b:95:b0:cc:ab:fe:a7:33:11:ac:d4:b8:39:a3:81:b9:19:96:1e:d8
  pubkey:    RSA 4096 bits
  keyid:     fc:19:77:c0:10:74:f2:7f:61:98:20:09:30:f9:26:bd:f9:94:41:ee
  subjkey:   0b:95:b0:cc:ab:fe:a7:33:11:ac:d4:b8:39:a3:81:b9:19:96:1e:d8

[VPN Host Certificate /etc/swanctl/x509/ios-strongSwanVPNCert.pem]
  subject:   "C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Sep 29 16:02:08 2022, ok
             not after  Sep 26 16:02:08 2032, ok (expires in 3628 days)
  serial:    51:82:cb:5d:13:16:f3:ca
  altNames:  ios.stirlingroad.duckdns.org, stirlingroad.duckdns.org, stirlingroad.duckdns.org
  flags:     serverAuth ikeIntermediate
  authkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  subjkeyId: 2e:c9:b2:44:f3:9f:c1:2e:a1:be:48:ad:64:e7:9d:e8:09:54:6d:14
  pubkey:    RSA 4096 bits
  keyid:     10:9e:8d:40:37:90:8e:54:12:4a:ef:bc:a0:0e:7a:6c:42:27:88:03
  subjkey:   2e:c9:b2:44:f3:9f:c1:2e:a1:be:48:ad:64:e7:9d:e8:09:54:6d:14

[VPN Host Certificate /etc/swanctl/x509/linux-strongSwanVPNCert.pem]
  subject:   "C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Sep 29 16:02:16 2022, ok
             not after  Sep 26 16:02:16 2032, ok (expires in 3628 days)
  serial:    68:4e:90:47:2f:1f:e8:07
  altNames:  linux.stirlingroad.duckdns.org, stirlingroad.duckdns.org, stirlingroad.duckdns.org
  flags:     serverAuth ikeIntermediate
  authkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  subjkeyId: 2f:0c:2a:0a:da:e0:fe:38:6c:f6:52:f1:62:07:19:e6:0f:bb:01:84
  pubkey:    RSA 4096 bits
  keyid:     ea:51:4c:45:96:ed:89:4b:64:1c:d7:b2:8c:c8:13:8c:70:a7:38:33
  subjkey:   2f:0c:2a:0a:da:e0:fe:38:6c:f6:52:f1:62:07:19:e6:0f:bb:01:84

[VPN Host Certificate /etc/swanctl/x509/windows-strongSwanVPNCert.pem]
  subject:   "C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Sep 29 16:02:20 2022, ok
             not after  Sep 26 16:02:20 2032, ok (expires in 3628 days)
  serial:    25:2b:47:6d:f9:f1:7b:f2
  altNames:  windows.stirlingroad.duckdns.org, stirlingroad.duckdns.org, stirlingroad.duckdns.org
  flags:     serverAuth ikeIntermediate
  authkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  subjkeyId: 67:ce:e9:56:f8:48:52:9a:02:cc:2b:96:75:c3:40:8b:2f:f6:57:f3
  pubkey:    RSA 4096 bits
  keyid:     d3:53:13:fd:f5:aa:8c:f4:e8:ef:f4:60:b3:45:cf:ca:c3:06:33:db
  subjkey:   67:ce:e9:56:f8:48:52:9a:02:cc:2b:96:75:c3:40:8b:2f:f6:57:f3
```

pistrong list --full

```
V hjc-oneplus 2022-10-18:14:14:57 strongSwan ios.stirlingroad.duckdns.org 1gNWLZDQyf6k6GD7eh6SlZwGW0mPtoP
  subject:   "C=US, O=raspberrypi4B-strongSwan, @.@cnsuffix"
  issuer:    "C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA"
  validity:  not before Oct 18 14:14:56 2022, ok
             not after  Oct 17 14:14:56 2024, ok (expires in 727 days)
  serial:    41:35:4a:b2:15:28:45:17
  altNames:  @.@cnsuffix
  flags:
  authkeyId: ab:2c:f4:2f:bc:e0:02:ea:87:df:56:06:11:ab:be:2a:f4:6c:47:89
  subjkeyId: db:3d:3a:7e:60:61:ed:7b:12:26:e2:fc:0f:e3:ba:9d:12:eb:81:8f
  pubkey:    RSA 2048 bits
  keyid:     1b:2d:f9:b7:5a:f3:60:4b:38:dd:26:cf:2f:8f:f9:56:69:6b:a0:9c
  subjkey:   db:3d:3a:7e:60:61:ed:7b:12:26:e2:fc:0f:e3:ba:9d:12:eb:81:8f
```

/etc/swanctl/pistrong/makeCA.log

```
date: 2022-09-29 16:02:21
version: V3.1
dnsoffline: 0
unkvpndns: 0
thishost: raspberrypi4B
thisdomain: stirlingroad.duckdns.org
thisfqdn: raspberrypi4B.stirlingroad.duckdns.org
vpnaddrhasname: 0
vpnaddr: stirlingroad.duckdns.org
vpndev: eth0
landev: eth0
myipaddr: 192.168.0.233
emyipaddr: 192.168.0.233
mysubnetx: 192.168.0
myfullsubnet: 192.168.0.0/24
vpnsubnet: 10.1.10.0/24
vpndns: 192.168.0.1
cnsuffix: @.***
webdir: /var/www/html/vpn
weburl: http://raspberrypi4B.stirlingroad.duckdns.org/vpn
san2x: stirlingroad.duckdns.org,stirlingroad.duckdns.org
android: android
androidkey: android.stirlingroad.duckdns.org
ios: ios
ioskey: ios.stirlingroad.duckdns.org
linux: linux
linuxkey: linux.stirlingroad.duckdns.org
windows: windows
winkey: windows.stirlingroad.duckdns.org
```

/etc/swanctl/conf.d/pistrong-CAServerConnection.conf

```
# Configuration written by pistrong makeMyCA V3.1 on Thu 29 Sep 2022 04:02:21 PM BST

conn-defaults {
    version = 2
    send_certreq = yes
    send_cert = always
    unique = never
    fragmentation = yes
    # Force esp encapsulation for restrictive firewalls
    encap = yes
    dpd_delay = 120s
    rekey_time = 0s
    pools = primary-pool-ipv4
    local {
        auth = pubkey
        cacerts = strongSwanCACert.pem
    }
}

remote-defaults {
    remote {
        id = %any
    }
}

child-defaults {
    net {
        dpd_action = clear
        rekey_time = 0s
        updown = /usr/lib/ipsec/_updown iptables
    }
}

connections {
    conn-android: conn-defaults, remote-defaults {
        proposals = aes256-aes192-aes128-sha384-sha256-sha1-modp3072-modp2048-modp1536
        local {
            certs = android-strongSwanVPNCert.pem
            id = android.stirlingroad.duckdns.org
        }
        children {
            net : child-defaults {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
    }

    conn-windows: conn-defaults, remote-defaults {
        proposals = aes256-sha256-modp1024
        local {
            certs = windows-strongSwanVPNCert.pem
            id = windows.stirlingroad.duckdns.org
        }
        children {
            net : child-defaults {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256-sha1-modp1024
            }
        }
    }

    conn-linux: conn-defaults, remote-defaults {
        proposals = aes192-sha256-modp3072
        local {
            certs = linux-strongSwanVPNCert.pem
            id = linux.stirlingroad.duckdns.org
        }
        remote {
            auth = pubkey
        }
        children {
            net : child-defaults {
                local_ts = 0.0.0.0/0
                esp_proposals = aes128gcm128-x25519
            }
        }
    }

    conn-ios : conn-defaults, remote-defaults {
        proposals = aes256-sha256-modp2048, aes256-sha256-modp1024,aes256-sha1-modp1024
        local {
            certs = ios-strongSwanVPNCert.pem
            id = ios.stirlingroad.duckdns.org
        }
        remote {
            auth = eap-tls
        }
        children {
            net : child-defaults {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 10.1.10.0/24
        dns = 192.168.0.1
    }
}
```

ls -l /etc/swanctl

```
/etc/swanctl:
total 80
drwx------ 2 root root  4096 Jan 21  2022 bliss
drwxr-xr-x 2 root root  4096 Sep 29 16:02 conf.d
drwx------ 2 root root  4096 Jan 21  2022 ecdsa
drwxr-x--- 2 root root  4096 Oct 18 14:14 p12
drwxr-xr-x 6 root root  4096 Oct 18 14:14 pistrong
drwxr-xr-x 2 root root  4096 Jan 21  2022 pkcs12
drwx------ 2 root root  4096 Jan 21  2022 pkcs8
drwx------ 2 root root  4096 Oct 18 14:14 private
drwxr-xr-x 2 root root  4096 Jan 21  2022 pubkey
drwx------ 2 root root  4096 Jan 21  2022 rsa
-rw-r--r-- 1 root root 16058 Jan 21  2022 swanctl.conf
drwxr-xr-x 2 root root  4096 Oct 18 14:14 x509
drwxr-xr-x 2 root root  4096 Jan 21  2022 x509aa
drwxr-xr-x 2 root root  4096 Jan 21  2022 x509ac
drwxr-xr-x 2 root root  4096 Sep 29 16:02 x509ca
drwxr-xr-x 2 root root  4096 Jan 21  2022 x509crl
drwxr-xr-x 2 root root  4096 Jan 21  2022 x509ocsp

/etc/swanctl/bliss:
total 0

/etc/swanctl/conf.d:
total 4
-rw-r--r-- 1 root root 2509 Sep 29 16:02 pistrong-CAServerConnection.conf

/etc/swanctl/ecdsa:
total 0

/etc/swanctl/p12:
total 8
-rw------- 1 root root 4537 Oct 18 14:14 hjc-oneplus-raspberrypi4B.p12

/etc/swanctl/pistrong:
total 36
drwxr-xr-x 2 root root 4096 Sep 29 15:44 backup
-rw------- 1 root root 3281 Oct 18 14:12 bak-pistrongdb.json
-rw-r--r-- 1 root root  554 Sep 29 16:02 CA-iptables
drwx------ 2 root root 4096 Sep 29 15:44 client-assets
-rw-r--r-- 1 root root  955 Sep 29 16:02 makeCA.log
-rw-r--r-- 1 root root  955 Sep 29 16:01 makeCA.log.bak
-rw------- 1 root root 3564 Oct 18 14:14 pistrongdb.json
drwx------ 2 root root 4096 Oct 18 14:14 server-assets
drwxr-xr-x 2 root root 4096 Sep 29 15:44 VPNClients

/etc/swanctl/pistrong/backup:
total 0

/etc/swanctl/pistrong/client-assets:
total 0

/etc/swanctl/pistrong/server-assets:
total 8
-rw-r--r-- 1 root root 6774 Oct 18 14:14 hjc-oneplus.zip

/etc/swanctl/pistrong/VPNClients:
total 0

/etc/swanctl/pkcs12:
total 0

/etc/swanctl/pkcs8:
total 0

/etc/swanctl/private:
total 24
-rw------- 1 root root 3247 Sep 29 16:02 android-strongSwanVPNKey.pem
-rw------- 1 root root 1675 Oct 18 14:14 hjc-oneplus-raspberrypi4BKey.pem
-rw------- 1 root root 3243 Sep 29 16:02 ios-strongSwanVPNKey.pem
-rw------- 1 root root 3243 Sep 29 16:02 linux-strongSwanVPNKey.pem
-rw------- 1 root root 3243 Sep 29 16:02 strongSwanCAKey.pem
-rw------- 1 root root 3243 Sep 29 16:02 windows-strongSwanVPNKey.pem

/etc/swanctl/pubkey:
total 0

/etc/swanctl/rsa:
total 0

/etc/swanctl/x509:
total 20
-rw-r--r-- 1 root root 2102 Sep 29 16:02 android-strongSwanVPNCert.pem
-rw-r--r-- 1 root root 1688 Oct 18 14:14 hjc-oneplus-raspberrypi4BCert.pem
-rw-r--r-- 1 root root 2098 Sep 29 16:02 ios-strongSwanVPNCert.pem
-rw-r--r-- 1 root root 2098 Sep 29 16:02 linux-strongSwanVPNCert.pem
-rw-r--r-- 1 root root 2102 Sep 29 16:02 windows-strongSwanVPNCert.pem

/etc/swanctl/x509aa:
total 0

/etc/swanctl/x509ac:
total 0

/etc/swanctl/x509ca:
total 4
-rw-r--r-- 1 root root 1960 Sep 29 16:02 strongSwanCACert.pem

/etc/swanctl/x509crl:
total 0

/etc/swanctl/x509ocsp:
total 0
```

IP information

```
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:94:69:21 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.233/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
       valid_lft 86321sec preferred_lft 75521sec
    inet6 fded:348b:d56::356/128 scope global dynamic noprefixroute
       valid_lft 43118sec preferred_lft 43118sec
    inet6 fded:348b:d56:0:24f2:a36a:2866:eda5/64 scope global mngtmpaddr noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::8b2c:bbcf:b728:c913/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether dc:a6:32:94:69:22 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.236/24 brd 192.168.0.255 scope global dynamic noprefixroute wlan0
       valid_lft 86321sec preferred_lft 75521sec
    inet6 fded:348b:d56::c1f/128 scope global dynamic noprefixroute
       valid_lft 43118sec preferred_lft 43118sec
    inet6 fded:348b:d56:0:3ada:24bd:3ad5:c976/64 scope global mngtmpaddr noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::d88e:66cd:4726:562f/64 scope link
       valid_lft forever preferred_lft forever
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.147.219.1/24 scope global wg0
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.8.0.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::4bcd:632:21dd:3df9/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:1b:d9:8b:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

ip r
default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.233 metric 202
default via 192.168.0.1 dev wlan0 proto dhcp src 192.168.0.236 metric 303
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.147.219.0/24 dev wg0 proto kernel scope link src 10.147.219.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev eth0 proto dhcp scope link src 192.168.0.233 metric 202
192.168.0.0/24 dev wlan0 proto dhcp scope link src 192.168.0.236 metric 303

ip r show table 220
```

iptables filter table

```
Chain INPUT (policy ACCEPT 514 packets, 176K bytes)
 pkts bytes target     prot opt in     out     source               destination
  194 31723 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* wireguard-input-rule */
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  152  9966 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  152  9966 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
  152  9966 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   wg0     0.0.0.0/0            10.147.219.0/24      ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
    0     0 ACCEPT     all  --  wg0    eth0    10.147.219.0/24      0.0.0.0/0            /* wireguard-forward-rule */
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 406 packets, 39876 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
  152  9966 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  152  9966 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

iptables nat table Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
6 429 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
0 0 DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 140 packets, 9398 bytes) pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- !docker0 172.17.0.0/16 0.0.0.0/0
0 0 ACCEPT all --
eth0 10.1.10.0/24 0.0.0.0/0 policy match dir out pol ipsec 0 0 MASQUERADE all -- * eth0 10.1.10.0/24 0.0.0.0/0

Chain DOCKER (2 references) pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0

journalctl
Oct 21 10:40:05 raspberrypi4B systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded 0 RADIUS server configurations
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: HA config misses local/remote address
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded plugins: charon-systemd aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark farp vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: dropped capabilities, running as uid 0, gid 0
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: spawning 16 worker threads
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, @.***@cnsuffix'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, CN=raspberrypi4B.stirlingroad.duckdns.org'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded certificate 'C=US, O=raspberrypi4B-strongSwan, CN=strongSwan raspberrypi4B Root CA'
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:07 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: loaded ANY private key
Oct 21 10:40:08 raspberrypi4B swanctl[711]: no authorities found, 0 unloaded
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: added vici pool primary-pool-ipv4: 10.1.10.0, 254 entries
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: added vici connection: conn-android
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: added vici connection: conn-windows
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: added vici connection: conn-linux
Oct 21 10:40:08 raspberrypi4B charon-systemd[549]: added vici connection: conn-ios
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509/windows-strongSwanVPNCert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509/android-strongSwanVPNCert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509/hjc-oneplus-raspberrypi4BCert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509/ios-strongSwanVPNCert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509/linux-strongSwanVPNCert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded certificate from '/etc/swanctl/x509ca/strongSwanCACert.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/hjc-oneplus-raspberrypi4BKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/android-strongSwanVPNKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/linux-strongSwanVPNKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/ios-strongSwanVPNKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/windows-strongSwanVPNKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded private key from '/etc/swanctl/private/strongSwanCAKey.pem'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded pool 'primary-pool-ipv4'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: successfully loaded 1 pools, 0 unloaded
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded connection 'conn-android'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded connection 'conn-windows'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded connection 'conn-linux'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: loaded connection 'conn-ios'
Oct 21 10:40:08 raspberrypi4B swanctl[711]: successfully loaded 4 connections, 0 unloaded
Oct 21 10:40:08 raspberrypi4B systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Oct 21 10:40:10 raspberrypi4B charon-systemd[549]: fe80::8b2c:bbcf:b728:c913 appeared on eth0
Oct 21 10:40:10 raspberrypi4B charon-systemd[549]: 172.17.0.1 appeared on docker0
Oct 21 10:40:10 raspberrypi4B charon-systemd[549]: interface docker0 activated
Oct 21 10:40:11 raspberrypi4B charon-systemd[549]: fe80::d88e:66cd:4726:562f appeared on wlan0
Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: flags changed for fe80::8b2c:bbcf:b728:c913 on eth0
Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: flags changed for fe80::d88e:66cd:4726:562f on wlan0
Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: fded:348b:d56:0:24f2:a36a:2866:eda5 appeared on eth0
Oct 21 10:40:12 raspberrypi4B charon-systemd[549]: fded:348b:d56:0:3ada:24bd:3ad5:c976 appeared on wlan0
Oct 21 10:40:13 raspberrypi4B charon-systemd[549]: fded:348b:d56::356 appeared on eth0
Oct 21 10:40:13 raspberrypi4B charon-systemd[549]: fded:348b:d56::c1f appeared on wlan0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: 192.168.0.233 appeared on eth0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: 192.168.0.236 appeared on wlan0
Oct 21 10:40:16 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56:0:24f2:a36a:2866:eda5 on eth0
Oct 21 10:40:17 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56::356 on eth0
Oct 21 10:40:17 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56:0:3ada:24bd:3ad5:c976 on wlan0
Oct 21 10:40:18 raspberrypi4B charon-systemd[549]: flags changed for fded:348b:d56::c1f on wlan0

Done

gitbls commented 2 years ago

Hi, I'm back. I see that this issue is closed. Did you resolve it? If not, please re-open and LMK the current status. Thanks

echinida commented 2 years ago

Not resolved yet. Will try to reopen when on computer.


echinida commented 2 years ago

Now reopened, I have not attempted to resolve it since we were last in touch. Thanks for your interest and let me know if I can provide further information.

gitbls commented 2 years ago

I have a configuration set up as:

+--------+                                              +--------+
|    pi3  | <-------router1-------><-------router2----->|    pi4 |
+--------+                                              +--------+

configuration:
Pi3: IP=192.168.16.2
Router1 LAN IP: 192.168.16.1
Router1 WAN IP: 2.2.2.2

Pi4: IP=192.168.32.2
Router2 LAN IP: 192.168.32.2
Router2 WAN IP: 2.2.2.3

The Pis are set up as a site-to-site tunnel, which is different than the client/server VPN you configured, but the iptables rules are similar.

On this configuration I'm able to bring up BOTH wg and strongswan tunnels, at the same time.

Traffic passes fine between them. Pi3 is able to ping the wg private address of Pi4 (10.8.0.2), and also the remote LAN address of the Pi over strongswan.

I can't add a client/server VPN to this configuration at the moment, and it will be a while before I am able to do so. With that said, besides the client/server VPN difference, I note that you also have docker installed.

WRT openvpn, the only thing I know about it is that it is the slowest and most complex by far of wg/strongswan/ovpn. I don't have the time to chase down any ovpn-related issues.

So, here are some things we can try with your system to help nail it down.

  1. Shut down all VPNs on the server
  2. Start wg server
  3. grab the output from sudo iptables -L -v -n > iptables-wg-no-traffic.txt and sudo iptables -t nat -L -v -n >> iptables-wg-no-traffic.txt
  4. Connect to the wg server
  5. While the connection is up and passing traffic generated from the remote end, grab the output from sudo iptables -L -v -n > iptables-wg-with-traffic.txt and sudo iptables -t nat -L -v -n >> iptables-wg-with-traffic.txt
  6. Stop wg server
  7. Start the strongswan server and grab the iptables outputs as above, but obviously to a different file
  8. Start the wg server and grab the iptables outputs again, and again, to another different file
  9. Post those files here

If you can do all of the above without docker started, that would be EXTREMELY helpful. I'm not convinced that docker is the culprit, but docker does mess with iptables and adds a level of complexity that I simply don't have time to muck with.
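
The procedure above produces pairs of `iptables -L -v -n` / `iptables -t nat -L -v -n` files whose only interesting difference is which rule counters moved. The script below is an added example, not part of pistrong, pivpn, strongSwan or this thread: it parses that dump format, reports the rules whose packet counters rose between a "no traffic" and a "with traffic" capture, and, for the nat table, checks that the `policy match dir out pol ipsec` ACCEPT for a client pool sits before its MASQUERADE, which is the order the pscollect output earlier in this issue shows for 10.1.10.0/24. The embedded captures are constructed from the rule set posted here with invented counter values; the K/M/G handling exists because iptables abbreviates large counters unless `-x` is given.

```python
"""Compare iptables counters between two `iptables -L -v -n` captures.

Added example for the capture procedure in this issue; not part of pistrong,
pivpn or strongSwan. The sample captures are constructed from the rule set
posted in the thread, with invented counter values.
"""
import re
from dataclasses import dataclass

CHAIN_RE = re.compile(r"^Chain (\S+) \(")


@dataclass(frozen=True)
class Rule:
    chain: str
    index: int      # 1-based position within its chain
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str      # match text after the destination column


def _to_int(s):
    # iptables abbreviates large counters (176K, 9075K) unless -x is given
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)


def parse_iptables(text):
    """Return {Rule: (pkts, bytes)} for one dump. Counters stay out of the
    key so the same rule can be looked up again in a later capture."""
    counters, chain, idx = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            chain, idx = m.group(1), 0
            continue
        if not line or line.startswith("pkts") or chain is None:
            continue
        cols = line.split(None, 9)
        if len(cols) < 9:
            continue        # wrapped or truncated line: skip rather than guess
        pkts, byts, target, proto, _opt, in_if, out_if, src, dst = cols[:9]
        extra = cols[9] if len(cols) > 9 else ""
        idx += 1
        rule = Rule(chain, idx, target, proto, in_if, out_if, src, dst, extra)
        counters[rule] = (_to_int(pkts), _to_int(byts))
    return counters


def diff_counters(before, after):
    """[(rule, delta_pkts, delta_bytes)] for rules whose packet counter rose,
    sorted by chain and position. Rules present in only one capture are
    ignored: a VPN was started or stopped in between, as the procedure intends."""
    hits = []
    for rule, (p1, b1) in before.items():
        if rule in after and after[rule][0] > p1:
            p2, b2 = after[rule]
            hits.append((rule, p2 - p1, b2 - b1))
    return sorted(hits, key=lambda h: (h[0].chain, h[0].index))


def ipsec_nat_order_ok(nat, src_net):
    """True if the 'policy match dir out pol ipsec' ACCEPT for src_net comes
    before its MASQUERADE in POSTROUTING. Were the MASQUERADE first, packets
    bound for the IPsec tunnel would be source-NATed before the kernel's policy
    lookup, no longer match the policy selector, and not be carried by it."""
    post = [r for r in nat if r.chain == "POSTROUTING" and r.source == src_net]
    exempt = [r.index for r in post if r.target == "ACCEPT" and "pol ipsec" in r.extra]
    masq = [r.index for r in post if r.target == "MASQUERADE"]
    return bool(exempt) and bool(masq) and min(exempt) < min(masq)


# Constructed captures: filter table before/after WireGuard traffic, and a nat table.
FILTER_BEFORE = """\
Chain INPUT (policy ACCEPT 4692 packets, 1604K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
 9199 4335K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* wireguard-input-rule */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8912 9075K ACCEPT     all  --  eth0   wg0     0.0.0.0/0            10.147.219.0/24      ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
 8283 3661K ACCEPT     all  --  wg0    eth0    10.147.219.0/24      0.0.0.0/0            /* wireguard-forward-rule */
"""
FILTER_AFTER = (FILTER_BEFORE.replace("9199 4335K", "9560 4534K")
                .replace("8912 9075K", "9271 9500K").replace("8283 3661K", "8600 3800K"))
NAT_TABLE = """\
Chain POSTROUTING (policy ACCEPT 140 packets, 9398 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      !docker0 172.17.0.0/16       0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    10.1.10.0/24         0.0.0.0/0            policy match dir out pol ipsec
    0     0 MASQUERADE all  --  *      eth0    10.1.10.0/24         0.0.0.0/0
"""

if __name__ == "__main__":
    for rule, dp, db in diff_counters(parse_iptables(FILTER_BEFORE), parse_iptables(FILTER_AFTER)):
        print(f"{rule.chain}#{rule.index} {rule.target} {rule.in_if}->{rule.out_if} "
              f"{rule.source} -> {rule.dest}: +{dp} pkts, +{db} bytes")
    print("ipsec exemption before MASQUERADE:", ipsec_nat_order_ok(parse_iptables(NAT_TABLE), "10.1.10.0/24"))
```

To use it on real captures, read the two files produced at steps 3 and 5 and pass their contents to `parse_iptables` in place of the constructed strings; rules are keyed by chain, position and match fields, so a rule that changes position between captures (for instance after wg-quick re-inserts its rules) is reported as absent rather than diffed against the wrong neighbour.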

echinida commented 2 years ago

Thanks, I'll follow your suggestions ASAP. As a quick attempt I removed Docker from the Pi as I ended up never using it, but that had no effect. openvpn is only there in case UDP is blocked, and my GL.iNet travel router can only handle wireguard and openvpn as a client.


echinida commented 2 years ago

Hope these are the files you asked for. I'm not sure I managed to shut wg down before starting. It was installed using pivpn and I'm not sure what the service is called. The pistrong firewall rules were in operation.


Capture 1, filter table:
Chain INPUT (policy ACCEPT 4692 packets, 1604K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
 9199 4335K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* wireguard-input-rule */
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0
 8912 9075K ACCEPT     all  --  eth0   wg0     0.0.0.0/0            10.147.219.0/24      ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
 8283 3661K ACCEPT     all  --  wg0    eth0    10.147.219.0/24      0.0.0.0/0            /* wireguard-forward-rule */
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 11669 packets, 9954K bytes)
 pkts bytes target     prot opt in     out     source               destination

Capture 1, nat table:
Chain PREROUTING (policy ACCEPT 468 packets, 83840 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 164 packets, 26108 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 37 packets, 2706 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 37 packets, 2706 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0
  297 56762 MASQUERADE  all  --  *      eth0    10.147.219.0/24      0.0.0.0/0            /* wireguard-nat-rule */
    0     0 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0

Capture 2, filter table:
Chain INPUT (policy ACCEPT 2933 packets, 1271K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
 1345  309K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* wireguard-input-rule */
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0
 2740 2648K ACCEPT     all  --  eth0   wg0     0.0.0.0/0            10.147.219.0/24      ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
 1330  218K ACCEPT     all  --  wg0    eth0    10.147.219.0/24      0.0.0.0/0            /* wireguard-forward-rule */
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3506 packets, 2893K bytes)
 pkts bytes target     prot opt in     out     source               destination

Capture 2, nat table:
Chain PREROUTING (policy ACCEPT 216 packets, 45837 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 105 packets, 17461 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 37 packets, 2706 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 37 packets, 2706 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0
  104 27406 MASQUERADE  all  --  *      eth0    10.147.219.0/24      0.0.0.0/0            /* wireguard-nat-rule */
    0     0 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0

Capture 3, filter table:
Chain INPUT (policy ACCEPT 665 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
  374 71948 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* wireguard-input-rule */
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   wg0     0.0.0.0/0            10.147.219.0/24      ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
  360 45195 ACCEPT     all  --  wg0    eth0    10.147.219.0/24      0.0.0.0/0            /* wireguard-forward-rule */
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 184 packets, 22918 bytes)
 pkts bytes target     prot opt in     out     source               destination

Capture 3, nat table:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 277 packets, 22843 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    10.1.10.0/24         0.0.0.0/0            policy match dir out pol ipsec
    0     0 MASQUERADE  all  --  *      eth0    10.1.10.0/24         0.0.0.0/0

Capture 4, filter table:
Chain INPUT (policy ACCEPT 3381 packets, 1360K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
 7114 2039K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* wireguard-input-rule */
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0
 7477 8897K ACCEPT     all  --  eth0   wg0     0.0.0.0/0            10.147.219.0/24      ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
 6921 1533K ACCEPT     all  --  wg0    eth0    10.147.219.0/24      0.0.0.0/0            /* wireguard-forward-rule */
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 10134 packets, 9660K bytes)
 pkts bytes target     prot opt in     out     source               destination

Capture 4, nat table:
Chain PREROUTING (policy ACCEPT 393 packets, 73931 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 119 packets, 19335 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 37 packets, 2706 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 37 packets, 2706 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0
  267 53626 MASQUERADE  all  --  *      eth0    10.147.219.0/24      0.0.0.0/0            /* wireguard-nat-rule */
    0     0 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0

gitbls commented 1 year ago

Closing for lack of a repro. OP, if you can provide a repro on a clean system so that I can replicate it here, please re-open with all details.