make;
make install;

some notes to myself

pfSense & Ubuntu/Strongswan for VPN

Written on February 23, 2017

Given the current political climate and the dim future for the FCC’s broadband privacy rules, I decided to set up my pfSense box so that internet traffic gets routed over an IPsec connection to a remote Ubuntu VM. This will help to conceal browsing information from my ISP. I also disabled the auto-generated outbound NAT rules so that if the VM goes down, traffic won’t get automatically directed in the clear through my ISP. Currently I am using DigitalOcean, but given that they could log traffic under the same laws as Comcast (I am definitely not a lawyer, but sometimes it’s best just to assume the worst), I will likely end up choosing a provider based in Europe.

The details for the pfSense side…

Go to VPN / IPsec / Tunnels / Phase 1:

Key Exchange version: V2
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: IP of Strongswan server

Authentication Method: Mutual RSA
My identifier: My IP address
Peer identifier: Peer IP address
My Certificate: #select cert
Peer Certificate: #select CA

Encryption Algorithm: AES256-GCM 128 bits
Hash Algorithm: SHA512
DH Group: 18 (8192 bit)

Go to VPN / IPsec / Tunnels / Phase 2:

Mode: Tunnel IPv4
Local Network: OPT2 subnet
NAT/BINAT translation: None
Remote Network: Network 0.0.0.0/0

Protocol: ESP
Encryption Algorithms: AES256-GCM 128 bits
Hash Algorithms: SHA512
PFS key group: 18 (8192 bit)

Go to Firewall / NAT / Outbound and select “Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)”. Then, disable the rules corresponding to the subnets using the VPN (in my case, these are the OPT1 and OPT2 subnets).

On the Ubuntu server, create a new user & group and build strongswan so that the IKE daemon drops privileges after starting:

./configure --prefix=/usr/local --sysconfdir=/etc --with-user=ustrongswan --with-group=ustrongswan --enable-aesni --enable-gcm --with-capabilities=native

Ubuntu server’s /etc/ipsec.conf:

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
    keyexchange=ikev2
    leftfirewall=yes
    auto=add
    right=%any
    leftsubnet=0.0.0.0/0
    left= #server's IP
    ike=aes256gcm128-sha512-modp8192!
    esp=aes256gcm128-sha512-modp8192!
    leftcert=vpn_server.crt
    rightcert=router.crt

conn opt1-vpn
    rightsubnet=192.168.2.0/24

conn opt2-vpn
    rightsubnet=192.168.3.0/24

Add firewall rules for forwarding traffic:

sudo iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -d 192.168.3.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.3.0/24 -j ACCEPT

To enable IPv4 forwarding, make sure the following line in /etc/sysctl.conf is uncommented:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Then run ‘sudo sysctl -p’.

If you find that some websites are loading and others aren’t, you may be running into MTU issues. You can confirm by setting the interface MTU to something lower:

ip link set dev eth0 mtu 1472
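
Where the MTU problem comes from, as an added example that is not part of the original post: the per-packet ESP overhead of the aes256gcm128 tunnel-mode proposal configured above, and the largest inner packet and TCP MSS that fit in a given outer MTU. It assumes an IPv4 outer header without options; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Byte counts follow RFC 4303 (ESP)
# and RFC 4106 (AES-GCM in ESP); function names are hypothetical.

OUTER_IP=20     # outer IPv4 header, assumed to carry no options
NATT_UDP=8      # UDP header, present only with NAT-T (UDP/4500) encapsulation
ESP_HDR=8       # SPI (4) + sequence number (4)
GCM_IV=8        # explicit IV sent in every packet
GCM_ICV=16      # 128-bit integrity check value (the "128" in aes256gcm128)
ESP_TRAILER=2   # pad length (1) + next header (1)
ALIGN=4         # the ESP trailer must end on a 4-byte boundary

# max_inner_packet OUTER_MTU NATT(0|1)
# Largest inner IPv4 packet that fits in one unfragmented ESP packet.
max_inner_packet() {
    fixed=$((OUTER_IP + ESP_HDR + GCM_IV + GCM_ICV))
    if [ "$2" -eq 1 ]; then
        fixed=$((fixed + NATT_UDP))
    fi
    # What is left holds inner packet + padding + trailer, rounded down to
    # a multiple of ALIGN; the trailer then comes out of that.
    room=$(( ($1 - fixed) / ALIGN * ALIGN ))
    echo $((room - ESP_TRAILER))
}

# tcp_mss OUTER_MTU NATT(0|1)
# Largest TCP payload per segment inside the tunnel
# (20-byte IPv4 and 20-byte TCP headers, no options).
tcp_mss() {
    echo $(( $(max_inner_packet "$1" "$2") - 20 - 20 ))
}

for mtu in 1500 1472; do
    echo "outer MTU $mtu: inner packet <= $(max_inner_packet "$mtu" 0)," \
         "TCP MSS <= $(tcp_mss "$mtu" 0)"
done
```

Pass 1 as the second argument when the tunnel is UDP-encapsulated (NAT-T), which costs another 8 bytes per packet.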