Written on February 23, 2017
Given the current political climate and the dim future for the FCC’s broadband privacy rules, I decided to set up my pfSense box so that internet traffic gets routed over an IPsec connection to a remote Ubuntu VM. This will help to conceal browsing information from my ISP. I also disabled the auto-generated outbound NAT rules so that if the VM goes down, traffic won’t automatically be sent in the clear through my ISP. Currently I am using DigitalOcean, but given that they could log traffic under the same laws as Comcast (I am definitely not a lawyer, but sometimes it’s best just to assume the worst), I will likely end up choosing a provider based in Europe.
The details for the pfSense side…
Go to VPN / IPsec / Tunnels / Phase 1:
Key Exchange version: V2
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: IP of Strongswan server
Authentication Method: Mutual RSA
My identifier: My IP address
Peer identifier: Peer IP address
My Certificate: #select cert
Peer Certificate: #select CA
Encryption Algorithm: AES256-GCM 128 bits
Hash Algorithm: SHA512
DH Group: 18 (8192 bit)
Go to VPN / IPsec / Tunnels / Phase 2:
Mode: Tunnel IPv4
Local Network: OPT2 subnet
NAT/BINAT translation: None
Remote Network: Network 0.0.0.0/0
Protocol: ESP
Encryption Algorithms: AES256-GCM 128 bits
Hash Algorithms: SHA512
PFS key group: 18 (8192 bit)
Go to Firewall / NAT / Outbound and select “Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)”. Then, disable the rules corresponding to the subnets using the VPN (in my case, these are the OPT1 and OPT2 subnets).
On the Ubuntu server, create a new user and group, then build strongSwan with the options below so that the IKE daemon drops privileges to that user after starting (native capabilities keep only what it needs):
./configure --prefix=/usr/local --sysconfdir=/etc --with-user=ustrongswan --with-group=ustrongswan --enable-aesni --enable-gcm --with-capabilities=native
Ubuntu server’s /etc/ipsec.conf:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    keyexchange=ikev2
    leftfirewall=yes
    auto=add
    right=%any
    leftsubnet=0.0.0.0/0
    left= #server's IP
    ike=aes256gcm128-sha512-modp8192!
    esp=aes256gcm128-sha512-modp8192!
    leftcert=vpn_server.crt
    rightcert=router.crt

conn opt1-vpn
    rightsubnet=192.168.2.0/24

conn opt2-vpn
    rightsubnet=192.168.3.0/24
Add firewall rules for forwarding and masquerading traffic from the two LAN subnets:
sudo iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -d 192.168.3.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.3.0/24 -j ACCEPT
To enable IPv4 forwarding, make sure the following line in /etc/sysctl.conf is uncommented:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Then run ‘sudo sysctl -p’.
If you find that some websites load and others don’t, you may be running into MTU issues (the ESP tunnel adds overhead, so a full-size 1500-byte packet from the LAN no longer fits). You can confirm this by temporarily setting the server interface’s MTU to a lower value:
ip link set dev eth0 mtu 1472
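The ESP overhead behind those MTU symptoms, as an added example that is not from the original post: it takes the Phase 2 settings above (IPv4 tunnel mode, AES-256-GCM with a 128-bit ICV) and computes the largest inner packet and TCP MSS that fit a given outer MTU, with and without NAT-T UDP encapsulation. Header sizes are the RFC 4303/4106 constants; the MTU values fed in are constructed inputs.

```python
# ESP (RFC 4303) tunnel-mode overhead calculator for the Phase 2 settings
# above: IPv4, AES-256-GCM with a 128-bit ICV (RFC 4106). Added example, not
# from the original post. Header sizes are RFC constants; the MTU values are
# illustrative inputs.

OUTER_IPV4_HDR = 20   # outer IPv4 header prepended in tunnel mode
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
AES_GCM_IV = 8        # explicit IV carried in every packet (RFC 4106)
AES_GCM_ICV = 16      # 128-bit integrity check value ("AES256-GCM 128 bits")
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)
UDP_ENCAP_HDR = 8     # extra UDP header when NAT traversal (UDP/4500) is active
INNER_IPV4_HDR = 20
TCP_HDR = 20


def max_inner_packet(outer_mtu: int, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet that fits one ESP datagram without fragmenting."""
    fixed = OUTER_IPV4_HDR + ESP_HDR + AES_GCM_IV + AES_GCM_ICV
    if nat_t:
        fixed += UDP_ENCAP_HDR
    available = outer_mtu - fixed
    # Payload plus trailer must be a multiple of 4 bytes (RFC 4303 section 2.4),
    # so round down to the alignment boundary before removing the trailer.
    return (available // 4) * 4 - ESP_TRAILER


def encapsulated_size(inner_len: int, nat_t: bool = False) -> int:
    """On-the-wire size of the ESP datagram carrying an inner packet of inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // 4) * 4   # round up to a 4-byte multiple
    size = OUTER_IPV4_HDR + ESP_HDR + AES_GCM_IV + padded + AES_GCM_ICV
    return size + UDP_ENCAP_HDR if nat_t else size


def tcp_mss(outer_mtu: int, nat_t: bool = False) -> int:
    """TCP MSS that LAN hosts should use so full-size segments traverse the tunnel."""
    return max_inner_packet(outer_mtu, nat_t) - INNER_IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for mtu in (1500, 1472):           # 1472 is the value tried in the post
        for nat_t in (False, True):
            print(f"outer MTU {mtu} nat_t={nat_t}: "
                  f"inner MTU {max_inner_packet(mtu, nat_t)}, "
                  f"TCP MSS {tcp_mss(mtu, nat_t)}, "
                  f"1500-byte LAN packet fits: {encapsulated_size(1500, nat_t) <= mtu}")
```

A 1500-byte LAN packet encapsulates to 1556 bytes, which is why sites that send full-size segments with DF set stall while small pages load.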