Jonkman Microblog
Conversation

  1. Kat MCP(NT4) MCSE(Win2K) (kat@mastodon.social)'s status on Tuesday, 04-Jun-2019 08:32:53 EDT

    I am thinking of changing my VPN to use wireguard on OpenWRT and Streisand on the server.

    Currently I use ipsec, but think it would make more sense to automate the process of deploying the remote end with some scripts, and I don't feel like writing my own.

    Also wireguard seems like it would take a lot of the complexity out of building an ipsec configuration, so... that's why I'm thinking about streisand and wireguard.

    In conversation Tuesday, 04-Jun-2019 08:32:53 EDT from mastodon.social
    1. Kat MCP(NT4) MCSE(Win2K) (kat@mastodon.social)'s status on Tuesday, 04-Jun-2019 08:39:45 EDT

      Also I might reflash the router to some more modern version of OpenWRT/LEDE ... if only I can remember what router it is, and how to do it.

      In conversation Tuesday, 04-Jun-2019 08:39:45 EDT from mastodon.social
    2. Kat MCP(NT4) MCSE(Win2K) (kat@mastodon.social)'s status on Friday, 07-Jun-2019 09:02:31 EDT

      I went with algo eventually - thanks @_sizeofcat, and transitioned over to using wireguard instead of ipsec.

      I tried to get the algo ipsec implementation working against openWRT 18.06.2 https://openwrt.org/releases/18.06/notes-18.06.2
      BUT ...

      As far as I could tell the strongswan implementation in OpenWRT has no support of elliptic curves, and the certificates and keys generated by Algo were all ECDSA keys... So I gave up with that.

      In conversation Friday, 07-Jun-2019 09:02:31 EDT from mastodon.social
      1. Kat MCP(NT4) MCSE(Win2K) (kat@mastodon.social)'s status on Friday, 07-Jun-2019 09:12:35 EDT

        @_sizeofcat I would have liked to use ipsec, because previously I was doing a site-to-site ipsec so all hosts connected via that subnet could make use of the VPN.

        Anyway... re-engineered the solution to use double NAT and wireguard PtP. Setting that up via Algo and OpenWRT was easy: https://danrl.com/blog/2017/luci-proto-wireguard/ helped, and adding the new wireguard interface to the WAN zone on the OpenWRT firewall.

        In conversation Friday, 07-Jun-2019 09:12:35 EDT from mastodon.social
        1. Kat MCP(NT4) MCSE(Win2K) (kat@mastodon.social)'s status on Friday, 07-Jun-2019 09:18:01 EDT

          @_sizeofcat The only thing left to do then was set up a bunch of port forwards from the VPN endpoint AND on the OpenWRT router, so I can get my bittorrent and SSH into the home LAN to work.

          The FW rule set on Algo seemed simpler to work with than the one that came with Streisand too.
          Streisand used UFW (Uncomplicated Firewall) to wrap the iptables config, which I found quite complicated. 🤷‍♀️

          Algo just had some iptables rules stored using the netfilter-persistent package, which seemed easier to modify.

          In conversation Friday, 07-Jun-2019 09:18:01 EDT from mastodon.social

Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.