[2025] How to Set Up Site-to-Site VPN in OpenWRT: Step-by-Step Guide

Published: 06 May 2025
on the channel: Francis Techworld

Learn how to set up a site-to-site VPN in OpenWRT with this comprehensive tutorial. Whether you're looking to securely connect multiple networks or enhance your privacy, this video will guide you through the entire process. We'll cover everything from initial configuration to troubleshooting common issues. Perfect for beginners and advanced users alike, this tutorial ensures you can establish a reliable VPN connection with ease.


Policy-based IPsec on OpenWRT. Install the required packages first:

opkg update && opkg install strongswan-full ip-full kmod-ip-vti vtiv4


OpenWRT-1

Part 1:

root@OpenWrt:~# cat /etc/ipsec.conf
conn vpn-static
keyexchange=ikev1
ike=aes256-sha256-modp2048!
esp=aes256gcm16!
dpdaction=restart
dpddelay=300s
rekey=yes
left=192.168.4.114
leftid=192.168.4.114
leftsubnet=192.168.2.0/24
right=192.168.4.118
rightid=192.168.4.118
rightsubnet=192.168.1.0/24
authby=secret
lifetime=28800s
auto=start
leftfirewall=yes
root@OpenWrt:~#

Part 2:

root@OpenWrt:~# cat /etc/ipsec.secrets
192.168.4.114 192.168.4.118 : PSK 12345678

root@OpenWrt:~#

Part 3:
root@OpenWrt:~# cat /etc/strongswan.conf
strongswan.conf - strongSwan configuration file
# Refer to the strongswan.conf(5) manpage for details
# Configuration changes should be made in the included files

charon {
load_modular = yes
install_routes=no
install_virtual_ip=no


plugins {
include strongswan.d/charon/*.conf
}
}

include strongswan.d/*.conf

include /var/ipsec/strongswan.conf
root@OpenWrt:~#

Part 4: Add WAN to LAN firewall rule





OpenWRT-2

Part 1:

root@OpenWrt:~# cat /etc/ipsec.conf
conn vpn-static
keyexchange=ikev1
ike=aes256-sha256-modp2048!
esp=aes256gcm16!
dpdaction=restart
dpddelay=300s
rekey=yes
left=192.168.4.118
leftid=192.168.4.118
leftsubnet=192.168.1.0/24
right=192.168.4.114
rightid=192.168.4.114
rightsubnet=192.168.2.0/24
authby=secret
lifetime=28800s
auto=start
leftfirewall=yes

root@OpenWrt:~#



Part 2:


root@OpenWrt:~# cat /etc/ipsec.secrets
192.168.4.118 192.168.4.114 : PSK 12345678
root@OpenWrt:~#
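The two ipsec.conf files have to mirror each other exactly (OpenWRT-1's left is OpenWRT-2's right, the subnets are swapped, and the strict "!" proposals are identical), and each ipsec.secrets line has to name both peer IDs; a tunnel that sits in "connecting" after a copy-and-paste is usually one of those three. The script below is an added example, not part of the video, that checks exactly that. It embeds constructed copies of the four files shown on this page and only needs busybox sh and awk, so it runs as-is on the router; the 20-character PSK threshold is the script's own choice.

```shell
#!/bin/sh
# Added example (not from the video): cross-check both peers' ipsec.conf and
# ipsec.secrets for the mistakes that most often keep a policy-based tunnel
# from coming up. The four strings are constructed copies of the page's files;
# on a real router replace them with $(cat /etc/ipsec.conf) from each side.
SIDE_A='conn vpn-static
keyexchange=ikev1
ike=aes256-sha256-modp2048!
esp=aes256gcm16!
left=192.168.4.114
leftid=192.168.4.114
leftsubnet=192.168.2.0/24
right=192.168.4.118
rightid=192.168.4.118
rightsubnet=192.168.1.0/24
authby=secret'
SIDE_B='conn vpn-static
keyexchange=ikev1
ike=aes256-sha256-modp2048!
esp=aes256gcm16!
left=192.168.4.118
leftid=192.168.4.118
leftsubnet=192.168.1.0/24
right=192.168.4.114
rightid=192.168.4.114
rightsubnet=192.168.2.0/24
authby=secret'
SECRETS_A='192.168.4.114 192.168.4.118 : PSK 12345678'
SECRETS_B='192.168.4.118 192.168.4.114 : PSK 12345678'

# get KEY TEXT: value of the first "KEY=value" line in TEXT (spaces around = tolerated)
get() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { print $2; exit }'
}

# check_mirror CONF_A CONF_B: every left* on A must equal right* on B and vice versa
check_mirror() {
    rc=0
    for k in "" id subnet; do
        if [ "$(get "left$k" "$1")" != "$(get "right$k" "$2")" ]; then
            echo "mismatch: A left$k vs B right$k"; rc=1
        fi
        if [ "$(get "right$k" "$1")" != "$(get "left$k" "$2")" ]; then
            echo "mismatch: A right$k vs B left$k"; rc=1
        fi
    done
    return $rc
}

# check_proposals CONF_A CONF_B: the trailing "!" makes the proposals strict,
# so keyexchange, ike and esp must be identical on both peers
check_proposals() {
    rc=0
    for k in keyexchange ike esp; do
        if [ "$(get "$k" "$1")" != "$(get "$k" "$2")" ]; then
            echo "proposal mismatch: $k"; rc=1
        fi
    done
    return $rc
}

# check_secret CONF SECRETS: the PSK selector must name this side's leftid and rightid
check_secret() {
    printf '%s\n' "$2" | awk -v l="$(get leftid "$1")" -v r="$(get rightid "$1")" '
        /: *PSK/ { split($0, p, ":"); n = split(p[1], ids, " "); hl = hr = 0
                   for (i = 1; i <= n; i++) { if (ids[i] == l) hl = 1; if (ids[i] == r) hr = 1 }
                   if (hl && hr) ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# psk_is_long SECRETS: succeed only if the PSK has at least 20 characters
# (threshold chosen for this script; the 8-digit demo key on the page fails it)
psk_is_long() {
    psk=$(printf '%s\n' "$1" | awk '/: *PSK/ { sub(/.*: *PSK[ \t]*/, ""); gsub(/"/, ""); print; exit }')
    [ ${#psk} -ge 20 ]
}

check_mirror "$SIDE_A" "$SIDE_B" && check_proposals "$SIDE_A" "$SIDE_B" \
    && check_secret "$SIDE_A" "$SECRETS_A" && check_secret "$SIDE_B" "$SECRETS_B" \
    && echo "peer configurations are consistent"
psk_is_long "$SECRETS_A" || echo "warning: PSK is shorter than 20 characters; use a long random one"
```

Run it once with the real files from both routers pasted in; every mismatch it prints is a setting to fix before looking at firewall or routing problems.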



Part 3:

root@OpenWrt:~# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
# Refer to the strongswan.conf(5) manpage for details
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    install_routes = no
    install_virtual_ip = no

    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

include /var/ipsec/strongswan.conf
root@OpenWrt:~#


Part 4: Add WAN to LAN firewall rule
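Part 4 names the firewall rule on both routers but the description does not show it. The fragment below is an added example, not from the video, of the /etc/config/firewall sections a policy-based tunnel on OpenWRT-1 (LAN 192.168.2.0/24, remote LAN 192.168.1.0/24, peer 192.168.4.118) typically needs: IKE and ESP accepted on WAN only from the peer, decrypted traffic from the remote LAN forwarded into the local LAN (the "WAN to LAN" rule), and traffic for the remote LAN excluded from WAN masquerading so it keeps its 192.168.2.x source and still matches the IPsec policy. Rule names are illustrative; swap the addresses for OpenWRT-2.

```uci
# /etc/config/firewall additions on OpenWRT-1 (added example; rule names are illustrative)

# IKE from the peer: UDP/500, plus UDP/4500 in case NAT traversal is used
config rule
	option name 'Allow-IKE-from-peer'
	option src 'wan'
	option src_ip '192.168.4.118'
	option proto 'udp'
	option dest_port '500 4500'
	option target 'ACCEPT'

# ESP from the peer (the encrypted tunnel packets themselves)
config rule
	option name 'Allow-ESP-from-peer'
	option src 'wan'
	option src_ip '192.168.4.118'
	option proto 'esp'
	option target 'ACCEPT'

# WAN to LAN: decrypted packets arrive on wan with the remote LAN as their source
config rule
	option name 'Allow-remote-LAN-to-LAN'
	option src 'wan'
	option src_ip '192.168.1.0/24'
	option dest 'lan'
	option dest_ip '192.168.2.0/24'
	option target 'ACCEPT'

# Do not masquerade LAN traffic bound for the remote LAN; a source-NATed packet
# no longer matches the leftsubnet/rightsubnet policy and is dropped by the peer
config nat
	option name 'No-NAT-to-remote-LAN'
	option src 'wan'
	option src_ip '192.168.2.0/24'
	option dest_ip '192.168.1.0/24'
	option target 'ACCEPT'
```

Restart the firewall after adding the sections, then restart strongSwan and test with a ping from a LAN host on each side to a host on the other LAN. Limiting the IKE and ESP rules to the peer's address, rather than opening them to all of WAN, keeps the IKE daemon reachable only from the one host that needs it.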



REMARK:

1. Dead Peer Detection (DPD) settings
Your configuration includes dpdaction=clear and dpddelay=300s. This means that if no traffic is detected for 300 seconds, the connection will be cleared. If the connection is idle for too long, it might be considered dead and thus disconnected.
Solution: Try a shorter dpddelay interval, or change dpdaction to restart so the connection is re-established automatically.

2. Rekeying
Although you have rekey=no in your configuration, the remote peer may still initiate a rekey, which can cause the connection to drop if it is not handled properly.
Solution: Ensure that both sides of the IPsec connection have compatible rekeying settings.