gitbls / pistrong
Simplified CA and device cert manager for strongSwan VPN
License: MIT License
I have a Pi4b acting as WireGuard host and OpenVPN host using standard ports forwarded from an EdgeRouter bridged to a 5G LTE modem. Wg for simplicity and OpenVPN on TCP as UDP can be blocked. When nothing else works a commercial IKEv2 connection to a paid VPN provider gets through.
I have used Pistrong to add IKEv2 to this Pi, but with the firewall rules provided with Pistrong, wg and OpenVPN apparently connect but there is no traffic. If these rules are disabled, wg and OpenVPN are working as expected.
I don't know much about iptables; can you point me to a route around this problem?
So for about two years (close to one and a half?) now, I've been using pistrong to access my files & Pi at home, but now I'm having a bit of trouble getting it to work. I recently got an iPad and I tried adding it as a device & installed the certs, but it doesn't work. I got all the certs to install properly and I actually can connect to it (like the little VPN icon shows up), but I can't access anything (terminal, webpages, files, etc.) as it just says it can't connect to the server/server issue. And my iPhone also stopped allowing me to connect (same as with the iPad, as in the VPN icon pops up and says I'm connected, but I can't do anything). Interestingly, my Windows device & cert remained intact, so I suspect it's something specific pertaining to the iOS connection/cert.
I opened up a similar issue about two years ago (Closed Issue #10), and I tried retracing all the steps I took, but perhaps something changed with iOS certificates through an iOS update that caused this issue (like the switch to iPadOS instead of iOS)? Or maybe I messed up somewhere along the process?
Here are the devices listed (as you can see, the 2021 certs are from when I first set up Pistrong, and the 2023 cert is the newest one; ignore the ethan-iphone11):
And here's the command I used to set up the new device (iPad):
And this is off-topic, but I remember when I first worked with you on this, you mentioned a paid SSH application on iOS/iPadOS that was pretty good and I never got the chance to check it out. I can't seem to find it after searching through #10 and the emails we exchanged, so I was hoping, if you still remember/use it, could you let me know what it is? Thanks!
Hi. I'm trying to configure pistrong with an external SMTP server, but it appears that maybe the SMTP user configuration value is not fully implemented? This is the error message I'm getting. I looked briefly at the code as well, and there are only a couple of references to the smtpuser parameter.
pi@swan:/etc/swanctl/pistrong $ sudo pistrong config --smtpuser [email protected]
usage: pistrong [-h]
{config,createca,deleteca,showcert,makevpncert,makecacert,showca,listca,add,delete,revoke,list,resend,service,client,help,version}
...
pistrong: error: unrecognized arguments: --smtpuser [email protected]
pi@swan:/etc/swanctl/pistrong $
Hi there,
Just a quick note to say that Linux Mint isn't recognised by your install script:
% Pre-reqs unknown for distro linuxmint
These will just be the same as for Ubuntu, as Mint is based on Ubuntu :)
I have 2 networks that I'm trying to connect, with LAN ranges 192.168.1.0/24 and 192.168.0.0/24. Both networks have an RPi running pistrong, and it looks like the tunnel is established correctly. I can ping between the networks from the Pis themselves, but no dice when trying from another node on the network, which leads me to believe it's a routing issue.
Running sudo iptables -t nat --list on each Pi gives the following:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- $therange anywhere policy match dir out pol ipsec
MASQUERADE all -- $therange anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$therange is the range of the other end of the tunnel.
Running sudo iptables -L -v on each end gives the following:
From pi @ 192.168.1.10
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 252 ACCEPT all -- eth0 any 192.168.0.0/24 192.168.1.0/24 policy match dir in pol ipsec reqid 1 proto esp
3 252 ACCEPT all -- any eth0 192.168.1.0/24 192.168.0.0/24 policy match dir out pol ipsec reqid 1 proto esp
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
From pi @ 192.168.0.10
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 any 192.168.1.0/24 192.168.0.0/24 policy match dir in pol ipsec reqid 1 proto esp
0 0 ACCEPT all -- any eth0 192.168.0.0/24 192.168.1.0/24 policy match dir out pol ipsec reqid 1 proto esp
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
I know I'm probably just overlooking something simple. Any ideas why I can't reach the other side of the tunnel from other nodes?
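As an added diagnostic (not part of the original issue or of pistrong), the script below parses `iptables -L -v` output like the listings above and reports whether the IPsec policy rules in the FORWARD chain are actually seeing forwarded packets; the embedded sample is constructed from the 192.168.1.10 listing, and zero counters on a rule mean no LAN node's traffic for the remote subnet is reaching this Pi to be forwarded.

```python
import re

# Constructed sample: FORWARD chain as pasted for the 192.168.1.10 end of the tunnel.
FORWARD_SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    3   252 ACCEPT all -- eth0 any 192.168.0.0/24 192.168.1.0/24 policy match dir in pol ipsec reqid 1 proto esp
    3   252 ACCEPT all -- any eth0 192.168.1.0/24 192.168.0.0/24 policy match dir out pol ipsec reqid 1 proto esp
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
"""

# One rule line of `iptables -L -v`: counters, target, proto, opt, in, out, src, dst, then match extras.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_forward_chain(text):
    """Return the rules of the FORWARD chain as dicts; other chains are skipped."""
    rules, in_forward = [], False
    for line in text.splitlines():
        if line.startswith("Chain "):
            in_forward = line.startswith("Chain FORWARD")
            continue
        m = RULE_RE.match(line) if in_forward else None
        if m:  # the "pkts bytes target ..." header row does not match the numeric counters
            rules.append(m.groupdict())
    return rules


def ipsec_policy_counters(text):
    """Sum forwarded packet counts per IPsec policy direction ('in' / 'out')."""
    counts = {}
    for r in parse_forward_chain(text):
        m = re.search(r"policy match dir (in|out) pol ipsec", r["extra"])
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + int(r["pkts"])
    return counts


def diagnose(text):
    """Turn the counters into a one-line hint about where the site-to-site traffic stops."""
    c = ipsec_policy_counters(text)
    if "in" not in c or "out" not in c:
        return "no ipsec policy rules in FORWARD: tunnel traffic from LAN nodes is not forwarded by rule"
    if c["in"] == 0 and c["out"] == 0:
        return "FORWARD rules present but never hit: LAN nodes are not sending remote-subnet traffic via this Pi (check their route/gateway)"
    return "forwarded packets seen (in=%d, out=%d): forwarding works here, check the remote end" % (c["in"], c["out"])
```

Run it against each Pi's output in turn; a rule that stays at 0 packets on one end while the other end counts packets localises the missing route to that end's LAN.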
Raspberry Pi OS 32-bit Bullseye with Desktop
Install pistrong script on client and run it. Install finishes normally. OK.
Reboot Pi.
Copy zip file raspi1-linux.zip to Pi.
sudo pistrong client install raspi1-linux.zip
fails:
Archive: raspi1-linux.zip
caution: filename not matched: pistrong-vpn-installer
Traceback (most recent call last):
File "/usr/local/bin/pistrong", line 1411, in <module>
args.func(pd, args)
File "/usr/local/bin/pistrong", line 1164, in cmd_client
client_cmd_actions[args.action][0](pd, args)
File "/usr/local/bin/pistrong", line 1126, in cmd_client_install
os.chmod(ufn, 0o755)
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pistrongnv0dsy_0/pistrong-vpn-installer'
This was originally a thread from: https://forums.raspberrypi.com/viewtopic.php?p=1951935#p1951935
But basically, I'm trying to set up Pistrong as a VPN I can tunnel through to my Pi on my phone/computer outside my home network for SSH & SFTP (Samba). I've already installed Pistrong and set up port forwarding to my Pi through my router's settings, but am stuck on trying to set up the CA (Certification Authority?). I'm running the makeMyCA script through the terminal and am getting stuck at the part where it asks for my VPN Server Local LAN Subnet. I've already tried entering the subnet (from the command ip a in the terminal) with no success, and it says 'No IP Address is assigned to network device my router/gateway's IP address'.
Though one thing I'm confused about is what the difference is between my 'eth0' and 'lo' IP addresses? I know eth0 is ethernet, but what exactly is 'lo'? From what I can gather from Google, it's some kind of loopback address that communicates with my Pi? Not sure what exactly the use for that is, but I entered both my 'eth0' and 'lo' IP addresses during the makeMyCA session/script with the same error message on VPN Server Local LAN Subnet.
I also have a suspicion it's because I set up DDNS incorrectly (using no-ip), but I'm not too sure. For my IPv4 address, I entered what I got from echo "$(curl -s 'dynupdate.no-ip.com/ip.php')", but I'm not sure if I need to do any more setup on that end. I've port forwarded ports 500 & 4500 already, but do I need to configure anything extra in my router/gateway settings (like static IP, private from pool/fixed private LAN assignment, etc.)?
Running the makeTunnel script says the following: "NOTE: LocalNet1 and LocalNet2 cannot be the same subnet (e.g., 192.168.1.0/24 on both networks)"
I'm trying to implement a site-to-site tunnel with both ends on the same subnet 192.168.1.0/24. Would it be possible if the routers on both ends used non-colliding IP ranges?
e.g. LocalNet1 Router DHCP range 192.168.1.2-128
LocalNet2 Router DHCP range 192.168.1.129-255