I’ve successfully configured an L2TP/IPsec site-to-site VPN on OpenWRT (24.10) using StrongSwan (with preshared key) and xl2tpd. The VPN tunnel connects correctly and everything works from the router itself – I can ping devices in the remote subnet from the OpenWRT shell without issues.
However, clients on the LAN side can’t reach the remote subnet through the VPN tunnel. When I ping from my PC, the traffic goes to the OpenWRT router but is then routed out via WAN, not through the VPN tunnel (ppp0). From tcpdump I see the echo request goes out via eth0.2 (WAN) and I get back host unreachable.
What I’ve tried and confirmed:
- IP forwarding is enabled (net.ipv4.ip_forward=1)
- The VPN tunnel is up (ppp0 interface exists and works)
- remote LAN “ip route get” from the router correctly resolves via ppp0
- I’ve set firewall rules to allow forwarding from LAN to ppp0 etc.
- MASQUERADE is set for traffic from 192.168.1.0/24 to 192.168.195.0/24 on ppp0
- I’ve disabled rp_filter on all interfaces
- tcpdump on ppp0 shows nothing when pinging from a LAN client
So far it looks like the LAN-to-VPN traffic is not being routed through the VPN tunnel even though the routes look correct from the router. I suspect something subtle in routing or NAT is missing.
Any ideas? Should I change swanctl.conf, options.l2tpd.client, or something in /etc/config/network? Or is there a more elegant way to achieve full routing from LAN to VPN?
Thanks in advance – happy to share config files if needed.
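A diagnostic script, added here and not part of the original post, that compares the router-originated route lookup the post describes with the lookup the kernel performs for a forwarded LAN packet (source address and ingress interface included, via `ip route get ... from ... iif ...`), and then dumps the policy-routing rules, per-table routes, rp_filter state and fw4 nftables rules that reference ppp0. The interface names and subnets come from the post; the sample client and remote host addresses, the `br-lan` LAN bridge name and the `--live` flag are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post. It assumes the names given
# in the post (LAN 192.168.1.0/24, remote 192.168.195.0/24 behind ppp0, WAN on
# eth0.2) plus a br-lan bridge; the host addresses below are constructed samples.
LAN_IF=${LAN_IF:-br-lan}
LAN_HOST=${LAN_HOST:-192.168.1.100}         # constructed: a client on the LAN
REMOTE_HOST=${REMOTE_HOST:-192.168.195.10}  # constructed: a host in the remote subnet
VPN_IF=${VPN_IF:-ppp0}
WAN_IF=${WAN_IF:-eth0.2}

# Return 0 when an `ip route get` result says the packet leaves via the given device.
# $1 = one line of `ip route get` output, $2 = device name
route_uses_dev() {
    printf '%s\n' "$1" | grep -qE " dev $2( |$)"
}

# Classify one lookup result as "tunnel", "wan" or "other".
classify_route() {
    if route_uses_dev "$1" "$VPN_IF"; then echo tunnel
    elif route_uses_dev "$1" "$WAN_IF"; then echo wan
    else echo other
    fi
}

# The post checked `ip route get <remote>` from the router's own shell only. A forwarded
# packet is looked up with its real source address and ingress interface, which can hit a
# different policy-routing table; run both lookups and compare the outcome.
compare_lookups() {
    router_lookup=$(ip route get "$REMOTE_HOST" 2>&1)
    lan_lookup=$(ip route get "$REMOTE_HOST" from "$LAN_HOST" iif "$LAN_IF" 2>&1)
    echo "router-originated lookup : $(classify_route "$router_lookup")"
    echo "forwarded-from-LAN lookup: $(classify_route "$lan_lookup")"
    echo "$lan_lookup"
}

# Supporting evidence that narrows the fault to routing versus firewall/NAT.
show_context() {
    echo "--- policy routing rules (extra tables are the usual reason the two lookups differ)"
    ip rule show
    echo "--- routes mentioning $VPN_IF in every table"
    ip route show table all | grep " $VPN_IF" || echo "(none)"
    echo "--- rp_filter on $LAN_IF and $VPN_IF"
    sysctl net.ipv4.conf."$LAN_IF".rp_filter net.ipv4.conf."$VPN_IF".rp_filter
    echo "--- fw4 (nftables) rules that reference $VPN_IF"
    nft list ruleset 2>/dev/null | grep -n "$VPN_IF" || echo "(none: $VPN_IF is in no zone or rule)"
}

# Run the live checks only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--live" ]; then
    compare_lookups
    show_context
fi
```

Run it on the router as `sh vpn-route-check.sh --live`. If the router-originated lookup reports `tunnel` while the forwarded-from-LAN lookup reports `wan`, the problem is in policy routing (an `ip rule` entry selecting a table that lacks the 192.168.195.0/24 route), not in the firewall; if both report `tunnel` and ppp0 still sees nothing, look at the fw4 forward chain output instead.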