Configure IPsec VPN through uCI with Turris OS 5.3

Hi all, I’m trying to figure out how to set my IPsec VPN up through uCI. It seems that there are two modes, either through XFRM or through a VTI device. I read that XFRM is not supported yet in OpenWRT 19.07’s uCI, which leaves VTI for now. (As TOS 5.3 is OWRT 19.07.)

I managed to configure /etc/config/ipsec to bring up the tunnel, but it’s now using XFRM for which I didn’t manage to configure the firewall properly (no traffic).

I found instructions to configure a VTI device in uCI, but I don’t know how to assign that device for usage by strongSwan. I saw other tutorials use a ‘mark’ setting in ipsec.conf, but I can’t find any reference in /etc/init.d/ipsec to that.

How can I configure strongSwan in OpenWRT entirely through uCI?

See The 2024 way to configure IKEv2 VPN server on Omnia.


Thanks! Maybe I will look and see if this also works site2site at some point. It seems WireGuard is also being adopted now as an alternative.

For site2site I’d definitely go with WireGuard. The setup would be 1000% simpler. The point of IKEv2 is that it is the preinstalled VPN provider on lots of user devices.
