09[IKE] DH group ECP_256 unacceptable, requesting ECP_256

internet-delenda-est

  • invalidusernamelol [he/him]@hexbear.net
    6 days ago

    I’m gonna shill it again on here, but Pangolin is actually a really great tunnel manager if you need one. I toss it up on a vps then just spool up the newt containers on an endpoint in any network and it lets you expose ports and reverse proxy services through an admin UI.

    It’s really just some sugar on top of Traefik and Wireguard, so you could just configure all that yourself, but sometimes I like having an admin panel.

    You can even specify multiple endpoints for an exposed service and it’ll load balance for you. Exposing raw TCP/UDP ports through the tunnel drops the internal validation (all services require authentication through Pangolin before you are allowed to access them), but as long as you set up like fail2ban or ssh key only access on the endpoint server you should be fine.

    It does let you toggle availability through the admin panel or the config files and that kills the tunnel instantly so I usually just leave them off till I need them.

    • miz [any, any]@hexbear.net (OP)
      8 days ago

      no, in fact I gave up on IPSec since I posted this and have started working on a wireguard setup because fuck this unmaintained pile of shit

      • stupid_asshole69 [none/use name]@hexbear.net
        8 days ago

        It can be easier to find help with wireguard setups. I hope you succeed.

        I learned how to do IPsec by using a perfectly functional example config in one room and changing things one tiny step at a time until it got where I needed it. IPsec can be very stable and simple but you gotta have your ducks in a row first.

        • miz [any, any]@hexbear.net (OP)
          8 days ago

          well, the worst part is I had a functioning IPsec site-to-site setup as well as road warrior configuration, running on OpenWRT 19. but now after upgrading to OpenWRT 24, I can’t get it to work again. they redid the whole config system and moved away from ipsec to swanctl and the user-layer part of the IPSec subsystem in OpenWRT appears to have been barely maintained through the upgrade path

          • stupid_asshole69 [none/use name]@hexbear.net
            8 days ago

            Yeah the last five years have been very bad for open source projects. If you can justify the move to pfsense it’s very worth it to get away from projects that are maybe getting too far out over their skis.

            I’m in the process of doing this with a handful of tomato derivative running old edge devices that never got replaced.