<html><head></head><body lang="en-GB" style="background-color: rgb(255, 255, 255); line-height: initial;"> <div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">The best practice is creating dummy virtual interface and assign ip address to it and use it as dns server ip address.</div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><br></div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">modprobe dummy</div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">ip link set dummy0 up</div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">ifconfig dummy0 1.1.1.1/32<span style="font-size: initial; line-height: initial; text-align: initial;"></span></div> <div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><br></div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">Now you can use it as internal ip address of dns server (you might change 1.1.1.1 with other ip address according to your network planning).</div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><br></div> <div style="font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">Anvar Kuchkartaev <br>anvar@anvartay.com </div> <table width="100%" style="background-color:white;border-spacing:0px;"> <tbody><tr><td colspan="2" style="font-size: initial; text-align: initial; background-color: rgb(255, 255, 255);"> <div style="border-style: solid none none; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding: 3pt 0in 0in; font-family: Tahoma, 'BB Alpha Sans', 'Slate Pro'; font-size: 10pt;"> <div><b>From: </b>Dan Vee</div><div><b>Sent: </b>sábado, 7 de octubre de 2017 12:01 a.m.</div><div><b>To: </b>users@lists.strongswan.org</div><div><b>Subject: </b>[strongSwan] Client access to DNS service running on same host as strongSwan server</div></div></td></tr></tbody></table><div style="border-style: solid none none; border-top-color: rgb(186, 188, 209); border-top-width: 1pt; font-size: initial; text-align: initial; background-color: rgb(255, 255, 255);"></div><br><div id="_originalContent" style=""><div dir="ltr"><span style="color:rgb(33,33,33);font-size:13px">Hi,</span><div style="color:rgb(33,33,33);font-size:13px"><br></div><div style="color:rgb(33,33,33);font-size:13px">I currently have strongSwan server setup on a VPS host, and I'm also running an adblocking DNS server (not exposed to internet) on this same host. The server only has one interface and it has a public IP address (e.g. 1.2.3.4). I'd like to configure strongSwan to hand out a DNS address (for this local DNS server) for any clients that connect. I have two problems:</div><div style="color:rgb(33,33,33);font-size:13px">* I don't know how to make the DNS service running on the same VPS host accessible to the connecting client. My client has a virtual IP (e.g. 10.20.30.1) and not sure how I can communicate directly with a service running locally on this VPS host.</div><div style="color:rgb(33,33,33);font-size:13px">* I don't know what IP I should I pass back to the client for this DNS address. I have no private IP address on this server. Should I return the public IP address for the server?</div><div style="color:rgb(33,33,33);font-size:13px"><br></div><div style="color:rgb(33,33,33);font-size:13px"><br></div><div style="color:rgb(33,33,33);font-size:13px">Server config</div><div style="color:rgb(33,33,33);font-size:13px">------------------------------------</div><div style="color:rgb(33,33,33);font-size:13px"><div>config setup</div><div> uniqueids=never</div><div> charondebug="cfg 2, dmn 2, ike 2, net 2"</div><div>conn %default</div><div> keyexchange=ike</div><div> dpdaction=clear</div><div> dpddelay=300s</div><div> rekey=no</div><div> left=%any</div><div> leftca=ca.cert.pem</div><div> leftcert=server.cert.pem</div><div> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div> right=%any</div><div> rightdns=????</div><div> rightsourceip=<a href="http://10.20.30.0/24" target="_blank">10.20.30.0/24</a></div><div> rightsubnets=<a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></div><div>conn IPSec-IKEv2</div><div> keyexchange=ikev2</div><div> ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!</div><div> esp=aes256-sha256,3des-sha1,aes256-sha1!</div><div> leftid="1.2.3.4"</div><div> leftsendcert=always</div><div> leftauth=pubkey</div><div> rightauth=pubkey</div><div> rightid="<a href="mailto:client@1.2.3.4" target="_blank">client@1.2.3.4</a>"</div><div> rightcert=client.cert.pem</div><div> auto=add</div></div><div style="color:rgb(33,33,33);font-size:13px"><br></div><div style="color:rgb(33,33,33);font-size:13px">Any help would be greatly appreciated. Thanks!</div></div>
<br><!--end of _originalContent --></div></body></html>