[strongSwan] Custom DNS servers for blacklisted users

Martin Willi martin at strongswan.org
Fri Feb 8 12:07:15 CET 2013


Hi,

> My idea was to allow them to connect to the VPN but if they are on the
> black-list I would like to push them out a custom DNS server

This could be achieved by having two connections specifying different
DNS servers using the "rightdns" ipsec.conf option. And of course you'd
have to limit the subnet negotiated, as the client could overwrite the
DNS setting to circumvent your restrictions. With iOS and IKEv1, this
could work with an appropriate rightsubnet and the unity plugin.

The question is how you would black-list users and enforce a specific
configuration. When using XAuth and a RADIUS backend, you could assign
group membership in your AAA backend and enforce specific configurations
using rightgroups. When using certificates this might be more difficult,
as we currently don't support attribute certificates in charon.

Alternatively, you could consider writing your own DNS attribute
provider [1] in a plugin and select the correct server for each user
based on your own criteria.

Regards
Martin

[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/attributes/attribute_provider.h
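The two-connection layout described above, written out as an added ipsec.conf example (not from the thread): both conns share one IKEv1/XAuth road-warrior base, and the RADIUS group decides which one a user lands in, so the pushed DNS server and the gateway-side subnet (leftsubnet) differ per group. Group names, addresses and the certificate name are assumed placeholders.

```conf
# Added example, not from the original thread. Shared base for the
# IKEv1 road-warrior setup; users authenticate with a certificate and
# then XAuth against RADIUS, which returns their group membership.
conn base
    keyexchange=ikev1
    left=%any
    leftcert=vpnGatewayCert.pem      # placeholder gateway certificate
    leftauth=pubkey
    right=%any
    rightauth=pubkey
    rightauth2=xauth-radius
    rightsourceip=10.0.0.0/24        # placeholder virtual IP pool
    auto=add

# Regular users (RADIUS group "vpn-users"): full access, normal resolver.
conn users
    also=base
    rightgroups=vpn-users
    leftsubnet=0.0.0.0/0
    rightdns=10.0.0.53               # placeholder resolver

# Black-listed users (RADIUS group "blacklisted"): only the filtering
# resolver's subnet is negotiated, so a client that overrides the
# pushed DNS setting still cannot reach any other resolver through
# the tunnel.
conn blacklisted
    also=base
    rightgroups=blacklisted
    leftsubnet=10.0.1.0/24
    rightdns=10.0.1.53               # placeholder filtering resolver
```

Both conns carry a rightgroups constraint on purpose: without it, a black-listed user could still match the unrestricted connection.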
