[strongSwan] client to site but as a gateway(nat)?
peljasz at yahoo.co.uk
Fri Jul 21 00:30:08 CEST 2017
On 20/07/17 22:57, Karl Denninger wrote:
> On 7/20/2017 16:46, peljasz wrote:
>> On 20/07/17 21:57, Karl Denninger wrote:
>>> That can be made to work provided you do not need
>>> inbound connections to things on the client side.
>> exactly like that.
>> How to even phrase a query to find docs/howtos on such a
>> Or, tips on setup/config would be much appreciated - I have a
>> working client-to-site setup - is it only strongSwan,
>> or/and routing/NATing outside of swan?
>> many thanks.
> There's really nothing specific related to StrongSwan
> there other than not mapping your own client NAT
> implementation on top of whatever address/subnet the VPN
> gateway gives you.
> Essentially your client is responsible for NATting the
> client-attached traffic which is then sent to the VPN
> gateway, which (presumably) will NAT it again. It should
> work with few potential issues (the big one being if you
> have a UDP client of some sort and the intermediate NAT
> times out on stateful tables you'll lose some replies, but
> this usually isn't much of a factor.)
> This is, in essence, what running a Hotspot that is also a
> StrongSwan client back to a server winds up being -- the
> VPN server is NATing traffic to the Internet, and the
> Hotspot is NATing traffic for its attached clients. It
> should all "just work" in most cases.
well, if I understand it correctly then my setup is a bit
different, but I thought it still would be commonly desired,
so that there would be many and easy to find howtos.
Namely: a linux box with a public IP (not static per se, but
almost the same IP all the time) and that box is the default
gateway/NAT for the local/home LAN. Now that very box calls
out (as a client) to a VPN site (a server I have no control over).
What is working as of now:
- the linux box VPNs out with rightsubnet=192.168.0.0/16, but the
rest (from itself and the home LAN) goes out via linux NAT (via my ISP)
- from another node on the local/home LAN I can ping linux's VPN
client IP (given by the swan server); on the node I added a
route to 192.168.0.0/16 via 10.1.1.100 (linux's local LAN IP,
which is the default gateway for the local/home LAN to the
Internet via ISP)
! but I cannot reach anything else on 192.168.0.0/16 from
that same node that can ping 192.168.2.111 (VPN client IP)
what I want:
node(s) 10.1.1.200 -> 10.1.1.100/NAT/publicIP => the whole
Internet (except to 192.168.0.0/16, which should go via linux's VPN
something I am missing.
> Since you said you have no control over the server I'm
> assuming you can't have the server side hand you a subnet
> which you can then hand out hosts from and are forced to
> NAT into a single dynamically-assigned IP address that the
> gateway hands you (and which is likely to change with each
>>> On 7/20/2017 15:50, peljasz wrote:
>>>> hi fellas
>>>> a novice here, who is reading up but was hoping someone
>>>> knows already and can shed some light on..
>>>> how to, if possible at all, have a client that calls
>>>> out to a server (site) and that client would route (NAT)
>>>> other nodes on its local LAN to the site (server)?
>>>> I'd only hope that if possible that this is all down to
>>>> the "client" as over the server I have
>>>> many thanks
>>> Karl Denninger
>>> karl at denninger.net <mailto:karl at denninger.net>
>>> /The Market Ticker/
>>> /[S/MIME encrypted email preferred]/
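Added example, not part of the thread and not one of strongSwan's own scripts. The piece missing from the setup above is that a packet from 10.1.1.200 to 192.168.x.y reaches the gateway with a source address the IPsec policy does not cover: with leftsourceip=%config the policy only tunnels traffic from the virtual IP (192.168.2.111) to 192.168.0.0/16, so the LAN node can ping the virtual IP itself (a local address) but everything else is routed out to the ISP instead of into the tunnel. Karl's answer is to NAT the LAN behind the virtual IP on the client. Doing that with an SNAT rule in the nat POSTROUTING chain works because Linux re-evaluates the IPsec policy after NAT changes the source address. Since the assigned IP can change on every connect, the rule is installed from a leftupdown wrapper using the variables strongSwan exports to updown scripts (PLUTO_VERB, PLUTO_MY_SOURCEIP, PLUTO_PEER_CLIENT). The LAN range 10.1.1.0/24, the wrapper's own path, and the location of the stock _updown script are assumptions; adjust them to the box. As Karl said, this gives outbound-only access: nothing on 192.168.0.0/16 can initiate a connection to a host behind 10.1.1.100.

```shell
#!/bin/sh
# Assumed leftupdown= wrapper (example, not strongSwan's own script).
# ipsec.conf on the client, assumed:
#   leftsourceip=%config          # server hands out the virtual IP
#   rightsubnet=192.168.0.0/16
#   leftupdown=/etc/strongswan/lan-nat-updown.sh
# FORWARD must also allow 10.1.1.0/24 -> 192.168.0.0/16 if the filter table is restrictive.

LAN_NET="${LAN_NET:-10.1.1.0/24}"                           # home LAN behind the gateway (assumed)
DEFAULT_UPDOWN="${DEFAULT_UPDOWN:-/usr/lib/ipsec/_updown}"  # distro-specific path (assumed)
IPTABLES="${IPTABLES:-iptables}"

# Build the iptables command for one updown event.
#   $1 = PLUTO_VERB (up-client / down-client / ...), $2 = PLUTO_MY_SOURCEIP (virtual IP),
#   $3 = PLUTO_PEER_CLIENT (remote subnet), $4 = the LAN to hide behind the virtual IP.
# Returns 1 (and prints nothing) for events that carry no virtual IP or are not client
# policy events, so the caller skips them instead of installing a broken rule.
snat_cmd() {
  verb="$1"; vip="$2"; remote="$3"; lan="$4"
  case "$verb" in
    up-client)   action="-I" ;;   # insert at the top: it must run before the ISP MASQUERADE rule
    down-client) action="-D" ;;   # delete the identical rule when the CHILD_SA goes away
    *) return 1 ;;
  esac
  [ -n "$vip" ] || return 1        # PLUTO_MY_SOURCEIP is only set when a virtual IP was assigned
  printf '%s -t nat %s POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' \
    "$IPTABLES" "$action" "$lan" "$remote" "$vip"
}

# When invoked by charon: keep the stock route/policy handling, then add/remove the SNAT rule.
# UPDOWN_DRY_RUN=1 lets you source the file and inspect snat_cmd output without touching iptables.
if [ -z "$UPDOWN_DRY_RUN" ] && [ -n "$PLUTO_VERB" ]; then
  "$DEFAULT_UPDOWN"
  cmd=$(snat_cmd "$PLUTO_VERB" "$PLUTO_MY_SOURCEIP" "$PLUTO_PEER_CLIENT" "$LAN_NET") && sh -c "$cmd"
fi
```

After the tunnel is up, `iptables -t nat -L POSTROUTING -n -v` should list the SNAT rule above the MASQUERADE rule that serves the ISP path, and a tcpdump on the ISP-facing interface while 10.1.1.200 pings a 192.168.0.0/16 host should show only ESP (or UDP 4500) to the VPN server, never the LAN node's traffic in the clear. The split in the rule is what keeps the rest of the LAN's Internet traffic on the ISP NAT: only packets for rightsubnet are rewritten to the virtual IP.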