[strongSwan] How to properly set up the "hide IP" VPN function?

strongswan_user at mail.ru
Tue Jul 25 19:24:04 CEST 2017


Hello all!

I want the common "hide IP" feature of VPN. I (tried to) use tunnel mode (no L2TP), IKEv2, and manually (and naively?) set the needed D/SNAT rules. It all basically works, but not for all web sites. All HTTP sites seem to work (mostly...), and most HTTPS sites are fine too, while some HTTPS sites take forever, as if there were no reply from DNS (no errors; Firefox). I don't know anything about TLS debugging, and I didn't try to actually debug it (yet).

Below are details of how I did it. Hopefully I'm just missing some simple setting, and somebody can spot it. Or, alternatively, could you suggest some instructions on how to set it up best?


  .1.21  .1.20 .2.20  .2.21 .3.20    .3.21 .4.20    .4.21 .5.20    .5.21
  Ca---------CG-----------I1-------------J1------+-----SG------------Sa
client:      NAT          these 2 hosts          |     NAT         server
Firefox    gateway        simulate internet      |   gateway
                                                 |
                                                 |
                                                 |
                            Internet             |.4.31
                           provider's           tap2 - my real PC
   real internet ----------- router ----------- eth0
                                192.168.100.1   192.168.100.101

(copy-paste to a fixed-width editor to view it properly)

The upper part is in Qemu/KVM, strongSwan U5.5.1/K4.9.0-3-amd64. IP addresses are of the form 10.0.x.y; only .x.y is shown in the diagram. All Qemus and my PC are Debian 9 Stretch. The bottom part is real hardware.

SG forwards (DNAT) all traffic to Sa:
iptables -t nat -A PREROUTING -p all ! -s 10.0.5.21 -d 10.0.4.21 \
    -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.5.21

Assume below:
CLIENT_PRIVATE_IP="10.0.1.23";
SERV_PUBLIC_IP="10.0.4.21"
SERV_PRIVATE_IP="10.0.5.21"

Main magic for the VPN feature I want, on Sa:
iptables -t nat -A POSTROUTING -s $CLIENT_PRIVATE_IP -j SNAT --to-source $SERV_PRIVATE_IP
iptables -t nat -A PREROUTING -d $SERV_PRIVATE_IP \
    -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to $CLIENT_PRIVATE_IP

The host (real PC) masquerades all packets coming from tap2:
iptables -t nat -A POSTROUTING -s 10.0.4.0/24 -j MASQUERADE

Default gateway for J1 is my host's tap2 address - 10.0.4.31

Server Sa:

/etc/ipsec.conf :
config setup
conn %default
    keyexchange=ikev2
conn vpn1
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=$CLIENT_PRIVATE_IP
    rightsubnet=$CLIENT_PRIVATE_IP/32
    auto=route
    authby=secret

/etc/ipsec.secrets :
$CLIENT_PRIVATE_IP : PSK 0x123

Client Ca:

/etc/ipsec.conf :
config setup
conn %default
    keyexchange=ikev2
conn vpn1
    right=$SERV_PUBLIC_IP
    rightid=$SERV_PRIVATE_IP
    rightsubnet=0.0.0.0/0
    auto=start
    authby=secret

/etc/ipsec.secrets :
$SERV_PRIVATE_IP : PSK 0x123

(strongSwan config files not touched, default)

I tried to reduce MTU to 1280 (from 1500) on Sa - no luck.

Thank you - whoever replies with some hints.
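Added example (editor's, not part of the poster's message): a server-side setup for the same "hide IP" goal, using the addresses from the post but with the road-warrior pattern from strongSwan's documentation (a virtual IP pool for clients plus MASQUERADE on the gateway) instead of per-client SNAT/DNAT. Conntrack un-NATs the replies on its own, so no DNAT rule is needed for them, and the mangle rules clamp TCP MSS on SYNs in both directions, the standard countermeasure when TCP sessions through an ESP tunnel stall on their first full-size segment (often the TLS server certificate) because the tunnel's smaller MTU is never discovered. Everything named below that is not in the post (eth0 as the outbound interface, the 10.10.10.0/24 pool, the MSS of 1360, the placeholder PSK, the IPT/SYSCTL overrides) is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: the server-side (Sa)
# pieces of a "hide IP" IKEv2 gateway, using the addresses from the post.
# Assumptions (not in the original): the internet-facing interface is eth0,
# clients receive virtual IPs from POOL via rightsourceip, the PSK is a
# placeholder, and IPT/SYSCTL can be overridden (IPT=echo) to print the
# commands instead of applying them.
set -e

SERV_PUBLIC_IP="10.0.4.21"     # from the post: address the client connects to
SERV_PRIVATE_IP="10.0.5.21"    # from the post: Sa's own address behind SG
WAN="${WAN:-eth0}"             # assumed: Sa's interface towards SG/internet
POOL="${POOL:-10.10.10.0/24}"  # assumed: virtual IP pool handed to clients
MSS="${MSS:-1360}"             # assumed: leaves room for ESP+UDP overhead in 1500 B
PSK="${PSK:-replace-with-a-long-random-secret}"  # placeholder, generate a real one
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Server config: a virtual IP makes the client's real (NATed) address
# irrelevant to the traffic selectors, so no per-client rightsubnet/rightid.
write_server_ipsec_conf() {
    cat >"$1" <<EOF
config setup

conn %default
    keyexchange=ikev2
    authby=secret

conn vpn1
    left=%any
    leftid=$SERV_PRIVATE_IP
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=$POOL
    auto=add
EOF
}

# Matching client config: request a virtual IP and route everything through.
write_client_ipsec_conf() {
    cat >"$1" <<EOF
config setup

conn %default
    keyexchange=ikev2
    authby=secret

conn vpn1
    leftsourceip=%config
    right=$SERV_PUBLIC_IP
    rightid=$SERV_PRIVATE_IP
    rightsubnet=0.0.0.0/0
    auto=start
EOF
}

# ipsec.secrets for either side; a bare ": PSK" entry applies to any peer.
write_secrets() {
    printf ': PSK "%s"\n' "$PSK" >"$1"
}

# NAT: pool traffic leaves with Sa's address. The first rule exempts packets
# that will themselves be IPsec-protected on the way out (e.g. client to
# client inside the pool). Replies are un-NATed by conntrack; no DNAT needed.
nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$POOL" -o "$WAN" -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$POOL" -o "$WAN" -j MASQUERADE
}

# Forward only packets that came out of the tunnel and packets going back in.
forward_rules() {
    $IPT -A FORWARD -m policy --dir in --pol ipsec --proto esp -s "$POOL" -j ACCEPT
    $IPT -A FORWARD -m policy --dir out --pol ipsec --proto esp -d "$POOL" -j ACCEPT
}

# MSS clamping on SYNs in both directions: ESP (plus UDP encapsulation behind
# NAT) shrinks the usable MTU inside the tunnel, and PMTU discovery often
# fails because ICMP "fragmentation needed" is filtered. Lowering the MSS
# advertised in each SYN keeps segments small enough to fit the tunnel.
mss_rules() {
    $IPT -t mangle -A FORWARD -m policy --dir in --pol ipsec -p tcp \
        --tcp-flags SYN,RST SYN -m tcpmss --mss "$((MSS + 1)):1536" \
        -j TCPMSS --set-mss "$MSS"
    $IPT -t mangle -A FORWARD -m policy --dir out --pol ipsec -p tcp \
        --tcp-flags SYN,RST SYN -m tcpmss --mss "$((MSS + 1)):1536" \
        -j TCPMSS --set-mss "$MSS"
}

# Forwarding must be enabled, or decrypted client packets are dropped.
apply_all() {
    $SYSCTL -w net.ipv4.ip_forward=1
    nat_rules
    forward_rules
    mss_rules
}

if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Run as root with `sh vpn-server.sh apply`, or `IPT=echo SYSCTL=echo sh vpn-server.sh apply` to see the rules without touching netfilter; the config writers take the destination path as their argument (for example `write_server_ipsec_conf /etc/ipsec.conf`). With the virtual IP in place, the client no longer needs its own SNAT, and `rightsubnet=0.0.0.0/0` on the client plus `leftsubnet=0.0.0.0/0` on the server is all the "send everything through" configuration required.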

