[strongSwan] Client access to DNS service running on same host as strongSwan server

Dan Vee sendmaildevnull at gmail.com
Sat Oct 7 00:27:49 CEST 2017


Anvar, thank you so much! This works perfectly.

On Fri, Oct 6, 2017 at 3:20 PM Anvar Kuchkartaev <anvar at anvartay.com> wrote:

> The best practice is to create a dummy virtual interface, assign an IP
> address to it, and use it as the DNS server IP address.
>
> modprobe dummy
> ip link set dummy0 up
> ifconfig dummy0 1.1.1.1/32
>
> Now you can use it as the internal IP address of the DNS server (you might
> replace 1.1.1.1 with another IP address according to your network planning).
>
> Anvar Kuchkartaev
> anvar at anvartay.com
> From: Dan Vee
> Sent: Saturday, 7 October 2017 12:01 a.m.
> To: users at lists.strongswan.org
> Subject: [strongSwan] Client access to DNS service running on same host
> as strongSwan server
>
> Hi,
>
> I currently have a strongSwan server set up on a VPS host, and I'm also
> running an adblocking DNS server (not exposed to internet) on this same
> host. The server only has one interface and it has a public IP address
> (e.g. 1.2.3.4). I'd like to configure strongSwan to hand out a DNS address
> (for this local DNS server) for any clients that connect. I have two
> problems:
> * I don't know how to make the DNS service running on the same VPS host
> accessible to the connecting client. My client has a virtual IP (e.g.
> 10.20.30.1) and I'm not sure how I can communicate directly with a service
> running locally on this VPS host.
> * I don't know what IP I should pass back to the client for this DNS
> address. I have no private IP address on this server. Should I return the
> public IP address for the server?
>
>
> Server config
> ------------------------------------
> config setup
>     uniqueids=never
>     charondebug="cfg 2, dmn 2, ike 2, net 2"
> conn %default
>     keyexchange=ike
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftca=ca.cert.pem
>     leftcert=server.cert.pem
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightdns=????
>     rightsourceip=10.20.30.0/24
>     rightsubnets=192.168.3.0/24
> conn IPSec-IKEv2
>     keyexchange=ikev2
>     ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
>     esp=aes256-sha256,3des-sha1,aes256-sha1!
>     leftid="1.2.3.4"
>     leftsendcert=always
>     leftauth=pubkey
>     rightauth=pubkey
>     rightid="client@1.2.3.4"
>     rightcert=client.cert.pem
>     auto=add
>
> Any help would be greatly appreciated. Thanks!
>
>
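
The dummy-interface approach from the reply, as an added example that is not part of the thread: a shell script that checks the chosen DNS address is RFC 1918 and outside the `rightsourceip` pool before printing the setup commands and the `rightdns` line. The candidate address 10.20.31.1, the function names, and the use of iproute2 `ip` in place of `modprobe`/`ifconfig` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a candidate DNS address for the
# dummy interface, then prints the setup commands and the ipsec.conf line.
# Constructed sample values: 10.20.31.1 (candidate), pool from the posted config.

# ip_to_int A.B.C.D: print the address as a 32-bit integer; fail if malformed.
ip_to_int() {
    case $1 in *[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS: succeed when ADDR lies inside the network.
in_cidr() {
    c_addr=$(ip_to_int "$1") || return 2
    c_net=$(ip_to_int "${2%/*}") || return 2
    c_mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( c_addr & c_mask )) -eq $(( c_net & c_mask )) ]
}

# plan_dns_addr ADDR POOL: refuse addresses that are not RFC 1918 (they would
# shadow a routable host) or that fall inside the virtual IP pool.
plan_dns_addr() {
    dns=$1; pool=$2; private=no
    ip_to_int "$dns" >/dev/null || { echo "invalid address: $dns" >&2; return 1; }
    for rfc1918 in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_cidr "$dns" "$rfc1918"; then private=yes; fi
    done
    [ "$private" = yes ] || { echo "refusing $dns: not RFC 1918" >&2; return 1; }
    if in_cidr "$dns" "$pool"; then
        echo "refusing $dns: inside client pool $pool" >&2; return 1
    fi
    cat <<EOF
ip link add dummy0 type dummy
ip addr add $dns/32 dev dummy0
ip link set dummy0 up
# ipsec.conf, in the conn section: rightdns=$dns
EOF
}

plan_dns_addr "${1:-10.20.31.1}" "${2:-10.20.30.0/24}"
```

The DNS service also has to listen on the dummy address; `leftsubnet=0.0.0.0/0` in the posted config already routes client traffic for it through the tunnel.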