[strongSwan] How to properly set up the "hide IP" VPN function?

strongswan_user at mail.ru
Fri Mar 30 19:21:26 CEST 2018


In case this comes up for someone in a search: SOLVED.
Need this on the server:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128


>Tuesday, 25 July 2017, 20:24 +03:00, from strongswan_user at mail.ru:
>
>Hello all!
>
>I want the common "hide IP" feature of VPN. I (tried to) use the tunnel mode (no L2TP), IKEv2, and manually (and naively?) set the needed D/SNAT rules. It all basically works, but not for all web sites. All http seem to work (mostly..), and most https are fine too, while some https take forever, as if no reply from DNS (no errors; Firefox). I don't know anything about
>TLS debugging, and I didn't try to actually debug it (yet).
>
>Below are details of how I did it. Hopefully I'm just missing some simple setting, and somebody can spot it.. Or, alternatively, could you suggest some instructions how to set it up best?
>
>
>  .1.21  .1.20 .2.20  .2.21 .3.20    .3.21 .4.20    .4.21 .5.20    .5.21
>  Ca---------CG-----------I1-------------J1------+-----SG------------Sa
>client:      NAT          these 2 hosts          |     NAT         server
>Firefox    gateway        simulate internet      |   gateway
>                                                 |
>                                                 |
>                                                 |
>                            Internet             |.4.31
>                           provider's           tap2 - my real PC
>   real internet ----------- router ----------- eth0
>                                192.168.100.1   192.168.100.101
>
>(copy-paste to a fixed-width editor to view it properly)
>
>The upper part is in Qemu/KVM, strongSwan U5.5.1/K4.9.0-3-amd64. IP addresses are like 10.0.x.y, .x.y indicated. All Qemus and my PC are Debian 9 Stretch. The bottom is real hardware.
>
>SG forwards (DNAT) all traffic to Sa:
>iptables -t nat -A PREROUTING -p all ! -s 10.0.5.21 -d 10.0.4.21 \
>-m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.5.21
>
>Assume below:
>CLIENT_PRIVATE_IP="10.0.1.23";
>SERV_PUBLIC_IP="10.0.4.21"
>SERV_PRIVATE_IP="10.0.5.21"
>
>Main magic for the VPN feature I want, on Sa:
>iptables -t nat -A POSTROUTING -s $CLIENT_PRIVATE_IP -j SNAT --to-source $SERV_PRIVATE_IP
>iptables -t nat -A PREROUTING -d $SERV_PRIVATE_IP \
>-m state --state NEW,ESTABLISHED,RELATED -j DNAT --to $CLIENT_PRIVATE_IP
>
>The host (real PC) masquerades all packets coming from tap2:
>iptables -t nat -A POSTROUTING -s 10.0.4.0/24 -j MASQUERADE
>
>Default gateway for J1 is my host's tap2 address - 10.0.4.31
>
>Server Sa:
>
>/etc/ipsec.conf :
>config setup
>conn %default
>    keyexchange=ikev2
>conn vpn1
>    leftsubnet=0.0.0.0/0
>    right=%any
>    rightid=$CLIENT_PRIVATE_IP
>    rightsubnet=$CLIENT_PRIVATE_IP/32
>    auto=route
>    authby=secret
>
>/etc/ipsec.secrets :
>$CLIENT_PRIVATE_IP : PSK 0x123
>
>Client Ca:
>
>/etc/ipsec.conf :
>config setup
>conn %default
>    keyexchange=ikev2
>conn vpn1
>    right=$SERV_PUBLIC_IP
>    rightid=$SERV_PRIVATE_IP
>    rightsubnet=0.0.0.0/0
>    auto=start
>    authby=secret
>
>/etc/ipsec.secrets :
>$SERV_PRIVATE_IP : PSK 0x123
>
>(strongSwan config files not touched, default)
>
>I tried to reduce MTU to 1280 (from 1500) on Sa - no luck.
>
>Thank you - whoever replies with some hints.

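The fix in the reply is an MSS clamp on the server's FORWARD chain. As an added example that is not from the list post, the POSIX shell functions below estimate the largest TCP MSS that fits through an IPv4 IKEv2 ESP tunnel-mode SA for a given outer MTU and cipher overhead, and print the matching TCPMSS rule; the cipher parameters (AES-CBC-128 with HMAC-SHA1-96, or AES-GCM-128, with or without NAT-T UDP encapsulation) are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the list post. Estimates the largest TCP MSS that fits
# through an IPv4 IKEv2 ESP tunnel-mode SA and prints the matching TCPMSS clamp
# rule for the FORWARD chain. The cipher parameters are assumptions, not values
# from the thread.
#
# Arguments for every function: OUTER_MTU BLOCK IV ICV NATT
#   BLOCK  alignment of (inner packet + ESP trailer): 16 for AES-CBC, 4 for AES-GCM
#   IV     ESP IV length in bytes: 16 for AES-CBC, 8 for AES-GCM
#   ICV    integrity tag length: 12 for HMAC-SHA1-96, 16 for AES-GCM-128
#   NATT   1 when UDP encapsulation (port 4500) is in use, else 0

# Largest inner IPv4 packet whose ESP encapsulation fits in one outer MTU.
esp_max_inner() {
    mtu=$1; block=$2; iv=$3; icv=$4; natt=$5
    # Fixed per-packet cost: outer IPv4 header (20) + UDP-encap header (8 if
    # NAT-T) + SPI and sequence number (8) + IV + ICV.
    fixed=$((20 + natt * 8 + 8 + iv + icv))
    # What remains must hold inner packet + padding + 2 trailer bytes (pad
    # length, next header), aligned to BLOCK. Round down, then drop the trailer.
    room=$(( (mtu - fixed) / block * block ))
    echo $((room - 2))
}

# MSS the inner TCP segment may carry: inner packet minus IPv4 (20) and TCP (20).
tcp_mss_for() {
    inner=$(esp_max_inner "$@")
    echo $((inner - 40))
}

# The FORWARD-chain clamp, in the same form as the rule in the reply above,
# but with a computed MSS instead of a hard-coded one.
clamp_rule() {
    echo "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(tcp_mss_for "$@")"
}

# Example: 1500-byte outer MTU, AES-CBC-128 + HMAC-SHA1-96, behind NAT (NAT-T).
clamp_rule 1500 16 16 12 1
```

When the outer path MTU is not known in advance, the TCPMSS target's `--clamp-mss-to-pmtu` option is the usual alternative to a fixed `--set-mss` value.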

