[strongSwan] Forcing all traffic from a specific user to use Strongswan
Gilles Printemps
gprintemps at gmail.com
Fri May 18 11:26:37 CEST 2018
Hi Phil, All
I tried to look for some details how to implement a route based VPN and
I've created the following configuration
First, I've created the following script which will be called by the VPN at
the start/end of the connection
As a test, I tried to route only 172.217.19.69 (it's one of the google
addresses)
[/etc/ipsec.script.sh]
#!/bin/bash
set -o nounset
set -o errexit
# one VTI per IKE_SA, named after strongSwan's unique id
VTI_IF="vti${PLUTO_UNIQUEID}"
case "${PLUTO_VERB}" in
up-client)
    # VTI keyed with the marks strongSwan set on the CHILD_SA
    ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
        okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
    ip link set "${VTI_IF}" up
    ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
    # test: only this single host is routed through the tunnel
    ip route add 172.217.19.68/32 dev "${VTI_IF}"
    sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    ;;
down-client)
    ip tunnel del "${VTI_IF}"
    ;;
esac
and the IPsec configuration [/etc/ipsec.conf]
conn hide-nl
    keyexchange=ike
    dpdaction=clear
    dpddelay=300s
    eap_identity=gprintemps
    leftupdown=/usr/local/sbin/ipsec-notify.sh
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=free-nl.hide.me
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    type=tunnel
    auto=route
I started the VPN + the "hide-nl" connection
Routed Connections:
hide-nl{1}: ROUTED, TUNNEL, reqid 1
hide-nl{1}: 10.211.55.15/32 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
hide-nl[1]: ESTABLISHED 20 minutes ago, 10.211.55.15[10.211.55.15]...95.211.101.198[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
hide-nl{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca4900c6_i cd2bd533_o
hide-nl{2}: 10.3.150.159/32 === 0.0.0.0/0
I'm not really sure the VPN is used when I call "curl 172.217.19.68".
Indeed, I don't see any trace of the "vtixx" interface. I'm sure.
Moreover, something seems strange in my ipsec.conf - Does it mean the
filter is only done in the script and each time the interface is created?
Seems I need help and explanations/pointers...
Thanks / Best Regards,
Gilles
On Thu, May 17, 2018 at 3:16 PM, Phil Frost <phil at postmates.com> wrote:
> One way to go would be configuring a route based VPN[1]. Then you can use
> all kinds of Linux routing tricks to get just that user's traffic over the
> VPN by directing it to the vti interface. For example you could launch that
> user's processes in a network namespace, or use the "owner" module of
> iptables to match traffic from processes run as that user and mangle them
> to use the VPN.
>
> [1]: https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>
> On Thu, May 17, 2018 at 9:25 AM Gilles Printemps <gprintemps at gmail.com>
> wrote:
>
>> Hi,
>> Is there a way to force all the traffic from a specific linux user to be
>> routed through the VPN?
>> I would like to use the split tunnelling but I don't understand how to
>> configure Strongswan?
>>
>> Thanks for your help / BR Gilles
>>
>
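Phil's suggestion above (a route-based VPN plus the iptables "owner" match), worked through as an added example; this is not code from the thread or from the strongSwan project. It assumes the conn carries mark=%unique so the VTI keys match the SA marks, and VPN_USER, FWMARK and RT_TABLE are assumed values:

```shell
#!/bin/sh
# Added example, not from the thread: a strongSwan leftupdown script that
# builds the VTI for a route-based VPN and then steers only the traffic of
# one Linux user (VPN_USER) through it: iptables owner match -> fwmark ->
# policy-routing table whose default route is the VTI. Assumes the conn has
# mark=%unique; VPN_USER, FWMARK and RT_TABLE are assumed values.
set -o nounset -o errexit
VPN_USER="${VPN_USER:-vpnuser}"     # assumed: user whose traffic is captured
FWMARK="${FWMARK:-0x10000}"         # assumed: mark not used by strongSwan
RT_TABLE="${RT_TABLE:-100}"         # assumed: free routing table number
DRY_RUN="${DRY_RUN:-0}"             # DRY_RUN=1 prints the commands instead

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
vti_name() { echo "vti${PLUTO_UNIQUEID}"; }

vpn_up() {
  vti="$(vti_name)"
  # okey/ikey must equal the marks strongSwan put on the SA (mark=%unique)
  run ip tunnel add "$vti" local "$PLUTO_ME" remote "$PLUTO_PEER" mode vti \
      okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
  run ip link set "$vti" up
  run ip addr add "$PLUTO_MY_SOURCEIP" dev "$vti"
  run sysctl -w "net.ipv4.conf.${vti}.disable_policy=1"
  # Separate table: everything marked FWMARK takes the VTI as default route
  run ip route add default dev "$vti" table "$RT_TABLE"
  run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
  # Mark packets generated by VPN_USER's processes (locally generated only)
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPN_USER" \
      -j MARK --set-mark "$FWMARK"
  # Source address was chosen before the re-route; rewrite it to the tunnel IP
  run iptables -t nat -A POSTROUTING -o "$vti" -j SNAT --to-source "$PLUTO_MY_SOURCEIP"
  # Fail closed: drop the user's packets that leave on anything but a VTI
  run iptables -A OUTPUT -m owner --uid-owner "$VPN_USER" ! -o 'vti+' ! -o lo -j DROP
}

vpn_down() {
  vti="$(vti_name)"
  run iptables -t nat -D POSTROUTING -o "$vti" -j SNAT --to-source "$PLUTO_MY_SOURCEIP"
  run iptables -t mangle -D OUTPUT -m owner --uid-owner "$VPN_USER" \
      -j MARK --set-mark "$FWMARK"
  run ip rule del fwmark "$FWMARK" lookup "$RT_TABLE"
  run ip route del default dev "$vti" table "$RT_TABLE"
  run ip tunnel del "$vti"
  # The DROP rule is left in place on purpose so nothing leaks while down
}
case "${PLUTO_VERB:-}" in
  up-client)   vpn_up ;;
  down-client) vpn_down ;;
esac
```

Run it with DRY_RUN=1 and the PLUTO_* variables set by hand to see exactly which ip/iptables commands strongSwan would trigger before installing it as leftupdown.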