[strongSwan] Forcing all traffic from a specific user to use Strongswan

[Gilles Printemps]

Hi Phil, All
I tried to look for some details how to implement a route based VPN and
I've created the following configuration

First, I've created the following script which will be called by the VPN at
the start/end of the connection
As a test, I tried to route only 172.217.19.69 (it's one of the google
addresses)
[/etc/ipsec.script.sh]

#!/bin/bash
> set -o nounset
> set -o errexit
> VTI_IF="vti${PLUTO_UNIQUEID}"
> case "${PLUTO_VERB}" in
>     up-client)
>         ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote
> "${PLUTO_PEER}" mode vti \
>             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>         ip link set "${VTI_IF}" up
>         ip addr add ${PLUTO_MY_SOURCEIP} dev "${VTI_IF}"
>         ip route add 172.217.19.68/32 dev "${VTI_IF}"
>         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
>         ;;
>     down-client)
>         ip tunnel del "${VTI_IF}"
>         ;;
> esac


and the IPSec configuration [etc/ipsec.conf]

conn hide-nl
>        keyexchange=ike
>        dpdaction=clear
>        dpddelay=300s
>        eap_identity=gprintemps
>        leftupdown=/usr/local/sbin/ipsec-notify.sh
>        leftauth=eap-mschapv2
>        left=%defaultroute
>        leftsourceip=%config
>        right=free-nl.hide.me
>        rightauth=pubkey
>        rightsubnet=0.0.0.0/0
>        rightid=%any
>        type=tunnel
>        auto=route
>

I started the VPN + the "hides-nl" connection

> Routed Connections:
>      hide-nl{1}:  ROUTED, TUNNEL, reqid 1
>      hide-nl{1}:   10.211.55.15/32 === 0.0.0.0/0
> Security Associations (1 up, 0 connecting):
>      hide-nl[1]: ESTABLISHED 20 minutes ago,
> 10.211.55.15[10.211.55.15]...95.211.101.198[C=MY, ST=Wilayah Persekutuan,
> L=Labuan, O=eVenture Limited, CN=*.hide.me]
>      hide-nl{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca4900c6_i
> cd2bd533_o
>      hide-nl{2}:   10.3.150.159/32 === 0.0.0.0/0


I'm not really sure the VPN is used when I call "curl 172.217.19.68"
Indeed, I don't see any trace of the "vtixx" interface.I'm sure.
Moreover, something seems strange in my ipsec.conf - Does it mean the
filter is only done in the script and each time the interface is created?

Seems I need help and explanations/pointers...
Thanks / Best Regards,
Gilles


On Thu, May 17, 2018 at 3:16 PM, Phil Frost <phil at postmates.com> wrote:

> One way to go would be configuring a route based VPN[1]. Then you can use
> all kinds of Linux routing tricks to get just that user's traffic over the
> VPN by directing it to the vti interface. For example you could launch that
> user's processes in a network namespace, or use the "owner" module of
> iptables to match traffic from processes run as that user and mangle them
> to use the VPN.
>
>   [1]: https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>
> On Thu, May 17, 2018 at 9:25 AM Gilles Printemps <gprintemps at gmail.com>
> wrote:
>
>> Hi,
>> Is there a way to force all the traffic from a specific linux user to be
>> routed through the VPN?
>> I would like to use the split tunnelling but I don't understand how to
>> configure Strongswan?
>>
>> Thanks for your help / BR Gilles
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180518/65af3c14/attachment.html>