[strongSwan] Forcing all traffic from a specific user to use Strongswan

Phil Frost phil at postmates.com
Fri May 18 14:37:28 CEST 2018


It looks like the leftupdown option is set to run some other script than
the one you created.

On Fri, May 18, 2018, 05:26 Gilles Printemps <gprintemps at gmail.com> wrote:

> Hi Phil, All
> I tried to look for some details how to implement a route based VPN and
> I've created the following configuration
>
> First, I've created the following script which will be called by the VPN
> at the start/end of the connection
> As a test, I tried to route only 172.217.19.69 (it's one of the google
> addresses)
> [/etc/ipsec.script.sh]
>
> #!/bin/bash
> set -o nounset
> set -o errexit
> VTI_IF="vti${PLUTO_UNIQUEID}"
> case "${PLUTO_VERB}" in
>     up-client)
>         ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>         ip link set "${VTI_IF}" up
>         ip addr add ${PLUTO_MY_SOURCEIP} dev "${VTI_IF}"
>         ip route add 172.217.19.68/32 dev "${VTI_IF}"
>         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
>         ;;
>     down-client)
>         ip tunnel del "${VTI_IF}"
>         ;;
> esac
>
>
> and the IPSec configuration [etc/ipsec.conf]
>
> conn hide-nl
>        keyexchange=ike
>        dpdaction=clear
>        dpddelay=300s
>        eap_identity=gprintemps
>        leftupdown=/usr/local/sbin/ipsec-notify.sh
>        leftauth=eap-mschapv2
>        left=%defaultroute
>        leftsourceip=%config
>        right=free-nl.hide.me
>        rightauth=pubkey
>        rightsubnet=0.0.0.0/0
>        rightid=%any
>        type=tunnel
>        auto=route
>
>
> I started the VPN + the "hides-nl" connection
>
> Routed Connections:
>      hide-nl{1}:  ROUTED, TUNNEL, reqid 1
>      hide-nl{1}:   10.211.55.15/32 === 0.0.0.0/0
> Security Associations (1 up, 0 connecting):
>      hide-nl[1]: ESTABLISHED 20 minutes ago, 10.211.55.15[10.211.55.15]...95.211.101.198[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
>      hide-nl{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca4900c6_i cd2bd533_o
>      hide-nl{2}:   10.3.150.159/32 === 0.0.0.0/0
>
>
> I'm not really sure the VPN is used when I call "curl 172.217.19.68"
> Indeed, I don't see any trace of the "vtixx" interface. I'm sure.
> Moreover, something seems strange in my ipsec.conf - Does it mean the
> filter is only done in the script and each time the interface is created?
>
> Seems I need help and explanations/pointers...
> Thanks / Best Regards,
> Gilles
>
>
> On Thu, May 17, 2018 at 3:16 PM, Phil Frost <phil at postmates.com> wrote:
>
>> One way to go would be configuring a route based VPN[1]. Then you can use
>> all kinds of Linux routing tricks to get just that user's traffic over the
>> VPN by directing it to the vti interface. For example you could launch that
>> user's processes in a network namespace, or use the "owner" module of
>> iptables to match traffic from processes run as that user and mangle them
>> to use the VPN.
>>
>>   [1]: https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>
>> On Thu, May 17, 2018 at 9:25 AM Gilles Printemps <gprintemps at gmail.com>
>> wrote:
>>
>>> Hi,
>>> Is there a way to force all the traffic from a specific linux user to be
>>> routed through the VPN?
>>> I would like to use the split tunnelling but I don't understand how to
>>> configure Strongswan?
>>>
>>> Thanks for your help / BR Gilles
>>>
>>
>
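As an added example (not code from this thread, from Gilles's script, or from strongSwan), here is how the iptables "owner" match and fwmark policy routing that Phil mentions can be wired to the VTI interface the updown script creates, so that only one user's traffic goes through the tunnel and fails closed when the tunnel is down. It assumes the VTI is named vti1, the user is vpnuser, and fwmark 0x2 and routing table 100 are unused; those names and values are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan.
# Steers one Linux user's traffic into the route-based VPN: packets from the
# user's processes get a fwmark via the iptables owner match, and a policy
# routing rule sends marked packets to a table whose only default route is the
# VTI. Assumed values: VTI vti1, user vpnuser, mark 0x2, table 100.
set -o nounset
set -o errexit

VTI_IF="${VTI_IF:-vti1}"
VPN_USER="${VPN_USER:-vpnuser}"
FWMARK="${FWMARK:-0x2}"      # must differ from the XFRM marks strongSwan uses
RT_TABLE="${RT_TABLE:-100}"
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the steering rules; run once the VTI is up (e.g. from the up-client branch).
user_vpn_up() {
    # Mark locally generated packets owned by the user; the kernel re-routes
    # packets whose mark changed in mangle OUTPUT.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-mark "$FWMARK"
    # Marked packets consult the dedicated table, whose default route is the VTI.
    run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE" priority 1000
    run ip route add default dev "$VTI_IF" table "$RT_TABLE"
    # Strict reverse-path filtering would drop replies arriving on the VTI.
    run sysctl -w "net.ipv4.conf.${VTI_IF}.rp_filter=2"
    # Fail closed: with the tunnel down the user's packets must not fall back
    # to the default route. filter OUTPUT sees the post-reroute interface.
    run iptables -A OUTPUT -m owner --uid-owner "$VPN_USER" ! -o "$VTI_IF" ! -o lo -j REJECT
}

# Remove the rules in reverse order; each step tolerates an already-missing rule.
user_vpn_down() {
    run iptables -D OUTPUT -m owner --uid-owner "$VPN_USER" ! -o "$VTI_IF" ! -o lo -j REJECT || true
    run sysctl -w "net.ipv4.conf.${VTI_IF}.rp_filter=1" || true
    run ip route flush table "$RT_TABLE" || true
    run ip rule del fwmark "$FWMARK" lookup "$RT_TABLE" priority 1000 || true
    run iptables -t mangle -D OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-mark "$FWMARK" || true
}
case "${1:-}" in
    up)   user_vpn_up ;;
    down) user_vpn_down ;;
esac
```

Two caveats: the kernel applies the stricter of net.ipv4.conf.all.rp_filter and the per-interface value, so a global strict setting must be relaxed as well, and DNS queries issued by a system resolver running as another user are not matched by the owner rule and will still leave via the default route.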