[strongSwan] Forcing all traffic from a specific user to use Strongswan

Gilles Printemps gprintemps at gmail.com
Thu May 24 17:24:43 CEST 2018


Some updates.
I'm now able to create the vti interface and I have an address assigned to
the vti

Result of "ifconfig"
vti0      Link encap:IPIP Tunnel  HWaddr
          inet addr:10.3.188.149  P-t-P:10.3.188.149  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Can someone confirm that I now have to route all the marked packets to this
interface to go through the VPN, and whether the address assigned to the vti
can be seen as a gateway for the VPN?


FYI, following files have been updated.

[/etc/ipsec.conf]

> conn VPN
>         keyexchange=ike
>         dpdaction=clear
>         dpddelay=300s
>         leftupdown=/etc/ipsec.script.sh
>         left=%defaultroute
>         leftsourceip=%config4
>         leftauth=eap-mschapv2
>         eap_identity=gprintemps
>         right=free-nl.hide.me
>         rightauth=pubkey
>         rightid=%any
>         rightsubnet=0.0.0.0/0
>         auto=route
>         mark=2


[/etc/ipsec.script.sh]

> #!/bin/bash
> set -o nounset
> set -o errexit
> VTI_IF="vti0"
> case "${PLUTO_VERB}" in
>     up-client)
>         ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>                       okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>         ip link set "${VTI_IF}" up
>         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
>         ip addr add ${PLUTO_MY_SOURCEIP} dev "${VTI_IF}"
>         ;;
>     down-client)
>         ip tunnel del "${VTI_IF}"
>         ;;
> esac



On Thu, May 24, 2018 at 12:15 PM, Gilles Printemps <gprintemps at gmail.com>
wrote:

I already prepared the next step (after fixing the current issue), I've
> created the following script
>
>> #!/bin/bash
>> export TABLE_ID="vpn"          # must be listed in /etc/iproute2/rt_tables
>> export VPN_USER="vpn"
>> export VPN_INTERFACE="vti0"
>> export LAN="10.211.55.0/24"
>>
>> # Flush iptables rules
>> iptables -F -t nat
>> iptables -F -t mangle
>> iptables -F -t filter
>> # Mark packets from $VPN_USER
>> iptables -t mangle -A OUTPUT ! -d $LAN -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
>> iptables -t mangle -A OUTPUT ! -s $LAN -j MARK --set-mark 0x1
>> # Allow $VPN_USER to access lo and VPN interfaces (these ACCEPT rules must
>> # come before the catch-all DROP below, otherwise the DROP matches first)
>> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
>> iptables -A OUTPUT -o $VPN_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
>> # Deny $VPN_USER to access other interfaces than lo and the VPN
>> iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
>>
>> # Allow response from $VPN_INTERFACE
>> iptables -A INPUT -i $VPN_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
>> # Masquerade packets on $VPN_INTERFACE
>> iptables -t nat -A POSTROUTING -o $VPN_INTERFACE -j MASQUERADE
>>
>> # Routing rules ($GATEWAY is not set anywhere in this script)
>> ip route replace default via $GATEWAY table $TABLE_ID
>> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
>> ip route flush cache
>
>
> The purpose is to mark all packets from VPN_USER and to redirect them to the
> ipsec interface created by the configuration.
> I'm planning to do it with the following command:
>
>> ip rule add from all fwmark 0x1 lookup vpn
>
>
> Best Regards,
> Gilles
>
>
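The policy-routing step the question is about, as an added example that is not from this thread or the strongSwan project: it assumes the table name `vpn` (listed in `/etc/iproute2/rt_tables`), the mark `0x1` and the `vti0` interface from the scripts above, adds an `unreachable` fallback so marked traffic fails closed instead of leaking onto the main default route when the tunnel is down, and includes a lookup check (`RUN=echo` prints the commands without root).

```shell
#!/bin/bash
# Added example, not from the original thread or the strongSwan project:
# policy-route packets carrying the iptables fwmark into the vti, then check
# the lookup. Assumes the table name "vpn" is listed in /etc/iproute2/rt_tables,
# vti0 is up with its leftsourceip address, and the VPN user's packets are
# marked 0x1 (the values used in the scripts above).
set -o nounset
set -o errexit

VTI_IF="${VTI_IF:-vti0}"
FWMARK="${FWMARK:-0x1}"
TABLE_ID="${TABLE_ID:-vpn}"
# Set RUN=echo to print the commands instead of executing them (no root needed).
RUN="${RUN:-}"

# A vti is point-to-point, so the default route in the VPN table only needs
# "dev": no next-hop address (the vti's own address is not a gateway).
# The lower-priority "unreachable" route makes marked traffic fail closed if
# vti0 disappears, instead of falling back to the main table's default route.
vpn_routing_setup() {
    $RUN ip rule add fwmark "$FWMARK" lookup "$TABLE_ID" priority 100
    $RUN ip route replace default dev "$VTI_IF" table "$TABLE_ID" metric 10
    $RUN ip route replace unreachable default table "$TABLE_ID" metric 100
    $RUN ip route flush cache
}

# Succeeds when the text of an "ip route get" result selected the vti.
route_via_vti() {
    case " $1 " in
        *" dev $VTI_IF "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live leak check: a marked lookup must pick the vti, an unmarked one must not.
vpn_routing_check() {
    probe="${1:-1.1.1.1}"
    route_via_vti "$(ip route get "$probe" mark "$FWMARK")" || return 1
    ! route_via_vti "$(ip route get "$probe")"
}

# Run as root: vpn_routing_setup && vpn_routing_check
```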

