[strongSwan] Forcing all traffic from a specific user to use Strongswan
Phil Frost
phil at postmates.com
Fri May 25 15:57:32 CEST 2018
To check your routing tables, you can use `ip route get SOME_IP_ADDRESS`.
You can also inspect the routing tables with `ip route`. One non-obvious
thing is strongswan may install an additional route table. You can see all
the tables that exist with `ip rule`. The one strongswan makes is called
simply "220". `ip route` will show the main table, and the 220 table can be
shown with `ip route list table 220`. With the usual way the rules are set
(ip rule), anything in table 220 will override the main table.
In my case I found it best to disable strongswan's management of the route
table and ip addresses with the `charon.install_routes = no` and
`charon.install_virtual_ip = no` settings. I handle all of it in my own
networking scripts.
On Thu, May 24, 2018 at 11:24 AM Gilles Printemps <gprintemps at gmail.com>
wrote:
> Some updates.
> I'm now able to create the vti interface and I have an address assigned to
> the vti
>
> Result of "ifconfig"
> vti0 Link encap:IPIP Tunnel HWaddr
> inet addr:10.3.188.149 P-t-P:10.3.188.149 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> Can someone confirm I now have to route all the marked packets to this
> interface to go through the VPN, and whether the address assigned to the vti
> can be seen as a gateway for the VPN?
>
>
> FYI, the following files have been updated.
>
> [/etc/ipsec.conf]
>
>> conn VPN
>>     keyexchange=ike
>>     dpdaction=clear
>>     dpddelay=300s
>>     leftupdown=/etc/ipsec.script.sh
>>     left=%defaultroute
>>     leftsourceip=%config4
>>     leftauth=eap-mschapv2
>>     eap_identity=gprintemps
>>     right=free-nl.hide.me
>>     rightauth=pubkey
>>     rightid=%any
>>     rightsubnet=0.0.0.0/0
>>     auto=route
>>     # SA mark; handed to the updown script as PLUTO_MARK_IN/PLUTO_MARK_OUT
>>     mark=2
>
>
> [/etc/ipsec.script.sh]
>
>> #!/bin/bash
>> set -o nounset
>> set -o errexit
>> VTI_IF="vti0"
>> case "${PLUTO_VERB}" in
>>     up-client)
>>         # Create the VTI; ikey/okey must equal the SA marks (mark=2 in ipsec.conf),
>>         # which charon passes as PLUTO_MARK_IN/PLUTO_MARK_OUT in "mark/mask" form
>>         ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>>             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>>         ip link set "${VTI_IF}" up
>>         # Do not subject packets decapsulated on the VTI to an XFRM policy check
>>         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
>>         # Assign the virtual IP obtained via leftsourceip=%config4
>>         ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
>>         ;;
>>     down-client)
>>         ip tunnel del "${VTI_IF}"
>>         ;;
>> esac
>
>
>
> On Thu, May 24, 2018 at 12:15 PM, Gilles Printemps <gprintemps at gmail.com>
> wrote:
>
>> I already prepared the next step (after fixing the current issue), I've
>> created the following script
>>
>>> #!/bin/bash
>>> export TABLE_ID="vpn"            # needs an entry in /etc/iproute2/rt_tables
>>> export VPN_USER="vpn"
>>> export VPN_INTERFACE="vti0"
>>> export LAN="10.211.55.0/24"
>>> # GATEWAY is expected to be set in the environment before running this script
>>>
>>> # Flush iptables rules
>>> iptables -F -t nat
>>> iptables -F -t mangle
>>> iptables -F -t filter
>>> # Mark packets from $VPN_USER (except those destined for the LAN)
>>> iptables -t mangle -A OUTPUT ! -d "$LAN" -m owner --uid-owner "$VPN_USER" -j MARK --set-mark 0x1
>>> iptables -t mangle -A OUTPUT ! -s "$LAN" -j MARK --set-mark 0x1
>>> # Allow $VPN_USER to access lo and the VPN interface (these must precede the DROP,
>>> # since rules are matched in order)
>>> iptables -A OUTPUT -o lo -m owner --uid-owner "$VPN_USER" -j ACCEPT
>>> iptables -A OUTPUT -o "$VPN_INTERFACE" -m owner --uid-owner "$VPN_USER" -j ACCEPT
>>> # Deny $VPN_USER access to any other interface
>>> iptables -A OUTPUT ! -o lo -m owner --uid-owner "$VPN_USER" -j DROP
>>>
>>> # Allow responses from $VPN_INTERFACE
>>> iptables -A INPUT -i "$VPN_INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>> # Masquerade packets on $VPN_INTERFACE
>>> iptables -t nat -A POSTROUTING -o "$VPN_INTERFACE" -j MASQUERADE
>>>
>>> # Routing rules
>>> ip route replace default via "$GATEWAY" table "$TABLE_ID"
>>> ip route append default via 127.0.0.1 dev lo table "$TABLE_ID"
>>> ip route flush cache
>>
>>
>> The purpose is to mark all packets from VPN_USER and to redirect them to the
>> ipsec interface created by the configuration.
>> I'm planning to do it with the following command:
>>
>>> ip rule add from all fwmark 0x1 lookup vpn
>>
>>
>> Best Regards,
>> Gilles
>>
>>
>
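The policy-routing behaviour discussed above (strongSwan's table 220 taking precedence over the main table, and the planned `fwmark 0x1 lookup vpn` rule), as an added illustration that is not code from either poster: a small Python model of the Linux rule/table lookup, run over constructed sample rules and routes. The table contents, rule priorities and addresses are assumptions made for the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:                       # one line of `ip rule`
    priority: int
    table: str
    fwmark: Optional[int] = None  # None: rule matches any mark
    src: Optional[str] = None     # None: "from all"

@dataclass
class Route:                      # one line of `ip route list table <t>`
    prefix: str
    dev: str
    via: Optional[str] = None

def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for r in table:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best

def route_get(rules, tables, dst, fwmark=0, src=None):
    """Emulate `ip route get DST mark FWMARK`: first table (by rule priority) with a matching route wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        if rule.src is not None and (src is None or ip_address(src) not in ip_network(rule.src)):
            continue
        hit = lookup_table(tables.get(rule.table, []), dst)
        if hit is not None:
            return rule.table, hit
    return None, None

# Constructed sample data: LAN 10.211.55.0/24 behind eth0, a table 220 holding the 0.0.0.0/0
# route charon installs for rightsubnet=0.0.0.0/0, and Gilles's "vpn" table pointing at vti0.
TABLES = {
    "main": [Route("10.211.55.0/24", "eth0"), Route("0.0.0.0/0", "eth0", via="10.211.55.1")],
    "220": [Route("0.0.0.0/0", "eth0", via="10.211.55.1")],
    "vpn": [Route("0.0.0.0/0", "vti0")],
}
RULES_CHARON = [Rule(0, "local"), Rule(220, "220"), Rule(32766, "main")]                 # install_routes=yes
RULES_FWMARK = [Rule(0, "local"), Rule(100, "vpn", fwmark=0x1), Rule(32766, "main")]     # install_routes=no
```

With RULES_CHARON even a LAN destination such as 10.211.55.7 resolves through table 220, which is the override Phil describes; with RULES_FWMARK only traffic carrying mark 0x1 is sent to vti0 and unmarked traffic falls through to main.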