[strongSwan] Forcing all traffic from a specific user to use Strongswan

Phil Frost phil at postmates.com
Fri May 25 15:57:32 CEST 2018


To check your routing tables, you can use `ip route get SOME_IP_ADDRESS`.

You can also inspect the routing tables with `ip route`. One non-obvious
thing is that strongswan may install an additional route table. You can see all
the tables that exist with `ip rule`. The one strongswan makes is called
simply "220". `ip route` will show the main table, and the 220 table can be
shown with `ip route list table 220`. With the usual way the rules are set
(ip rule), anything in table 220 will override the main table.

In my case I found it best to disable strongswan's management of the route
table and ip addresses with the `charon.install_routes = no` and
`charon.install_virtual_ip = no` settings. I handle all of it in my own
networking scripts.

On Thu, May 24, 2018 at 11:24 AM Gilles Printemps <gprintemps at gmail.com>
wrote:

> Some updates.
> I'm now able to create the vti interface and I have an address assigned to
> the vti
>
> Result of "ifconfig"
> vti0      Link encap:IPIP Tunnel  HWaddr
>           inet addr:10.3.188.149  P-t-P:10.3.188.149  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> Can someone confirm that I now have to route all the marked packets to this
> interface to go through the VPN, and whether the address assigned to the vti
> can be seen as a gateway for the VPN?
>
>
> FYI, following files have been updated.
>
> [/etc/ipsec.conf]
>
>> conn VPN
>>         keyexchange=ike
>>         dpdaction=clear
>>         dpddelay=300s
>>         leftupdown=/etc/ipsec.script.sh
>>         left=%defaultroute
>>         leftsourceip=%config4
>>         leftauth=eap-mschapv2
>>         eap_identity=gprintemps
>>         right=free-nl.hide.me
>>         rightauth=pubkey
>>         rightid=%any
>>         rightsubnet=0.0.0.0/0
>>         auto=route
>>         mark=2
>
>
> [/etc/ipsec.script.sh]
>
>> #!/bin/bash
>> set -o nounset
>> set -o errexit
>> VTI_IF="vti0"
>> case "${PLUTO_VERB}" in
>>     up-client)
>>         # Create the VTI between the IKE endpoints; okey/ikey carry the
>>         # outbound/inbound marks so the tunnel matches the marked XFRM policies
>>         ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>>             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>>         ip link set "${VTI_IF}" up
>>         # Skip the XFRM policy check on the tunnel device itself
>>         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
>>         # Put the virtual IP assigned by the server on the tunnel
>>         ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
>>         ;;
>>     down-client)
>>         ip tunnel del "${VTI_IF}"
>>         ;;
>> esac
>
>
>
> On Thu, May 24, 2018 at 12:15 PM, Gilles Printemps <gprintemps at gmail.com>
> wrote:
>
> I already prepared the next step (after fixing the current issue), I've
>> created the following script
>>
>>> #!/bin/bash
>>> export TABLE_ID="vpn"
>>> export VPN_USER="vpn"
>>> export VPN_INTERFACE="vti0"
>>> export LAN="10.211.55.0/24"
>>> # Next hop for the VPN table; must be supplied by the caller
>>> : "${GATEWAY:?GATEWAY must be set before running this script}"
>>>
>>> # Flush iptables rules
>>> iptables -F -t nat
>>> iptables -F -t mangle
>>> iptables -F -t filter
>>> # Mark packets from $VPN_USER
>>> iptables -t mangle -A OUTPUT ! -d $LAN -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
>>> iptables -t mangle -A OUTPUT ! -s $LAN -j MARK --set-mark 0x1
>>> # Allow $VPN_USER to access lo and the VPN interface (these ACCEPT rules must
>>> # precede the DROP below, since iptables stops at the first matching rule)
>>> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
>>> iptables -A OUTPUT -o $VPN_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
>>> # Deny $VPN_USER access to any other interface
>>> iptables -A OUTPUT -m owner --uid-owner $VPN_USER -j DROP
>>>
>>> # Allow responses from $VPN_INTERFACE
>>> iptables -A INPUT -i $VPN_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>> # Masquerade packets on $VPN_INTERFACE
>>> iptables -t nat -A POSTROUTING -o $VPN_INTERFACE -j MASQUERADE
>>>
>>> # Routing rules ($TABLE_ID must be listed in /etc/iproute2/rt_tables)
>>> ip route replace default via $GATEWAY table $TABLE_ID
>>> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
>>> ip route flush cache
>>
>>
>> The purpose is to mark all packets from VPN_USER and to redirect them to the
>> ipsec interface created by the configuration.
>> I'm planning to do it with the following command:
>>
>>> ip rule add from all fwmark 0x1 lookup vpn
>>
>>
>> Best Regards,
>> Gilles
>>
>>
>
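The per-user policy routing that the thread is working towards, as an added example that is not part of any message above and not strongSwan's own code. It assumes hypothetical names (user `vpn`, device `vti0`, LAN `10.211.55.0/24`, a routing table called `vpn` that has been registered in `/etc/iproute2/rt_tables`, fwmark `0x1`, and the TEST-NET-1 address `192.0.2.1` purely as a lookup probe). It goes slightly beyond the thread in two ways: the VPN table's default route points at the tunnel device itself, which is how a point-to-point VTI is routed without a next-hop address, and a worse-metric `unreachable` route keeps the user's traffic failing closed if the tunnel route disappears. The ACCEPT rules are deliberately appended before the catch-all DROP, and the last function shows the `ip rule` / `ip route get ... mark` checks Phil describes, with a small parser so a marked lookup can be asserted to leave via the tunnel. Commands are printed by default; run with `DRY_RUN=0` as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread, not strongSwan code): route one Unix
# user's off-LAN traffic into a VTI tunnel and drop anything of theirs that
# would leave by another interface.
# Hypothetical defaults; override via the environment:
#   VPN_USER  account whose traffic must use the VPN
#   VPN_IF    the vti device created by the updown script
#   LAN       local subnet that stays outside the tunnel
#   TABLE     routing table name, needs e.g. "100 vpn" in /etc/iproute2/rt_tables
#   MARK      fwmark for policy routing (distinct from the XFRM mark in ipsec.conf)
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it as root.

VPN_USER="${VPN_USER:-vpn}"
VPN_IF="${VPN_IF:-vti0}"
LAN="${LAN:-10.211.55.0/24}"
TABLE="${TABLE:-vpn}"
MARK="${MARK:-0x1}"
PROBE="${PROBE:-192.0.2.1}"   # TEST-NET-1 address, used only for route lookups
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# mangle/OUTPUT: tag the user's off-LAN packets so the fwmark rule can route
# them. The owner match only exists for locally generated traffic (OUTPUT).
mark_rules() {
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPN_USER" \
        ! -d "$LAN" -j MARK --set-mark "$MARK"
}

# filter/OUTPUT: the ACCEPTs must be appended before the catch-all DROP,
# because iptables evaluates in order and stops at the first terminating match.
filter_rules() {
    run iptables -A OUTPUT -m owner --uid-owner "$VPN_USER" -o lo -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$VPN_USER" -o "$VPN_IF" -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$VPN_USER" -j DROP
    run iptables -A INPUT -i "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Policy routing: a point-to-point VTI is routed by device, no next-hop
# address needed. The higher-metric unreachable route keeps the table
# non-empty if the tunnel route is withdrawn, so marked lookups fail closed
# instead of falling through to the main table. Priority 100 places the rule
# ahead of strongSwan's table-220 rule (priority 220) and the main table.
route_rules() {
    run ip route replace default dev "$VPN_IF" table "$TABLE"
    run ip route replace unreachable default metric 1000 table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 100
    run ip route flush cache
}

# Checks to run afterwards: the rule list, the VPN table, and what the kernel
# picks for a marked versus an unmarked lookup of the same destination.
verify_cmds() {
    run ip rule show
    run ip route show table "$TABLE"
    run ip route get "$PROBE" mark "$MARK"
    run ip route get "$PROBE"
}

# Extract the egress device from one line of `ip route get` output, so a
# script can assert that the marked lookup really leaves via the tunnel.
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

mark_rules
filter_rules
route_rules
verify_cmds
```

A marked lookup should report the tunnel device, e.g. `route_dev "$(ip route get 192.0.2.1 mark 0x1)"` returning `vti0`, while the unmarked lookup should still name the LAN uplink; if both name the uplink, check `ip rule show` for the fwmark rule and `ip route show table vpn` for the device route before touching the iptables side.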