[strongSwan] Forcing all traffic from a specific user to use Strongswan
Gilles Printemps
gprintemps at gmail.com
Mon May 28 15:03:46 CEST 2018
Hi,
After combining/executing the different scripts, I'm still not able to send
anything to the "vti" interface previously created.
Indeed, despite the different rules added, the "vti" interface is receiving
nothing. It seems I did something wrong in my different routes...
I would appreciate it if someone could point out what's wrong in my config...
$ curl ipinfo.io
Returns details from my ISP
$ sudo -u vpn -i -- curl ipinfo.io
Nothing is returned!!!
Thanks / BR Gilles
Routing tables
> Filter table:
> Chain INPUT (policy ACCEPT 910 packets, 68548 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- vti0 any anywhere anywhere ctstate ESTABLISHED
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> Chain OUTPUT (policy ACCEPT 651 packets, 85552 bytes)
> pkts bytes target prot opt in out source destination
> 32 2688 ACCEPT all -- any lo anywhere anywhere owner UID match vpn
> 0 0 ACCEPT all -- any vti0 anywhere anywhere owner UID match vpn
> Nat table:
> Chain PREROUTING (policy ACCEPT 2 packets, 160 bytes)
> pkts bytes target prot opt in out source destination
> Chain INPUT (policy ACCEPT 2 packets, 160 bytes)
> pkts bytes target prot opt in out source destination
> Chain OUTPUT (policy ACCEPT 13 packets, 1165 bytes)
> pkts bytes target prot opt in out source destination
> Chain POSTROUTING (policy ACCEPT 10 packets, 962 bytes)
> pkts bytes target prot opt in out source destination
> 3 203 MASQUERADE all -- any vti0 anywhere anywhere
> Mangle table:
> Chain PREROUTING (policy ACCEPT 914 packets, 68930 bytes)
> pkts bytes target prot opt in out source destination
> Chain INPUT (policy ACCEPT 912 packets, 68652 bytes)
> pkts bytes target prot opt in out source destination
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> Chain OUTPUT (policy ACCEPT 685 packets, 88536 bytes)
> pkts bytes target prot opt in out source destination
> 685 88536 CONNMARK all -- any any anywhere anywhere CONNMARK restore
> 74 8099 MARK all -- any any anywhere !10.211.55.3 owner UID match vpn MARK set 0x1
> 64 5376 MARK all -- any any !10.211.55.3 anywhere MARK set 0x1
> 685 88536 CONNMARK all -- any any anywhere anywhere CONNMARK save
> Chain POSTROUTING (policy ACCEPT 706 packets, 90231 bytes)
> pkts bytes target prot opt in out source destination
ifconfig result
> enp0s5 Link encap:Ethernet HWaddr 00:1c:42:c0:02:e3
> inet addr:10.211.55.3 Bcast:10.211.55.255 Mask:255.255.255.0
> inet6 addr: fe80::21c:42ff:fec0:2e3/64 Scope:Link
> inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fec0:2e3/64 Scope:Global
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:4505 errors:0 dropped:0 overruns:0 frame:0
> TX packets:3059 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:671940 (671.9 KB) TX bytes:491511 (491.5 KB)
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:65536 Metric:1
> RX packets:247 errors:0 dropped:0 overruns:0 frame:0
> TX packets:247 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1
> RX bytes:21458 (21.4 KB) TX bytes:21458 (21.4 KB)
> vti0 Link encap:IPIP Tunnel HWaddr
> inet addr:10.3.216.204 P-t-P:10.3.216.204 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
sudo ip route show table 200
> default via 10.3.216.204 dev vti0
> default via 127.0.0.1 dev lo
sudo ip rule list
> 0: from all lookup local
> 219: from all fwmark 0x1 lookup vpn
> 220: from all lookup 220
> 32766: from all lookup main
> 32767: from all lookup default
/etc/strongswan.d/charon/constraints.conf
> constraints {
> # Whether to load the plugin. Can also be an integer to increase the
> # priority of this plugin.
> load = no
> }
In /etc/strongswan.d/charon.conf
> install_routes = no
> install_virtual_ip = no
In /etc/sysctl.conf
> net.ipv4.ip_forward=1
> net.ipv6.conf.all.forwarding=1
Scripts for making the rules/routes
/etc/ipsec.script.sh
> #!/bin/bash
> set -o nounset
> set -o errexit
> VPN_USER="vpn"
> VTI_INTERFACE="vti0"
> case "${PLUTO_VERB}" in
> up-client)
> # Create the VTI tunnel keyed with the marks charon assigns to this conn
> ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>     okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
> ip link set "${VTI_INTERFACE}" up
> sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
> ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_INTERFACE}"
> # Add the fwmark rule only once; the table name must exist in /etc/iproute2/rt_tables
> if [[ $(ip rule list | grep -c 0x1) == 0 ]]; then
> ip rule add from all fwmark 0x1 lookup "$VPN_USER"
> fi
> # Launch routing script (must be executable)
> /etc/ipsec.route.sh
> ;;
> down-client)
> ip tunnel del "${VTI_INTERFACE}"
> ;;
> esac
/etc/ipsec.route.sh
> #!/bin/bash
> export TABLE_ID="vpn"
> export VPN_USER="vpn"
> export VTI_INTERFACE="vti0"
> export LOCAL_IP="10.211.55.3"
>
> # Flush iptables rules (this removes every existing rule in these tables)
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
> # Mark packets from $VPN_USER
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
> # Allow $VPN_USER to access lo and the VPN interface
> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
> iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
> # Deny $VPN_USER any other interface; appended after the ACCEPT rules
> # because iptables matches rules in order (a DROP placed first would also
> # catch the $VTI_INTERFACE traffic)
> iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
>
> # Allow responses from $VTI_INTERFACE
> iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
> # Masquerade packets on $VTI_INTERFACE
> iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
> # Routing rules: take the VTI address as gateway for the $TABLE_ID table
> GATEWAY=$(ifconfig $VTI_INTERFACE |
>     egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
>     egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
> ip route replace default via $GATEWAY table $TABLE_ID
> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
> ip route flush cache
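An added example (not code from the original post) that turns the outputs quoted above into a stage-by-stage check: it reads the mangle and filter OUTPUT counters, the ip rule list and the policy table, and names the first stage at which the user's packets stop. The sample inputs are constructed from the counters in the thread; the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example: locate the first stage of the per-UID VPN path with no traffic.
# Inputs are the texts of `iptables -t mangle -L OUTPUT -v`, `iptables -L OUTPUT -v`,
# `ip rule list` and `ip route show table <TABLE_ID>`. The samples are constructed
# from the counters quoted in the thread (wrapped lines rejoined).
set -u
MANGLE_OUTPUT='Chain OUTPUT (policy ACCEPT 685 packets, 88536 bytes)
 pkts bytes target   prot opt in  out source       destination
  685 88536 CONNMARK all  --  any any anywhere     anywhere     CONNMARK restore
   74  8099 MARK     all  --  any any anywhere    !10.211.55.3  owner UID match vpn MARK set 0x1
   64  5376 MARK     all  --  any any !10.211.55.3 anywhere     MARK set 0x1
  685 88536 CONNMARK all  --  any any anywhere     anywhere     CONNMARK save'
FILTER_OUTPUT='Chain OUTPUT (policy ACCEPT 651 packets, 85552 bytes)
 pkts bytes target prot opt in  out  source   destination
   32  2688 ACCEPT all  --  any lo   anywhere anywhere owner UID match vpn
    0     0 ACCEPT all  --  any vti0 anywhere anywhere owner UID match vpn'
IP_RULES='0: from all lookup local
219: from all fwmark 0x1 lookup vpn
220: from all lookup 220
32766: from all lookup main'
VPN_TABLE='default via 10.3.216.204 dev vti0
default via 127.0.0.1 dev lo'

# counter_for TEXT PATTERN: pkts column of the first rule line matching PATTERN
# (run iptables with -v -x live so large counters are not abbreviated as "12K").
counter_for() {
    printf '%s\n' "$1" | grep -E -- "$2" | awk 'NR == 1 { print $1 }'
}

# stage_ok TEXT PATTERN: true when that rule has matched at least one packet.
# Counters restart at 0 whenever the chain is flushed, so generate test traffic
# (the sudo -u vpn curl from the thread) before reading them.
stage_ok() {
    _pkts=$(counter_for "$1" "$2")
    [ -n "$_pkts" ] && [ "$_pkts" -gt 0 ]
}

# first_dead_stage MANGLE FILTER RULES TABLE USER VTI
# Prints one of: mark | rule | route | vti-output | none
first_dead_stage() {
    stage_ok "$1" "MARK .*owner UID match $5 .*MARK set 0x1" || { echo mark; return 0; }
    printf '%s\n' "$3" | grep -Eq "fwmark 0x1 lookup " || { echo rule; return 0; }
    printf '%s\n' "$4" | grep -Eq "^default .*dev $6" || { echo route; return 0; }
    stage_ok "$2" "ACCEPT .*any +$6 .*owner UID match $5" || { echo vti-output; return 0; }
    echo none
}

# With the thread's numbers: marks are applied (74 packets), rule and route exist,
# but no packet from the user has been accepted towards vti0 -> prints "vti-output".
first_dead_stage "$MANGLE_OUTPUT" "$FILTER_OUTPUT" "$IP_RULES" "$VPN_TABLE" vpn vti0
```

Run it live as root by passing `$(iptables -t mangle -L OUTPUT -v -x)`, `$(iptables -L OUTPUT -v -x)`, `$(ip rule list)` and `$(ip route show table vpn)` as the four texts; a result of vti-output means marking and routing are in place but nothing from the user reaches the tunnel, so the tunnel itself (`ip -s link show vti0`, `ip xfrm policy`) is the next thing to inspect.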