[strongSwan] Forcing all traffic from a specific user to use Strongswan

Gilles Printemps gprintemps at gmail.com
Tue May 29 10:24:11 CEST 2018


Hi,
I found my problem: "rp_filter" for the vti interface was not set to 2.
Now I can establish the connection correctly, and any request made by the "vpn"
user goes through it.

Currently, I still have a problem keeping the connection alive...
Indeed, after several minutes, there is no way to use the VPN anymore (see new
thread).

Gilles

On Mon, May 28, 2018 at 3:03 PM, Gilles Printemps <gprintemps at gmail.com>
wrote:

> Hi,
> After combining/executing the different scripts, I'm still not able to
> send anything to the "vti" interface previously created.
> Indeed, despite the different rules added, the "vti" interface is receiving
> nothing. It seems I made something wrong in my different routes...
> I would appreciate it if someone could point out what's wrong in my config...
>
> $ curl ipinfo.io
>    Returns details from my ISP
>
> $ sudo -u vpn -i -- curl ipinfo.io
>    Nothing is returned!!!
>
> Thanks / BR Gilles
>
> Routing tables
>
>> Filter table:
>> Chain INPUT (policy ACCEPT 910 packets, 68548 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  vti0   any     anywhere             anywhere             ctstate ESTABLISHED
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain OUTPUT (policy ACCEPT 651 packets, 85552 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>    32  2688 ACCEPT     all  --  any    lo      anywhere             anywhere             owner UID match vpn
>>     0     0 ACCEPT     all  --  any    vti0    anywhere             anywhere             owner UID match vpn
>>
>> Nat table:
>> Chain PREROUTING (policy ACCEPT 2 packets, 160 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain INPUT (policy ACCEPT 2 packets, 160 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain OUTPUT (policy ACCEPT 13 packets, 1165 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain POSTROUTING (policy ACCEPT 10 packets, 962 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     3   203 MASQUERADE  all  --  any    vti0    anywhere             anywhere
>>
>> Mangle table:
>> Chain PREROUTING (policy ACCEPT 914 packets, 68930 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain INPUT (policy ACCEPT 912 packets, 68652 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> Chain OUTPUT (policy ACCEPT 685 packets, 88536 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>   685 88536 CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK restore
>>    74  8099 MARK       all  --  any    any     anywhere            !10.211.55.3          owner UID match vpn MARK set 0x1
>>    64  5376 MARK       all  --  any    any    !10.211.55.3          anywhere             MARK set 0x1
>>   685 88536 CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK save
>> Chain POSTROUTING (policy ACCEPT 706 packets, 90231 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>
>
> ifconfig result
>
>> enp0s5    Link encap:Ethernet  HWaddr 00:1c:42:c0:02:e3
>>           inet addr:10.211.55.3  Bcast:10.211.55.255  Mask:255.255.255.0
>>           inet6 addr: fe80::21c:42ff:fec0:2e3/64 Scope:Link
>>           inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fec0:2e3/64 Scope:Global
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:4505 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:3059 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:671940 (671.9 KB)  TX bytes:491511 (491.5 KB)
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           inet6 addr: ::1/128 Scope:Host
>>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>>           RX packets:247 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:247 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1
>>           RX bytes:21458 (21.4 KB)  TX bytes:21458 (21.4 KB)
>> vti0      Link encap:IPIP Tunnel  HWaddr
>>           inet addr:10.3.216.204  P-t-P:10.3.216.204  Mask:255.255.255.255
>>           UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1
>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>
>
> sudo ip route show table 200
>
>> default via 10.3.216.204 dev vti0
>> default via 127.0.0.1 dev lo
>
>
> sudo ip rule list
>
>> 0:      from all lookup local
>> 219:    from all fwmark 0x1 lookup vpn
>> 220:    from all lookup 220
>> 32766:  from all lookup main
>> 32767:  from all lookup default
>
>
> /etc/strongswan.d/charon/constraints.conf
>
>> constraints {
>>     # Whether to load the plugin. Can also be an integer to increase the
>>     # priority of this plugin.
>>     load = no
>> }
>
>
> In /etc/strongswan.d/charon.conf
>
>> install_routes = no
>> install_virtual_ip = no
>
>
> In /etc/sysctl.conf
>
>> net.ipv4.ip_forward=1
>> net.ipv6.conf.all.forwarding=1
>
>
> Scripts for making rules/routes
> /etc/ipsec.script.sh
>
>> #!/bin/sh
>> set -o nounset
>> set -o errexit
>> VPN_USER="vpn"
>> VTI_INTERFACE="vti0"
>> case "${PLUTO_VERB}" in
>>     up-client)
>>         # Create the VTI tunnel keyed to the marks strongSwan assigned to this SA
>>         ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>>             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>>         ip link set "${VTI_INTERFACE}" up
>>         # Route through the VTI without IPsec policy lookups
>>         sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
>>         ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_INTERFACE}"
>>         # Add the fwmark rule only once (POSIX test: [[ ]] is not available when /bin/sh is dash)
>>         if [ "$(ip rule list | grep -c 0x1)" -eq 0 ]; then
>>           ip rule add from all fwmark 0x1 lookup "$VPN_USER"
>>         fi
>>         # Launch routing script
>>         /etc/ipsec.route.sh
>>         ;;
>>     down-client)
>>         ip tunnel del "${VTI_INTERFACE}"
>>         ;;
>> esac
>
>
> /etc/ipsec.route.sh
>
>> #!/bin/sh
>> export TABLE_ID="vpn"
>> export VPN_USER="vpn"
>> export VTI_INTERFACE="vti0"
>> export LOCAL_IP="10.211.55.3"
>>
>> # Flush iptables rules
>> iptables -F -t nat
>> iptables -F -t mangle
>> iptables -F -t filter
>> # Mark packets from $VPN_USER
>> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
>> iptables -t mangle -A OUTPUT ! --dest "$LOCAL_IP" -m owner --uid-owner "$VPN_USER" -j MARK --set-mark 0x1
>> iptables -t mangle -A OUTPUT ! --src "$LOCAL_IP" -j MARK --set-mark 0x1
>> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>> # Allow $VPN_USER to access lo and the VPN interface
>> iptables -A OUTPUT -o lo -m owner --uid-owner "$VPN_USER" -j ACCEPT
>> iptables -A OUTPUT -o "$VTI_INTERFACE" -m owner --uid-owner "$VPN_USER" -j ACCEPT
>> # Deny $VPN_USER access to any other interface. This must come after the ACCEPT
>> # rules above (as an earlier "! -o lo" DROP would also drop vti0 traffic), and the
>> # original "-J DROP" (capital J) is rejected by iptables, so the rule was never installed.
>> iptables -A OUTPUT ! -o lo -m owner --uid-owner "$VPN_USER" -j DROP
>>
>> # Allow responses from $VTI_INTERFACE
>> iptables -A INPUT -i "$VTI_INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
>> # Masquerade packets leaving on $VTI_INTERFACE
>> iptables -t nat -A POSTROUTING -o "$VTI_INTERFACE" -j MASQUERADE
>> # Routing rules: the VTI's own address becomes the gateway in table $TABLE_ID
>> GATEWAY=$(ifconfig "$VTI_INTERFACE" |
>>           egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
>>           egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' |
>>           tail -n1)
>> ip route replace default via "$GATEWAY" table "$TABLE_ID"
>> ip route append default via 127.0.0.1 dev lo table "$TABLE_ID"
>> ip route flush cache
>
>
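An added offline check for the setup discussed in this thread (example code, not the poster's scripts or anything shipped with strongSwan). It encodes the kernel rule that the rp_filter value applied on an interface is the maximum of the `all` and per-interface settings, which is why a strict value left in effect on vti0 silently drops the replies the tunnel delivers, and it parses `ip rule list` and `ip route show table` output for the fwmark rule and default route the thread relies on. Function names and the embedded sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the per-UID VTI policy
# routing it sets up. Functions take text on stdin so they work on live command
# output as well as on the constructed samples below.

# Kernel semantics (Documentation/networking/ip-sysctl.txt): source validation
# on an interface uses max(conf/all/rp_filter, conf/<iface>/rp_filter), where
# 0 = off, 1 = strict, 2 = loose. Strict drops replies arriving on vti0 because
# the main table does not route their source addresses back through vti0.
effective_rp_filter() {                    # $1 = conf/all value, $2 = interface value
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Exit 0 when an "ip rule list" dump sends fwmark $1 to table $2 (stdin = dump)
has_fwmark_rule() {
    awk -v m="$1" -v t="$2" \
        '$2=="from" && $3=="all" && $4=="fwmark" && $5==m && $6=="lookup" && $7==t {f=1}
         END {exit !f}'
}

# Exit 0 when an "ip route show table X" dump has a default route through device $1
has_default_via_dev() {
    awk -v d="$1" '$1=="default" && $2=="via" && $4=="dev" && $5==d {f=1} END {exit !f}'
}

# Constructed samples mirroring the thread's rule list and "vpn" table
SAMPLE_RULES='0:      from all lookup local
219:    from all fwmark 0x1 lookup vpn
32766:  from all lookup main'
SAMPLE_TABLE='default via 10.3.216.204 dev vti0
default via 127.0.0.1 dev lo'

# Verdict for the sample state plus the given rp_filter values; prints "ok"
# or the first problem found. $1 = conf/all rp_filter, $2 = conf/vti0 rp_filter
check_setup() {
    printf '%s\n' "$SAMPLE_RULES" | has_fwmark_rule 0x1 vpn \
        || { echo "missing: ip rule add from all fwmark 0x1 lookup vpn"; return 1; }
    printf '%s\n' "$SAMPLE_TABLE" | has_default_via_dev vti0 \
        || { echo "missing: default route via vti0 in table vpn"; return 1; }
    [ "$(effective_rp_filter "$1" "$2")" != 1 ] \
        || { echo "strict rp_filter on vti0: sysctl -w net.ipv4.conf.vti0.rp_filter=2"; return 1; }
    echo ok
}
```

Because the updown script creates vti0 at run time, a per-interface entry in /etc/sysctl.conf cannot apply to it; the setting belongs in the up-client branch next to disable_policy (or in net.ipv4.conf.default.rp_filter, which new interfaces inherit).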