[strongSwan] Prevent traffic outside VPN
tony at tonysown.net
Fri Mar 29 16:54:11 CET 2019
When my tunnel comes up, locations at the destination of the VPN are reachable as desired.
However, in my use case, I want to prevent anything talking to the client on its real interface (bypassing the tunnel). Right now, even with the tunnel up, I can SSH into the client's real eth0 interface's IP address *and* the tunnel IP address.
I've tried removing the original default route (and of course adding a host-specific route so the client knows how to get to the VPN server), but that still doesn't stop traffic from "outside" the VPN from reaching the client.
Here's my ipsec.conf file:
From my understanding of the documentation, what I'm asking for SHOULD be the default behavior. But I'm obviously missing something.
The address I'm given by the VPN server is in the 10.248.60/19 range.
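One way to get the behaviour the post asks for is a host firewall rather than a route change, because a route only decides where the kernel sends replies, not whether it accepts a packet that arrives on eth0. The script below is an added example, not from the original post and not part of strongSwan: it generates iptables rules that let the real interface carry only IKE/ESP to the VPN gateway and packets that match an IPsec policy (i.e. were decapsulated from, or will be encapsulated into, the tunnel), and drops everything else there. The interface name eth0 and the gateway address 203.0.113.10 are hypothetical placeholders; substitute your own. It prints the rules by default and applies them only with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan.
# Hypothetical values: real interface eth0, VPN gateway 203.0.113.10.
# Prints the rules by default; APPLY=1 executes them (root, iptables
# with the xt_policy match module).
set -eu

# gen_rules IFACE GATEWAY
# Emit a host policy for IFACE: only IKE (UDP 500/4500) and ESP to/from
# the gateway plus IPsec-protected packets are accepted; the DROP default
# policy catches anything else, including SSH to the eth0 address.
gen_rules() {
  iface="$1"
  gw="$2"
  cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $iface -s $gw -p udp -m multiport --sports 500,4500 -j ACCEPT
iptables -A OUTPUT -o $iface -d $gw -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -i $iface -s $gw -p esp -j ACCEPT
iptables -A OUTPUT -o $iface -d $gw -p esp -j ACCEPT
iptables -A INPUT -i $iface -m policy --dir in --pol ipsec -j ACCEPT
iptables -A OUTPUT -o $iface -m policy --dir out --pol ipsec -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
EOF
}

# rule_count IFACE GATEWAY: number of iptables commands gen_rules emits.
rule_count() {
  gen_rules "$1" "$2" | grep -c '^iptables'
}

# blocks_plaintext IFACE GATEWAY: succeeds (exit 0) when no rule ACCEPTs
# traffic on IFACE that is neither restricted to the gateway nor matched
# by an IPsec policy, i.e. nothing bypasses the tunnel on that interface.
blocks_plaintext() {
  ! gen_rules "$1" "$2" | grep -- "-i $1 " | grep -v -e '-m policy' -e "-s $2 " | grep -q ACCEPT
}

# apply_rules IFACE GATEWAY: run each generated command, echoing it first.
apply_rules() {
  gen_rules "$1" "$2" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_rules "${IFACE:-eth0}" "${GATEWAY:-203.0.113.10}"
else
  gen_rules "${IFACE:-eth0}" "${GATEWAY:-203.0.113.10}"
fi
```

Two points worth knowing when using this. First, strongSwan's updown script (the `leftfirewall=yes` path) only inserts ACCEPT rules for the tunnel's own traffic; it never adds DROP rules, so the default policies above have to come from the administrator. Second, to verify, try SSH to the eth0 address from outside the tunnel (it should now time out) and to the tunnel address (it should still work), and watch `iptables -L -v -n` for the counters on the policy-match rules. If eth0 is configured by DHCP, or the gateway is reached by name, add explicit allowances for DHCP and DNS before applying, otherwise the lease renewal or the lookup will be dropped along with everything else.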