Discussion:
[strongSwan] Forcing all traffic from a specific user to use Strongswan
Gilles Printemps
2018-05-17 09:25:11 UTC
Hi,
Is there a way to force all the traffic from a specific Linux user to be
routed through the VPN?
I would like to use split tunnelling but I don't understand how to
configure strongSwan.

Thanks for your help / BR Gilles
Phil Frost
2018-05-17 13:16:48 UTC
One way to go would be configuring a route based VPN[1]. Then you can use
all kinds of Linux routing tricks to get just that user's traffic over the
VPN by directing it to the vti interface. For example you could launch that
user's processes in a network namespace, or use the "owner" module of
iptables to match traffic from processes run as that user and mangle them
to use the VPN.

[1]: https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
Phil Frost
2018-05-18 12:37:28 UTC
It looks like the leftupdown option is set to run some other script than
the one you created.
Hi Phil, All
I tried to find some details on how to implement a route-based VPN and
I've created the following configuration.
First, I've created the following script, which will be called by the VPN
at the start/end of the connection.
As a test, I tried to route only 172.217.19.69 (it's one of the Google
addresses).
[/etc/ipsec.script.sh]
#!/bin/bash
set -o nounset
set -o errexit
VTI_IF="vti${PLUTO_UNIQUEID}"
case "${PLUTO_VERB}" in
    up-client)
        # Create the VTI bound to this SA's marks, then route the test address through it
        ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
            okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
        ip link set "${VTI_IF}" up
        ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
        ip route add 172.217.19.68/32 dev "${VTI_IF}"
        sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
        ;;
    down-client)
        ip tunnel del "${VTI_IF}"
        ;;
esac
and the IPsec configuration [/etc/ipsec.conf]
conn hide-nl
    keyexchange=ike
    dpdaction=clear
    dpddelay=300s
    eap_identity=gprintemps
    leftupdown=/usr/local/sbin/ipsec-notify.sh
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=free-nl.hide.me
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    type=tunnel
    auto=route
I started the VPN + the "hide-nl" connection:
hide-nl{1}: ROUTED, TUNNEL, reqid 1
hide-nl{1}: 10.211.55.15/32 === 0.0.0.0/0
hide-nl[1]: ESTABLISHED 20 minutes ago, 10.211.55.15[10.211.55.15]...95.211.101.198[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
hide-nl{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca4900c6_i cd2bd533_o
hide-nl{2}: 10.3.150.159/32 === 0.0.0.0/0
I'm not really sure the VPN is used when I call "curl 172.217.19.68".
Indeed, I don't see any trace of the "vtixx" interface. I'm sure.
Moreover, something seems strange in my ipsec.conf: does it mean the
filtering is only done in the script, each time the interface is created?
Seems I need help and explanations/pointers...
Thanks / Best Regards,
Gilles
Gilles Printemps
2018-05-24 10:15:16 UTC
Hi Phil/All,

Sorry for the mistake, a bad copy/paste.
Nevertheless, things are not better after fixing the path.
Indeed, after restarting ipsec:
- the SSH connection is dropping
- no way to resolve any web site

In the syslog, I've seen the following messages:
...
charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 00[CFG] loaded EAP secret for gprintemps
charon: 00[CFG] loaded 0 RADIUS server configurations
charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity counters
charon: 00[JOB] spawning 16 worker threads
charon: 04[CFG] received stroke: add connection 'VPN'
charon: 04[CFG] added configuration 'VPN'
charon: 06[CFG] received stroke: route 'VPN'
charon: 09[KNL] creating acquire job for policy 10.211.55.3/32[udp/40255] === 10.211.55.1/32[udp/domain] with reqid {1}
charon: 00[DMN] signal of type SIGINT received. Shutting down
charon: 09[IKE] unable to resolve free-nl.hide.me, initiate aborted
charon: 09[MGR] tried to checkin and delete nonexisting IKE_SA
For information, I can easily ping the host when ipsec is stopped...

Hereafter my full configuration

[/etc/ipsec.conf]
conn VPN
    keyexchange=ike
    dpdaction=clear
    dpddelay=300s
    eap_identity=gprintemps
    leftupdown=/etc/ipsec.script.sh
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=free-nl.hide.me
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    type=tunnel
    auto=route
[/etc/ipsec.script.sh]
#!/bin/bash
set -o nounset
set -o errexit
VTI_IF="vti0"
case "${PLUTO_VERB}" in
    up-client)
        ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
            okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
        ip link set "${VTI_IF}" up
        sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
        ;;
    down-client)
        ip tunnel del "${VTI_IF}"
        ;;
esac
I have already prepared the next step (after fixing the current issue); I've
created the following script:

#!/bin/bash
export TABLE_ID="vpn"
export VPN_USER="vpn"
export VPN_INTERFACE="vti0"
export LAN="10.211.55.0/24"
# Address of the VPN interface, used as gateway of the "vpn" table (must be set by the caller)
GATEWAY="${GATEWAY:?set GATEWAY to the address assigned to ${VPN_INTERFACE}}"
# Flush iptables rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# Mark packets from $VPN_USER
iptables -t mangle -A OUTPUT ! --dest $LAN -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LAN -j MARK --set-mark 0x1
# Allow $VPN_USER to access lo and the VPN interface only: the ACCEPT rules
# must come before the DROP, otherwise the DROP also catches the VPN traffic
iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
iptables -A OUTPUT -o $VPN_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
# Deny $VPN_USER access to any other interface
iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
# Allow responses from $VPN_INTERFACE
iptables -A INPUT -i $VPN_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Masquerade packets on $VPN_INTERFACE
iptables -t nat -A POSTROUTING -o $VPN_INTERFACE -j MASQUERADE
# Routing rules
ip route replace default via $GATEWAY table $TABLE_ID
ip route append default via 127.0.0.1 dev lo table $TABLE_ID
ip route flush cache

The purpose is to mark all packets from VPN_USER and to redirect them to the
IPsec interface created by the configuration:
ip rule add from all fwmark 0x1 lookup vpn
Best Regards,
Gilles
Gilles Printemps
2018-05-24 15:24:43 UTC
Some updates.
I'm now able to create the vti interface and I have an address assigned to
the vti

Result of "ifconfig"
vti0 Link encap:IPIP Tunnel HWaddr
inet addr:10.3.188.149 P-t-P:10.3.188.149 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Can someone confirm that I now have to route all the marked packets to this
interface to go through the VPN, and whether the address assigned to the vti
can be seen as a gateway for the VPN?


FYI, the following files have been updated.

[/etc/ipsec.conf]
conn VPN
    keyexchange=ike
    dpdaction=clear
    dpddelay=300s
    leftupdown=/etc/ipsec.script.sh
    left=%defaultroute
    leftsourceip=%config4
    leftauth=eap-mschapv2
    eap_identity=gprintemps
    right=free-nl.hide.me
    rightauth=pubkey
    rightid=%any
    rightsubnet=0.0.0.0/0
    auto=route
    mark=2
[/etc/ipsec.script.sh]
#!/bin/bash
set -o nounset
set -o errexit
VTI_IF="vti0"
case "${PLUTO_VERB}" in
    up-client)
        ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
            okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
        ip link set "${VTI_IF}" up
        sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
        # Assign the virtual IP received from the gateway to the vti
        ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
        ;;
    down-client)
        ip tunnel del "${VTI_IF}"
        ;;
esac
Phil Frost
2018-05-25 13:57:32 UTC
To check your routing tables, you can use `ip route get SOME_IP_ADDRESS`.

You can also inspect the routing tables with `ip route`. One non-obvious
thing is strongswan may install an additional route table. You can see all
the tables that exist with `ip rule`. The one strongswan makes is called
simply "220". `ip route` will show the main table, and the 220 table can be
shown with `ip route list table 220`. With the usual way the rules are set
(ip rule), anything in table 220 will override the main table.

In my case I found it best to disable strongswan's management of the route
table and ip addresses with the `charon.install_routes = no` and
`charon.install_virtual_ip = no` settings. I handle all of it in my own
networking scripts.
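A way to turn the checks Phil describes (ip rule ordering against table 220, the counters, and the rp_filter setting Gilles reports later in the thread) into repeatable helpers. This is an added example, not code from the thread; the function names and the sample captures are mine, modelled on the listings Gilles posted.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for the per-user VTI split
# tunnel above. Each helper reads captured command output on stdin and prints a
# one-line verdict, so it works on live output (ip rule list | check_rule_priority 0x1)
# or on a saved capture.

# strongSwan installs its own policy rule "from all lookup 220"; a fwmark
# rule only takes precedence if its priority number is lower than that one.
check_rule_priority() {   # $1 = fwmark value, stdin = `ip rule list`
    awk -v mark="$1" '
        index($0, "fwmark " mark " ") { sub(":", "", $1); fw = $1 }
        / lookup 220$/                { sub(":", "", $1); t220 = $1 }
        END {
            if (fw == "")
                print "MISSING: no policy rule for fwmark " mark
            else if (t220 != "" && fw + 0 > t220 + 0)
                print "BAD: fwmark rule (prio " fw ") is shadowed by table 220 (prio " t220 ")"
            else
                print "OK: fwmark rule at prio " fw
        }'
}

# Sum the packet counters of the rules whose line matches a regex in
# `iptables -v -n -x -L <chain>` output (-x keeps the counters as plain numbers).
rule_packets() {   # $1 = regex, stdin = iptables listing
    awk -v re="$1" '$1 ~ /^[0-9]+$/ && $0 ~ re { n += $1 } END { print n + 0 }'
}

# Compare the two counters that matter: packets marked in mangle OUTPUT and
# packets accepted out of the vti in filter OUTPUT. Gilles's capture showed
# 74 marked but 0 out of vti0: marking works, routing does not use the tunnel.
diagnose_counters() {   # $1 = packets marked, $2 = packets accepted out via the vti
    if [ "$1" -eq 0 ]; then
        echo "marking: owner rule never matched (wrong uid, or mangle OUTPUT was flushed)"
    elif [ "$2" -eq 0 ]; then
        echo "routing: packets are marked but none leave via the vti (check ip rule, the vpn table and rp_filter on the vti)"
    else
        echo "ok: marked packets are leaving via the vti"
    fi
}

# The setting Gilles's last message identified: rp_filter on the vti must be
# loose (2). In strict mode (1) the reverse-path lookup for replies arriving on
# the vti does not see the fwmark, resolves via the main table and drops them.
check_rp_filter() {   # stdin = `sysctl net.ipv4.conf.<vti>.rp_filter`
    awk -F' = ' '/rp_filter/ {
        if ($2 == 2) print "OK: rp_filter=2 (loose)"
        else         print "BAD: rp_filter=" $2 " (needs 2 on the vti)"
    }'
}

# Constructed sample captures, modelled on the listings posted in the thread
# (one rule per line, as iptables prints them; UID shown numerically by -n).
SAMPLE_RULES='0:      from all lookup local
219:    from all fwmark 0x1 lookup vpn
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_MANGLE='Chain OUTPUT (policy ACCEPT 685 packets, 88536 bytes)
 pkts bytes target prot opt in out source    destination
   74  8099 MARK   all  --  *  *   0.0.0.0/0 !10.211.55.3  owner UID match 1001 MARK set 0x1'
SAMPLE_FILTER='Chain OUTPUT (policy ACCEPT 651 packets, 85552 bytes)
 pkts bytes target prot opt in out  source    destination
   32  2688 ACCEPT all  --  *  lo   0.0.0.0/0 0.0.0.0/0  owner UID match 1001
    0     0 ACCEPT all  --  *  vti0 0.0.0.0/0 0.0.0.0/0  owner UID match 1001'
SAMPLE_SYSCTL='net.ipv4.conf.vti0.rp_filter = 1'

triage() {   # $1 = fwmark, $2 = vti name, $3..$6 = ip rule, mangle, filter, sysctl captures
    printf '%s\n' "$3" | check_rule_priority "$1"
    marked=$(printf '%s\n' "$4" | rule_packets "MARK set $1")
    egress=$(printf '%s\n' "$5" | rule_packets "ACCEPT.* $2 ")
    diagnose_counters "$marked" "$egress"
    printf '%s\n' "$6" | check_rp_filter
}

case "${1:-}" in   # sh triage.sh demo  -> run the triage on the samples
    demo) triage 0x1 vti0 "$SAMPLE_RULES" "$SAMPLE_MANGLE" "$SAMPLE_FILTER" "$SAMPLE_SYSCTL" ;;
esac
```

On the samples the triage reports the fwmark rule as fine, the counters as a routing problem, and rp_filter as the setting to change.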
Gilles Printemps
2018-05-28 13:03:46 UTC
Hi,
After combining/executing the different scripts, I'm still not able to send
anything to the "vti" interface previously created.
Indeed, despite the different rules added, the "vti" interface is receiving
nothing. Seems I made something wrong in my different routes...
I would appreciate it if someone could point out what's wrong in my config...

$ curl ipinfo.io
Returns details from my ISP

$ sudo -u vpn -i -- curl ipinfo.io
Nothing is returned!!!

Thanks / BR Gilles

Firewall and routing tables (iptables -L -v; filter, nat and mangle tables)
[filter]
Chain INPUT (policy ACCEPT 910 packets, 68548 bytes)
 pkts bytes target     prot opt in     out     source       destination
    0     0 ACCEPT     all  --  vti0   any     anywhere     anywhere      ctstate ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination
Chain OUTPUT (policy ACCEPT 651 packets, 85552 bytes)
 pkts bytes target     prot opt in     out     source       destination
   32  2688 ACCEPT     all  --  any    lo      anywhere     anywhere      owner UID match vpn
    0     0 ACCEPT     all  --  any    vti0    anywhere     anywhere      owner UID match vpn
[nat]
Chain PREROUTING (policy ACCEPT 2 packets, 160 bytes)
 pkts bytes target     prot opt in     out     source       destination
Chain INPUT (policy ACCEPT 2 packets, 160 bytes)
 pkts bytes target     prot opt in     out     source       destination
Chain OUTPUT (policy ACCEPT 13 packets, 1165 bytes)
 pkts bytes target     prot opt in     out     source       destination
Chain POSTROUTING (policy ACCEPT 10 packets, 962 bytes)
 pkts bytes target     prot opt in     out     source       destination
    3   203 MASQUERADE all  --  any    vti0    anywhere     anywhere
[mangle]
Chain PREROUTING (policy ACCEPT 914 packets, 68930 bytes)
 pkts bytes target     prot opt in     out     source       destination
Chain INPUT (policy ACCEPT 912 packets, 68652 bytes)
 pkts bytes target     prot opt in     out     source       destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination
Chain OUTPUT (policy ACCEPT 685 packets, 88536 bytes)
 pkts bytes target     prot opt in     out     source       destination
  685 88536 CONNMARK   all  --  any    any     anywhere     anywhere      CONNMARK restore
   74  8099 MARK       all  --  any    any     anywhere     !10.211.55.3  owner UID match vpn MARK set 0x1
   64  5376 MARK       all  --  any    any     !10.211.55.3 anywhere      MARK set 0x1
  685 88536 CONNMARK   all  --  any    any     anywhere     anywhere      CONNMARK save
Chain POSTROUTING (policy ACCEPT 706 packets, 90231 bytes)
 pkts bytes target     prot opt in     out     source       destination
ifconfig result
enp0s5 Link encap:Ethernet HWaddr 00:1c:42:c0:02:e3
inet addr:10.211.55.3 Bcast:10.211.55.255 Mask:255.255.255.0
inet6 addr: fe80::21c:42ff:fec0:2e3/64 Scope:Link
inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fec0:2e3/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4505 errors:0 dropped:0 overruns:0 frame:0
TX packets:3059 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:671940 (671.9 KB) TX bytes:491511 (491.5 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:247 errors:0 dropped:0 overruns:0 frame:0
TX packets:247 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:21458 (21.4 KB) TX bytes:21458 (21.4 KB)
vti0 Link encap:IPIP Tunnel HWaddr
inet addr:10.3.216.204 P-t-P:10.3.216.204 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
sudo ip route show table 200
default via 10.3.216.204 dev vti0
default via 127.0.0.1 dev lo
sudo ip rule list
0: from all lookup local
219: from all fwmark 0x1 lookup vpn
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
/etc/strongswan.d/charon/constraints.conf
constraints {
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = no
}
In /etc/strongswan.d/charon.conf
install_routes = no
install_virtual_ip = no
In /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Scripts for making the rules/routes
/etc/ipsec.script.sh
#!/bin/bash
set -o nounset
set -o errexit
TABLE_ID="vpn"
VTI_INTERFACE="vti0"
case "${PLUTO_VERB}" in
    up-client)
        ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
            okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
        ip link set "${VTI_INTERFACE}" up
        sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
        ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_INTERFACE}"
        # Send marked packets to the "vpn" routing table (add the rule only once)
        if ! ip rule list | grep -q "fwmark 0x1 lookup ${TABLE_ID}"; then
            ip rule add from all fwmark 0x1 lookup "${TABLE_ID}"
        fi
        # Launch routing script
        /etc/ipsec.route.sh
        ;;
    down-client)
        ip tunnel del "${VTI_INTERFACE}"
        ;;
esac
/etc/ipsec.route.sh
#!/bin/bash
set -o nounset
set -o errexit
export TABLE_ID="vpn"
export VPN_USER="vpn"
export VTI_INTERFACE="vti0"
export LOCAL_IP="10.211.55.3"
# Flush iptables rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# Mark packets from $VPN_USER (and keep the mark on the connection)
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# Allow $VPN_USER to access lo and the VPN interface only: the ACCEPT rules
# must come before the DROP, otherwise the DROP also catches the VPN traffic
iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
# Deny $VPN_USER access to any other interface
iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
# Allow responses from $VTI_INTERFACE
iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Masquerade packets on $VTI_INTERFACE
iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
# Routing rules: use the address assigned to the vti as gateway of the "vpn" table
GATEWAY=$(ip -4 -o addr show dev "$VTI_INTERFACE" | awk '{ sub("/.*", "", $4); print $4; exit }')
ip route replace default via $GATEWAY table $TABLE_ID
ip route append default via 127.0.0.1 dev lo table $TABLE_ID
ip route flush cache
Gilles Printemps
2018-05-29 08:24:11 UTC
Hi,
I found my problem: "rp_filter" for the vti interface was not set to 2.
Now, I can correctly establish the connection and any request done by the
"vpn" user goes through it.

Currently, I still have a problem keeping the connection alive...
Indeed, after several minutes, there is no way to use the VPN anymore (see
new thread).

Gilles
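Putting the thread's pieces together, with the rp_filter fix Gilles found, as one leftupdown script. This is an added example, not Gilles's or Phil's scripts; the `run`/`plan` helpers, the DRY_RUN switch and the variable names are mine, and it assumes the "vpn" user and "vpn" routing table from the thread exist.

```shell
#!/bin/bash
# Added example, not Gilles's scripts: one leftupdown script combining the
# pieces of this thread (ipsec.script.sh + ipsec.route.sh) with the fixes
# discussed: rp_filter=2 on the vti (the final fix), ACCEPT rules before the
# DROP, a fwmark rule below strongSwan's table-220 rule, and a blackhole
# fallback so the user's traffic fails closed when the tunnel is down instead
# of leaking via the main table.
# Assumptions (as in the thread): user "vpn" exists, table "vpn" is declared
# in /etc/iproute2/rt_tables, charon runs with install_routes=no, and the
# conn sets mark= so only traffic sent through the VTI matches the IPsec policies.
# Set DRY_RUN=1 to print the commands instead of running them.
set -o nounset
set -o errexit

VPN_USER="${VPN_USER:-vpn}"
TABLE="${TABLE:-vpn}"
FWMARK="${FWMARK:-0x1}"
RULE_PRIO="${RULE_PRIO:-219}"   # must be < 220 or strongSwan's own rule wins
VTI_IF="${VTI_IF:-vti0}"

run() {   # execute, or print when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

tunnel_up() {   # PLUTO_* are exported by charon to the updown script
    run ip tunnel add "$VTI_IF" local "$PLUTO_ME" remote "$PLUTO_PEER" mode vti \
        okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
    run ip addr add "$PLUTO_MY_SOURCEIP" dev "$VTI_IF"
    run ip link set "$VTI_IF" up
    run sysctl -q -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
    run sysctl -q -w "net.ipv4.conf.$VTI_IF.rp_filter=2"   # loose mode: the fix from the thread
}

firewall_up() {
    # Mark everything the user sends so the policy rule picks the vpn table.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-mark "$FWMARK"
    # Order matters: ACCEPT lo and the vti first, then DROP the rest for this user.
    # The user's DNS queries are covered too, so the resolver must be reachable via the tunnel.
    run iptables -A OUTPUT -m owner --uid-owner "$VPN_USER" -o lo -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$VPN_USER" -o "$VTI_IF" -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$VPN_USER" -j DROP
    run iptables -A INPUT -i "$VTI_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Sockets choose their source address before the mark is applied, so rewrite
    # it to the tunnel address or the packet will not match the IPsec policy.
    run iptables -t nat -A POSTROUTING -o "$VTI_IF" -j MASQUERADE
}

routes_up() {
    run ip route replace default via "$PLUTO_MY_SOURCEIP" dev "$VTI_IF" table "$TABLE"
    run ip route replace blackhole default metric 1000 table "$TABLE"
    if ! ip rule list 2>/dev/null | grep -q "fwmark $FWMARK lookup $TABLE"; then
        run ip rule add priority "$RULE_PRIO" fwmark "$FWMARK" lookup "$TABLE"
    fi
    run ip route flush cache
}

tunnel_down() {   # rule, blackhole and DROP stay: the user remains fail-closed
    run ip tunnel del "$VTI_IF"   # its routes in table $TABLE disappear with it
}

plan() (   # print what an up-client/down-client event would execute
    DRY_RUN=1
    case "$1" in
        up-client)   tunnel_up; firewall_up; routes_up ;;
        down-client) tunnel_down ;;
    esac
)

case "${PLUTO_VERB:-}" in
    up-client)   tunnel_up; firewall_up; routes_up ;;
    down-client) tunnel_down ;;
esac
```

Run it once by hand with `DRY_RUN=1 PLUTO_VERB=up-client` and the PLUTO_* variables set to check the generated commands before pointing leftupdown= at it.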