
How to route traffic from VPN Clients to LAN devices.

Open DarwinPorras opened this issue 6 years ago • 10 comments

Hi,

Everything in the script works great, but I want to try to give VPN clients more access to LAN resources.

I work with a dedicated server to deploy IKEv2 with two network interfaces:

eth0 -> Public IP 100.100.100.100
eth1 -> connects the server to my LAN network (IP: 192.168.1.100)
LAN network: 192.168.1.0/24
IKE VPN clients -> IP 10.10.0.0/16

My goal is to provide access from a VPN client (e.g. 10.10.0.1) to some resources in my LAN (e.g. 192.168.1.150). From the server I can ping LAN IPs and VPN clients and surf the internet; everything works fine.

I tried to create some iptables rules to NAT from VPN clients to the LAN network, but I have not had good results. I'm stuck at this point because I don't know if I have to make some changes in the ipsec.conf file or if I made a mistake with the iptables rules I created.

I would appreciate any help you could provide to achieve my goal.

Many thanks for any help, Darwin.

DarwinPorras avatar Aug 20 '19 01:08 DarwinPorras

I am also trying to do the same, but without any success. Have a look at these links: https://wiki.strongswan.org/issues/2634#change-10704, https://www.strongswan.org/testing/testresults/ikev2/nat-virtual-ip/ and https://wiki.strongswan.org/projects/strongswan/repository/entry/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown. I think the bypass-lan plugin should do the trick: https://wiki.strongswan.org/projects/strongswan/wiki/Bypass-lan

bumansu avatar Aug 20 '19 12:08 bumansu

If you manage to get it working, would you mind sharing your setup?

bumansu avatar Aug 21 '19 08:08 bumansu

Hi,

Thanks for the information. At this moment I don't have any results yet. I will keep working on it until I have new results, and of course I will share my configuration.

Keep in touch if you find something new.

Best Regards Darwin.

DarwinPorras avatar Aug 21 '19 17:08 DarwinPorras

Make sure you've forwarded the correct ports on the correct protocols: 500/UDP, 4500/UDP. In my router I also forwarded ESP to my VPN server's IP.

steeeeev0 avatar Mar 27 '20 03:03 steeeeev0

Hi There,

Thanks for your advice. I already opened those ports and everything works fine on the 10.10.X.X network.

Let me explain my situation. I have a server with two Ethernet network connections:

Public IP: x.x.x.x
Private IP: 192.168.1.x

When I connect to the VPN server, it assigns me the IP 10.10.x.x. I can surf the internet and it works fine, but when I try to connect to another server inside my LAN (192.168.1.x) I can't.

Do you know what I can do? Do I have to create some rules in iptables? By the way, I'm not the best at iptables.

Thank you in advance.

Best Regards, Darwin Lemoine

DarwinPorras avatar Mar 27 '20 20:03 DarwinPorras

Here are my current rules in IPTABLES:

steve@VPN:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -m state --state NEW -m recent --update --seconds 300 --hitcount 60 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.10.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP

These rules, to my surprise, don't seem to reference my LAN subnet (10.0.1.0 in my case). Are your rules similar?

steeeeev0 avatar Mar 27 '20 21:03 steeeeev0
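To see what the dump above actually permits, and to show the two usual ways of giving LAN hosts a return path to the client pool, here is an added shell example; it is not from the IKEv2-setup project or from anyone in this thread, and it assumes the topology in the opening post (clients in 10.10.0.0/16, LAN 192.168.1.0/24 on eth1, server LAN address 192.168.1.100).

```shell
#!/bin/sh
# Added example, not part of the IKEv2-setup project or any config posted above.
# Assumed topology (from the opening post): VPN pool 10.10.0.0/16, LAN
# 192.168.1.0/24 behind eth1, server LAN address 192.168.1.100.
VPN_NET="10.10.0.0/16"
LAN_NET="192.168.1.0/24"
LAN_IF="eth1"
SERVER_LAN_IP="192.168.1.100"

# FORWARD chain copied from the 'iptables -S' dump in this thread.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -s 10.10.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP'

# Reads an 'iptables -S' dump on stdin. Prints "allowed" if a FORWARD rule
# accepts decrypted traffic from VPN_NET before the final DROP, else "blocked".
# The policy-match rule has no -d, so it already covers LAN destinations: the
# filter chain is not what stops VPN -> LAN traffic in the dump above.
forward_allows_vpn() {
  awk -v net="$VPN_NET" '
    $1 == "-A" && $2 == "FORWARD" && index($0, "-s " net) && /--pol ipsec/ && /-j ACCEPT/ { ok = 1; exit }
    $0 == "-A FORWARD -j DROP" { exit }
    END { print (ok ? "allowed" : "blocked") }'
}

# Prints the commands that give LAN hosts a way to answer 10.10.x.x clients,
# which otherwise have no route back through the VPN server.
# Option A (preferred, no NAT): route the pool via the server on the LAN gateway.
# Option B: masquerade VPN sources as the server's eth1 address; only LAN-bound
# traffic is rewritten (-d LAN_NET), and -C keeps the rule idempotent on reruns.
lan_return_path_rules() {
  cat <<EOF
# on the VPN server: forwarding must be on
sysctl -w net.ipv4.ip_forward=1
# Option A: run on the LAN default gateway, not on the VPN server
ip route add $VPN_NET via $SERVER_LAN_IP
# Option B: run on the VPN server
iptables -t nat -C POSTROUTING -s $VPN_NET -d $LAN_NET -o $LAN_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $VPN_NET -d $LAN_NET -o $LAN_IF -j MASQUERADE
EOF
}

printf '%s\n' "$SAMPLE_FORWARD" | forward_allows_vpn
lan_return_path_rules
```

With option B, LAN hosts see the server's LAN address instead of the individual client, so keep strongSwan's own logs if you need per-client attribution.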

It also looks like I may have edited /etc/ufw/sysctl.conf. I can't remember exactly what I did, but here's the contents of the file:

#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
# Documentation/networking/ip-sysctl.txt in the kernel source code for more
# information.
#

# Uncomment this to allow this host to route packets between interfaces
#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1

# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0

# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0

# Don't log Martian Packets (impossible addresses)
# packets
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0

#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800

# Uncomment this to turn off ipv6 autoconfiguration
#net/ipv6/conf/default/autoconf=1
#net/ipv6/conf/all/autoconf=1

# Uncomment this to enable ipv6 privacy addressing
#net/ipv6/conf/default/use_tempaddr=2
#net/ipv6/conf/all/use_tempaddr=2

...it turns out I actually have UFW inactive. Not sure that's the recommended setup to take, but is your UFW enabled?

steeeeev0 avatar Mar 27 '20 21:03 steeeeev0

Hi,

I have exactly the same rules in my iptables configuration.

Thanks. Darwin Lemoine

DarwinPorras avatar Mar 28 '20 00:03 DarwinPorras

Hi,

I also have my UFW inactive.

root@VPN:~# ufw status
Status: inactive

Thanks. Darwin Lemoine

DarwinPorras avatar Mar 28 '20 00:03 DarwinPorras

Hi, I set

bypass-lan {
    load = yes
}

but I still can't access the local WiFi network from Android. macOS works fine with the plugin either enabled or disabled.

Any suggestions?

LennyLip avatar Jul 18 '23 08:07 LennyLip