How to route traffic from VPN Clients to LAN devices.
Hi,
Everything in the script works great, but I want to give VPN clients more access to LAN resources.
I work with a dedicated server to deploy IKEv2 with two network interfaces:
eth0 -> Public IP 100.100.100.100
eth1 -> connects the server to my LAN network (IP: 192.168.1.100)
LAN network: 192.168.1.0/24
IKE VPN clients -> IP 10.10.0.0/16
My goal is to provide access from a VPN client (e.g. 10.10.0.1) to some resources in my LAN (e.g. 192.168.1.150). From the server I can ping LAN IPs and VPN clients and browse the internet; everything works fine.
I tried to create some iptables rules to NAT from the VPN clients to the LAN network, but I have not had good results. I'm stuck at this point because I don't know if I have to make some changes in the ipsec.conf file or if I made a mistake with the iptables rules that I created.
I would appreciate any help you could provide to achieve my goal.
Many thanks for any help, Darwin.
I am also trying to do the same, but without any success. Have a look at these links: https://wiki.strongswan.org/issues/2634#change-10704 and https://www.strongswan.org/testing/testresults/ikev2/nat-virtual-ip/ and https://wiki.strongswan.org/projects/strongswan/repository/entry/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown. I think the bypass-lan plugin should do the trick: https://wiki.strongswan.org/projects/strongswan/wiki/Bypass-lan
If you manage to get it working, would you mind sharing your setup?
Hi,
Thanks for the information. At this moment I don't have any results yet. I will keep working on it until I have new results, and of course I will share my configuration.
Keep in touch if you find something new.
Best regards, Darwin.
Make sure you've forwarded the correct ports on the correct protocols: 500/UDP, 4500/UDP. In my router I also forwarded ESP to my VPN server's IP.
Hi There,
Thanks for your advice. I already opened those ports and everything works fine on the 10.10.X.X network.
Let me explain my situation. I have a server with two Ethernet network connections:
Public IP: x.x.x.x
Private IP: 192.168.1.x
When I connect to the VPN server, it assigns me the IP 10.10.x.x. I can surf the internet and it works fine, but when I try to connect to another server inside my LAN (192.168.1.x) I can't.
Do you know what I can do? Do I have to create some rules in iptables? By the way, I'm not the best with iptables.
Thank you in advance.
Best Regards, Darwin Lemoine
(In reply to stevesanda's comment of Mar 26, 2020, 8:21 PM.)
Here are my current rules in IPTABLES:
steve@VPN:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -m state --state NEW -m recent --update --seconds 300 --hitcount 60 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.10.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
These rules, to my surprise, don't seem to reference my LAN subnet (10.0.1.0 in my case). Are your rules similar?
It also looks like I may have edited /etc/ufw/sysctl.conf. I can't remember exactly what I did, but here's the output of the file:
#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
# Documentation/networking/ip-sysctl.txt in the kernel source code for more
# information.
#
# Uncomment this to allow this host to route packets between interfaces
#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1
# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
# Don't log Martian Packets (impossible addresses)
# packets
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0
#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800
# Uncomment this to turn off ipv6 autoconfiguration
#net/ipv6/conf/default/autoconf=1
#net/ipv6/conf/all/autoconf=1
# Uncomment this to enable ipv6 privacy addressing
#net/ipv6/conf/default/use_tempaddr=2
#net/ipv6/conf/all/use_tempaddr=2
...it turns out I actually have UFW inactive. Not sure that's the recommended setup to take, but is your UFW enabled?
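To see whether rules like the ones posted above actually permit the 10.10.0.0/16 -> 192.168.1.0/24 path from Darwin's setup, here is a small checker, added here and not part of the thread or of the IKEv2-setup project. It assumes eth1 is the LAN interface, ignores the `-m policy` match (which only narrows those rules to decrypted IPsec traffic) and decides on the FORWARD chain's addresses alone; the sample rules are the ones posted above, with an empty nat table because `iptables -S` does not list POSTROUTING unless run with `-t nat`.

```python
"""Check `iptables -S` and `iptables -t nat -S` output for a VPN-client -> LAN path."""
import ipaddress
import shlex
VPN_NET = ipaddress.ip_network("10.10.0.0/16")   # VPN client pool from the thread
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # LAN behind the server
LAN_IF = "eth1"  # assumption: the server's LAN-facing interface

# Constructed sample: the FORWARD rules posted above. Plain `iptables -S` never shows
# the nat table's POSTROUTING chain; that needs `iptables -t nat -S` (empty here).
FILTER_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -s 10.10.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
"""

def parse_rules(text, chain):
    """Return each '-A <chain>' rule as {option: value}; bare flags map to True."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != chain:
            continue
        opts, i = {}, 2
        while i < len(tok):  # '! -s x' negations are not modelled here
            if i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                opts[tok[i]], i = tok[i + 1], i + 2
            else:
                opts[tok[i]], i = True, i + 1
        rules.append(opts)
    return rules

def covers(cidr, net):
    """A missing -s/-d means 'any'; otherwise the rule's prefix must contain net."""
    return cidr is None or net.subnet_of(ipaddress.ip_network(cidr, strict=False))

def check_forward_path(filter_text, nat_text):
    """Return the rules still missing for VPN_NET -> LAN_NET traffic and its replies."""
    accept = [r for r in parse_rules(filter_text, "FORWARD") if r.get("-j") == "ACCEPT"]
    out_ok = any(covers(r.get("-s"), VPN_NET) and covers(r.get("-d"), LAN_NET) for r in accept)
    back_ok = any(covers(r.get("-s"), LAN_NET) and covers(r.get("-d"), VPN_NET) for r in accept)
    nat_ok = any(r.get("-j") in ("MASQUERADE", "SNAT") and r.get("-o") == LAN_IF
                 and covers(r.get("-s"), VPN_NET) for r in parse_rules(nat_text, "POSTROUTING"))
    missing = []
    if not out_ok:
        missing.append(f"-A FORWARD -s {VPN_NET} -d {LAN_NET} -j ACCEPT")
    if not back_ok:
        missing.append(f"-A FORWARD -s {LAN_NET} -d {VPN_NET} -m state --state RELATED,ESTABLISHED -j ACCEPT")
    if not nat_ok:  # without NAT, the LAN router needs a route for VPN_NET via the server instead
        missing.append(f"-t nat -A POSTROUTING -s {VPN_NET} -o {LAN_IF} -j MASQUERADE")
    return missing
```

With the posted rules the only gap reported is the missing POSTROUTING masquerade toward the LAN; beyond the firewall, the IPsec traffic selectors negotiated with the client must also include the LAN subnet, or the reply never matches the `--pol ipsec` rule.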
Hi,
I have exactly the same rules in my iptables configuration.
Thanks. Darwin Lemoine
(In reply to stevesanda's comment of Mar 27, 2020, 2:23 PM.)
Hi,
I also have my UFW inactive.
root@VPN:~# ufw status
Status: inactive
Thanks. Darwin Lemoine
(In reply to stevesanda's comment of Mar 27, 2020, 2:30 PM.)
Hi, I set
bypass-lan {
load = yes
}
but I still can't access the local Wi-Fi network from Android. macOS works fine with the plugin either enabled or disabled.
Any suggestions?