
How to route traffic from VPN Clients to LAN devices. #94

Open
DarwinPorras opened this issue Aug 20, 2019 · 10 comments

Comments

@DarwinPorras

Hi,

Everything in the script works great, but I want to give VPN clients more access to LAN resources.

I work with a dedicated server to deploy IKEv2 with two network interfaces.
eth0 -> Public IP 100.100.100.100
eth1 -> Connects the server to my LAN (IP: 192.168.1.100), LAN network: 192.168.1.0/24
IKE VPN clients -> IP 10.10.0.0/16

My goal is to provide access from a VPN client (e.g. 10.10.0.1) to some resources in my LAN (e.g. 192.168.1.150). From the server I can ping LAN IPs and VPN clients and browse the internet; everything works fine.

I tried to create some iptables rules to NAT from the VPN clients to the LAN network, but I have not had good results. I'm stuck at this point because I don't know if I have to make some changes in the ipsec.conf file or if I made a mistake with the iptables rules I created.

I would appreciate any help you could provide to achieve my goal.

Many thanks for any help
Darwin.

@bumansu

bumansu commented Aug 20, 2019

@bumansu

bumansu commented Aug 21, 2019

If you manage to get it working, would you mind sharing your setup?

@DarwinPorras
Author

Hi,

Thanks for the information. At this moment I don't have any results yet. I will keep working on it until I have new results, and of course I will share my configuration.

Keep in touch if you find something new.

Best regards
Darwin.

@steeeeev0

Make sure you've forwarded the correct ports on the correct protocols:
500/UDP, 4500/UDP
In my router I also forwarded ESP to my VPN server's IP.

@DarwinPorras
Author

DarwinPorras commented Mar 27, 2020 via email

@steeeeev0

steeeeev0 commented Mar 27, 2020

Here are my current rules in iptables:

```
steve@VPN:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -m state --state NEW -m recent --update --seconds 300 --hitcount 60 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.10.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
```

These rules, to my surprise, don't seem to reference my LAN subnet (10.0.1.0 in my case). Are your rules similar?
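To see why the listing above does not need to name the LAN subnet, here is an added first-match simulation of its FORWARD chain (example code written for this thread, not steeeeev0's or the project's). The rules are copied from the listing; the client and LAN addresses are constructed to match the opener's layout (VPN pool 10.10.0.0/16, LAN host 192.168.1.150), and `-m policy --pol ipsec --proto esp` is treated as implied by the `--dir` value.

```python
import ipaddress
import shlex

# Constructed input: the FORWARD part of the `iptables -S` listing above, as posted.
IPTABLES_S = """\
-P FORWARD ACCEPT
-A FORWARD -s 10.10.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
"""


def parse_chain(listing, chain):
    """Return (default_policy, rules); a rule keeps only -s, -d, --dir and -j."""
    policy, rules = None, []
    for line in listing.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        elif tok[:2] == ["-A", chain]:
            rule = {"src": None, "dst": None, "dir": None, "target": None}
            i = 2
            while i < len(tok):
                if tok[i] == "-s":
                    rule["src"] = ipaddress.ip_network(tok[i + 1])
                elif tok[i] == "-d":
                    rule["dst"] = ipaddress.ip_network(tok[i + 1])
                elif tok[i] == "--dir":
                    rule["dir"] = tok[i + 1]
                elif tok[i] == "-j":
                    rule["target"] = tok[i + 1]
                else:  # -m policy / --pol ipsec / --proto esp: folded into --dir
                    i += 1
                    continue
                i += 2
            rules.append(rule)
    return policy, rules


def verdict(listing, src, dst, ipsec_dir):
    """Walk FORWARD top to bottom; ipsec_dir is 'in' (just decrypted from a
    tunnel), 'out' (will be encrypted on exit) or None (no IPsec policy)."""
    policy, rules = parse_chain(listing, "FORWARD")
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["src"] is not None and src not in r["src"]: continue
        if r["dst"] is not None and dst not in r["dst"]: continue
        if r["dir"] is not None and r["dir"] != ipsec_dir: continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policy  # fell off the end: the chain's default policy applies
```

Because the two ACCEPT rules match on the IPsec policy rather than on a destination, a decrypted packet from 10.10.0.1 to 192.168.1.150 and the reply heading back into the tunnel are both forwarded, while the same addresses without a tunnel policy hit the final DROP. What the chain does not cover is the return route: LAN hosts must know 10.10.0.0/16 is reachable via the server's eth1 address (a route on the LAN gateway, or SNAT to the server's LAN address in nat POSTROUTING), which is what the opener's NAT attempt was aiming at.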

@steeeeev0

It also looks like I may have edited /etc/ufw/sysctl.conf. I can't remember exactly what I did, but here's the output of the file:

```
#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
# Documentation/networking/ip-sysctl.txt in the kernel source code for more
# information.
#

# Uncomment this to allow this host to route packets between interfaces
#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1

# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0

# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0

# Don't log Martian Packets (impossible addresses)
# packets
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0

#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800

# Uncomment this to turn off ipv6 autoconfiguration
#net/ipv6/conf/default/autoconf=1
#net/ipv6/conf/all/autoconf=1

# Uncomment this to enable ipv6 privacy addressing
#net/ipv6/conf/default/use_tempaddr=2
#net/ipv6/conf/all/use_tempaddr=2
```

...it turns out I actually have UFW inactive. Not sure that's the recommended setup to take, but is your UFW enabled?

@DarwinPorras
Author

DarwinPorras commented Mar 28, 2020 via email

@DarwinPorras
Author

DarwinPorras commented Mar 28, 2020 via email

@LennyLip

Hi, I set

```
bypass-lan {
    load = yes
}
```

but still can't access the local Wi-Fi network on Android.
macOS works fine with the plugin either enabled or disabled.

Any suggestions?
