Hi,
I’ve been working on this since my target setup is a personal VPN on my desktop endpoint that goes through an IPSec tunnel established from my IPFire for double encryption, to see how it fares against the Chinese hacking bastards persistently targeting me.
I’ve referred to the following articles:
https://wiki.strongswan.org/issues/1247
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#XFRM-Interfaces-on-Linux
and finally resorting to this
So far, I’ve had major success in making all connections coming from the IPFire instance use the tunnel, BUT no matter what I do, I can’t seem to make all traffic coming from green0 go through the tunnel, even after implementing a VTI interface to help along.
Things I’ve tried:
- Adding a custom route to routing table 220 to allow communication between IPFire and green0, because I found out that connecting the IPSec tunnel with install_routes and install_virtual_ip set to “yes” in charon.conf caused green0 to become unreachable, since it forces all traffic to go through the tunnel.
The above solution did restore communication to green0, but all packets coming from green0 were still going through the normal internet and not through the tunnel.
- Using the VTI interface script from VTI Tunnel Interface with strongSwan :: Endre Szabo to create a dedicated vti interface that appears in ifconfig, for a potentially easier life in routing.
I created a default route that uses the VTI interface to forward all traffic:
route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.1.8.229 metric 0 dev vti3
Yet again, it worked for the IPFire itself but failed to forward green0 traffic through the tunnel.
I’m utterly confused about how to make this work; may I ask for some help/guidance on how I could solve this?
NOTE: Yes, I understand the security implications of this setup as mentioned in Feature Request: Easy Way to Add VPN Service - #2 by pmueller and I am responsible for the potential consequences that could arise out of this setup.
To those wondering why am I not just using the web interface for this:
I believe the Apache web server to be a major security risk, so I always have it stopped/disabled in my IPFire instance, and I use a serial console to manage my IPFire instance directly.
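The standard route-based layout for the setup described in the post (VTI interface keyed to the IPsec mark, a dedicated routing table, and an ip rule that sends only green0-sourced traffic into that table), as an added example that is not code from the original post, from IPFire or from strongSwan. The interface name vti3 and the tunnel gateway 10.1.8.229 come from the post; the endpoint addresses (203.0.113.10 / 198.51.100.20), the green subnet 192.168.1.0/24, the tunnel address 10.1.8.230/32, table 200 and mark/key 3 are assumed placeholders. It runs in dry-run mode by default and only executes the ip/sysctl commands when invoked as `sh vti-route.sh apply` as root:

```shell
#!/bin/sh
# Added example: route green0 traffic through a strongSwan VTI tunnel with
# source-based policy routing. Not from the original post, IPFire or strongSwan.
# Assumed values (adjust to your setup): endpoint addresses are documentation
# ranges; green subnet, tunnel address, table and mark/key are arbitrary choices.
VTI_IF="${VTI_IF:-vti3}"                 # interface name used in the post
VTI_KEY="${VTI_KEY:-3}"                  # must equal 'mark=' in the ipsec.conf conn (assumed)
LOCAL_EP="${LOCAL_EP:-203.0.113.10}"     # IPFire red0 address (assumed)
REMOTE_EP="${REMOTE_EP:-198.51.100.20}"  # VPN peer address (assumed)
VTI_ADDR="${VTI_ADDR:-10.1.8.230/32}"    # address on the tunnel interface (assumed)
VTI_PEER="${VTI_PEER:-10.1.8.229}"       # gateway used in the post's route
GREEN_NET="${GREEN_NET:-192.168.1.0/24}" # green0 subnet (assumed)
TABLE="${TABLE:-200}"                    # own table; strongSwan uses 220 when install_routes=yes
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Create the VTI interface bound to the IPsec mark/key and bring it up.
setup_vti() {
    run ip link add "$VTI_IF" type vti local "$LOCAL_EP" remote "$REMOTE_EP" key "$VTI_KEY"
    run ip addr add "$VTI_ADDR" dev "$VTI_IF"
    run ip link set "$VTI_IF" up
    # Packets on a VTI are already matched by the xfrm policy; disable the
    # per-interface policy check and strict reverse-path filtering on it.
    run sysctl -q -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
    run sysctl -q -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
}

# 2. Policy routing: only traffic *from* the green subnet consults the tunnel
#    table. IPFire's own traffic (including IKE/ESP to REMOTE_EP) keeps using
#    the main table, so the tunnel endpoint is never routed into the tunnel.
#    Traffic between green hosts still uses the main table (priority 100).
setup_policy_routing() {
    run ip route add default via "$VTI_PEER" dev "$VTI_IF" table "$TABLE"
    run ip rule add from "$GREEN_NET" to "$GREEN_NET" lookup main priority 100
    run ip rule add from "$GREEN_NET" lookup "$TABLE" priority 101
    run ip route flush cache
}

# 3. The strongSwan side of the same tunnel (ipsec.conf fragment): a 0/0<->0/0
#    policy restricted by the mark that matches the VTI key. For a route-based
#    tunnel also set 'charon.install_routes = no' in charon.conf so strongSwan
#    does not add its own 0/0 route to table 220.
print_ipsec_conn() {
    cat <<EOF
conn vti-desktop
    left=$LOCAL_EP
    right=$REMOTE_EP
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$VTI_KEY
    auto=start
EOF
}

# 4. Checks: which path a forwarded packet from a green0 host takes, whether the
#    VTI counters grow while that host browses, and what xfrm policies exist.
verify_path() {
    host="${1:-192.168.1.50}"   # assumed green0 client
    run ip route get 1.1.1.1 from "$host" iif green0
    run ip -s link show "$VTI_IF"
    run ip xfrm policy
}

case "${1:-}" in
    apply) DRY_RUN=0; setup_vti; setup_policy_routing ;;
    show)  setup_vti; setup_policy_routing; print_ipsec_conn ;;
    check) verify_path "${2:-}" ;;
esac
```

`sh vti-route.sh show` prints everything it would do; `sh vti-route.sh check <green-host>` is the useful test after applying: `ip route get ... iif green0` must report `dev vti3`, otherwise the forwarded path is still leaving via red0 and the ip rule or table is not in effect. The IPFire firewall must also permit forwarding from green0 to the vti interface; this script does not touch firewall rules.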