Force web proxy on road warrior vpn devices

Hello,
I’m not really sure where to post this. If a moderator thinks it belongs somewhere else, please move it.
Anyway, I’m experimenting with the hardening guide from Peter and set the default rules for FORWARD and OUTGOING to DROP. Great guide for me as a beginner - it works as expected. I implemented the rules Peter mentioned for IPFire so my devices can access the web via proxy. Neat! The problem arises as soon as I test the IPSec VPN. I can connect the VPN without problems. But it can’t get out of my home network. While that is expected, I can’t find a way to tell my VPN clients to go via proxy. So either I have to give the IPsec net full forward access for 80/443 connections or find a way to tell them to use the proxy. I don’t want the first alternative as it would bypass any URL filtering. Is there a way to tell road warriors (here iPhone/iPad) to connect via proxy in a VPN tunnel?

Thanks in advance!

Hi,

welcome to the IPFire community. 🙂

This is exactly the right place to ask such questions, and I’m glad that blog post was helpful to you.

Sadly, I am not very familiar with Apple devices and their proxy configuration/provisioning methods. There is this thread, which goes a bit deeper into this topic, but it does not look like there is an easy one-click solution to this, if I understood it correctly.

If you have permanent control over these road warriors, manually configuring the proxy would be an option. But I assume this is not the case here…

In corporate environments, Apple devices can be exhaustively provisioned by an MDM (mobile device management), but I have no experience with that, either.

Sorry to disappoint, and best regards,
Peter Müller

1 Like

Thank you for the links (and the answer of course). I was afraid it is that way. The problem is that - MDM aside - one has to configure a proxy for a connection. While that might be workable for wifi connections it is pointless for mobile connections. To my knowledge there isn’t a global proxy setting for iOS.

So I guess the only way to provide WAN access for IPsec clients is to explicitly allow port 443 connections to any destination for IPsec clients. At least I have the DNSSEC protection for lookups. Am I right?

HTTP requests should be caught by the transparent proxy but I do think they are rare.

Yes there is, however it is only possible by using Apple Configurator 2 and putting the iOS devices in supervised mode from a macOS device connected through the USB port. In that case you have a global proxy setting. The major obstacle is that you will have to reset the devices, so it requires planning (backup, restore etc.).

EDIT: let me add a few more words on the topic. Last time I checked (iOS 13, later I mostly ditched the Apple ecosystem) the re-connection to the tunnel after standby is not automatic with IPSec, unless you use a profile with Apple Configurator. For that reason I gave up on IPSec and I would use OpenVPN, which by using an app as a client not only reconnects after standby but also can honor dhcp-option directives coming from the server, where the proxy can be centrally configured in the IPFire machine.

1 Like
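The centrally configured proxy mentioned in the post above, sketched as server-side OpenVPN directives (an added example, not part of the original thread and not IPFire's own configuration). The gateway address 10.0.0.1 and proxy port 800 are assumptions to be replaced with the firewall's internal address and its configured web proxy port; whether a given client app honors these options depends on the app.

```conf
# Added example: proxy settings pushed to OpenVPN clients from the server.
# 10.0.0.1 and 800 are assumed values, not taken from the thread.

# Route all client traffic through the tunnel so nothing leaves the
# device outside the firewall's control.
push "redirect-gateway def1"

# Tell the client which HTTP and HTTPS proxy to use while the tunnel is up.
# These PROXY_* options are read by the OpenVPN Connect app; other clients
# may ignore them.
push "dhcp-option PROXY_HTTP 10.0.0.1 800"
push "dhcp-option PROXY_HTTPS 10.0.0.1 800"

# The pushed proxy is only a hint to the client. Enforcement stays on the
# firewall: keep the default DROP policy for forwarded traffic from the
# OpenVPN subnet and allow that subnet to reach only the proxy port, so a
# client that ignores the options gets no web access instead of an
# unfiltered one.
```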

So I need to buy a Mac first since Apple hasn’t released the Configurator 2 for Windows. But good to know there is a global option for a supervised phone.

With iOS 15 the behaviour is still unchanged. The tunnel drops often and without notice. I do have a working OpenVPN profile. But there I have the problem that it won’t work when I’m on my home WLAN. But that is another topic so I might open it in the relevant section.

I solved that problem by creating a second profile where the remote server would be the internal IP address of IPFire, all the rest would be identical to the profile for connecting from the WAN side.

1 Like

Thanks for the suggestion. I switched to OpenVPN too and with Passepartout I have an app that actually does what I wanted. I can define my home SSID as trusted and the app switches OpenVPN off in my home WLAN and activates it as soon as I leave it. Works flawlessly with IPFire so far.

I have a similar setting, however when I am in my household I switch to an “internal” VPN connection. The reason was, I wanted to see if it was possible (it is).

Does this make sense? Probably not, however I could argue that an internal VPN on the blue segment of the network, where otherwise everything is blocked, constitutes a second, password-less layer of encryption. In this setting, even if an attacker managed to break into the wifi network, they would not be able to do anything important besides opening a tunnel. Of course, I am sensitive to security issues but I know enough to be mildly aware that I am totally ignorant on the topic. Therefore I have no idea what the tradeoffs of such a system are, which second-order effects are introduced by the complexity etc. For this reason I stick to the story that I just wanted to know if it was possible 😁.

2 Likes