5

I have no particular competence in networking, so I'll do my best to explain my needs. On my Linux laptop I'm running StrongSwan (with NetworkManager) to connect to a particular VPN with IPsec. This VPN lets me reach this kind of IP: 10.*.*.*.

Now, my problem is that when I run the VPN all the traffic goes through the VPN, but I would prefer to route to the VPN only packets addressed to those IPs (10.*.*.*).

How can I do it? Can someone provide me a simple guide, or share the necessary configurations and how to apply them?

Codemix
  • 63

2 Answers

4

strongSwan's NetworkManager plugin does not currently allow changing the proposed traffic selectors (which decide what traffic is tunneled). So it always proposes to tunnel everything, and unless the server narrows the traffic selectors (see below) that's what's negotiated.

Possible ways to work around this:

  1. If you can, change the server's configuration so it narrows the client's proposal to the desired subnets via its own reduced set of traffic selectors. Some clients are more or less able to handle this, strongSwan's NM plugin should be fine (on the strongSwan wiki you can find more information about split-tunneling and potential problems with different clients).
  2. If you are only interested in accessing your local LAN while connected to the VPN, you could load the bypass-lan plugin in the charon-nm daemon (the backend for the strongSwan NM plugin), which automatically installs bypass IPsec policies for all locally attached subnets.
  3. Similar to the previous option, use the regular IKE daemon (charon or charon-systemd, configured via swanctl.conf or ipsec.conf) to install bypass IPsec policies for the subnets you don't want to access via VPN (this also works if they are not locally attached).
  4. Prevent the charon-nm daemon from installing its own routes in routing table 220 (via the charon-nm.install_routes option in strongswan.conf), or clear routing table 220 after the connection has been established. And then, either manually or via an NM script (in /etc/NetworkManager/dispatcher.d, see the documentation here), install specific routes only for the subnets you want to tunnel, for instance:

    ip route add 10.0.0.0/8 dev <outbound interface> src <virtual IP> table 220
    

    Where the virtual IP address has to be determined via log or ip addr (or in a script via environment variable). If you don't disable the automatic route installation, you can also get the virtual IP from the existing route, which you delete afterwards.

  5. Alternatively, use the regular IKE daemon instead of the NM plugin. There you have more options to only tunnel the traffic you want (either by setting a specific remote traffic selector, or via bypass policies). However, you don't have a GUI to configure/start the VPN connections (but you can start connections automatically or when traffic for the target subnets is detected).
ecdsa
  • 1,288
1

Many thanks to @ecdsa for the completeness of his answer.

I'm a newbie in networking and I struggled so much to implement the solution although it was trivial.

The following solution adopts the fourth suggestion and requires the following steps:

  1. Switch on your VPN through NetworkManager
  2. Run the following command to discover the route created by NetworkManager

    user@laptop:~$ ip route list table 220
    default via 192.168.1.1 dev enp0s31f6 proto static src 172.26.199.15
    
  3. Take note of the interface (enp0s31f6) and virtual IP (172.26.199.15)

  4. Flush the current route, because you want to use a custom route, with the following command

    sudo ip route flush table 220
    
  5. Add your custom route with the following command

    sudo ip route add 10.0.0.0/8 dev enp0s31f6 via 172.26.199.15 table 220
    

Now only packets addressed to 10.0.0.0/8 will be routed through the VPN.

Codemix
  • 63
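The manual steps above (and option 4 in the first answer) can be automated with a NetworkManager dispatcher script. The following script is an added example, not code from either answer or from the strongSwan project: it reads the default route that charon-nm installed in table 220 to learn the outbound interface and the virtual IP, flushes the table, and installs routes only for the subnets that should be tunneled (assumed here to be 10.0.0.0/8, as in the question; the `src` form of the route follows the first answer). The parsing and command-building logic is kept in functions so it can be checked against the constructed route line from the answer without root privileges; `ip` is only invoked when NetworkManager calls the script with the `vpn-up` action.

```shell
#!/bin/sh
# Added example: a NetworkManager dispatcher script for /etc/NetworkManager/dispatcher.d
# implementing "flush table 220, then route only the wanted subnets through the VPN".
# Not part of the original answers; assumes charon-nm still installs its own routes.
set -eu

# Subnets that should go through the tunnel (assumption: 10.0.0.0/8 as in the question).
TUNNELED_SUBNETS="10.0.0.0/8"
# strongSwan's charon-nm installs its routes in this table.
ROUTE_TABLE=220

# Extract "<dev> <src>" from one line of `ip route list table 220` output.
# Example input (constructed, matches the line shown in the answer above):
#   default via 192.168.1.1 dev enp0s31f6 proto static src 172.26.199.15
# Prints nothing if either the dev or the src field is missing.
parse_route_line() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if ($i == "dev") dev = $(i + 1);
              if ($i == "src") src = $(i + 1);
          }
          if (dev != "" && src != "") print dev, src }'
}

# Build the replacement route command(s) for the given interface and virtual IP,
# one per tunneled subnet, in the form the first answer suggests.
route_commands() {
    dev=$1
    vip=$2
    for net in $TUNNELED_SUBNETS; do
        printf 'ip route add %s dev %s src %s table %s\n' "$net" "$dev" "$vip" "$ROUTE_TABLE"
    done
}

# Dispatcher entry point: NetworkManager calls the script as "<interface> <action>".
# Only act on vpn-up so that running the script by hand does nothing.
if [ "${2:-}" = "vpn-up" ]; then
    line=$(ip route list table "$ROUTE_TABLE" | grep '^default ' | head -n 1)
    set -- $(parse_route_line "$line")
    if [ $# -ne 2 ]; then
        echo "no default route with a src address found in table $ROUTE_TABLE" >&2
        exit 1
    fi
    # Drop the catch-all route charon-nm installed, then add the narrow ones.
    ip route flush table "$ROUTE_TABLE"
    route_commands "$1" "$2" | sh -e
fi
```

Install it as, for example, /etc/NetworkManager/dispatcher.d/90-vpn-split-routes, owned by root and executable but not world-writable (NetworkManager refuses to run dispatcher scripts that are). If charon-nm's automatic route installation has been disabled via charon-nm.install_routes, there is no route to parse and the interface and virtual IP have to come from elsewhere (a log line or the dispatcher environment), so this script is meant for the case where the automatic route is still present at vpn-up.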