Suppose your local LAN has IP subnet 192.168.1.0/24, and you want to forward all traffic to the remote server.
1. You need to bypass traffic to the local LAN:

   - in client config:

         conn bypass-non-routable-range
             leftsubnet=0.0.0.0/0
             rightsubnet=192.168.1.0/24,224.0.0.0/4,240.0.0.0/4,0.0.0.0/8,127.0.0.0/8
             # passthrough policy: this traffic is excluded from the tunnel, no SA is negotiated
             type=passthrough
             auto=route

   - disable the farp plugin if installed: edit strongswan.d/charon/farp.conf, change 'load=on' to 'load=off'

2. Allow the local gateway to forward internet traffic to the remote:

   - in client config:

         conn ikev2-138.100.100.100
             leftsubnet=192.168.1.0/24

   - in server config:

         conn %default
             rightsubnet=192.168.1.0/24

On Tue, Mar 21, 2017 at 10:16 AM, sendmaildevnull <[email protected]> wrote:
> Hi,
>
> I'm looking for some help setting up a strongSwan client in my local network
> as a gateway for other devices to send their traffic through and have it
> encrypted to a server in the cloud. The end goal would look something like
> this: https://imgur.com/a/Ep8W0. Right now I only have the client-to-server
> connection working, and I'm wondering if anyone has any pointers on how to
> make this client act as a transparent gateway. In the past with OpenVPN I
> was able to enable IP forwarding and set up an iptables MASQUERADE rule that
> exited out the tun interface, which obviously won't work here as there are
> no tun interfaces. Any pointers would be super appreciated!
>
> Client config
> -----------------------------------------
> conn ikev2-138.100.100.100
>     fragmentation=yes
>     rekey=no
>     dpdaction=clear
>     keyexchange=ikev2
>     compress=no
>     dpddelay=35s
>
>     ike=aes128gcm16-sha2_256-prfsha256-ecp256
>     esp=aes128gcm16-sha2_256-ecp256
>
>     right=138.100.100.100
>     rightid=138.100.100.100
>     rightsubnets=0.0.0.0/0
>     rightauth=pubkey
>
>     leftsourceip=%config
>     leftauth=pubkey
>     leftcert=138.100.100.100_user.crt
>     leftfirewall=yes
>     left=%defaultroute
>     auto=start
> -----------------------------------------
>
> Server config
> -----------------------------------------
> config setup
>     uniqueids = never # allow multiple connections per user
>     charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
>
> conn %default
>     fragmentation=yes
>     rekey=no
>     dpdaction=clear
>     keyexchange=ikev2
>     compress=yes
>     dpddelay=35s
>
>     ike=aes128gcm16-sha2_256-prfsha256-ecp256!
>     esp=aes128gcm16-sha2_256-ecp256!
>
>     left=%any
>     leftauth=pubkey
>     leftid=138.100.100.100
>     leftcert=138.100.100.100.crt
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0,::/0
>
>     right=%any
>     rightauth=pubkey
>     rightsourceip=10.19.48.0/24,fd9d:bc11:4020::/48
>     rightdns=172.16.0.1
>
> conn ikev2-pubkey
>     auto=add
> -----------------------------------------
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
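As an added example (not code from this thread or from strongSwan), here is a small Python model of how the kernel picks between the passthrough conn and the tunnel conn that the reply describes, for a packet from a LAN host. The priority constants approximate strongSwan's netlink backend, where passthrough policies start from a lower (better) base than negotiated tunnel policies and more specific selectors improve a policy further; the constants and the packets are the example's own.

```python
import ipaddress
from dataclasses import dataclass

# Base priorities modelled on strongSwan's netlink backend: a lower value is
# consulted first, passthrough policies start from a smaller base than
# negotiated tunnel policies, and every selector prefix bit lowers the value.
# The constants are the example's own approximation, not strongSwan's.
PRIO_BASE = {"bypass": 200000, "tunnel": 400000}

@dataclass(frozen=True)
class Policy:
    conn: str                    # ipsec.conf conn name the policy comes from
    src: ipaddress.IPv4Network   # leftsubnet selector
    dst: ipaddress.IPv4Network   # rightsubnet selector
    action: str                  # "bypass" (type=passthrough) or "tunnel"

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst

    def priority(self):
        # Lower number wins; more specific selectors lower it.
        return PRIO_BASE[self.action] - 10 * (self.src.prefixlen + self.dst.prefixlen)

# Constructed from the reply: the rightsubnet list of the bypass conn.
BYPASS_RIGHTSUBNETS = ["192.168.1.0/24", "224.0.0.0/4", "240.0.0.0/4",
                       "0.0.0.0/8", "127.0.0.0/8"]

def build_policies(tunnel_leftsubnet="192.168.1.0/24", bypass=BYPASS_RIGHTSUBNETS):
    """Policies the two client conns from the reply would install."""
    net = ipaddress.IPv4Network
    policies = [Policy("ikev2-138.100.100.100", net(tunnel_leftsubnet),
                       net("0.0.0.0/0"), "tunnel")]
    policies += [Policy("bypass-non-routable-range", net("0.0.0.0/0"), net(cidr), "bypass")
                 for cidr in bypass]
    return policies

def select_policy(policies, src, dst):
    """Return the matching policy with the best (lowest) priority, or None."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    hits = [p for p in policies if p.matches(src_ip, dst_ip)]
    return min(hits, key=Policy.priority) if hits else None

def decide(src, dst, bypass=BYPASS_RIGHTSUBNETS):
    """'bypass', 'tunnel', or 'cleartext' when no IPsec policy covers the flow."""
    p = select_policy(build_policies(bypass=bypass), src, dst)
    return p.action if p else "cleartext"

if __name__ == "__main__":
    lan_host = "192.168.1.50"  # constructed LAN client behind the gateway
    for dst in ("192.168.1.20", "224.0.0.251", "8.8.8.8"):
        print(f"{lan_host} -> {dst}: with bypass={decide(lan_host, dst)}, "
              f"without bypass={decide(lan_host, dst, bypass=[])}")
```

Running it with `bypass=[]` reproduces the problem the first step of the reply solves: without the passthrough conn, the 0.0.0.0/0 tunnel selector also swallows LAN-to-LAN and multicast traffic.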
