Some updates. I'm now able to create the vti interface and I have an address assigned to the vti.

Result of "ifconfig":

vti0      Link encap:IPIP Tunnel  HWaddr
          inet addr:10.3.188.149  P-t-P:10.3.188.149  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Can someone confirm that I now have to route all the marked packets to this interface to go through the VPN? Can the address assigned to the vti be seen as a gateway for the VPN?

FYI, the following files have been updated.

[/etc/ipsec.conf]
> conn VPN
>     keyexchange=ike
>     dpdaction=clear
>     dpddelay=300s
>     leftupdown=/etc/ipsec.script.sh
>     left=%defaultroute
>     leftsourceip=%config4
>     leftauth=eap-mschapv2
>     eap_identity=gprintemps
>     right=free-nl.hide.me
>     rightauth=pubkey
>     rightid=%any
>     rightsubnet=0.0.0.0/0
>     auto=route
>     mark=2

[/etc/ipsec.script.sh]
> #!/bin/bash
> set -o nounset
> set -o errexit
>
> VTI_IF="vti0"
>
> # strongSwan updown hook: build the VTI from the PLUTO_* variables it exports.
> case "${PLUTO_VERB}" in
>     up-client)
>         # okey/ikey take the mark value only (strip any "/mask" suffix).
>         ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>         ip link set "${VTI_IF}" up
>         # Plaintext on the VTI has already passed the IPsec policy check.
>         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
>         ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
>         ;;
>     down-client)
>         ip tunnel del "${VTI_IF}"
>         ;;
> esac

On Thu, May 24, 2018 at 12:15 PM, Gilles Printemps <gprinte...@gmail.com> wrote:
> I already prepared the next step (after fixing the current issue); I've
> created the following script:
>
>> #!/bin/bash
>> export TABLE_ID="vpn"
>> export VPN_USER="vpn"
>> export VPN_INTERFACE="vti0"
>> export LAN="10.211.55.0/24"
>> # GATEWAY (the LAN default gateway) must be set in the environment before running.
>>
>> # Flush iptables rules
>> iptables -F -t nat
>> iptables -F -t mangle
>> iptables -F -t filter
>> # Mark packets from $VPN_USER
>> iptables -t mangle -A OUTPUT ! -d $LAN -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
>> iptables -t mangle -A OUTPUT ! -s $LAN -j MARK --set-mark 0x1
>> # Deny $VPN_USER access to interfaces other than lo
>> iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
>> # Allow $VPN_USER to access lo and VPN interfaces
>> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
>> iptables -A OUTPUT -o $VPN_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
>>
>> # Allow responses from $VPN_INTERFACE
>> iptables -A INPUT -i $VPN_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
>> # Masquerade packets on $VPN_INTERFACE
>> iptables -t nat -A POSTROUTING -o $VPN_INTERFACE -j MASQUERADE
>>
>> # Routing rules
>> ip route replace default via $GATEWAY table $TABLE_ID
>> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
>> ip route flush cache
>
> The purpose is to mark all packets from VPN_USER and to redirect them to the
> ipsec interface created by the configuration.
> I'm planning to do it with the following command:
>
>> ip rule add from all fwmark 0x1 lookup vpn
>
> Best Regards,
> Gilles
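One way to do the routing step the message asks about, as an added example that is not part of this thread: it assumes the names used above (device vti0, routing table "vpn" already present in /etc/iproute2/rt_tables, fwmark 0x1 from the mangle rules), routes marked traffic into the VTI device rather than via a gateway address, and adds a fail-closed fallback; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/bash
# Added example, not the poster's script. Assumes vti0, table "vpn" and
# fwmark 0x1 from the thread. DRY_RUN=1 (default here) prints the commands;
# run with DRY_RUN=0 as root to apply them.
set -o nounset
set -o errexit
VTI_IF="${VTI_IF:-vti0}"
FWMARK="${FWMARK:-0x1}"
TABLE_ID="${TABLE_ID:-vpn}"
DRY_RUN="${DRY_RUN:-1}"
# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# Marked packets are routed *into* the VTI device; no gateway address is
# needed because the tunnel is point-to-point and the VTI's okey (the
# IPsec mark, 2 in the thread's ipsec.conf) selects the ESP policy.
vpn_routes_up() {
    run ip route replace default dev "$VTI_IF" table "$TABLE_ID"
    # Fail closed: if the VTI route vanishes (tunnel down), marked packets
    # hit this unreachable entry instead of leaking via the main table.
    run ip route replace unreachable default metric 1000 table "$TABLE_ID"
    run ip rule add fwmark "$FWMARK" lookup "$TABLE_ID" priority 100
    run ip route flush cache
}
vpn_routes_down() {
    run ip rule del fwmark "$FWMARK" lookup "$TABLE_ID" priority 100
    run ip route flush table "$TABLE_ID"
}
# Ask the kernel where a marked packet would go (no root needed).
# 192.0.2.1 is a TEST-NET-1 address, constructed for the check.
vpn_routes_check() {
    local dst="${1:-192.0.2.1}"
    if ip route get "$dst" mark "$FWMARK" | grep -q "dev $VTI_IF"; then
        echo "marked traffic to $dst leaves via $VTI_IF"
    else
        echo "marked traffic to $dst does NOT leave via $VTI_IF" >&2
        return 1
    fi
}
case "${1:-up}" in
    up)    vpn_routes_up ;;
    down)  vpn_routes_down ;;
    check) vpn_routes_check ;;
esac
```

The routing mark (0x1) and the IPsec mark (2) stay distinct: the first only steers the lookup into the "vpn" table, the second is applied by the VTI itself.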