Hi,

After combining/executing the different scripts, I'm still not able to send anything to the "vti" interface previously created. Indeed, despite the different rules added, the "vti" interface is receiving nothing. It seems I made something wrong in my different routes... I would appreciate it if someone could point out what's wrong in my config...

$ curl ipinfo.io
Returns details from my ISP

$ sudo -u vpn -i -- curl ipinfo.io
Nothing is returned!!!

Thanks / BR
Gilles

Routing tables

Filter table:
> Chain INPUT (policy ACCEPT 910 packets, 68548 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  vti0   any     anywhere             anywhere             ctstate ESTABLISHED
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 651 packets, 85552 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    32  2688 ACCEPT     all  --  any    lo      anywhere             anywhere             owner UID match vpn
>     0     0 ACCEPT     all  --  any    vti0    anywhere             anywhere             owner UID match vpn

Nat table:
> Chain PREROUTING (policy ACCEPT 2 packets, 160 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 2 packets, 160 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 13 packets, 1165 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 10 packets, 962 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     3   203 MASQUERADE all  --  any    vti0    anywhere             anywhere

Mangle table:
> Chain PREROUTING (policy ACCEPT 914 packets, 68930 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 912 packets, 68652 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 685 packets, 88536 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   685 88536 CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK restore
>    74  8099 MARK       all  --  any    any     anywhere            !10.211.55.3          owner UID match vpn MARK set 0x1
>    64  5376 MARK       all  --  any    any    !10.211.55.3          anywhere             MARK set 0x1
>   685 88536 CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK save
>
> Chain POSTROUTING (policy ACCEPT 706 packets, 90231 bytes)
>  pkts bytes target     prot opt in     out     source               destination

ifconfig result
> enp0s5    Link encap:Ethernet  HWaddr 00:1c:42:c0:02:e3
>           inet addr:10.211.55.3  Bcast:10.211.55.255  Mask:255.255.255.0
>           inet6 addr: fe80::21c:42ff:fec0:2e3/64 Scope:Link
>           inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fec0:2e3/64 Scope:Global
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:4505 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3059 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:671940 (671.9 KB)  TX bytes:491511 (491.5 KB)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>           RX packets:247 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:247 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1
>           RX bytes:21458 (21.4 KB)  TX bytes:21458 (21.4 KB)
>
> vti0      Link encap:IPIP Tunnel  HWaddr
>           inet addr:10.3.216.204  P-t-P:10.3.216.204  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

sudo ip route show table 200
> default via 10.3.216.204 dev vti0
> default via 127.0.0.1 dev lo

sudo ip rule list
> 0:      from all lookup local
> 219:    from all fwmark 0x1 lookup vpn
> 220:    from all lookup 220
> 32766:  from all lookup main
> 32767:  from all lookup default

/etc/strongswan.d/charon/constraints.conf
> constraints {
>     # Whether to load the plugin. Can also be an integer to increase the
>     # priority of this plugin.
>     load = no
> }

In /etc/strongswan.d/charon.conf
> install_routes = no
> install_virtual_ip = no

In /etc/sysctl.conf
> net.ipv4.ip_forward=1
> net.ipv6.conf.all.forwarding=1

Scripts for making rules/routes

/etc/ipsec.script.sh
> #!/bin/bash
> # updown script run by charon; uses [[ ]], so it needs bash, not sh
> set -o nounset
> set -o errexit
>
> VPN_USER="vpn"
> VTI_INTERFACE="vti0"
>
> case "${PLUTO_VERB}" in
>     up-client)
>         # Create the VTI bound to this SA's marks and bring it up
>         ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>         ip link set "${VTI_INTERFACE}" up
>         sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
>         ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_INTERFACE}"
>         # Add the fwmark policy rule only once
>         if [[ $(ip rule list | grep -c 0x1) == 0 ]]; then
>             ip rule add from all fwmark 0x1 lookup "${VPN_USER}"
>         fi
>         # Launch routing script
>         /etc/ipsec.route.sh
>         ;;
>     down-client)
>         ip tunnel del "${VTI_INTERFACE}"
>         ;;
> esac

/etc/ipsec.route.sh
> #!/bin/bash
> export TABLE_ID="vpn"
> export VPN_USER="vpn"
> export VTI_INTERFACE="vti0"
> export LOCAL_IP="10.211.55.3"
>
> # Flush iptables rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
>
> # Mark packets from $VPN_USER
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> iptables -t mangle -A OUTPUT ! --dest "$LOCAL_IP" -m owner --uid-owner "$VPN_USER" -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT ! --src "$LOCAL_IP" -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>
> # Allow $VPN_USER to access lo and the VPN interface; these ACCEPT rules
> # must come before the catch-all DROP below, which also matches vti0
> iptables -A OUTPUT -o lo -m owner --uid-owner "$VPN_USER" -j ACCEPT
> iptables -A OUTPUT -o "$VTI_INTERFACE" -m owner --uid-owner "$VPN_USER" -j ACCEPT
> # Deny $VPN_USER access to any other interface (the jump option is lowercase -j)
> iptables -A OUTPUT ! -o lo -m owner --uid-owner "$VPN_USER" -j DROP
>
> # Allow responses from $VTI_INTERFACE
> iptables -A INPUT -i "$VTI_INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
> # Masquerade packets leaving on $VTI_INTERFACE
> iptables -t nat -A POSTROUTING -o "$VTI_INTERFACE" -j MASQUERADE
>
> # Routing rules: use the VTI's address as gateway in the $TABLE_ID table,
> # with a loopback default appended as fallback
> GATEWAY=$(ifconfig "$VTI_INTERFACE" | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
>           egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
> ip route replace default via "$GATEWAY" table "$TABLE_ID"
> ip route append default via 127.0.0.1 dev lo table "$TABLE_ID"
> ip route flush cache
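A small audit script for the kind of setup shown in this post (an added example, my own code rather than Gilles' scripts): it reads saved output of `iptables -L OUTPUT -v`, `ip rule list` and `ip route show table <t>` and checks that the three parts the per-user VPN policy depends on are all present: the `! -o lo ... DROP` kill-switch rule for the user, the `fwmark ... lookup` policy rule, and a first default route in the table that points at the VTI device. The sample listings are constructed to mirror the post's format (iptables output with names, i.e. without `-n`); the table name `vpn`, mark `0x1`, user `vpn` and device `vti0` are taken from the post.

```shell
#!/bin/bash
# Added example, not part of the original post: audit functions for a
# "user vpn may only leave via lo or vti0" policy-routing setup. Each
# check reads one command's output from stdin, so it works on saved
# listings (the constructed samples below) or live, e.g.
#   iptables -L OUTPUT -v | has_uid_killswitch vpn
# Assumed: iptables -L -v output with names (no -n), as in the post.

# Pass when the filter OUTPUT listing has a DROP rule for the owner UID
# whose "out" column is "!lo" (every interface except loopback). Without
# it, a packet that misses the vpn route table leaves via the normal
# default route unnoticed; its pkts counter is the first thing to read
# when traffic disappears.
has_uid_killswitch() {
    awk -v uid="$1" '
        $3 == "DROP" && $7 == "!lo" && index($0, "owner UID match " uid) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Pass when "ip rule list" has a rule sending packets carrying the given
# fwmark to the given table; without it the MARK set in mangle/OUTPUT
# never changes the route lookup.
has_fwmark_rule() {
    awk -v mark="$1" -v table="$2" '
        index($0, "fwmark " mark " lookup " table) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Print the device of the first default route in an
# "ip route show table <t>" listing, or "none" if the table has no default.
# The first one is the one the kernel uses; a lo fallback appended after
# it only matters once the VTI route is gone.
first_default_dev() {
    awk '$1 == "default" && !done {
             for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); done = 1 }
         }
         END { if (!done) print "none" }'
}

# Run all three checks over saved listings; returns the number of failed
# checks (0 = policy looks complete).
# args: filter_output rule_list route_table uid mark table vti_dev
audit_vpn_policy() {
    fails=0
    printf '%s\n' "$1" | has_uid_killswitch "$4" \
        || { echo "FAIL: no '! -o lo ... DROP' rule for uid $4"; fails=$((fails + 1)); }
    printf '%s\n' "$2" | has_fwmark_rule "$5" "$6" \
        || { echo "FAIL: no 'fwmark $5 lookup $6' rule"; fails=$((fails + 1)); }
    dev=$(printf '%s\n' "$3" | first_default_dev)
    [ "$dev" = "$7" ] \
        || { echo "FAIL: first default route in table $6 uses '$dev', not $7"; fails=$((fails + 1)); }
    return "$fails"
}

# --- constructed sample listings, modelled on the post's output ----------
SAMPLE_FILTER_OK='Chain OUTPUT (policy ACCEPT 651 packets, 85552 bytes)
 pkts bytes target prot opt in  out  source   destination
   32  2688 ACCEPT all  --  any lo   anywhere anywhere owner UID match vpn
    0     0 ACCEPT all  --  any vti0 anywhere anywhere owner UID match vpn
    0     0 DROP   all  --  any !lo  anywhere anywhere owner UID match vpn'
# Same chain with the DROP rule missing (e.g. its iptables call failed).
SAMPLE_FILTER_NO_DROP=$(printf '%s\n' "$SAMPLE_FILTER_OK" | grep -v DROP)
SAMPLE_RULES='0:      from all lookup local
219:    from all fwmark 0x1 lookup vpn
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE='default via 10.3.216.204 dev vti0
default via 127.0.0.1 dev lo'

rc=0
audit_vpn_policy "$SAMPLE_FILTER_NO_DROP" "$SAMPLE_RULES" "$SAMPLE_TABLE" vpn 0x1 vpn vti0 || rc=$?
echo "failed checks: $rc"
```

To run it against a live box, replace the sample variables with `$(iptables -L OUTPUT -v)`, `$(ip rule list)` and `$(ip route show table vpn)` as root; the exit status of `audit_vpn_policy` is the number of missing pieces, so it drops into a cron job or a post-`updown` hook without further parsing.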