Hi,

I found my problem: "rp_filter" for the vti interface was not set to 2. Now I can establish the connection correctly, and any request made by the "vpn" user goes through it.

Currently, I still have a problem keeping the connection alive... Indeed, after several minutes, there is no way to use the VPN anymore (see new thread).

Gilles

On Mon, May 28, 2018 at 3:03 PM, Gilles Printemps <[email protected]> wrote:
> Hi,
> After combining/executing the different scripts, I'm still not able to
> send anything to the "vti" interface previously created.
> Indeed, despite the different rules added, the "vti" interface is receiving
> nothing. It seems I made something wrong in my different routes...
> I would appreciate it if someone could point out what's wrong in my config...
>
> $ curl ipinfo.io
> Returns details from my ISP
>
> $ sudo -u vpn -i -- curl ipinfo.io
> Nothing is returned!!!
>
> Thanks / BR Gilles
>
> Routing tables
>
>> Filter table:
>>
>> Chain INPUT (policy ACCEPT 910 packets, 68548 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>>     0     0 ACCEPT     all  --  vti0   any    anywhere    anywhere    ctstate ESTABLISHED
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>>
>> Chain OUTPUT (policy ACCEPT 651 packets, 85552 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>>    32  2688 ACCEPT     all  --  any    lo     anywhere    anywhere    owner UID match vpn
>>     0     0 ACCEPT     all  --  any    vti0   anywhere    anywhere    owner UID match vpn
>>
>> Nat table:
>>
>> Chain PREROUTING (policy ACCEPT 2 packets, 160 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>>
>> Chain INPUT (policy ACCEPT 2 packets, 160 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>>
>> Chain OUTPUT (policy ACCEPT 13 packets, 1165 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>>
>> Chain POSTROUTING (policy ACCEPT 10 packets, 962 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>>     3   203 MASQUERADE all  --  any    vti0   anywhere    anywhere
>>
>> Mangle table:
>>
>> Chain PREROUTING (policy ACCEPT 914 packets, 68930 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>>
>> Chain INPUT (policy ACCEPT 912 packets, 68652 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>>
>> Chain OUTPUT (policy ACCEPT 685 packets, 88536 bytes)
>>  pkts bytes target     prot opt in     out    source        destination
>>   685 88536 CONNMARK   all  --  any    any    anywhere      anywhere      CONNMARK restore
>>    74  8099 MARK       all  --  any    any    anywhere      !10.211.55.3  owner UID match vpn MARK set 0x1
>>    64  5376 MARK       all  --  any    any    !10.211.55.3  anywhere      MARK set 0x1
>>   685 88536 CONNMARK   all  --  any    any    anywhere      anywhere      CONNMARK save
>>
>> Chain POSTROUTING (policy ACCEPT 706 packets, 90231 bytes)
>>  pkts bytes target     prot opt in     out    source      destination
>
> ifconfig result
>
>> enp0s5    Link encap:Ethernet  HWaddr 00:1c:42:c0:02:e3
>>           inet addr:10.211.55.3  Bcast:10.211.55.255  Mask:255.255.255.0
>>           inet6 addr: fe80::21c:42ff:fec0:2e3/64 Scope:Link
>>           inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fec0:2e3/64 Scope:Global
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:4505 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:3059 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:671940 (671.9 KB)  TX bytes:491511 (491.5 KB)
>>
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           inet6 addr: ::1/128 Scope:Host
>>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>>           RX packets:247 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:247 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1
>>           RX bytes:21458 (21.4 KB)  TX bytes:21458 (21.4 KB)
>>
>> vti0      Link encap:IPIP Tunnel  HWaddr
>>           inet addr:10.3.216.204  P-t-P:10.3.216.204  Mask:255.255.255.255
>>           UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1
>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> sudo ip route show table 200
>
>> default via 10.3.216.204 dev vti0
>> default via 127.0.0.1 dev lo
>
> sudo ip rule list
>
>> 0:      from all lookup local
>> 219:    from all fwmark 0x1 lookup vpn
>> 220:    from all lookup 220
>> 32766:  from all lookup main
>> 32767:  from all lookup default
>
> /etc/strongswan.d/charon/constraints.conf
>
>> constraints {
>>     # Whether to load the plugin. Can also be an integer to increase the
>>     # priority of this plugin.
>>     load = no
>> }
>
> In /etc/strongswan.d/charon.conf
>
>> install_routes = no
>> install_virtual_ip = no
>
> In /etc/sysctl.conf
>
>> net.ipv4.ip_forward=1
>> net.ipv6.conf.all.forwarding=1
>
> Scripts for making rules/routes
>
> /etc/ipsec.script.sh
>
>> set -o nounset
>> set -o errexit
>> VPN_USER="vpn"
>> VTI_INTERFACE="vti0"
>> case "${PLUTO_VERB}" in
>> up-client)
>>     ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>>         okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>>     ip link set "${VTI_INTERFACE}" up
>>     sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
>>     ip addr add ${PLUTO_MY_SOURCEIP} dev "${VTI_INTERFACE}"
>>     if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
>>         ip rule add from all fwmark 0x1 lookup $VPN_USER
>>     fi
>>     # Launch routing script
>>     /etc/ipsec.route.sh
>>     ;;
>> down-client)
>>     ip tunnel del "${VTI_INTERFACE}"
>>     ;;
>> esac
>
> /etc/ipsec.route.sh
>
>> export TABLE_ID="vpn"
>> export VPN_USER="vpn"
>> export VTI_INTERFACE="vti0"
>> export LOCAL_IP="10.211.55.3"
>>
>> # Flush iptables rules
>> iptables -F -t nat
>> iptables -F -t mangle
>> iptables -F -t filter
>> # Mark packets from $VPN_USER
>> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
>> iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
>> iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -j MARK --set-mark 0x1
>> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>> # Deny $VPN_USER access to interfaces other than lo
>> iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -J DROP
>> # Allow $VPN_USER to access lo and VPN interfaces
>> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
>> iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
>>
>> # Allow responses from $VPN_INTERFACE
>> iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
>> # Masquerade packets on $VPN_INTERFACE
>> iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
>> # Routing rules
>> GATEWAY=$(ifconfig $VTI_INTERFACE |
>>     egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
>>     egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' |
>>     tail -n1)
>> ip route replace default via $GATEWAY table $TABLE_ID
>> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
>> ip route flush cache
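An added check for the rp_filter finding above (example code, not from the thread): Linux applies the larger of net.ipv4.conf.all.rp_filter and the per-interface value, so the vti0 key alone does not decide whether strict reverse-path filtering is in effect. The functions below compute that effective value from a sysctl dump and flag strict mode, which drops replies arriving on vti0 when the main table does not route their source through the tunnel; the two sample dumps are constructed.

```shell
# Added example, not from the thread: effective rp_filter mode of an interface.
# Linux uses max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<dev>.rp_filter):
# 0 = off, 1 = strict, 2 = loose. With fwmark-based policy routing the main
# table does not route a reply's source back via vti0, so strict mode silently
# drops the replies; the VTI interface needs loose (2) or off (0).

# Larger of the "all" value ($1) and the per-device value ($2).
rpf_effective() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Value of key $1 from a "sysctl -a"-style dump read on stdin (empty if absent).
sysctl_value() {
    awk -F' *= *' -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# Prints "strict" when replies on interface $2 would be dropped, else "ok".
# $1 is the dump text; a missing key counts as 0 (filter off).
rpf_verdict() {
    all=$(printf '%s\n' "$1" | sysctl_value net.ipv4.conf.all.rp_filter)
    dev=$(printf '%s\n' "$1" | sysctl_value "net.ipv4.conf.$2.rp_filter")
    if [ "$(rpf_effective "${all:-0}" "${dev:-0}")" -eq 1 ]; then
        echo strict
    else
        echo ok
    fi
}

# Constructed dumps: vti0 at 0 is still strict because "all" is 1;
# raising vti0 to 2 (the fix found in the thread) makes it loose.
BROKEN_DUMP='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.enp0s5.rp_filter = 1
net.ipv4.conf.vti0.rp_filter = 0'

FIXED_DUMP='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.enp0s5.rp_filter = 1
net.ipv4.conf.vti0.rp_filter = 2'

# Live use:  rpf_verdict "$(sysctl -a 2>/dev/null)" vti0
# Fix:       sysctl -w net.ipv4.conf.vti0.rp_filter=2
```

The per-interface key only exists once the tunnel has been created, so in a script like ipsec.script.sh the setting belongs in the up-client branch next to the disable_policy sysctl.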
