Issue #3625

Always on VPN when the client is on the same LAN as the VPN server

Added by StrongSwan VPN 11 months ago. Updated 11 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.9.0
Resolution:

Description

Hi,

Just set up strongSwan on an RPi4. Thanks for the documentation, I have been able to get it up and it runs great. My setup is using the DHCP package with FARP loaded so that the client acts as if it is connected locally on the same LAN as the VPN server.

This connection works as well when the client (right side) is connected from the LAN in the first place, i.e., the client (right side) begins with a local 192.168.1.X IP and is then assigned a virtual IP of 192.168.1.X again. It works, as I mentioned. However, the performance is halved. It could be due to encryption and other things, but I just wonder if, in the ipsec.conf file, we can set up a special conn for this situation so that when the client (right side) starts from the local LAN, we can have a passthrough type of connection and keep more or less the same performance.

As for why we do not just turn off the VPN when connecting from the local LAN: I want to have an always-on VPN setup for my kids' iOS devices so that I know the VPN is always turned on no matter what. My ipsec.conf is as follows:

conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        mobike=yes

        dpdaction=clear
        dpddelay=300s

        left=%any
        leftid=XXX.XXX.XXX
        leftcert=XXX.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0

        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightdns=192.168.1.X
        rightsourceip=%dhcp
        rightsendcert=never
        eap_identity=%identity

Thanks for the help.

History

#1 Updated by Tobias Brunner 11 months ago

  • Status changed from New to Feedback

but I just wonder if, in the ipsec.conf file, we can set up a special conn for this situation so that when the client (right side) starts from the local LAN, we can have a passthrough type of connection and keep more or less the same performance.

The problem is that while the client is connected to the server, it will expect traffic to go via the server (it has IPsec policies that prevent plaintext traffic to the remote subnets). So you can't change anything about this just via server config, the client has to play along. You'd e.g. have to get the client to automatically disable the VPN when it is in the LAN and re-enable it when it is not (on Android you could automate this e.g. based on SSID, no idea about iOS).

As for why we do not just turn off the VPN when connecting from the local LAN: I want to have an always-on VPN setup for my kids' iOS devices so that I know the VPN is always turned on no matter what.

You might have to live with the performance penalty, depending on how much you can change about how iOS handles this.

#2 Updated by StrongSwan VPN 11 months ago

You'd e.g. have to get the client to automatically disable the VPN when it is in the LAN and re-enable it when it is not (on Android you could automate this e.g. based on SSID, no idea about iOS).

I went through the detailed iOS MDM documentation. There does not appear to be an exception rule for a specific captive network SSID where you can just pass through all traffic for all services. Ouch...

#3 Updated by StrongSwan VPN 11 months ago

StrongSwan VPN wrote:

You'd e.g. have to get the client to automatically disable the VPN when it is in the LAN and re-enable it when it is not (on Android you could automate this e.g. based on SSID, no idea about iOS).

I went through the detailed iOS MDM documentation. There does not appear to be an exception rule for a specific captive network SSID where you can just pass through all traffic for all services. Ouch...

I misspoke. A little more research on this wiki showed that it is possible to build an on-demand profile where you can turn off the VPN if the SSID is a match.
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile

I am trying to test this.
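As an added illustration of the on-demand approach discussed above (this is not code from the issue or from the strongSwan project; the SSID string and the DNS server address are placeholders for the home network's own values), the OnDemandRules part of the VPN payload in an iOS configuration profile would look like this:

```xml
<!-- Fragment of the VPN payload dict in an iOS .mobileconfig (added example).
     Rules are evaluated top to bottom; the first rule whose match keys all
     hold decides the action. -->
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
    <!-- Rule 1: on the home Wi-Fi, tear the tunnel down and do not
         reconnect on demand while this rule keeps matching. -->
    <dict>
        <key>Action</key>
        <string>Disconnect</string>
        <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
        <key>SSIDMatch</key>
        <array>
            <string>HOME-SSID-PLACEHOLDER</string>
        </array>
        <!-- Placeholder: the LAN's DNS server, i.e. the same address handed
             out by the home router (192.168.1.X in the issue). -->
        <key>DNSServerAddressMatch</key>
        <array>
            <string>192.168.1.X</string>
        </array>
    </dict>
    <!-- Rule 2: on every other network (Wi-Fi or cellular), bring the
         tunnel up, which gives the always-on behaviour the poster wants. -->
    <dict>
        <key>Action</key>
        <string>Connect</string>
    </dict>
</array>
```

Because a rule only fires when all of its match keys hold, requiring the LAN's DNS server address in addition to the SSID narrows the exception so the devices do not drop the VPN on an unrelated network that merely broadcasts the same name.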