Issue #3625
Always on VPN when the client is on the same LAN as the VPN server
Description
Hi,
Just set up Strongswan on RPi4. Thanks for the documentation, I have been able to get it up and it runs great. My setup is using the DHCP package with FARP loaded so that the client acts as if it is connected locally on the same LAN as the VPN server.
This connection works as well when the client (right side) is connected from the LAN in the first place, i.e., the client (right side) begins with a local 192.168.1.X IP and is then assigned a virtual IP of 192.168.1.X again. It works, as I mentioned. However, the performance is halved. It could be due to encryption and other things, but I just wonder if, in the ipsec.conf file, we can set up a special conn for this situation so that when the client (right side) starts from the local LAN, we can have a passthrough type of connection and keep more or less the same performance.
As for why we do not just turn off the VPN when connecting from the local LAN: I want to have an always-on VPN setup for the kids' iOS devices so that I know the VPN is always turned on no matter what. My ipsec.conf is as follows:
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    mobike=yes
    dpdaction=clear
    dpddelay=300s
    left=%any
    leftid=XXX.XXX.XXX
    leftcert=XXX.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=192.168.1.X
    rightsourceip=%dhcp
    rightsendcert=never
    eap_identity=%identity
Thanks for the help.
History
#1 Updated by Tobias Brunner 3 months ago
- Status changed from New to Feedback
but I just wonder if, in the ipsec.conf file, we can set up a special conn for this situation so that when the client (right side) starts from the local LAN, we can have a passthrough type of connection and keep more or less the same performance.
The problem is that while the client is connected to the server, it will expect traffic to go via the server (it has IPsec policies that prevent plaintext traffic from the remote subnets). So you can't change anything about this just via the server config, the client has to play along. You would e.g. have to get the client to automatically disable the VPN when it is in the LAN and re-enable it when it is not (on Android you could automate this e.g. based on SSID, no idea about iOS).
As for why we do not just turn off the VPN when connecting from the local LAN: I want to have an always-on VPN setup for the kids' iOS devices so that I know the VPN is always turned on no matter what.
You might have to live with the performance penalty, depending on how much you can change about how iOS handles this.
#2 Updated by StrongSwan VPN 3 months ago
You would e.g. have to get the client to automatically disable the VPN when it is in the LAN and re-enable it when it is not (on Android you could automate this e.g. based on SSID, no idea about iOS).
I went through the detailed iOS MDM documentation. There does not appear to be an exception rule for a specific captive network SSID where you can just pass through all traffic for all services. Ouch....
#3 Updated by StrongSwan VPN 3 months ago
StrongSwan VPN wrote:
You would e.g. have to get the client to automatically disable the VPN when it is in the LAN and re-enable it when it is not (on Android you could automate this e.g. based on SSID, no idea about iOS).
I went through the detailed iOS MDM documentation. There does not appear to be an exception rule for a specific captive network SSID where you can just pass through all traffic for all services. Ouch....
I misspoke. A little more research on this wiki showed that it is possible to build an on-demand profile where you can turn off the VPN if the SSID matches.
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
I am trying to test on this.
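For reference, an added example (not from the original post or from the strongSwan wiki page linked above) of the OnDemandRules fragment that goes inside the VPN payload of an iOS configuration profile; the SSID string is a placeholder, and iOS evaluates the rules in order, applying the first one that matches:

```xml
<!-- Fragment of the VPN payload (com.apple.vpn.managed) in a .mobileconfig.
     Added example; the SSID below is a placeholder, not a value from the issue. -->
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
  <!-- Rule 1: on the home Wi-Fi, where the VPN server is already on the LAN,
       drop the tunnel so traffic stays local and avoids the IPsec overhead. -->
  <dict>
    <key>Action</key>
    <string>Disconnect</string>
    <key>InterfaceTypeMatch</key>
    <string>WiFi</string>
    <key>SSIDMatch</key>
    <array>
      <string>HOME-SSID-PLACEHOLDER</string>
    </array>
  </dict>
  <!-- Rule 2: no match criteria, so it matches every other network
       (other Wi-Fi, cellular) and keeps the VPN always on there. -->
  <dict>
    <key>Action</key>
    <string>Connect</string>
  </dict>
</array>
```

SSIDMatch compares only the advertised network name, so the tunnel is dropped on any Wi-Fi network that announces that SSID, not just the real home LAN; the catch-all Connect rule has to stay last, since a Connect rule placed first would match before the SSID rule is ever evaluated.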