Issue #2788
Updated by Tobias Brunner almost 7 years ago
Hi,
There are some IP addresses I would like to bypass and not tunnel through the VPN. I tunnel all the internet traffic and have to because there is a proxy and DNS server doing extra checks after the traffic is tunneled.
Essentially what I want to achieve is not to tunnel streaming from YouTube or Netflix, and the best way I thought of doing this is the passthrough policy, but I couldn't get it to work. I have read https://wiki.strongswan.org/issues/2472, but that issue is no help.
Here is the setup:
<pre>
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial
</pre>
<pre>
ipsec --version
Linux strongSwan U5.6.3/K4.4.0-87-generic
</pre>
<pre>
# Generated by iptables-save v1.6.0 on Fri Sep 28 16:58:02 2018
*mangle
:PREROUTING ACCEPT [4053395:425322637]
:INPUT ACCEPT [4053309:425318312]
:FORWARD ACCEPT [86:4325]
:OUTPUT ACCEPT [4338860:311661664]
:POSTROUTING ACCEPT [4338903:311663699]
-A FORWARD -s 10.2.0.0/16 -o ens160 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Sep 28 16:58:02 2018
# Generated by iptables-save v1.6.0 on Fri Sep 28 16:58:02 2018
*nat
:PREROUTING ACCEPT [40815:3297594]
:INPUT ACCEPT [133498:6632831]
:OUTPUT ACCEPT [365510:21963470]
:POSTROUTING ACCEPT [365510:21963470]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 10.2.0.0/16 -o ens160 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.2.0.0/16 -o ens160 -j MASQUERADE
COMMIT
# Completed on Fri Sep 28 16:58:02 2018
# Generated by iptables-save v1.6.0 on Fri Sep 28 16:58:02 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4338861:311661752]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.2.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.2.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Fri Sep 28 16:58:02 2018
</pre>
and my ipsec.conf
<pre>
config setup
    uniqueids=no
    charondebug="ike 3, knl 2, cfg 3, tls 2, dmn 2, net 2"

conn %default
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    # leftsubnet=35.234.101.161/32
    leftcert=/etc/ipsec.d/certs/vpn-server-cert-v2.pem
    leftsendcert=always
    # leftfirewall=yes
    leftupdown=/etc/ipsec.d/vpn_updown.sh leftupdown=/usr/local/django/lilutv/vpn_updown.sh
    rightupdown=/etc/ipsec.d/vpn_updown.sh rightupdown=/usr/local/django/lilutv/vpn_updown.sh
    right=%any
    rightdns=172.31.32.90
    fragmentation=yes

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
    leftid=x.x.x.x leftid=185.4.208.13
    leftsendcert=always

# Currently used by Windows and Android
conn IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-radius
    rightsourceip=%radius
    rightsendcert=never
    eap_identity=%identity
    leftid=x.x.x.x leftid=185.4.208.13
    auto=add

conn IPSec-IKEv1
    keyexchange=ikev1
    auto=add
    rightsourceip=%radius

# Currently used by OSX and iOS
conn IKEv1-XAUTHPSK
    also="IPSec-IKEv1"
    xauth=server
    authby=xauthpsk

# VPN passthrough / tunnel bypass rules
conn passthrough_base
    left=127.0.0.1
    # right=127.0.0.1
    leftsubnet=0.0.0.0/0
    rightsubnet=35.234.101.161/32
    authby=never
    type=passthrough
    auto=route
</pre>
35.234.101.161 is just for testing... it points to www.ipnedir.com, which shows my IP, so I can see whether the passthrough policy worked.
Roadwarrior connects to server x.x.x.x 185.4.208.13 and is given 10.2.0.4 virtual IP.
Your help would be much appreciated. Thank you.
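A small tracer for the nat PREROUTING and filter FORWARD rules posted above, added here as an example and not code from the issue or from strongSwan. It models only the matches those rules actually use (source CIDR, protocol, destination port, the policy match's --dir, and the target), and the packet fields (src, proto, dport, ipsec_in meaning "was decapsulated from ESP", ipsec_out meaning "will be encapsulated") are assumptions of the model. It shows two things a reader checking this setup would want to know: an HTTP(S) test packet is redirected to the local proxy before FORWARD is ever consulted, and any forwarded packet that is not covered by an IPsec policy in at least one direction ends at the final DROP.

```python
import ipaddress
import shlex

# Rules copied from the issue's iptables-save output (nat PREROUTING, filter FORWARD).
RULES = """
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A FORWARD -s 10.2.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.2.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
""".split("\n")

def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the few matches this model understands."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "src": None, "proto": None, "dport": None,
            "pol_dir": None, "target": None, "to_ports": None}
    keys = {"-s": "src", "-p": "proto", "--dport": "dport", "--dir": "pol_dir",
            "-j": "target", "--to-ports": "to_ports"}
    for i, tok in enumerate(toks):
        if tok in keys:
            rule[keys[tok]] = toks[i + 1]
    if rule["src"]:
        rule["src"] = ipaddress.ip_network(rule["src"])
    return rule

def matches(rule, pkt):
    """pkt keys (assumed model): src, proto, dport, ipsec_in, ipsec_out."""
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] and int(rule["dport"]) != pkt["dport"]:
        return False
    if rule["pol_dir"] == "in" and not pkt["ipsec_in"]:
        return False
    if rule["pol_dir"] == "out" and not pkt["ipsec_out"]:
        return False
    return True

def trace(pkt, rules=RULES):
    """Return (chain, verdict) of the first terminating rule the packet hits.
    nat PREROUTING runs first; REDIRECT makes the packet local input for the
    proxy, so FORWARD is skipped. Both chains have policy ACCEPT in the issue."""
    parsed = [parse_rule(l) for l in rules if l.strip()]
    for rule in parsed:
        if rule["chain"] == "PREROUTING" and matches(rule, pkt):
            if rule["target"] == "REDIRECT":
                return ("PREROUTING", "REDIRECT:" + rule["to_ports"])
    for rule in parsed:
        if rule["chain"] == "FORWARD" and matches(rule, pkt):
            return ("FORWARD", rule["target"])
    return ("FORWARD", "ACCEPT")
```

Feed it your own `iptables-save` lines to see which rule a given forwarded flow terminates on before touching the IPsec policies.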