Issue #3032

Updated by Tobias Brunner 11 months ago

Hello.

I'm able to connect to my VPN but am not able to connect to the internet.

<pre>
# ipsec.conf - strongSwan IPsec configuration file

config setup
cachecrls=yes
uniqueids=no

conn ios
keyexchange=ikev1
authby=xauthpsk
xauth=server
left=%defaultroute
leftsubnet=0.0.0.0/0
leftfirewall=yes
right=%any
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.1/24
rightdns=1.1.1.1,9.9.9.9,192.168.1.1
auto=add
forceencaps=yes

include /var/lib/strongswan/ipsec.conf.inc
</pre>

<pre>
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

192.168.1.10 %any : PSK "xxxxxxxxxx"

User1 : XAUTH "xxxxxxxxxx"
</pre>


<pre>
#!/bin/sh

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -Z

## To prevent us from being locked out of the SSH session,
## we'll accept connections that are already accepted.
## We'll also open port 22 (or whichever port you've configured) for future SSH connections to the server.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

## We'll also need to accept connections on the local loopback interface:
iptables -A INPUT -i lo -j ACCEPT

## Then we'll tell IPTables to accept IPSec connections:
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

## Next, we'll tell IPTables to forward ESP (Encapsulating Security Payload) traffic so the VPN clients will be able to connect.
## ESP provides additional security for our VPN packets as they're traversing untrusted networks:
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.0.0.0/24 -j ACCEPT

## Our VPN server will act as a gateway between the VPN clients and the internet.
## Since the VPN server will only have a single public IP address,
## we will need to configure masquerading to allow the server to request data from the internet on behalf of the clients;
## this will allow traffic to flow from the VPN clients to the internet, and vice-versa:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

## To prevent IP packet fragmentation on some clients, we'll tell IPTables to reduce the size of packets by adjusting the packets' maximum segment size.
## This prevents issues with some VPN clients.
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.0.0.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

## For better security, we'll drop everything else that does not match the rules we've configured:
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
</pre>
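When a gateway built from a rule set like the one above passes IKE but clients still cannot reach the internet, the first thing to audit is whether the forwarding and NAT rules are actually loaded in the order the script intends. The checker below is an added example for this issue page, not code from strongSwan or from the reporter; it runs over a constructed `iptables-save` style dump (not captured from a real host) and verifies the MASQUERADE rule, the two `policy ipsec` FORWARD accepts for 10.0.0.0/24, that the catch-all DROP comes after them, and that no rule is duplicated. It assumes `eth0` is the WAN interface (as in the post) and matches each option as a substring, since `iptables-save` may print match options in a different order than they were typed.

```python
"""Audit an iptables-save dump for the rules a strongSwan gateway needs so that
VPN clients in 10.0.0.0/24 can reach the internet via eth0.

Added example for this issue; not part of strongSwan or the reporter's setup.
SAMPLE_DUMP is constructed to resemble `iptables-save` output after the posted
script runs; it is not real captured output.
"""
from collections import defaultdict

VPN_SUBNET = "10.0.0.0/24"
WAN_IFACE = "eth0"  # assumption: public interface name, taken from the post

SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.0.0.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

# Same dump with the catch-all DROP moved to the top of FORWARD: the classic
# ordering mistake (constructed to exercise the check, not observed anywhere).
BROKEN_DUMP = SAMPLE_DUMP.replace("-A FORWARD -j DROP\n", "").replace(
    "-A FORWARD -s 10.0.0.0/24",
    "-A FORWARD -j DROP\n-A FORWARD -s 10.0.0.0/24", 1)


def parse_dump(text):
    """Return {(table, chain): [rule option strings]} in dump order."""
    rules = defaultdict(list)
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            _, chain, rest = line.split(" ", 2)
            rules[(table, chain)].append(rest)
    return rules


def has_opts(rule, *opts):
    """True if every option fragment occurs in the rule, in any order."""
    return all(o in rule for o in opts)


def audit(dump_text, subnet=VPN_SUBNET, wan=WAN_IFACE):
    """Return a list of findings; an empty list means the rule set looks sane."""
    rules = parse_dump(dump_text)
    findings = []
    post = rules[("nat", "POSTROUTING")]
    fwd = rules[("filter", "FORWARD")]

    # 1. Client traffic leaving the WAN interface must be masqueraded.
    if not any(has_opts(r, f"-s {subnet}", f"-o {wan}", "-j MASQUERADE") for r in post):
        findings.append("nat/POSTROUTING: no MASQUERADE rule for VPN subnet on WAN")

    # 2. Decrypted client packets (policy dir in) and replies to be encrypted
    #    (policy dir out) must both be accepted in FORWARD.
    accept_in = [i for i, r in enumerate(fwd)
                 if has_opts(r, f"-s {subnet}", "--pol ipsec", "--dir in", "-j ACCEPT")]
    accept_out = [i for i, r in enumerate(fwd)
                  if has_opts(r, f"-d {subnet}", "--pol ipsec", "--dir out", "-j ACCEPT")]
    if not accept_in:
        findings.append("filter/FORWARD: missing ipsec --dir in ACCEPT for VPN subnet")
    if not accept_out:
        findings.append("filter/FORWARD: missing ipsec --dir out ACCEPT to VPN subnet")

    # 3. iptables evaluates top-down, so the catch-all DROP must come last.
    drops = [i for i, r in enumerate(fwd) if r == "-j DROP"]
    if drops and any(i > drops[0] for i in accept_in + accept_out):
        findings.append("filter/FORWARD: a DROP precedes the ipsec ACCEPT rules")

    # 4. Duplicate rules usually mean the script was re-run without flushing
    #    that table (a bare `iptables -F` only flushes the filter table).
    for (table, chain), lst in rules.items():
        seen = set()
        for r in lst:
            if r in seen:
                findings.append(f"{table}/{chain}: duplicate rule '{r}'")
                break
            seen.add(r)
    return findings


if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("broken", BROKEN_DUMP)):
        print(name, audit(dump) or "OK")
```

On a real host, feed it `iptables-save` output instead of `SAMPLE_DUMP`. The duplicate check is worth keeping: the posted script flushes only the filter table (`iptables -F` without `-t`), so every re-run appends another copy of the nat and mangle rules, which makes the live rule set harder to compare against the script.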

