bypass-lan Plugin

Purpose

The bypass-lan plugin automatically installs and updates passthrough/bypass policies for locally attached subnets. This is useful for mobile hosts that are used in different networks that want to access local devices in these networks (e.g. printers or NAS) while connected to a VPN that would otherwise cover that traffic too (e.g. if the remote traffic selector is 0.0.0.0/0).

The plugin is disabled by default and can be enabled by adding --enable-bypass-lan to the ./configure options.

The plugin was introduced with strongSwan 5.5.2.

Behavior

When the plugin is initialized it enumerates all enabled interfaces (see below) and installs passthrough/bypass policies for the subnets that are attached directly to these interfaces. Whenever interfaces/addresses/routes are changed the local subnets are again enumerated and, if necessary, policies are added and/or removed.

Configuration

By default, the bypass-lan plugin considers all interfaces. To restrict it to only selected interfaces the following strongswan.conf options may be used:

Key / Description / Default

charon.plugins.bypass-lan.interfaces_ignore
    Default: (not set)
    A comma-separated list of network interfaces for which connected subnets should be ignored. If interfaces_use is specified, this option has no effect.

charon.plugins.bypass-lan.interfaces_use
    Default: (not set)
    A comma-separated list of network interfaces for which connected subnets should be considered. All other interfaces are ignored.
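The following is an added example that models the plugin's selection and reconciliation logic described above (interface filtering, subnet enumeration, add/remove on change); it is not the strongSwan plugin's own code, and the interface/address table it uses is constructed. It is useful for checking which subnets a given interfaces_use/interfaces_ignore setting would bypass before deploying it.

```python
import ipaddress

def parse_list(value):
    # strongswan.conf lists are comma-separated; unset or empty means "not specified"
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def select_interfaces(interfaces, interfaces_use=None, interfaces_ignore=None):
    # interfaces_use, when given, is authoritative and interfaces_ignore has no effect;
    # otherwise every interface not listed in interfaces_ignore is considered
    use, ignore = parse_list(interfaces_use), parse_list(interfaces_ignore)
    if use:
        return [i for i in interfaces if i in use]
    return [i for i in interfaces if i not in ignore]

def bypass_subnets(addresses, interfaces_use=None, interfaces_ignore=None):
    # addresses: {iface: ["192.168.1.10/24", ...]} as the kernel would report them
    # (constructed input in this example). Returns the directly attached subnets
    # that should receive a passthrough/bypass policy.
    subnets = set()
    for iface in select_interfaces(list(addresses), interfaces_use, interfaces_ignore):
        for addr in addresses[iface]:
            net = ipaddress.ip_interface(addr).network
            if net.prefixlen < net.max_prefixlen:  # a /32 or /128 host address has no attached subnet
                subnets.add(str(net))
    return subnets

def reconcile(installed, addresses, **filters):
    # On an interface/address/route change: re-enumerate local subnets and compute
    # which bypass policies must be added and which must be removed.
    wanted = bypass_subnets(addresses, **filters)
    return wanted - installed, installed - wanted

if __name__ == "__main__":
    # constructed sample: a laptop with wired LAN, Wi-Fi and a container bridge
    addrs = {"eth0": ["192.168.1.10/24"], "wlan0": ["10.0.0.5/16"], "docker0": ["172.17.0.1/16"]}
    print("all interfaces:", sorted(bypass_subnets(addrs)))
    print("ignoring docker0:", sorted(bypass_subnets(addrs, interfaces_ignore="docker0")))
    # the host roams to a different Wi-Fi network: one policy goes, one comes
    roamed = {"eth0": ["192.168.1.10/24"], "wlan0": ["192.168.50.7/24"], "docker0": ["172.17.0.1/16"]}
    print("add/remove after roaming:", reconcile(bypass_subnets(addrs), roamed))
```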