The bypass-lan plugin automatically installs and updates passthrough/bypass policies for locally attached subnets. This is useful for mobile hosts that move between different networks and need to access local devices in these networks (e.g. printers or NAS) while connected to a VPN that would otherwise cover that traffic too (e.g. if the remote traffic selector is 0.0.0.0/0).
The plugin is disabled by default and can be enabled by adding
--enable-bypass-lan to the ./configure options.
The plugin was introduced with strongSwan 5.5.2.
When the plugin is initialized, it enumerates all enabled interfaces (see below) and installs passthrough/bypass policies for the subnets that are attached directly to these interfaces. Whenever interfaces, addresses or routes change, the local subnets are enumerated again and, if necessary, policies are added and/or removed.
Note: The plugin's default behavior is incompatible with route-based VPNs, so you might have to disable it or configure interfaces (see below).
By default, the bypass-lan plugin considers all interfaces. To restrict it to selected interfaces only, the following strongswan.conf options may be used:
|A comma-separated list of network interfaces for which connected subnets should be ignored. If interfaces_use is specified, this option has no effect.|
|A comma-separated list of network interfaces for which connected subnets should be considered. All other interfaces are ignored.|
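To review which attached subnets would be exempted from the VPN under a given setting of the two options, the following added example (not strongSwan code) models the selection rules described above, with interfaces_ignore being the ignore-list option of the first row. It assumes input in the format of `ip -o -4 addr show`; the sample lines, interface names and helper functions are constructed for illustration.

```python
import ipaddress

# Constructed sample in the format of `ip -o -4 addr show` (not captured output).
SAMPLE_IP_ADDR = """\
2: wlan0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlan0
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
4: vti0    inet 10.10.0.2/24 scope global vti0
"""


def parse_csv(value):
    """Split a comma-separated option value into a set of interface names."""
    return {name.strip() for name in value.split(",") if name.strip()}


def attached_subnets(ip_addr_output):
    """Yield (interface, network) for every IPv4 address line."""
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "inet":
            continue
        # 192.168.1.23/24 -> 192.168.1.0/24 (the directly attached subnet)
        yield fields[1], ipaddress.ip_interface(fields[3]).network


def bypass_subnets(ip_addr_output, interfaces_use="", interfaces_ignore=""):
    """Return the (interface, subnet) pairs that would get a bypass policy."""
    use = parse_csv(interfaces_use)
    ignore = parse_csv(interfaces_ignore)
    selected = []
    for iface, net in attached_subnets(ip_addr_output):
        if use:
            # interfaces_use set: only listed interfaces count and
            # interfaces_ignore has no effect.
            if iface not in use:
                continue
        elif iface in ignore:
            continue
        selected.append((iface, net))
    return selected


def leaves_tunnel(destination, selected):
    """Interfaces whose bypass policy would match this destination address."""
    addr = ipaddress.ip_address(destination)
    return [iface for iface, net in selected if addr in net]


if __name__ == "__main__":
    for iface, net in bypass_subnets(SAMPLE_IP_ADDR, interfaces_ignore="vti0"):
        print(f"{iface}: traffic to {net} bypasses the VPN")
```

Running it against the real `ip -o -4 addr show` output of a host shows how much address space each setting exempts from the tunnel before the option is deployed.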