I am trying to set up Strongswan for VPN split tunneling.
What I want is that only the subnets 10.88.0.0/16 and 10.0.200.0/24 are accessible through the VPN tunnel. Everything else is handled through the default gateway for the network.
All clients are assigned an IP address belonging to the 10.0.201.0/24 subnet.
In my configuration file I have, among others, the following:
    # Default login method
    eap-defaults {
        remote {
            auth = eap-radius
            id = %any
            eap_id = %any
        }
    }

    connections {
        conn-unix : conn-defaults, eap-defaults {
            children {
                net {
                    local_ts = 10.0.200.0/24, 10.88.0.0/16
                    # esp_proposals is a per-child setting, so it belongs
                    # inside the child section (net), not directly under children
                    esp_proposals = aes128gcm128-x25519
                }
            }
            pools = IkeVPN-ipv4
            proposals = aes128-sha256-x25519
        }
        conn-windows : conn-defaults, eap-defaults {
            children {
                net {
                    local_ts = 10.0.200.0/24, 10.88.0.0/16
                    esp_proposals = aes256-sha256-prfsha256-modp1024
                }
            }
            proposals = aes256-sha256-prfsha256-modp1024
            pools = IkeVPN-ipv4
        }
    }

    pools {
        IkeVPN-ipv4 {
            addrs = 10.0.201.0/24
            dns = 10.0.88.2
        }
    }
When I log in over VPN it is possible to ping hosts belonging to 10.88.0.0/16 and 10.0.200.0/24, so I know I can use the VPN tunnel.
However:
If I try to access any other resource on the Internet while still being connected to the VPN, then I cannot even ping the IP address belonging to that resource.
In my routing table on my Windows computer I can find the following entries:
I know that when you have two routes to a given subnet like 0.0.0.0/0 in the routing table, then whatever rule has the lowest metric wins and traffic is forwarded using that rule.
However, I do not want the VPN server to install a default route via VPN, but rather only tell it that the subnets 10.88.0.0/16 and 10.0.200.0/24 have to be routed via VPN.
What I want is to see a routing table closer to this, without having to edit the routing table by hand on every VPN client:
So how do I go about doing that?
Turns out my issue with split tunnelling was located in a completely different area, because I have 2 routers at home, so my home network is something like: ISP <-> R1 <-> R2 <-> Me.
... and R1 was configured to an IP address in the 10.0.0.0/24 range.
When you disable default routing in the Windows VPN client, it will then add a class based route instead, so in my case it will add a route that sends everything for 10.0.0.0/8 over VPN, which meant it would of course conflict with the setup on router R1.
That is why I wanted to remove the route 10.0.0.0/8 altogether and push routes for the subnets 10.88.0.0/16 and 10.0.200.0/16 over VPN. Turns out it is doable.
The class based routing is removed by enabling "disable class based routing" when you disable default routing in the VPN client. In Strongswan you have to forward DHCP requests from the clients to a DHCP server that has implemented RFC 3442.
So in my configuration above I have to replace all occurrences of
    pools = IkeVPN-ipv4
with
    pools = dhcp
and in strongswan.conf I have to add the following to the charon plugins subsection:
I can then delete the whole pools section at the bottom of my configuration. There are a few more options available, which can be read here.
The guide from Strongswan from @ecdsa's hint gave some of the information, but that guide is Windows specific, so it will not tell you how to handle Linux, MacOS or Android devices. RFC 3442 will however handle the generic case.
In a nutshell, what RFC 3442 says is that you have to send the following two DHCP options:
Basically you have to encode each route as an array of ints using the following syntax:
    x,y1,y2,y3,y4,z1,z2,z3,z4
Where:
If there is more than one route to be sent via DHCP, then you will have to add another sequence similar to the above at the tail of the first route.
According to the Strongswan documentation I can replace the standard gateway with 0.0.0.0. That means my route to 10.0.200.0/24 gets encoded as
    24,10,0,200,0,0,0,0
and 10.88.0.0/16 gets encoded as
    16,10,88,0,0,0,0
Combining the two gives me
    24,10,0,200,0,0,0,0,16,10,88,0,0,0,0
which leads me to the following configuration in ISC DHCP server:
I hope this helps anybody who is struggling with split tunneling.
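The hand-encoding in the answer above works for these two routes, but it is easy to get the octet count wrong for other prefix lengths (RFC 3442 only carries ceil(prefix/8) octets of the destination, which is why the /16 entry is one number shorter than the /24 one). The following encoder and decoder, added here as an example and not code from the original post, from strongSwan or from ISC DHCP, generalises the answer's encoding to any prefix length and router address, and includes a strict decoder so a server operator can check that the value they paste into dhcpd.conf parses back to the routes they meant. The sample routes are constructed to match the answer; the ISC option name itself is whatever your dhcpd.conf declares for option 121 (that declaration is not part of this example).

```python
"""RFC 3442 classless static route encoder/decoder (added example).

Not code from the original post, strongSwan or ISC DHCP. Produces the
comma-separated decimal form the answer above uses for ISC DHCP option 121
(the same encoding is what Windows clients request as option 249).
"""
import ipaddress
from typing import List, Tuple

# Constructed sample matching the answer: both routes via 0.0.0.0, which
# strongSwan replaces with the tunnel gateway on the client side.
SAMPLE_ROUTES = [("10.0.200.0/24", "0.0.0.0"), ("10.88.0.0/16", "0.0.0.0")]


def encode_route(destination: str, router: str) -> bytes:
    """Encode one route as RFC 3442 bytes: prefix length, the significant
    octets of the destination (ceil(prefix/8) of them), then the 4-octet
    router. strict=True rejects a destination with host bits set."""
    net = ipaddress.IPv4Network(destination, strict=True)
    significant = (net.prefixlen + 7) // 8  # /24 -> 3 octets, /16 -> 2, /0 -> 0
    return (bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + ipaddress.IPv4Address(router).packed)


def encode_routes(routes: List[Tuple[str, str]]) -> bytes:
    """Concatenate routes back to back, as the option payload carries them."""
    return b"".join(encode_route(dst, gw) for dst, gw in routes)


def decode_routes(data: bytes) -> List[Tuple[str, str]]:
    """Parse an option 121 payload into (destination, router) pairs.
    Raises ValueError on a bad prefix length or a truncated payload rather
    than silently installing a partial route list."""
    routes: List[Tuple[str, str]] = []
    i = 0
    while i < len(data):
        prefixlen = data[i]
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen} at offset {i}")
        significant = (prefixlen + 7) // 8
        end = i + 1 + significant + 4
        if end > len(data):
            raise ValueError(f"truncated route at offset {i}")
        # Pad the omitted low-order destination octets back to 4 bytes.
        dest_octets = data[i + 1:i + 1 + significant] + bytes(4 - significant)
        dest = ipaddress.IPv4Network((dest_octets, prefixlen))
        router = ipaddress.IPv4Address(data[i + 1 + significant:end])
        routes.append((str(dest), str(router)))
        i = end
    return routes


def isc_option_value(routes: List[Tuple[str, str]]) -> str:
    """Comma-separated decimal octets, the value form used in the answer's
    ISC DHCP configuration (the option name is declared in dhcpd.conf)."""
    return ",".join(str(b) for b in encode_routes(routes))


if __name__ == "__main__":
    value = isc_option_value(SAMPLE_ROUTES)
    print("option value:", value)
    print("decodes to:  ", decode_routes(encode_routes(SAMPLE_ROUTES)))
```

Running it prints the same 24,10,0,200,0,0,0,0,16,10,88,0,0,0,0 string as the answer derives by hand, and the decoder round-trips it; a default route (0.0.0.0/0) encodes to just five octets, which is the case where a hand count most often goes wrong.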