Server ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=never
conn ikev2
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256gcm16-sha384-modp3072!
esp=aes256gcm16-sha384-modp3072!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=my-vpn.com
leftcert=vpn-server.crt
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-tls
rightdns=1.1.1.1,1.0.0.1
rightsourceip=10.0.2.0/24
rightsendcert=never
eap_identity=%identity
Server iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.0.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Client ipsec.conf
conn ikev2
auto=start
[email protected]
leftsourceip=%config
leftauth=eap-tls
leftcert=vpn-client.crt
right=my-vpn.com
rightid=my-vpn.com
rightauth=pubkey
Client iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
The connection is established but when I run curl https://checkip.amazonaws.com
, the returned IP is the client public IP vs the server public IP (expected). How can I route all traffic through the VPN?
Also, can’t SSH to client from server. Why?
Thanks!
You want to configure
rightsubet=0.0.0.0/0
on the client. The default is%dynamic
, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.