I've set up a host-to-host setup where I only want the server IP exposed, so anyone connected to the VPN can talk to the services on that server.
connections {
    rw {
        pools = rw_pool
        send_cert = always
        unique = no
        fragmentation = yes
        local {
            auth = pubkey
            certs = [CERT].pem
            id = [ID]
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            rw {
                local_ts = [WAN IP OF SERVER]
                esp_proposals = chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1
            }
        }
        send_certreq = no
    }
}
The connection works and the requests are indeed coming from a VPN-selected IP range. However, since I'm targeting the outward-facing IP, wouldn't this still route the traffic over an insecure channel after the IP exit?
Client config:
connections {
    home {
        version = 2
        remote_addrs = [SERVER ADDR]
        vips = 0.0.0.0
        local {
            auth = eap-mschapv2
            eap_id = [ID]
        }
        remote {
            auth = pubkey
            id = [SERVER ID]
        }
        children {
            home {
                remote_ts = [WAN IP OF SERVER]
                local_ts = dynamic
                #remote_ts = 10.10.10.0/24
                start_action = start
            }
        }
    }
}
A second, smaller question: how would you make a host-to-site setup, where my server is a single entity in its network but the other side is a FortiGate router with a larger network behind it? Would this setup work?
Thanks for the effort in advance!
EDIT: IP problem solved by using ip to create a tun0 interface and using that as local_ts.
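As an added example that is not part of the post above: a small parser for the brace-delimited swanctl.conf syntax shown in the configs, used to pull out each child's traffic selector and flag legacy entries in its esp_proposals list (the posted server config ends in aes256-sha1 and 3des-sha1). The sample config and the 203.0.113.10 address are constructed for the example.

```python
# Constructed sample in the same shape as the server-side swanctl.conf above;
# 203.0.113.10 is a documentation address standing in for [WAN IP OF SERVER].
SAMPLE = """
connections {
    rw {
        pools = rw_pool
        children {
            rw {
                local_ts = 203.0.113.10
                esp_proposals = chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1
            }
        }
    }
}
"""

# Algorithm tokens a reviewer would want removed from a modern proposal list.
LEGACY_TOKENS = {"3des", "des", "sha1", "md5", "null", "modp768", "modp1024"}


def parse_swanctl(text):
    """Parse 'name { ... }' sections and 'key = value' lines into nested dicts."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments like #remote_ts = ...
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return root


def audit_children(conf):
    """Return {'conn/child': (local_ts, [legacy proposals])} for every child section."""
    findings = {}
    for cname, conn in conf.get("connections", {}).items():
        for chname, child in conn.get("children", {}).items():
            proposals = [p.strip() for p in child.get("esp_proposals", "").split(",") if p.strip()]
            legacy = [p for p in proposals if set(p.split("-")) & LEGACY_TOKENS]
            findings[f"{cname}/{chname}"] = (child.get("local_ts", ""), legacy)
    return findings
```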