
I have a server with Ubuntu 20.04 and an installed and working IKEv2 VPN with strongSwan.

And I have one PHP system (installed on the same server as the VPN) that is locked by IP. So I'm using my VPN to get inside with my IP. (Yes, I've added the VPN local addresses.)

The problem is that $_SERVER['REMOTE_ADDR'] is NOT showing my VPN IP, but is showing my mobile operator IP. It's like it doesn't matter whether I'm on the VPN or not.

I really can't figure out what's wrong. I've tried removing the DNS servers, but that way the VPN doesn't work. Does someone know how to fix this issue?

Here is the ipsec.conf:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@example.com
    leftsubnet=0.0.0.0/0
    #leftauth=eap
    #eap_identity=username
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    authby=secret
  • What client are you using? Some can't connect to the VPN server over its public IP address (to which the VPN is connected). – ecdsa Feb 22 '21 at 15:29
  • Using the integrated iOS one (that's why it's IKEv2). It's connected and working. Other servers are reporting that my IP is the right one (the VPN's). Only my local site is reporting my mobile provider IP. – Nicox Feb 22 '21 at 15:52

1 Answer

Some clients can't connect to the VPN server's public IP address via the VPN, even if all traffic is configured to be tunneled (the goal of leftsubnet=0.0.0.0/0). Apple clients (in your case iOS) are among them.

So to connect to the server, you have to assign it an additional IP address and connect to that. This could be a second public IP or an arbitrary virtual IP address. For instance, you could assign 10.10.10.1 to the server's lo interface and then assign 10.10.10.2 as the first virtual IP to clients (i.e. rightsourceip=10.10.10.2/24).

Make sure you don't NAT traffic from the server's virtual IP back to the clients, e.g. by inserting the following rule (if you followed the Forwarding and Split-Tunneling page on the strongSwan wiki you might already have this or a similar rule):

iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
  • I've got these rules for iptables: https://pastebin.com/raw/Wfd8n0qf – Nicox Feb 22 '21 at 16:14
  • BTW, I'm not sure you understood me. I have exactly the same system installed on another web host. There it returns the correct VPN IP address. The problem is only on the local stage: accessing the project on the same server as the VPN. It's accessible, but the server reports that I'm connected with the mobile provider IP (not even 10.10.10.x). And the local website is accessed by domain name. – Nicox Feb 22 '21 at 17:17
  • Yes, that's exactly the problem, accessing a service on the same host/IP as the VPN server/endpoint itself. Please read my answer again. – ecdsa Feb 23 '21 at 07:43
  • Sorry, this is way beyond my abilities :/ How can I assign an IP to the lo interface? – Nicox Feb 23 '21 at 17:19
  • Temporarily or in a script e.g. via `ip addr add 10.10.10.1/32 dev lo` (you could even do this via `charon.start-scripts` in strongswan.conf so it gets added when the IKE daemon starts, remove it again via `charon.stop-scripts`), permanently probably via `netplan` on Ubuntu 20.04, see [here](https://netplan.io/examples/#configuring-a-loopback-interface). – ecdsa Feb 24 '21 at 08:06
  • Hey. I did that, `sudo ip addr add 10.10.10.1/32 dev lo`, and also `rightsourceip=10.10.10.2/24` in ipsec.conf. Then `sudo ipsec rereadsecrets`, `sudo ipsec reload` and `sudo ipsec restart`. Same thing. Still the mobile provider IP address is shown. I tried this command too, `sudo iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT`, and still the same :( – Nicox Feb 24 '21 at 13:58
  • Did you actually try to connect to `10.10.10.1`? Or did you use the hostname that resolves to the public IP? – ecdsa Feb 26 '21 at 07:32
  • I use the domain that is in `leftid`. And the domain is the same as the website that I try to reach, but they are different subdomains. – Nicox Mar 02 '21 at 09:28
  • Any idea how to fix the problem? Maybe connecting to a different hostname? – Nicox Mar 22 '21 at 21:31
  • If the host name resolves to the public IP this won't work if the client doesn't route such requests through the tunnel. So if you can't connect to the server's virtual IP (`10.10.10.1`), e.g. because the host header wouldn't match, you have to either add an entry in your `hosts` file for this host/IP, or use a custom DNS server/proxy that you assign to VPN clients and which responds with the virtual IP for this hostname. – ecdsa May 07 '21 at 15:08
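As an added example (not code from the question, the answer, or strongSwan), the following Python script models the behaviour the answer and the last comment describe: a request from the iOS client to the server's own public IP leaves the phone outside the tunnel and reaches the PHP app with the mobile-operator address in REMOTE_ADDR, while a request to the server's virtual IP (10.10.10.1 on lo, with a hosts-file or VPN-DNS override so the hostname resolves to it) arrives through the tunnel with the client's virtual IP. It also shows the IP-lock check the app should make (membership in the rightsourceip pool, not a hard-coded address). The public IP, mobile IP and hostnames are constructed placeholders, and the model of which packets the client tunnels is an assumption taken from the answer's description.

```python
"""Added example, not code from the original question or answer.

Models what the thread describes: with leftsubnet=0.0.0.0/0 the iOS
client still sends packets addressed to the VPN server's own public IP
outside the tunnel, so a web app on that host sees the mobile-operator
address in REMOTE_ADDR. Pointing the hostname at a second address on the
server (10.10.10.1 on lo, per the answer) keeps the traffic tunnelled.
"""
import ipaddress

# From the thread: the rightsourceip pool and the virtual IP the answer
# suggests adding to the server's lo interface.
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")
SERVER_VIRTUAL_IP = ipaddress.ip_address("10.10.10.1")

# Constructed placeholders (RFC 5737 documentation ranges, not from the thread).
SERVER_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
CLIENT_MOBILE_IP = ipaddress.ip_address("198.51.100.77")
# First virtual IP handed out with rightsourceip=10.10.10.2/24.
CLIENT_VIRTUAL_IP = ipaddress.ip_address("10.10.10.2")

# Constructed public DNS view: both hostnames resolve to the public IP,
# as in the question (VPN endpoint and app on the same host/domain).
PUBLIC_DNS = {
    "vpn.example.com": SERVER_PUBLIC_IP,
    "app.example.com": SERVER_PUBLIC_IP,
}


def resolve(hostname, overrides=None):
    """Address the client will connect to for hostname.

    A hosts-file or VPN-assigned-DNS override (the fix in the last
    comment) wins over the public DNS answer.
    """
    overrides = overrides or {}
    if hostname in overrides:
        return ipaddress.ip_address(overrides[hostname])
    return PUBLIC_DNS[hostname]


def source_seen_by_server(dest_ip):
    """Source address the server sees for a packet from the VPN client.

    Assumption from the answer: the client does not route packets for
    the VPN server's own public IP through the tunnel, so those leave via
    the mobile interface; everything else is tunnelled and carries the
    client's virtual IP as source.
    """
    if dest_ip == SERVER_PUBLIC_IP:
        return CLIENT_MOBILE_IP
    return CLIENT_VIRTUAL_IP


def remote_addr_for(hostname, overrides=None):
    """What $_SERVER['REMOTE_ADDR'] will contain for a request to hostname."""
    return str(source_seen_by_server(resolve(hostname, overrides)))


def allowed_by_ip_lock(remote_addr):
    """The app's IP lock: accept only addresses from the VPN pool.

    Checking pool membership rather than one fixed address lets every
    client that came through the tunnel in, and nothing else.
    """
    return ipaddress.ip_address(remote_addr) in VPN_POOL


if __name__ == "__main__":
    # Without an override the app sees the mobile IP and rejects the request.
    seen = remote_addr_for("app.example.com")
    print(seen, allowed_by_ip_lock(seen))          # 198.51.100.77 False
    # With a hosts entry pointing the app hostname at the server's virtual IP.
    fix = {"app.example.com": "10.10.10.1"}
    seen = remote_addr_for("app.example.com", fix)
    print(seen, allowed_by_ip_lock(seen))          # 10.10.10.2 True
```

The override dictionary stands in for either an entry in the phone's hosts file or a DNS server handed to clients via rightdns that answers with 10.10.10.1 for the app hostname; the iptables rule in the answer (`-m policy --pol ipsec --dir out -j ACCEPT` before any MASQUERADE rule) is what keeps the server from rewriting the 10.10.10.1 replies before they re-enter the tunnel.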