
I have configured a VPN server and VPN client with strongswan with the following ipsec.conf configuration settings

Server ipsec.conf

conn ikev2-vpn
    also=rw-base
    auto=add
    compress=no
    keyexchange=ikev2
    forceencaps=yes
    rekey=no
    
    left=%any
    leftid=@xxxx
    leftcert=fullchain.pem
    leftsubnet=10.0.3.0/24
    #lefthostaccess=yes
    leftfirewall=yes
    
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.0.3.0/24
    rightsendcert=never
    eap_identity=%identity

Below the client configuration (ipsec.conf)

# client
conn con100
    left=%defaultroute
    compress=no
    leftfirewall=yes
    leftauth=eap-mschapv2
    leftsubnet=10.0.3.0/24
    leftsourceip=%config
    eap_identity="user"

    right=xxxx
    rightauth=pubkey
    rightid=%xxx
    rightsubnet=10.0.3.0/24
    type=tunnel
    auto=add

Once the client is connected successfully, it can only reach itself through the IP 10.0.3.1. As expected, it cannot use any other (external) route due to "leftsubnet=10.0.3.0/24".

But I would like to have the services running on the server (which provides the VPN connection "ikev2-vpn") be available to the clients connected to the VPN.

Since there is no network interface like ipsec0 or similar, I have no clue how to achieve this.

I already tried creating a new interface with IP address "10.0.3.254", but it seems to be isolated from the VPN connection/policy.

Ole K

1 Answer


I have solved it by adding an additional network interface with CIDR 10.0.2.0/24 and IP address 10.0.2.1 on the server and binding the related services (like DNS) to it.

Then I configured the "leftsubnet" to include 10.0.2.0/24. So I am able to use "rightdns=10.0.2.1" to provide an internal DNS service from the server, for instance.

Ole K
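The answer boils down to two selector rules: a server-side service address pushed with rightdns must fall inside the server's leftsubnet (or clients will not send it through the tunnel), and it should not sit inside the rightsourceip pool that is leased to clients (the client in the question received 10.0.3.1). The following checker, an added example and not strongSwan's own code, parses conn sections the way ipsec.conf lays them out and flags both conditions; the sample conn is constructed from the corrected server configuration.

```python
"""Check a strongSwan ipsec.conf 'conn' section for the trap in the question above:
a server-side service address (rightdns) that lies outside the server's leftsubnet
traffic selector is unreachable through the tunnel. Added example, not strongSwan's
own code; the sample conn below is constructed from the accepted answer."""
import ipaddress
import re

# Constructed sample: the server conn after the fix in the answer.
SAMPLE_CONF = """
conn ikev2-vpn
    keyexchange=ikev2
    left=%any
    leftsubnet=10.0.3.0/24,10.0.2.0/24
    right=%any
    rightsourceip=10.0.3.0/24
    rightdns=10.0.2.1
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section ('also=' is not expanded)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def check_service_reachability(conn):
    """Return findings for one conn; an empty list means the selectors look consistent."""
    findings = []
    selectors = [ipaddress.ip_network(s.strip(), strict=False)
                 for s in conn.get("leftsubnet", "").split(",") if s.strip()]
    pool = conn.get("rightsourceip", "")
    pool_net = ipaddress.ip_network(pool, strict=False) if "/" in pool else None
    for dns in filter(None, (d.strip() for d in conn.get("rightdns", "").split(","))):
        addr = ipaddress.ip_address(dns)
        if not any(addr in net for net in selectors):  # not in the tunnel's selector
            findings.append(f"rightdns {dns} is outside leftsubnet; clients cannot reach it via the tunnel")
        if pool_net and addr in pool_net:  # address may also be leased to a client
            findings.append(f"rightdns {dns} lies inside the rightsourceip pool {pool}")
    return findings
```

Running `check_service_reachability(parse_conns(SAMPLE_CONF)["ikev2-vpn"])` returns no findings for the corrected conn, while the original server conn (leftsubnet 10.0.3.0/24 only) with a service on 10.0.2.1 would produce the first finding.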