
I'm running a custom router (Ubuntu 18.04) which uses a "bridge mode" LTE/4G modem (connected via Ethernet). My ISP uses DHCP and hands out 10.x addresses which get assigned to the external NIC of the router.

I've also got strongSwan set up on the router, and when I start the VPN all works well. The config is as follows:

conn ikev2-rw
    right=my-vpn-server
    rightid=@my-vpn-server
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=centaurus
    leftauth=psk
    auto=start

When first started this works fine; however, after a while connectivity drops. I think this is because the router can't refresh the DHCP lease. I see lots of these in my logs a few hours after the initial DHCP lease:

Sep 07 20:54:05 centaurus dhclient[1378]: DHCPREQUEST of 10.3.22.61 on enp4s0 to 10.3.22.1 port 67 (xid=0x18dcd11)
Sep 07 20:54:15 centaurus dhclient[1378]: DHCPREQUEST of 10.3.22.61 on enp4s0 to 10.3.22.1 port 67 (xid=0x18dcd11)
Sep 07 20:54:26 centaurus dhclient[1378]: DHCPREQUEST of 10.3.22.61 on enp4s0 to 10.3.22.1 port 67 (xid=0x18dcd11)

I think what's happening is that the VPN is interfering with DHCP, so the lease isn't being renewed with my ISP. If I switch off the VPN and then ifdown/ifup the external interface, it all comes back online.

Any standard methods for dealing with this?

Robin

1 Answer


With rightsubnet=0.0.0.0/0 you tunnel all traffic to the VPN server. That includes the DHCP messages (UDP from port 68 to 67).

To exclude that traffic, bypass/passthrough IPsec policies may be configured. Either exclude the whole local network or only the DHCP traffic:

conn bypass-lan
    left=127.0.0.1
    leftsubnet=10.0.0.0/8
    rightsubnet=10.0.0.0/8
    type=passthrough
    auto=route

This excludes the whole 10.x range from the VPN. To only exclude DHCP traffic, add [udp/68] to leftsubnet and [udp/67] to rightsubnet.

Installing bypass policies for locally attached networks can also be automated via the bypass-lan plugin.

ecdsa
  • Thanks! I'd missed the fact that you can cherry-pick ports to ignore. Seems to be working so far, here's what I ended up with for the rightsubnet setting: `rightsubnet=10.0.0.0/8[udp/68],10.0.0.0/8[udp/67]` – Robin Sep 12 '19 at 12:49
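As an added illustration (not code from the question, the answer, or strongSwan itself), a small Python model of how the DHCPREQUEST from the log is classified against the conns above: it parses strongSwan's subnet[proto/port] selector syntax and picks the winning policy under the assumed ordering that passthrough policies outrank IPsec policies and narrower selectors win ties. The tunnel's left selector is assumed to be the router's leased address, and the packet tuples are constructed from the log line.

```python
import ipaddress
import re

# strongSwan selector syntax "subnet[proto/port]": proto and port are optional,
# proto may be a name ("udp") or a number ("17").
_SEL = re.compile(r"^([^\[\s]+)(?:\[(\w+)(?:/(\d+))?\])?$")
_PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}

def parse_selector(text):
    """'10.0.0.0/8[udp/68]' -> (IPv4Network('10.0.0.0/8'), 17, 68)."""
    m = _SEL.match(text.strip())
    if not m:
        raise ValueError("bad traffic selector: %r" % text)
    proto = m.group(2)
    if proto is not None:
        proto = _PROTO_NAMES.get(proto.lower()) or int(proto)
    port = int(m.group(3)) if m.group(3) else None
    return ipaddress.ip_network(m.group(1), strict=False), proto, port

def _matches(sel, addr, proto, port):
    net, sproto, sport = sel
    return (ipaddress.ip_address(addr) in net
            and sproto in (None, proto) and sport in (None, port))

def _specificity(sel):
    return sel[0].prefixlen + (8 if sel[1] is not None else 0) + (16 if sel[2] is not None else 0)

def lookup(conns, src, sport, dst, dport, proto=17):
    """Winning policy type for an outbound packet, or None. Assumed ordering (as strongSwan
    prioritises kernel policies): passthrough beats IPsec, narrower selector pair wins ties."""
    best = None
    for conn in conns:
        for left in conn["leftsubnet"].split(","):
            for right in conn["rightsubnet"].split(","):
                l, r = parse_selector(left), parse_selector(right)
                if _matches(l, src, proto, sport) and _matches(r, dst, proto, dport):
                    score = _specificity(l) + _specificity(r)
                    score += 1000 if conn["type"] == "passthrough" else 0
                    if best is None or score > best[0]:
                        best = (score, conn["type"])
    return best[1] if best else None

# The conns from the question and answer (constructed; the tunnel's leftsubnet is
# assumed to be the router's leased address for this simulation).
IKEV2_RW = {"leftsubnet": "10.3.22.61/32", "rightsubnet": "0.0.0.0/0", "type": "tunnel"}
BYPASS_LAN = {"leftsubnet": "10.0.0.0/8", "rightsubnet": "10.0.0.0/8", "type": "passthrough"}
BYPASS_DHCP = {"leftsubnet": "10.0.0.0/8[udp/68]", "rightsubnet": "10.0.0.0/8[udp/67]", "type": "passthrough"}
# The DHCPREQUEST from the log: 10.3.22.61:68 -> 10.3.22.1:67 over UDP.
DHCP_RENEW = ("10.3.22.61", 68, "10.3.22.1", 67, 17)
```

With only ikev2-rw loaded the renewal is classified as tunnelled, which is the failure the question describes; adding either bypass conn makes it pass through, while internet-bound traffic stays in the tunnel.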