I would like to set up a point-to-site VPN that is only used to access a specific set of subnets so that I can access services via the VPN but without routing all traffic through it.

In my test setup, I have three servers, one of which (fra1-02) is running StrongSwan/IPSec:

          +-----------------+     +-----------------+
          |    client(s)    |---->|    internet     |
          +-----------------+     +-----------------+
                   |
                   v
          +-----------------+
          |  fra1-02 (vpn)  |
          +-----------------+
                   |
         +---------+---------+
         |                   |
         v                   v
+-----------------+ +-----------------+
|     fra1-01     | |     fra1-03     |
+-----------------+ +-----------------+

I want the clients to connect to the internet normally, but for three subnets (specifically the ones assigned to the three servers), traffic should go through the VPN.

The three servers have these subnets:

  1. 2a03:b0c0:3:e0::489:d000/124
  2. 2a03:b0c0:3:e0::493:1000/124
  3. 2a03:b0c0:3:e0::493:2000/124

I have configured IPSec to assign clients IP addresses from fd00:0::0/32

This is my ipsec.conf:

config setup
    uniqueids=no
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@{{ leftid }}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=2a03:b0c0:3:e0::489:d000/124,2a03:b0c0:3:e0::493:1000/124,2a03:b0c0:3:e0::493:2000/124
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=fd00:0::0/32
    rightdns={{ rightdns }}
    rightsendcert=never
    eap_identity=%identity

(the {{ variables }} will be filled in by Ansible).

I haven't configured any routing or anything else.

When I'm connected to the VPN from my laptop, I can still ping fra1-02, the VPN host, and the source address is now one assigned by IPSec and not my laptop's public address, but the other two hosts are not reachable at all.

I have also added this to /etc/sysctl.conf:

net.ipv6.conf.all.forwarding=1

This is (some of) the output of netstat -rn on my laptop (it looks like exactly what I expected):

default                         fd00::    UGcI     ipsec0
2a03:b0c0:3:e0::489:d000/124    fd00::    UGSc     ipsec0
2a03:b0c0:3:e0::493:1000/124    fd00::    UGSc     ipsec0
2a03:b0c0:3:e0::493:2000/124    fd00::    UGSc     ipsec0
...

And the routing table on the VPN server is this:

root@fra1-02:~# ip -6 route list
::1 dev lo proto kernel metric 256 pref medium
2a03:b0c0:3:e0::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via 2a03:b0c0:3:e0::1 dev eth0 proto static metric 1024 pref medium

How do I set it up so that traffic to fra1-01 and fra1-03 is routed through the VPN?

Stefano Palazzo
1 Answer

I have installed netfilter-persistent and added the following to /etc/iptables/rules.v6:

*nat
-A POSTROUTING -s fd00::/32 -o eth0 -j MASQUERADE
COMMIT

And now everything works great.

Stefano Palazzo
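The following is an added example, not code from the question or the answer above. It does two things the thread leaves implicit: it models why forwarded packets got no reply before the MASQUERADE rule (the return path from fra1-01 and fra1-03), and it generates a /etc/iptables/rules.v6 that keeps the answer's NAT rule but adds a FORWARD policy restricted to the three server subnets, since net.ipv6.conf.all.forwarding=1 with no FORWARD rules otherwise lets any authenticated client be forwarded to whatever the VPN host can reach. Assumptions: fra1-01 and fra1-03 have the same shape of routing table as the fra1-02 table shown in the question (the /64 on-link, everything else via the provider gateway), and 2a03:b0c0:3:e0::2 stands in for fra1-02's own eth0 address, which the page does not give.

```python
# Added example, not code from the question or the answer above.
# Part 1 models why forwarded packets got no reply before the MASQUERADE
# rule; part 2 generates a /etc/iptables/rules.v6 that keeps that rule and
# adds a FORWARD policy restricted to the three server subnets.
from ipaddress import IPv6Address, IPv6Network

# Values copied from the ipsec.conf on the page.
SERVER_SUBNETS = [
    IPv6Network("2a03:b0c0:3:e0::489:d000/124"),
    IPv6Network("2a03:b0c0:3:e0::493:1000/124"),
    IPv6Network("2a03:b0c0:3:e0::493:2000/124"),
]
CLIENT_POOL = IPv6Network("fd00::/32")          # rightsourceip
ON_LINK = IPv6Network("2a03:b0c0:3:e0::/64")    # eth0 prefix on fra1-02
UPSTREAM_GW = IPv6Address("2a03:b0c0:3:e0::1")  # fra1-02's default route
# ASSUMPTION: fra1-02's own eth0 address; the page does not give it.
VPN_HOST_ADDR = IPv6Address("2a03:b0c0:3:e0::2")

# ASSUMPTION: fra1-01 and fra1-03 have the same shape of routing table as
# fra1-02 (the /64 on-link, everything else via the provider gateway).
# A next hop of None means "deliver directly on the link".
PEER_ROUTES = [
    (ON_LINK, None),
    (IPv6Network("::/0"), UPSTREAM_GW),
]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs."""
    dst = IPv6Address(dst)
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def reply_next_hop(packet_src):
    """Where fra1-01 sends the reply to a packet that arrived with this
    source address.  Without NAT the source is a pool address (fd00::/32,
    a ULA the provider does not route), so the reply leaves towards the
    upstream gateway and never comes back.  With MASQUERADE the source is
    fra1-02's eth0 address, which is on-link, so the reply reaches fra1-02
    and conntrack reverses the translation."""
    hit = lookup(PEER_ROUTES, packet_src)
    return None if hit is None else hit[1]


def build_rules_v6(pool=CLIENT_POOL, subnets=SERVER_SUBNETS, iface="eth0"):
    """Return an ip6tables-restore file: the answer's MASQUERADE rule plus a
    default-DROP FORWARD chain that only accepts pool clients arriving
    through an IPsec policy and heading for the listed subnets."""
    for s in subnets:
        if pool.overlaps(s):
            raise ValueError(f"client pool {pool} overlaps server subnet {s}")
    lines = [
        "*nat",
        f"-A POSTROUTING -s {pool} -o {iface} -j MASQUERADE",
        "COMMIT",
        "*filter",
        ":FORWARD DROP [0:0]",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for s in subnets:
        lines.append(
            f"-A FORWARD -s {pool} -d {s} -o {iface} "
            "-m policy --dir in --pol ipsec -j ACCEPT"
        )
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("reply to un-NATed source fd00::1 goes via:", reply_next_hop("fd00::1"))
    print("reply to masqueraded source goes via:", reply_next_hop(VPN_HOST_ADDR))
    print(build_rules_v6(), end="")
```

Write the output of build_rules_v6() to /etc/iptables/rules.v6 and netfilter-persistent will load it with ip6tables-restore. The `-m policy --dir in --pol ipsec` match means only packets that were actually decapsulated from an IPsec SA are forwarded, so a plain packet with a spoofed fd00:: source is dropped; the FORWARD chain is defence in depth on top of the traffic selectors charon already derives from leftsubnet.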