
Connect IPSEC VPN to network interface

0 votes
1 answer
872 views
I have a StrongSwan IPSEC VPN configured on my Ubuntu 22.04.4 LTS server. The VPN starts up and connects to the primary interface (eno1) successfully. Using qBittorrent, I bind to the IP Address that is assigned to the VPN connection so that torrent traffic is directed through the VPN. (I don't send any other network traffic through the VPN.) This works successfully so that if the VPN drops, the torrent traffic is halted. The issue is that upon reconnection, I may get assigned a different IP address by the VPN. And so the torrent traffic never resumes. I was hoping to solve this by setting up a tun interface (tun0) and having the VPN connect directly to that interface. Then I could have qBittorrent always stay connected to the tun0 interface rather than a specific IP address. But I can't get data to flow through the VPN connected to the tun0 interface. Any assistance would be appreciated. Here's what I have so far:
sudo tunctl -t tun0        # create tun0 interface
sudo ip link set tun0 up   # enable tun0 interface
Edit /etc/strongswan.d/vtun.conf:
charon {
  install_routes = no
  install_virtual_ip_on = tun0  # Connect VPN to tun0 interface
  if_id_in = 1
  if_id_out = 1
  remote_ts = 10.128.0.0/16
}
Restart VPN:
sudo ipsec down vpn-ca-torrent  # shut down VPN
sudo ipsec restart              # restart ipsec 
sudo ipsec up vpn-ca-torrent    # start VPN
VPN is now connected to tun0:
> ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
       valid_lft 84935sec preferred_lft 84935sec
    inet6 fe80::9a90:96ff:fec0:1b8c/64 scope link
       valid_lft forever preferred_lft forever
3: tun0:  mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
I now connect qBittorrent to the tun0 interface, but no data flows. Here is additional information:
> sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP

> cat /etc/ipsec.conf
  conn vpn-ca-torrent
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        eap_identity=xxxxx@xxx.com
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config
        right=ca-tr.vpnunlimitedapp.com
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        rightid=ironnodes.com
        type=tunnel
        auto=add
        leftupdown=/usr/lib/ipsec/_updown

> ip r
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
192.168.0.0/24 dev eno1 proto static
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
192.168.0.1 dev eno1 proto dhcp scope link src 192.168.0.5 metric 100

> resolvectl
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eno1)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1

Link 3 (tun0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
**UPDATE:** I've added the changes as suggested: /etc/strongswan.d/vtun.conf:
charon {
  install_routes = no
  install_virtual_ip_on = tun0
  if_id_in = 1
  if_id_out = 1
  remote_ts = 10.128.0.0/16

  leftfirewall=yes
  leftsourceip=%config
  leftsubnet=10.128.0.2/32
  rightsubnet=10.128.0.0/16
}
Once the VPN comes up and attaches to the tun0 interface, I add a route to the assigned IP:
> sudo ip route add 10.128.0.0/16 dev tun0 via 10.128.0.XX
I can ping the remote IP at 10.128.0.XX, but qBittorrent still cannot send traffic over it. When I look through the charon logs, I see these errors:
11[IKE] scheduling reauthentication in 9950s
11[IKE] maximum IKE_SA lifetime 10490s
11[IKE] adding DNS server failed
11[IKE] adding DNS server failed
11[CFG] handling INTERNAL_IP4_DNS attribute failed
11[IKE] installing new virtual IP 10.128.0.2
11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
11[IKE] CHILD_SA vpn-ca-torrent{3} established with SPIs ca04de43_i ce23bdaf_o and TS 10.128.0.2/32 === 0.0.0.0/0
ip r:
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
10.128.0.0/16 via 10.128.0.2 dev tun0 linkdown
192.168.0.0/24 dev eno1 proto static
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
192.168.0.1 dev eno1 proto dhcp scope link src 192.168.0.5 metric 100
ip a:
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
       valid_lft 66730sec preferred_lft 66730sec
    inet6 fe80::9a90:96ff:fec0:1b8c/64 scope link
       valid_lft forever preferred_lft forever
3: tun0:  mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
Asked by furnaceX (51 rep)
Feb 24, 2024, 11:31 PM
Last activity: Feb 29, 2024, 06:28 PM
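The pasted output already contains the two signals that matter for a bind-to-interface kill switch: tun0 reports `state DOWN`, and the 10.128.0.0/16 route is flagged `linkdown`, so the kernel forwards nothing over it no matter how the client binds. The script below is an added example (not from the question and not part of strongSwan's own tooling) that turns those observations into checks a wrapper can run before starting the client; it takes `ip a` and `ip r` text as input so it can be exercised on captured output, and the interface name and prefix are assumed from the question.

```shell
#!/bin/sh
# Added example: decide whether a VPN-bound interface is actually usable
# before an application is allowed to rely on it. Functions take the text
# of `ip a` / `ip r` as arguments so the logic can run on captured output.

# Link state (UP/DOWN/UNKNOWN) of interface $2 from `ip a` text $1.
iface_state() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    $2 == ifc ":" { for (i = 1; i <= NF; i++) if ($i == "state") { print $(i + 1); exit } }'
}

# First IPv4 address (without prefix length) of interface $2 from `ip a` text $1.
iface_addr() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    /^[0-9]+: / { cur = $2; sub(":", "", cur) }
    cur == ifc && $1 == "inet" { sub("/.*", "", $2); print $2; exit }'
}

# Succeeds when the route for prefix $2 in `ip r` text $1 carries the
# "linkdown" flag, i.e. the kernel will not send anything over it.
route_linkdown() {
  printf '%s\n' "$1" | awk -v net="$2" '$1 == net && / linkdown/ { hit = 1 } END { exit !hit }'
}

# Readiness check: interface $3 must not be DOWN and must hold an address,
# and the VPN route $4 must not be linkdown. Returns 0 only when all hold.
vpn_iface_ready() {
  state=$(iface_state "$1" "$3"); addr=$(iface_addr "$1" "$3")
  case "$state" in DOWN|"") echo "$3: link state '${state:-missing}'"; return 1 ;; esac
  [ -n "$addr" ] || { echo "$3: no IPv4 address"; return 1; }
  route_linkdown "$2" "$4" && { echo "$4: route is linkdown"; return 1; }
  echo "$3 ($addr) is usable for $4"
}

# Constructed sample input, trimmed from the output pasted in the question.
SAMPLE_IP_A='2: eno1:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
3: tun0:  mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0'
SAMPLE_IP_R='default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
10.128.0.0/16 via 10.128.0.2 dev tun0 linkdown'

if [ "${1:-}" = "--live" ]; then    # run against the real host's ip output
  vpn_iface_ready "$(ip a)" "$(ip r)" "${2:-tun0}" "${3:-10.128.0.0/16}"
else                                # run against the constructed sample
  vpn_iface_ready "$SAMPLE_IP_A" "$SAMPLE_IP_R" tun0 10.128.0.0/16 || echo "do not start the client"
fi
```

Run it with `--live [iface] [prefix]` from the wrapper that launches the client; on the sample it reports `tun0: link state 'DOWN'` and refuses.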