I've set up a Linux server with a strongSwan VPN server. I have a Win7 (also, separately, Android) client (built-in IKEv2) connecting OK to the Linux server. Things seemed to be VPN'ing nicely. I can get to internal hosts on other subnets I wouldn't be able to see without the VPN. I can watch the ESP traffic to/from the client with tcpdump.
(For these tests the clients are on a separate locked-down subnet for my wifi.)
But I noticed some traffic isn't using the VPN. It's just coming in on the normal wifi connection/subnet. In particular, I'm looking at DNS UDP port 53. If I ping from Windows to wherever, the DNS occurs over non-VPN (I run my own caching name server, so the same Linux server is the DNS server in this case). I want DNS to hit my server over the VPN.
strongSwan is configured on the server to provide a DNS server entry to the client. I can confirm Windows is seeing the proper DNS server on the VPN with ipconfig /all. I can even try to set those servers manually in the Win7 VPN properties menus. But the DNS query never goes out over the VPN. For kicks I iptables'd out port 53 from the non-VPN'd IP and then the client can't resolve anything (i.e. it doesn't fall back to using the VPN).
So if I ping from the VPN to anywhere on the net, the DNS is not VPN'd but the ICMP *is*. Same with web browsing: it seems to do non-VPN DNS and then VPN the http traffic.
How can I force the Windows client to send *all* traffic over the VPN? Especially DNS.
After that's fixed, how can I force *all* traffic over the VPN on Android? I've heard rumours Android screws with VPN and makes some things impossible.
Thanks!
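For reference, this is what a strongSwan server-side connection that hands a DNS server to a Windows 7 built-in IKEv2 client typically looks like. It is an added example, not the poster's configuration and not taken from this thread; every address, certificate file name and identity in it is an assumption. The one caveat a practitioner would check against a real setup is the address given in rightdns: the built-in Windows VPN client keeps a host route to the IKE gateway address via the physical adapter (so the tunnel cannot route itself), and if the DNS server address handed out is that same gateway address, DNS queries follow the host route and leave in the clear while everything else goes through the tunnel. Handing out an address the client can only reach through the tunnel (here, the server's address on an internal subnet, which lies inside leftsubnet) avoids that.

```ini
# strongSwan ipsec.conf fragment: full-tunnel IKEv2 for the built-in
# Windows 7 client, with an in-tunnel DNS server handed to the client.
# Added example, not the poster's config. Assumed values:
#   vpn.example.org  -> gateway name (subjectAltName) in the server certificate
#   vpnHostCert.pem  -> server certificate under /etc/ipsec.d/certs
#   10.10.10.0/24    -> virtual IP pool assigned to VPN clients
#   192.168.50.1     -> the server's address on an INTERNAL subnet, where the
#                       caching resolver also listens; reachable only via tunnel

conn win7-ikev2
    keyexchange=ikev2
    # Default proposal of the Windows 7 client; "!" makes the list strict.
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    # 0.0.0.0/0 as the local traffic selector: all client traffic is tunnelled.
    leftsubnet=0.0.0.0/0
    left=%any
    leftid=@vpn.example.org
    leftcert=vpnHostCert.pem
    leftauth=pubkey
    leftsendcert=always
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightsourceip=10.10.10.0/24
    # Must NOT be the address the client uses as the IKE endpoint: the Windows
    # client keeps a host route to that address via the physical adapter, so
    # DNS sent there would bypass the tunnel even with leftsubnet=0.0.0.0/0.
    rightdns=192.168.50.1
    auto=add
```

On the Linux side, the check that tells tunnelled DNS from cleartext DNS is worth doing with the IPsec policy match rather than by interface: with the kernel IPsec stack, decrypted ESP payloads re-enter on the same interface the ESP arrived on, so a rule on the wifi interface alone cannot separate the two. Something like `iptables -I INPUT -p udp --dport 53 -m policy --dir in --pol ipsec -j ACCEPT` followed by `iptables -I INPUT -p udp --dport 53 -m policy --dir in --pol none -s <wifi subnet> -j LOG --log-prefix "dns-clear: "` (example rules, not the poster's, with the wifi subnet as a placeholder) gives two counters in `iptables -L INPUT -v -n` that show directly which path the client's queries take.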
Take a look at the OpenVPN docs to see how they manage this; it's a Windows thing where it latches on to a working DNS server and never lets go. IIRC it's a series of ipconfig /flushdns or something similar that's required. -Adam
On November 2, 2015 2:06:47 AM CST, Trevor Cordes trevor@tecnopolis.ca wrote:
_______________________________________________ Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable