
I have a StrongSwan IPSEC VPN configured on my Ubuntu 22.04.4 LTS server. The VPN starts up and connects to the primary interface (eno1) successfully.

Using qBittorrent, I bind to the IP Address that is assigned to the VPN connection so that torrent traffic is directed through the VPN. (I don't send any other network traffic through the VPN.) This works successfully so that if the VPN drops, the torrent traffic is halted.

The issue is that upon reconnection, I may get assigned a different IP address by the VPN. And so the torrent traffic never resumes.

I was hoping to solve this by setting up a tun interface (tun0) and having the VPN connect directly to that interface. Then I could have qBittorrent always stay connected to the tun0 interface rather than a specific IP address.

But I can't get data to flow through the VPN connected to the tun0 interface. Any assistance would be appreciated.

Here's what I have so far:

sudo tunctl -t tun0        # create tun0 interface
sudo ip link set tun0 up   # enable tun0 interface

Edit /etc/strongswan.d/vtun.conf:

charon {
  install_routes = no
  install_virtual_ip_on = tun0  # Connect VPN to tun0 interface
  if_id_in = 1
  if_id_out = 1
  remote_ts = 10.128.0.0/16
}

Restart VPN:

sudo ipsec down vpn-ca-torrent  # shut down VPN
sudo ipsec restart              # restart ipsec
sudo ipsec up vpn-ca-torrent    # start VPN

VPN is now connected to tun0:

> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
       valid_lft 84935sec preferred_lft 84935sec
    inet6 fe80::9a90:96ff:fec0:1b8c/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever

I now connect qBittorrent to the tun0 interface, but no data flows.

Here is additional information:

> sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP

> cat /etc/ipsec.conf
  conn vpn-ca-torrent
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        [email protected]
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config
        right=ca-tr.vpnunlimitedapp.com
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        rightid=ironnodes.com
        type=tunnel
        auto=add
        leftupdown=/usr/lib/ipsec/_updown

> ip r
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
192.168.0.0/24 dev eno1 proto static
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
192.168.0.1 dev eno1 proto dhcp scope link src 192.168.0.5 metric 100

> resolvectl
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eno1)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1

Link 3 (tun0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

UPDATE:

I've added the changes as suggested:

/etc/strongswan.d/vtun.conf:

charon {
  install_routes = no
  install_virtual_ip_on = tun0
  if_id_in = 1
  if_id_out = 1
  remote_ts = 10.128.0.0/16

  leftfirewall=yes
  leftsourceip=%config
  leftsubnet=10.128.0.2/32
  rightsubnet=10.128.0.0/16
}

Once the VPN comes up and attaches to the tun0 interface I add a route to the assigned IP:

sudo ip route add 10.128.0.0/16 dev tun0 via 10.128.0.XX

I can ping the remote IP at 10.128.0.XX, but qBittorrent still cannot send traffic over it.

When I look through the charon logs, I see these errors:

  11[IKE] scheduling reauthentication in 9950s
  11[IKE] maximum IKE_SA lifetime 10490s
  11[IKE] adding DNS server failed
  11[IKE] adding DNS server failed
  11[CFG] handling INTERNAL_IP4_DNS attribute failed
  11[IKE] installing new virtual IP 10.128.0.2
  11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
  11[IKE] CHILD_SA vpn-ca-torrent{3} established with SPIs ca04de43_i ce23bdaf_o and TS 10.128.0.2/32 === 0.0.0.0/0

ip r:

default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
10.128.0.0/16 via 10.128.0.2 dev tun0 linkdown
192.168.0.0/24 dev eno1 proto static
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
192.168.0.1 dev eno1 proto dhcp scope link src 192.168.0.5 metric 100

ip a:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
       valid_lft 66730sec preferred_lft 66730sec
    inet6 fe80::9a90:96ff:fec0:1b8c/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever

1 Answer

It seems that the issue is related to the fact that the tun0 interface does not have a default route, and therefore, it does not know how to forward packets to the VPN server.

To fix this, you can add a static route to the tun0 interface, pointing to the VPN server's IP address as the gateway for the 10.128.0.0/16 subnet. This will tell the interface to send all packets destined for that subnet to the VPN server.

Assuming that the VPN server has the IP address 10.128.0.1, you can add the following command to the /etc/strongswan.d/vtun.conf file:

leftfirewall=yes
leftsourceip=%config
leftsubnet=10.128.0.2/32
rightsubnet=10.128.0.0/16

And then add the following route to the tun0 interface after bringing it up:

sudo ip route add 10.128.0.0/16 via 10.128.0.1 dev tun0

This should enable data flow through the VPN connected to the tun0 interface. Keep in mind that changes to the routing table are not persistent across reboots, so you may want to add this command to a startup script or configure it in your router.

Also, note that you might want to adjust the configuration of the strongSwan charon to match your specific setup, such as the IKE version, encryption algorithms, and authentication mechanisms.

Lastly, you may want to check the logs of the strongSwan daemon to see if there are any error messages or warnings that might help you further diagnose the issue. You can do this by running the following command:

sudo journalctl -f -u charon.service
  • Thanks for the help. I've added the lines to the vtun.conf. Once the VPN comes up and attaches to the tun0 interface I add a route to the assigned IP: "sudo ip route add 10.128.0.0/16 dev tun0 via 10.128.0.XX". I can ping the remote IP at 10.128.0.XX, but qBittorrent still cannot send traffic over it.
    – furnaceX
    Commented Feb 29 at 18:15
  • I've added some additional info to the OP with your suggestions.
    – furnaceX
    Commented Feb 29 at 18:29
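The answer's route has to be re-added with whatever virtual IP strongSwan assigns after each reconnect, which is the original problem. The script below is an added example, not code from the question, the answer or strongSwan: a custom updown script (set as leftupdown=) that installs the route from the real PLUTO_MY_SOURCEIP and PLUTO_PEER_CLIENT values strongSwan passes in, and removes it when the child SA goes down. It assumes the VPN interface is tun0 and uses a hypothetical VPN_GW environment variable for the answer's assumed 10.128.0.1 gateway.

```shell
#!/bin/sh
# Added example, not from the question, the answer or strongSwan itself.
# strongSwan runs the updown script with PLUTO_* variables on every child SA
# event, so the route is built from the virtual IP assigned this time and is
# removed again when the SA goes down (no leak via eno1 while the VPN is off).
# Assumed: leftupdown= points at this script and the VPN interface is tun0.

VPN_DEV="${VPN_DEV:-tun0}"

# Build the "ip route" arguments for one event without running anything, so
# the decision can be checked in isolation.
#   $1 PLUTO_VERB   $2 PLUTO_MY_SOURCEIP (virtual IP)
#   $3 PLUTO_PEER_CLIENT (remote traffic selector)   $4 optional gateway
route_args() {
    verb="$1"; vip="$2"; peer_net="$3"; gw="${4:-$2}"
    case "$verb" in
        up-client)   action=replace ;;   # replace: idempotent on reconnects
        down-client) action=del ;;
        *)           return 1 ;;         # up-host etc. carry no virtual IP
    esac
    # Never install a route without a virtual IP: the kernel would pick a
    # source address on eno1 and the torrent traffic would bypass the VPN.
    [ -n "$vip" ] && [ -n "$peer_net" ] || return 1
    # tun0 carries a /32, so a gateway other than the local address itself is
    # not on-link and the kernel rejects the route unless "onlink" is given.
    extra=""
    [ "$gw" = "$vip" ] || extra=" onlink"
    printf '%s %s dev %s via %s src %s%s\n' "$action" "$peer_net" "$VPN_DEV" "$gw" "$vip" "$extra"
}

# Entry point when strongSwan invokes the script; does nothing when sourced.
if [ -n "${PLUTO_VERB:-}" ]; then
    # Keep the stock script's firewall handling, which the question relies on.
    [ -x /usr/lib/ipsec/_updown ] && /usr/lib/ipsec/_updown "$@"
    if args=$(route_args "$PLUTO_VERB" "${PLUTO_MY_SOURCEIP:-}" "${PLUTO_PEER_CLIENT:-}" "${VPN_GW:-}"); then
        # shellcheck disable=SC2086  (word splitting of $args is intended)
        ip route $args
        logger -t vpn-updown "$PLUTO_CONNECTION: ip route $args"
    fi
fi
```

Make the file executable and set leftupdown= in the conn to its path; with VPN_GW unset it reproduces the route form from the question's update (via the assigned IP), with VPN_GW=10.128.0.1 it reproduces the answer's form with onlink added.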
