Split Tunnel via Strongswan Networkmanager

Hello all,

I’m finding myself working remotely as of late (shock right?) and I’m having issues with local access while using my VPN connection.

Current Tumbleweed + NetworkManager-strongswan 1.4.5-2.1
VPN: IKEv2

The VPN itself works great, however when I connect I lose local resource access/internet. It would appear NetworkManager-strongswan is adding routes automatically (ip xfrm policy show) to force all traffic over the VPN. The other end of my VPN does not allow this extra traffic and I only need access to a single resource at the end of the tunnel anyway while retaining my local access and internet connection.

Is there any way to split the tunnel and continue using NetworkManager-strongswan? It is clean, convenient and the taskbar status icon is very helpful (vs bringing things up and down in the terminal).

Thank you for any help.

First,
You should understand that split-tunneling is a major compromise in the security of the VPN network you’re connected to.
Before setting it up, get permission in writing in case you cause a major compromise… The problem with split-tunneling is that if a hacker can compromise your system, he will have access to your VPN resource in real time.

Much better is if you do something like use virtualization and then connect using your VPN from a virtual machine.
Your work in the virtual machine would be isolated from anything you do on your HostOS so you can connect to the regular Internet using your HostOS.

Otherwise, like any other VPN technology, because people ask about this despite its known dangers,

https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling

TSU

Thank you for the response TSU. The potential problems with splitting are well understood, but I appreciate the warning. My issue is that either splitting/narrowing is flat out broken or seemingly not implemented when using NetworkManager. It is, of course, fully supported outside of NetworkManager. The hope was that maybe I was missing a way to configure left/right sub-netting in the background for NM to use, as StrongSwan ignores ipsec.conf in this configuration. Presumably because it is actually charon-nm…

NetworkManager ordinarily does not impose any special restrictions,
I’d recommend you inspect the configuration files Network Manager uses when connecting with Strongswan…

So,
The following is the Strongswan documentation when using Network Manager.

https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager

Although it sometimes happens, I don’t expect that the configuration file(s) described in the documentation are very different than on openSUSE, at most you might find them in a different location.

I’d expect that once you’ve located the necessary configuration file, you should be able to insert the setting that enables split-tunnel.

TSU

Have you tried editing the NM VPN connection? Select VPN network > Edit > IPv4 Settings > Routes > Check ‘Use only for resources on its connection’

Similar question discussed in the openVPN forum
https://forums.openvpn.net/viewtopic.php?t=8229

Thanks for the link. That is where I am at right now, however there does not seem to be any specific documentation as to specifically what config(s) can be used to tweak the Networkmanager-Strongswan plug-in. As mentioned previously, it seems to ignore all the standard ipsec configuration files and I have yet to find any plug-in specific files.

deano_ferrari, thank you for the suggestion.

That was the first thing I tried before starting my current search. While using the Networkmanager-Strongswan plug-in, “Use only for resources on this connection” and “Ignore automatically obtained routes” do not work. However, this may be by design as Strongswan is IKEv2, which means it is using kernel based policy routing and not traditional routing, the latter of which I believe those options are controlling. I believe the OpenVPN in the link you provided is also using the traditional routing options.

With ipsec, this routing would normally be controlled in the ipsec.conf using options such as:
leftsubnet=x.x.x.x/xx
rightsubnet=x.x.x.x/xx
left=x.x.x.x/xx
right=x.x.x.x/xx

But as mentioned, the Networkmanager-Strongswan plug-in seems to ignore this config file. Anyway I am still searching!

Then it is enforced via your company’s VPN policy and pushed to clients.

Most likely you’ll make the necessary edits in the following file

/etc/ipsec.conf

The edits will need to address the various issues described in the “Split Tunneling with IKEv2” section of

https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Considering the effort involved to configure something that is highly discouraged,
I’d still remind you that if you are able to simply install virtualization like Virtualbox on your machine and create a Guest,
You can easily connect to the VPN using your Guest
While accessing the Internet without the VPN from your HostOS

Which would be relatively safe to do unless you established a real time connection between Guest and HostOS which is again… possible but discouraged.

TSU

So I thought I’d follow-up on this problem in case somebody comes across this thread in the future. It seems this issue has been asked about and answered many times across the internet since my original inquiry and with some direction from a Strongswan dev I was able to create a solution to my problem.

This is my take away for anyone trying the same:

1: The Strongswan NetworkManager plug-in really is not (currently) designed to allow much configuration at all. It is more or less a simple plug-n-play element meant to get people going with as little configuration as possible.

2: If you need to be able to customize the vpn configuration from the client side, the full Strongswan ipsec daemon is probably where you should be looking.

3: If you really insist on using the NetworkManager plug-in, you can disable it from creating routes entirely by setting the ‘charon.install_routes’ (no) option in strongswan.conf. Once this is done, the tunnel will still come up, but by default -no- traffic will be routed through it. You can then use the ‘ip route add …’ command to create your own routes in table 220. For convenience, you can create scripts for the addition/removal of your routes, and then trigger these scripts using NetworkManager’s dispatcher event system. I have my scripts triggering on the ‘vpn-up’ and ‘vpn-down’ events, and things have been working flawlessly for a week or two now.

Hopefully this helps someone in the future.

Thank you everybody.
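A NetworkManager dispatcher script that implements the approach described in the follow-up post above; this is an added example, not the poster’s own scripts. It assumes that strongswan.conf already carries charon.install_routes = no, that the first argument NetworkManager passes is the device the IKEv2 traffic leaves through (override with VPN_DEV otherwise), and the remote prefixes are constructed sample values.

```shell
#!/bin/sh
# Assumed location: /etc/NetworkManager/dispatcher.d/90-strongswan-split
# Requires strongswan.conf to contain:   charon { install_routes = no }
# so charon-nm brings the tunnel up without routing any traffic into it.
# NetworkManager calls dispatcher scripts as: <script> <interface> <action>

# Remote prefixes that should go through the tunnel (constructed sample values).
VPN_PREFIXES="10.10.20.0/24 10.10.30.5/32"
# strongswan's routing table (charon.routing_table, default 220).
VPN_TABLE=220
# DRY_RUN=1 prints the ip(8) commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"

# Build one ip(8) route command.
# $1 = add|del, $2 = prefix, $3 = outgoing device, $4 = optional source address
route_cmd() {
    cmd="ip route $1 $2 dev $3"
    [ -n "$4" ] && cmd="$cmd src $4"
    printf '%s table %s' "$cmd" "$VPN_TABLE"
}

# Execute or print a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$1"; else $1; fi
}

# Add or delete ($1) every VPN prefix on device $2, with optional src $3.
apply_routes() {
    for prefix in $VPN_PREFIXES; do
        run "$(route_cmd "$1" "$prefix" "$2" "$3")"
    done
}

# React to NetworkManager's action ($2) for interface ($1).
dispatch() {
    # No tunnel interface exists; assume $1 is the device the IKEv2 traffic
    # leaves through unless VPN_DEV overrides it (assumption, verify locally).
    dev="${VPN_DEV:-$1}"
    # Virtual IP from the gateway: NM exports VPN_IP4_ADDRESS_0 as
    # "addr/prefix gateway"; keep only the address for the src hint.
    src="${VPN_IP4_ADDRESS_0%%/*}"
    case "$2" in
        vpn-up)   apply_routes add "$dev" "$src" ;;
        vpn-down) apply_routes del "$dev" "$src" ;;
    esac
}

if [ "$#" -ge 2 ]; then
    dispatch "$1" "$2"
fi
```

Run it with DRY_RUN=1 and a fake action (e.g. `DRY_RUN=1 ./90-strongswan-split wlan0 vpn-up`) to review the routes before installing it; dispatcher scripts must be root-owned and executable or NetworkManager ignores them.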

Thanks for the update.