I've set up an ikev2 VPN using strongswan on a Ubuntu 18.04 server, and I'm using Windows 10 Pro 1809, and the built-in vpn client.
I can connect to the vpn just fine, and almost all traffic is routed through the vpn. If I visit sites like ipchicken.com or whatismyip.com, they show the vpn ip address.
However, if I attempt to access my reverse proxy, which is hosted on the same server, the traffic comes from my external connection, not the vpn. This means I can't access some services on my reverse proxy that are limited to local ip addresses.
If I access the reverse proxy directly via the server's LAN ip, then the traffic goes through the vpn.
What gives?
Answer
Traffic to your server's public IP address must go via the internet. Otherwise the VPN itself would not work. The VPN tunnel cannot use itself to get to the server; that would make no sense. Windows doesn't discriminate when it comes to protocol; anything destine for the public IP of your server will be routed via Internet.
You can see the route rule in your route table by opening command prompt and typing route print. The public IP address of your VPN server will be listed as a single, high priority route.
To get to your server via VPN, you should use the IP address of the server...
- on the VPN subnet
- routable from the VPN subnet gateway
You have found that the LAN IP of your server goes over VPN. Your computer is going to send this via VPN because this IP isn't on your local LAN and isn't the public IP of the server. The server sees this traffic coming in on the VPN interface and, being the VPN gateway, the server forwards it into the remote LAN*. Then the server sees this traffic on the remote LAN with it's remote LAN IP and picks it up, forwarding it to the correct application.
* Note that Linux is smart enough to skip this step. It knows the IP address of all other interfaces and by default will accept traffic for any IP it owns on any interface.
No comments:
Post a Comment