I'm using the Gnome Network manager to connect to my office VPN. It's using StrongSwan IPSec.

It connects fine, but all my internet traffic is routed through the office. I don't want this; I only want to see the IP addresses of my office without all my internet traffic going through the office. Also, if possible, to use the office DNS to resolve the office server names (but this is less important).

The following settings are set:

  • Gateway Address: IP address of the office
  • Certificates: All working, I'm using "Certificate/private key".
  • Options: All options are enabled.
  • IPv4: I tried a few settings here, but currently only "Automatic (DHCP)" is selected.
  • IPv6: Disabled.

UPDATE: My ip -r output is:

default via 192.168.188.1 dev enp3s0 proto dhcp metric 100 
169.254.0.0/16 dev enp3s0 scope link metric 1000 
192.168.2.103 dev enp3s0 proto kernel scope link src 192.168.2.103 metric 50 
192.168.2.103 dev enp3s0 proto kernel scope link src 192.168.2.103 metric 100 
192.168.188.0/24 dev enp3s0 proto kernel scope link src 192.168.188.21 metric 100 
psiphi75
  • Is it you who manages the VPN service at your office? Normally those settings are pushed from the server to the client, and they cannot always be changed on the client side; you could try to remove the default route the VPN set and set another one there so the VPN gateway is only used for the office subnet. – AtomiX84 Apr 16 '20 at 21:51
  • @AtomiX84 Thanks. It's not me who manages the VPN, there will be reluctance to change the settings server side. "remove the default route VPN set"... that's over my head. – psiphi75 Apr 16 '20 at 22:02
  • See [my answer to a similar question](https://superuser.com/a/1535002/98749) on superuser.com. – ecdsa Apr 17 '20 at 06:40

1 Answer

The general idea is to modify the routing table so that only known office subnets (address blocks) get routed through your VPN interface (e.g. ppp0) and all other subnets get routed through your normal network interface (e.g. en0). When you connect to the VPN, Gnome network manager adds a so-called default route to the VPN interface (ppp0). You need to remove this route and add new routing entries for the known office subnets.

Firstly, you need to find out which private subnets are used by your office network. The easiest way is to ask your office network administrators. If this is not an option, you can figure it out yourself by resolving your office host names after you have connected to the VPN. For example:

$ nslookup service.company.office
Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:   service.company.office
Address: 192.168.1.22

In this case the subnet you need to route through your VPN is 192.168.1.0/24, which means all addresses from 192.168.1.0 to 192.168.1.255. Your office may have more than one subnet you need to route.

Secondly, you need to modify the routing table using the ip command. Print out the table by typing ip r and look for an entry that points to the VPN device:

$ ip r
default dev ppp0 proto static scope link metric 50 
default via 192.168.20.1 dev eno1 proto dhcp metric 100 
...
192.168.20.0/24 dev eno1 proto kernel scope link src 192.168.20.126 metric 100
192.168.100.1 dev ppp0 proto kernel scope link src 192.168.100.89 metric 50 

So now you know that ppp0 is your VPN device. In my example there are two default routes, but ppp0 has the smaller metric, so all traffic goes there. Now, add a separate route to your office network:

$ ip route add 192.168.1.0/24 dev ppp0 proto static scope link

Now you just need to remove the default route to ppp0 and you are good to go:

$ ip route delete default dev ppp0

You can automate this with the following script:

#!/bin/bash

# List your office networks
networks=(
        192.168.1.0/24
        192.168.2.0/24
)

# VPN interface as shown by ip r
vpn_dev=ppp0

# Execute it with sudo
if [ "$(id -u)" != "0" ]; then
        echo "You must be root to execute this script. Use sudo?"
        exit 1          # exit codes must be 0-255; negative values wrap around
fi

# Check if VPN is active. You can use the ipsec status command
# if your VPN is not L2TP
tunnel=$(ip l2tp show tunnel 2>&1)
if [ -z "$tunnel" ]; then
        echo "VPN is not active."
        exit 2
fi

# Add office private network routes
for net in "${networks[@]}"; do
        if ! ret=$(ip route add "$net" dev "$vpn_dev" proto static scope link 2>&1); then
                if [[ $ret == *"File exists"* ]]; then
                        echo "routes have been already added."
                        exit 3
                fi
                echo "failed to add route for $net: $ret"
                exit 4
        fi
done

# Delete default route so Internet is routed via local ISP
ip route delete default dev "$vpn_dev"
Croften
  • Thanks, that seems reasonable. But my `ip -r` command does not clearly distinguish between my VPN connection and my ethernet cable (see my updated question). – psiphi75 Apr 19 '20 at 21:30
  • @psiphi75 I think that means your VPN connection is not active yet / has not set up its routing. – TeNNoX May 06 '22 at 14:40
  • NetworkManager might have changed the routing policy to check a different routing table before `main` (which is the one that `ip route` shows by default). To see if that's the case, you can run `ip rule` and look for any rule prior to the `from all lookup main` one that contains `lookup` followed by a number. Then run `ip route show table N`, where N is that number to see the additional routes. NetworkManager sets up the default route for WireGuard connections like that, so it might do the same for strongSwan. – Tom Hebb Sep 22 '22 at 21:41
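The logic of Croften's answer (find the VPN device among the default routes, add the office subnets via it, drop its default route) and the `ip rule` check Tom Hebb suggests in the last comment, as an added shell example that is not part of the question, the answer or the comments. It works purely on the text of `ip route` / `ip rule`, so the plan can be reviewed before any route is touched; every route and rule line, device name and subnet in it is a constructed sample modelled on the answer's output, and table `220` is just a sample number.

```bash
#!/bin/bash
# Added example (not from the question, answer or comments): text-only helpers
# that reproduce the answer's logic over `ip route` / `ip rule` output and let
# you review the split-tunnel plan before running any `ip` command.
# Assumptions: iproute2 output format as shown in the answer; every route/rule
# line, device name and subnet below is a constructed sample.

SAMPLE_ROUTES='default dev ppp0 proto static scope link metric 50
default via 192.168.20.1 dev eno1 proto dhcp metric 100
192.168.20.0/24 dev eno1 proto kernel scope link src 192.168.20.126 metric 100
192.168.100.1 dev ppp0 proto kernel scope link src 192.168.100.89 metric 50'

# Constructed `ip rule` sample: one extra table (220) is consulted before main.
SAMPLE_RULES='0:      from all lookup local
32765:  from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'

# Exit 0 if the route text ($1) has a route for prefix $2 via device $3.
# The prefix is matched exactly, so "default" and "192.168.1.0/24" both work.
has_route() {
    printf '%s\n' "$1" | awk -v pfx="$2" -v dev="$3" '
        $1 == pfx { for (i = 2; i <= NF; i++) if ($i == "dev" && $(i + 1) == dev) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the device of the default route with the lowest metric, i.e. the
# interface that currently wins for Internet traffic. Before the fix this is
# the VPN device; after it, it should be the LAN interface again.
active_default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev != "" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
        }
        END { if (best != "") print best }'
}

# Print the `ip route` commands that would split-tunnel the table: add each
# office subnet via the VPN device unless that route already exists (adding it
# again would fail with "File exists"), then delete the VPN default route if
# there is one. Usage: plan_split_tunnel "$routes" VPNDEV NET...
plan_split_tunnel() {
    local routes=$1 vpndev=$2 net
    shift 2
    for net in "$@"; do
        has_route "$routes" "$net" "$vpndev" && continue
        printf 'ip route add %s dev %s proto static scope link\n' "$net" "$vpndev"
    done
    if has_route "$routes" default "$vpndev"; then
        printf 'ip route delete default dev %s\n' "$vpndev"
    fi
}

# Exit 0 when the table is split-tunneled for VPNDEV: every office subnet is
# routed via it and no default route uses it.
is_split_tunneled() {
    local routes=$1 vpndev=$2 net
    shift 2
    has_route "$routes" default "$vpndev" && return 1
    for net in "$@"; do
        has_route "$routes" "$net" "$vpndev" || return 1
    done
    return 0
}

# Print the numeric routing tables that `ip rule` consults before `main`; a VPN
# default route placed in one of them does not show up in plain `ip route`.
tables_before_main() {
    printf '%s\n' "$1" | awk '
        /lookup main/ { exit }
        { for (i = 1; i <= NF; i++) if ($i == "lookup" && $(i + 1) ~ /^[0-9]+$/) print $(i + 1) }'
}

# Demo on the constructed samples. On a live system pass "$(ip route)" and
# "$(ip rule)" instead, review the printed plan, then run it as root.
echo "Internet currently leaves via: $(active_default_dev "$SAMPLE_ROUTES")"
echo "Planned changes:"
plan_split_tunnel "$SAMPLE_ROUTES" ppp0 192.168.1.0/24 192.168.2.0/24
echo "Extra tables to inspect with 'ip route show table N': $(tables_before_main "$SAMPLE_RULES")"
```

Running `is_split_tunneled "$(ip route)" ppp0 <office nets>` after applying the plan gives a yes/no check that the default route really left the VPN device, and `active_default_dev` should then name the LAN interface; if `tables_before_main "$(ip rule)"` prints anything, repeat the check against `ip route show table N` for each printed N.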