Comments (4)
Why not just install [PiHole](https://pi-hole.net/) and use it as DNS? Why would the VPN be responsible for it?
from ikev2-setup.
@GBH, unfortunately, PiHole wouldn't reliably work with StrongSwan: pi-hole/pi-hole#2021
I hoped for a simpler hint (like "here is the path to file containing blacklisted hostnames that StrongSwan won't be establishing outgoing connections to"). That would be so much easier.
from ikev2-setup.
I ended up borrowing the adblocking mechanism from https://github.com/trailofbits/algo
StrongSwan uses a locally installed dnsmasq; here is my /etc/ipsec.conf, note the rightdns parameter (172.16.0.1). Also note that StrongSwan assigns VPN users IP addresses from the following pools: IPv4: 10.19.48.0/24, IPv6: fd9d:bc11:4020::/48.
```
config setup
    strictcrlpolicy=yes
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384!
    esp=aes256gcm16-sha256!
    dpdaction=clear
    dpddelay=35s
    rekey=no
    left=%any
    leftid=[email protected]
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsendcert=never
    # client address pools (IPv4 and IPv6)
    rightsourceip=10.19.48.0/24,fd9d:bc11:4020::/48
    # DNS server pushed to clients: the local dnsmasq listening on 172.16.0.1
    rightdns=172.16.0.1
```
Here is my iptables configuration (/etc/iptables/rules.v4):
```
# Generated by iptables-save v1.6.1 on Sun Mar 4 16:52:20 2018
*filter
:INPUT DROP [2:104]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [16:5089]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name icmp-echo-drop -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# DNS for VPN clients on the dnsmasq address; note that only UDP/53 is opened, there is no TCP/53 rule
-A INPUT -d 172.16.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 172.16.0.1/32 -p tcp -m multiport --dports 8080,8118 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 88 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
# only traffic that arrived through an IPsec SA from the client pool may be forwarded
-A FORWARD -s 10.19.48.0/24 -m conntrack --ctstate NEW -m policy --dir in --pol ipsec -j ACCEPT
COMMIT
# Completed on Sun Mar 4 16:52:20 2018
# Generated by iptables-save v1.6.1 on Sun Mar 4 16:52:20 2018
*mangle
:PREROUTING ACCEPT [11453:14482861]
:INPUT ACCEPT [5513:9776070]
:FORWARD ACCEPT [5938:4706107]
:OUTPUT ACCEPT [6253:4976319]
:POSTROUTING ACCEPT [12183:9682115]
COMMIT
# Completed on Sun Mar 4 16:52:20 2018
# Generated by iptables-save v1.6.1 on Sun Mar 4 16:52:20 2018
*nat
:PREROUTING ACCEPT [232:26485]
:INPUT ACCEPT [90:7741]
:OUTPUT ACCEPT [186:12036]
:POSTROUTING ACCEPT [186:12036]
-A POSTROUTING -s 10.19.48.0/24 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Sun Mar 4 16:52:20 2018
```
Here is the IPv6 config (/etc/iptables/rules.v6):
```
# Generated by ip6tables-save v1.6.1 on Sun Mar 4 16:52:20 2018
*filter
:INPUT DROP [3:210]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [41:3434]
:ICMPV6-CHECK - [0:0]
:ICMPV6-CHECK-LOG - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name icmp-echo-drop --hashlimit-srcmask 32 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# neighbour discovery (RA, NS, NA, redirect) is only accepted with hop limit 255, i.e. from the local link
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT
# DNS for VPN clients on the dnsmasq IPv6 listen address
-A INPUT -d fcaa::1/128 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j ICMPV6-CHECK
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s fd9d:bc11:4020::/48 -m conntrack --ctstate NEW -m policy --dir in --pol ipsec -j ACCEPT
# log and drop forwarded neighbour-discovery messages whose hop limit is not 255
-A ICMPV6-CHECK -p ipv6-icmp -m hl ! --hl-eq 255 -m icmp6 --icmpv6-type 133 -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK -p ipv6-icmp -m hl ! --hl-eq 255 -m icmp6 --icmpv6-type 134 -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK -p ipv6-icmp -m hl ! --hl-eq 255 -m icmp6 --icmpv6-type 135 -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK -p ipv6-icmp -m hl ! --hl-eq 255 -m icmp6 --icmpv6-type 136 -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK-LOG -j LOG --log-prefix "ICMPV6-CHECK-LOG DROP "
-A ICMPV6-CHECK-LOG -j DROP
COMMIT
# Completed on Sun Mar 4 16:52:20 2018
# Generated by ip6tables-save v1.6.1 on Sun Mar 4 16:52:20 2018
*mangle
:PREROUTING ACCEPT [53:5647]
:INPUT ACCEPT [28:2034]
:FORWARD ACCEPT [19:2797]
:OUTPUT ACCEPT [41:3434]
:POSTROUTING ACCEPT [63:6441]
COMMIT
# Completed on Sun Mar 4 16:52:20 2018
# Generated by ip6tables-save v1.6.1 on Sun Mar 4 16:52:20 2018
*nat
:PREROUTING ACCEPT [1:80]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [7:646]
:POSTROUTING ACCEPT [7:646]
-A POSTROUTING -s fd9d:bc11:4020::/48 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Sun Mar 4 16:52:20 2018
```
The following script (/usr/local/sbin/adblock.sh) was added to crontab:
```
#!/bin/sh
# Block ads, malware, etc..
TEMP="$(mktemp)"
TEMP_SORTED="$(mktemp)"
# remove the scratch files however the script exits
trap 'rm -f "$TEMP" "$TEMP_SORTED"' EXIT

DNSMASQ_WHITELIST="/var/lib/dnsmasq/white.list"
DNSMASQ_BLACKLIST="/var/lib/dnsmasq/black.list"
DNSMASQ_BLOCKHOSTS="/etc/dnsmasq.d/block.hosts.conf"
# note: the first list is fetched over plain HTTP, the others over HTTPS
BLOCKLIST_URLS="http://winhelp2002.mvps.org/hosts.txt
https://adaway.org/hosts.txt
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://hosts-file.net/ad_servers.txt
"

# Delete the old block.hosts to make room for the updates
rm -f "$DNSMASQ_BLOCKHOSTS"

echo 'Downloading hosts lists...'
# Download and process the files needed to make the lists (enable/add more, if you want):
# keep only hosts-format lines that sinkhole to 0.0.0.0 or 127.0.0.1, strip CRs, take the hostname column
for url in $BLOCKLIST_URLS; do
    wget --timeout=2 --tries=3 -qO- "$url" \
        | grep -Ev "(localhost)" \
        | grep -Ew "(0.0.0.0|127.0.0.1)" \
        | awk '{sub(/\r$/,"");print $2}' >> "$TEMP"
done

# Add black list, if non-empty
if [ -s "$DNSMASQ_BLACKLIST" ]; then
    echo 'Adding blacklist...'
    cat "$DNSMASQ_BLACKLIST" >> "$TEMP"
fi

# Sort the download/black lists into dnsmasq "local=/host/" directives (answers NXDOMAIN for the name)
awk '/^[^#]/ { print "local=/" $1 "/" }' "$TEMP" | sort -u > "$TEMP_SORTED"

# Filter (if applicable)
if [ -s "$DNSMASQ_WHITELIST" ]; then
    # Filter the blacklist, suppressing whitelist matches
    # This is relatively slow =-(
    echo 'Filtering white list...'
    grep -v -E "^[[:space:]]*$" "$DNSMASQ_WHITELIST" \
        | awk '/^[^#]/ {sub(/\r$/,"");print $1}' \
        | grep -vf - "$TEMP_SORTED" > "$DNSMASQ_BLOCKHOSTS"
else
    cat "$TEMP_SORTED" > "$DNSMASQ_BLOCKHOSTS"
fi

echo 'Restarting dnsmasq service...'
# Restart the dnsmasq service
systemctl restart dnsmasq.service
```
Here is my /etc/dnsmasq.conf (please note that it binds the service to the same IP that is listed in StrongSwan's config):
```
bind-interfaces
conf-dir=/etc/dnsmasq.d
group=nogroup
# 172.16.0.1 is the address pushed to clients via rightdns in ipsec.conf;
# FCAA::1 is listened on as well, but ipsec.conf above pushes only the IPv4 address
listen-address=127.0.0.1,FCAA::1,172.16.0.1
# I use DNS provided by dns.yandex.ru (it blocks malware hosts), but feel free to use Google DNS or any other
server=77.88.8.2
server=77.88.8.88
user=nobody
```
To unblock certain hosts, add them to /var/lib/dnsmasq/white.list (one hostname per line).
from ikev2-setup.
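An added example, not code from the ikev2-setup project or from the comment above: a stricter version of the blocklist-to-dnsmasq step. It goes beyond the posted adblock.sh in two ways. Every hostname taken from a downloaded list is validated before it becomes a `local=/…/` directive, so a corrupted or hostile list cannot push odd tokens into the dnsmasq config, and the whitelist is applied as an exact whole-line match instead of the unanchored `grep -vf`, which would also unblock every subdomain of a whitelisted name. The function names (`hosts_to_dnsmasq`, `apply_whitelist`, `install_blocklist`, `demo_blocklist`), the sample list and whitelist are all constructed here; only POSIX sh, awk, grep, sort and mktemp are assumed, and `dnsmasq --test` is run only when dnsmasq happens to be installed.

```sh
#!/bin/sh
# Added example (not part of ikev2-setup or the posted adblock.sh).
set -u

# hosts_to_dnsmasq: read hosts-format lines on stdin and print one
# "local=/hostname/" line per sinkholed (0.0.0.0 / 127.0.0.1) entry.
# Each hostname is validated before it is allowed into the dnsmasq config:
# slashes, underscores, over-long labels, bare IP literals and localhost
# entries are dropped rather than passed through.
hosts_to_dnsmasq() {
    tr -d '\r' | awk '
        /^[[:space:]]*#/ || NF < 2 { next }             # comments, blank lines
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }    # keep sinkhole entries only
        {
            host = tolower($2)
            if (host == "localhost" || host == "localhost.localdomain") { next }
            if (host ~ /^[0-9.]+$/) { next }             # bare IPv4 literal, not a name
            if (length(host) > 253 || host !~ /^[a-z0-9.-]+$/) { next }
            n = split(host, lab, ".")
            ok = 1
            for (i = 1; i <= n; i++) {
                if (length(lab[i]) < 1 || length(lab[i]) > 63) { ok = 0 }
                if (lab[i] ~ /^-/ || lab[i] ~ /-$/) { ok = 0 }
            }
            if (ok) { print "local=/" host "/" }
        }' | sort -u
}

# apply_whitelist BLOCKFILE WHITEFILE: remove whitelisted names by exact
# whole-line, fixed-string match (grep -x -F), so whitelisting example.com
# does not also unblock ads.example.com.
apply_whitelist() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         { sub(/\r$/, "", $1); print "local=/" tolower($1) "/" }' "$2" \
        | grep -vxFf - "$1" || true   # grep exits 1 when every line was filtered; not an error here
}

# install_blocklist SRC DEST: syntax-check the fragment when dnsmasq is
# available, then replace DEST atomically, so dnsmasq never reads a
# half-written file and the previous list survives a failed update.
install_blocklist() {
    tmp=$(mktemp "$2.XXXXXX") || return 1
    cp "$1" "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test --conf-file="$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0644 "$tmp" && mv -f "$tmp" "$2"
}

# Constructed sample list and whitelist (not a real download): the usual
# hosts-file lines plus a few that must be rejected or deduplicated.
SAMPLE_HOSTS='# sample hosts-format blocklist
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.ORG
0.0.0.0 ads.example.net
0.0.0.0 good/looking.example.net
0.0.0.0 bad_host.example.net
0.0.0.0 0.0.0.0
192.0.2.1 notasinkhole.example.net'
SAMPLE_WHITE='# names that must stay resolvable
tracker.example.org'

# demo_blocklist: run the whole pipeline on the samples in a scratch
# directory and print the installed block file.
# Expected output: a single line, local=/ads.example.net/
demo_blocklist() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_HOSTS" > "$dir/hosts.txt"
    printf '%s\n' "$SAMPLE_WHITE" > "$dir/white.list"
    hosts_to_dnsmasq < "$dir/hosts.txt" > "$dir/block.raw"
    apply_whitelist "$dir/block.raw" "$dir/white.list" > "$dir/block.filtered"
    install_blocklist "$dir/block.filtered" "$dir/block.hosts.conf"
    cat "$dir/block.hosts.conf"
    rm -rf "$dir"
}

# Run the demo only when asked, so sourcing this file just defines the functions.
if [ "${1:-}" = "--demo" ]; then
    demo_blocklist
fi
```

To use it in place of the posted script, feed the downloaded lists through `hosts_to_dnsmasq`, pass the result and /var/lib/dnsmasq/white.list to `apply_whitelist`, and let `install_blocklist` write /etc/dnsmasq.d/block.hosts.conf before restarting dnsmasq; because the install is atomic, a failed download leaves the previous block list in place instead of an empty one.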
A simple solution here is to set the VPN DNS servers to AdGuard's, at 176.103.130.130,176.103.130.131
from ikev2-setup.