
Comments (4)

GBH commented on May 13, 2024

Why not just install [PiHole](https://pi-hole.net/) and use it as DNS? Why would VPN be responsible for it?

from ikev2-setup.

Bougakov commented on May 13, 2024

@GBH, unfortunately, PiHole wouldn't reliably work with StrongSwan: pi-hole/pi-hole#2021

I hoped for a simpler hint (like "here is the path to file containing blacklisted hostnames that StrongSwan won't be establishing outgoing connections to"). That would be so much easier.


Bougakov commented on May 13, 2024

I ended up borrowing the adblocking mechanism from https://github.com/trailofbits/algo

StrongSwan uses a locally installed DNSmasq; here is my /etc/ipsec.conf, note the rightdns parameter (172.16.0.1). Also note that StrongSwan assigns VPN users IP addresses from the following pools: IPv4: 10.19.48.0/24, IPv6: fd9d:bc11:4020::/48.

```
config setup
	strictcrlpolicy=yes
	uniqueids=never
	charondebug="cfg 2, dmn 2, ike 2, net 2"
conn roadwarrior
	auto=add
	compress=no
	type=tunnel
	keyexchange=ikev2
	fragmentation=yes
	forceencaps=yes
	ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384!
	esp=aes256gcm16-sha256!
	dpdaction=clear
	dpddelay=35s
	rekey=no
	left=%any
	[email protected]
	leftcert=cert.pem
	leftsendcert=always
	leftsubnet=0.0.0.0/0,::/0
	right=%any
	rightid=%any
	rightauth=eap-mschapv2
	eap_identity=%any
	rightsendcert=never
	right=%any
	rightsourceip=10.19.48.0/24,fd9d:bc11:4020::/48
	rightdns=172.16.0.1
```

Here is my iptables configuration (/etc/iptables/rules.v4):

```
# Generated by iptables-save v1.6.1 on Sun Mar  4 16:52:20 2018
*filter
:INPUT DROP [2:104]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [16:5089]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name icmp-echo-drop -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -d 172.16.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 172.16.0.1/32 -p tcp -m multiport --dports 8080,8118 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 88 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
-A FORWARD -s 10.19.48.0/24 -m conntrack --ctstate NEW -m policy --dir in --pol ipsec -j ACCEPT
COMMIT
# Completed on Sun Mar  4 16:52:20 2018
# Generated by iptables-save v1.6.1 on Sun Mar  4 16:52:20 2018
*mangle
:PREROUTING ACCEPT [11453:14482861]
:INPUT ACCEPT [5513:9776070]
:FORWARD ACCEPT [5938:4706107]
:OUTPUT ACCEPT [6253:4976319]
:POSTROUTING ACCEPT [12183:9682115]
COMMIT
# Completed on Sun Mar  4 16:52:20 2018
# Generated by iptables-save v1.6.1 on Sun Mar  4 16:52:20 2018
*nat
:PREROUTING ACCEPT [232:26485]
:INPUT ACCEPT [90:7741]
:OUTPUT ACCEPT [186:12036]
:POSTROUTING ACCEPT [186:12036]
-A POSTROUTING -s 10.19.48.0/24 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Sun Mar  4 16:52:20 2018
```

Here is the IPv6 config (/etc/iptables/rules.v6):

```
# Generated by ip6tables-save v1.6.1 on Sun Mar  4 16:52:20 2018
*filter
:INPUT DROP [3:210]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [41:3434]
:ICMPV6-CHECK - [0:0]
:ICMPV6-CHECK-LOG - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name icmp-echo-drop --hashlimit-srcmask 32 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT
-A INPUT -d fcaa::1/128 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j ICMPV6-CHECK
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s fd9d:bc11:4020::/48 -m conntrack --ctstate NEW -m policy --dir in --pol ipsec -j ACCEPT
-A ICMPV6-CHECK -p ipv6-icmp -m hl ! --hl-eq 255 -m icmp6 --icmpv6-type 133 -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK -p ipv6-icmp -m hl ! --hl-eq 255 -m icmp6 --icmpv6-type 134 -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK -p ipv6-icmp -m hl ! --hl-eq 255 -m icmp6 --icmpv6-type 135 -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK -p ipv6-icmp -m hl ! --hl-eq 255 -m icmp6 --icmpv6-type 136 -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK-LOG -j LOG --log-prefix "ICMPV6-CHECK-LOG DROP "
-A ICMPV6-CHECK-LOG -j DROP
COMMIT
# Completed on Sun Mar  4 16:52:20 2018
# Generated by ip6tables-save v1.6.1 on Sun Mar  4 16:52:20 2018
*mangle
:PREROUTING ACCEPT [53:5647]
:INPUT ACCEPT [28:2034]
:FORWARD ACCEPT [19:2797]
:OUTPUT ACCEPT [41:3434]
:POSTROUTING ACCEPT [63:6441]
COMMIT
# Completed on Sun Mar  4 16:52:20 2018
# Generated by ip6tables-save v1.6.1 on Sun Mar  4 16:52:20 2018
*nat
:PREROUTING ACCEPT [1:80]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [7:646]
:POSTROUTING ACCEPT [7:646]
-A POSTROUTING -s fd9d:bc11:4020::/48 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Sun Mar  4 16:52:20 2018
```

The following script (/usr/local/sbin/adblock.sh) was added to crontab:

```sh
#!/bin/sh
# Block ads, malware, etc.
# Builds /etc/dnsmasq.d/block.hosts.conf from public hosts-format blocklists,
# plus a local blacklist, minus a local whitelist, then restarts dnsmasq.

TEMP="$(mktemp)"
TEMP_SORTED="$(mktemp)"
# Remove the temporary files however the script exits
trap 'rm -f "$TEMP" "$TEMP_SORTED"' EXIT INT TERM
DNSMASQ_WHITELIST="/var/lib/dnsmasq/white.list"
DNSMASQ_BLACKLIST="/var/lib/dnsmasq/black.list"
DNSMASQ_BLOCKHOSTS="/etc/dnsmasq.d/block.hosts.conf"
BLOCKLIST_URLS="http://winhelp2002.mvps.org/hosts.txt https://adaway.org/hosts.txt https://www.malwaredomainlist.com/hostslist/hosts.txt https://hosts-file.net/ad_servers.txt"

echo 'Downloading hosts lists...'
# Download and process the files needed to make the lists (enable/add more, if you want).
# Keep only "0.0.0.0 host" / "127.0.0.1 host" lines, drop localhost entries,
# strip CRs and emit just the hostname.
for url in $BLOCKLIST_URLS; do
  wget --timeout=2 --tries=3 -qO- "$url" | grep -Ev "(localhost)" | grep -Ew "(0.0.0.0|127.0.0.1)" | awk '{sub(/\r$/,"");print $2}' >> "$TEMP"
done

# Add black list, if non-empty
if [ -s "$DNSMASQ_BLACKLIST" ]
then
    echo 'Adding blacklist...'
    cat "$DNSMASQ_BLACKLIST" >> "$TEMP"
fi

# Sort the download/black lists into dnsmasq "local=/host/" entries (NXDOMAIN for that host)
awk '/^[^#]/ { print "local=/" $1 "/" }' "$TEMP" | sort -u > "$TEMP_SORTED"

# If every download failed, keep the existing block list instead of replacing it with nothing
if [ ! -s "$TEMP_SORTED" ]
then
    echo 'No entries downloaded; keeping the existing block list.' >&2
    exit 1
fi

# Delete the old block.hosts to make room for the updates
rm -f "$DNSMASQ_BLOCKHOSTS"

# Filter (if applicable)
if [ -s "$DNSMASQ_WHITELIST" ]
then
    # Filter the blacklist, suppressing whitelist matches
    # (whitelist entries are applied as unanchored regexes, so "example.com" also matches "badexample.com")
    # This is relatively slow =-(
    echo 'Filtering white list...'
    grep -v -E "^[[:space:]]*$" "$DNSMASQ_WHITELIST" | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - "$TEMP_SORTED" > "$DNSMASQ_BLOCKHOSTS"
else
    cat "$TEMP_SORTED" > "$DNSMASQ_BLOCKHOSTS"
fi

echo 'Restarting dnsmasq service...'
# Restart the dnsmasq service so it picks up the new block list
systemctl restart dnsmasq.service
```

Here is my /etc/dnsmasq.conf (please note that it binds the service to the same IP that is listed in StrongSwan's config):

```
bind-interfaces
conf-dir=/etc/dnsmasq.d
group=nogroup
listen-address=127.0.0.1,FCAA::1,172.16.0.1
# I use DNS provided by dns.yandex.ru (it blocks malware hosts), but feel free to use Google DNS or any other
server=77.88.8.2
server=77.88.8.88
user=nobody
```

To unblock certain hosts, add them to /var/lib/dnsmasq/white.list (one hostname per line).

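The whitelist step in the script above (`grep -vf -`) treats each whitelisted name as an unanchored regular expression, so allowing example.com also unblocks badexample.com. The following is an added example, not code from the thread or from the ikev2-setup project: it does the same hosts-to-dnsmasq conversion with exact-match whitelisting and basic hostname validation, run over a constructed sample list and a constructed whitelist.

```sh
#!/bin/sh
# Added example (not from the thread or ikev2-setup): convert hosts-format
# blocklist lines on stdin into dnsmasq "local=/<host>/" entries, applying the
# whitelist as exact hostname matches and dropping malformed names.
hosts_to_dnsmasq() {
    # $1 = whitelist file (one hostname per line, '#' comments allowed), optional
    whitelist="${1:-/dev/null}"
    awk -v wl="$whitelist" '
    BEGIN {   # load the whitelist into a set: lowercased, CR and comments stripped
        while ((getline line < wl) > 0) {
            sub(/\r$/, "", line); sub(/#.*/, "", line)
            if (line ~ /^[ \t]*$/) continue
            split(line, f); keep[tolower(f[1])] = 1
        }
    }
    { sub(/\r$/, ""); sub(/#.*/, "") }             # strip CR and trailing comments
    $1 == "0.0.0.0" || $1 == "127.0.0.1" {
        h = tolower($2)
        if (h == "localhost" || h == "localhost.localdomain") next
        # accept only dotted labels of letters, digits, "-" and "_"; anything else
        # (a slash, an empty field) would corrupt the generated dnsmasq config
        if (h !~ /^([a-z0-9_]([a-z0-9_-]*[a-z0-9_])?\.)+[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?$/) next
        if (h in keep) next                        # exact whitelist match only
        if (!(h in seen)) { seen[h] = 1; print "local=/" h "/" }
    }' | LC_ALL=C sort
}

# Constructed sample input (not a real list) covering the edge cases: a CR-terminated
# line, a whitelisted host, a superstring of it, localhost, a malformed name,
# a differently cased duplicate and an IPv6 localhost line.
demo_blocklist() {
    wl="$(mktemp)"
    printf '# allow this one\nexample.com\n' > "$wl"
    printf '%s\n' \
        '# sample hosts file' \
        '127.0.0.1 localhost' \
        '0.0.0.0 ads.example.net' \
        "0.0.0.0 tracker.example.org$(printf '\r')" \
        '0.0.0.0 example.com  # whitelisted' \
        '0.0.0.0 badexample.com' \
        '0.0.0.0 evil/host.example.net' \
        '0.0.0.0 ADS.example.net' \
        '::1 ip6-localhost' \
        | hosts_to_dnsmasq "$wl"
    rm -f "$wl"
}

demo_blocklist   # prints the three entries that survive
```

Note that badexample.com stays blocked here, whereas the thread's `grep -vf` whitelist filter would have unblocked it along with example.com.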

jawj commented on May 13, 2024

A simple solution here is to set the VPN DNS servers to AdGuard's, at 176.103.130.130,176.103.130.131

