Strongswan with routed interface gets no working DNS

Hi there, I had strongswan working without a separate interface. Since I had issues with interface switches (lan0 to wlan0 and vice versa) I now configured "route-based VPN". The steps I did:

create interface vpn0:
ip link add vpn0 type xfrm if_id 42

bring the interface up:
ip link set vpn0 up

in /etc/swanctl/swanctl.cfg I added:
if_id_in = 42
if_id_out = 42

The tunnel works. I can ping my company's servers (10.x.x.x and 192.x.x.x nets).

But I don't get the DNS to work properly.

resolvectl shows that the DNS servers have been added/linked to my vpn0 interface:

Link 6 (vpn0)
Current Scopes: none
Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 10.x.x.1 10.x.x.2 10.x.x.3

The only thing that bothers me is the output of “ip a” which shows the working vpn0 interface as “state UNKNOWN”.
#: ip a

6: vpn0@NONE: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet6 fe80::9e19:93da:bff7:4fa/64 scope link stable-privacy
valid_lft forever preferred_lft forever

I used wireshark to verify that my traffic actually is being routed over vpn0.

In /etc/strongswan.d/resolv.conf I set the vpn0 iface (iface = vpn0).

What am I doing wrong?

Thanks for any input on this

If you set a static route to your DNS servers to go down the interface you define, does it help?

How do I do that specifically? Have you got more information?

Like this?

ip route add 10.x.x.x/32 dev vpn0

It did not change a thing. It feels as if the DNS servers at vpn0 aren't being asked at all.

Yeah, but specify the exact IP of the DNS server in the command. It's class C, so hiding the IP doesn't do anything.

You are right, BUT as a matter of fact, by providing any IP of my company we might be identifiable. Maybe we don't want that?

Regarding the issue at hand, I could solve that problem entirely just by adding "any" IP address to the VPN interface. It seems that "resolvectl" does not use any interface that has not got an IP or the status "UP". The vpn0 interface still has the status "UNKNOWN", maybe because it's only a virtual interface.

I used "ip addr add 169.254.x.x dev vpn0" (127.x.x.x does not work, 192.x.x.x does). I have to add that I also had to add my company's search domains by hand with "resolvectl domain vpn0 ~ourdomain.tl ~subdomain.tl".
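The thread's steps and the fix from the last post, collected into one script as an added example (not the poster's own script). The 169.254.42.1/32 address is a constructed placeholder, and the DNS server IPs and search domains are left as variables you must set; `setup` and `apply` need root, the check function itself runs offline on captured `ip addr show` text.

```shell
#!/bin/sh
# Route-based strongSwan VPN (xfrm interface) and the systemd-resolved DNS fix.
set -eu

VPN_IF="${VPN_IF:-vpn0}"
XFRM_IF_ID="${XFRM_IF_ID:-42}"             # must match if_id_in/if_id_out in swanctl.cfg
VPN_ADDR="${VPN_ADDR:-169.254.42.1/32}"    # constructed placeholder link-local address

# Return 0 when `ip addr show dev $VPN_IF` output ($1) describes a link that
# resolved will actually query: the UP flag plus at least one IPv4 address.
# A lone fe80:: address is not enough; that is the state the poster saw.
link_usable_for_dns() {
  printf '%s\n' "$1" | grep -Eq '<([^>]*,)?UP(,[^>]*)?>' || return 1
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet [0-9]+\.' || return 1
}

# Create the route-based VPN interface exactly as described in the thread.
setup_xfrm_if() {
  ip link add "$VPN_IF" type xfrm if_id "$XFRM_IF_ID"
  ip link set "$VPN_IF" up
}

# The poster's fix: put an address on the link (only if it still lacks one),
# then attach the DNS servers and search domains to that link.
fix_vpn_dns() {
  : "${DNS_SERVERS:?space-separated DNS server IPs pushed by the VPN (placeholder)}"
  : "${SEARCH_DOMAINS:?space-separated domains such as '~example.test' (placeholder)}"
  link_usable_for_dns "$(ip addr show dev "$VPN_IF")" || ip addr add "$VPN_ADDR" dev "$VPN_IF"
  # word splitting of the two lists is intended
  resolvectl dns "$VPN_IF" $DNS_SERVERS
  resolvectl domain "$VPN_IF" $SEARCH_DOMAINS
}

# Constructed sample output modelled on the thread: before and after the fix.
SAMPLE_BEFORE='6: vpn0@NONE: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet6 fe80::9e19:93da:bff7:4fa/64 scope link stable-privacy
       valid_lft forever preferred_lft forever'
SAMPLE_AFTER="$SAMPLE_BEFORE
    inet 169.254.42.1/32 scope global vpn0
       valid_lft forever preferred_lft forever"

case "${1:-}" in
  setup) setup_xfrm_if ;;
  apply) fix_vpn_dns ;;
  *) echo "usage: $0 setup|apply" ;;
esac
```

Note that the interface stays in `state UNKNOWN` after the fix; what matters for resolved is the UP flag and an address, not that field.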
