If the clients route all their traffic to the server (i.e. with leftsubnet=0.0.0.0/0), you only have to make sure that the private services are reachable exclusively through the VPN. This is quite simple to achieve with strongSwan: accept IKE and IPsec traffic (and possibly SSH and any other protocols you want to expose) on the INPUT chain, and then set the chain's default policy to DROP. Add the ACCEPT rules first and flip the policy last, otherwise a remote session can lock you out of the host:
# allow ESP (IP protocol 50)
iptables -A INPUT -p 50 -j ACCEPT
# allow IKE
iptables -A INPUT -p udp --dport 500 -j ACCEPT
# allow NAT-T (IKE and ESP-in-UDP)
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# allow SSH and other protocols
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
...
# drop packets by default
iptables -P INPUT DROP
Then configure leftfirewall=yes and lefthostaccess=yes in ipsec.conf so that strongSwan's _updown script automatically inserts rules that allow your VPN clients to reach the server itself (leftfirewall=yes alone only opens the FORWARD chain). These rules use the IPsec policy matching module for iptables/Netfilter (-m policy), so they match only packets that actually arrived through an established IPsec SA; a packet from the same source address that did not traverse a tunnel is still dropped by the default policy. You can verify this after a client connects with iptables -S INPUT, where the inserted rules show up with --dir in --pol ipsec --proto esp.
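The following script is an added example and not part of the strongSwan wiki or distribution. It applies the INPUT rules above in a lock-out-safe order (rules first, DROP policy last) and also spells out, as plain iptables rules, roughly what the _updown script inserts for lefthostaccess=yes, so the effect of the -m policy match is visible. The SSH port, the client pool 10.10.0.0/16, the conntrack rule for return traffic and the IPT variable (set IPT=echo for a dry run) are assumptions of this example; the exact rules strongSwan inserts depend on your _updown script and connection parameters.

```shell
#!/bin/sh
# Added example: firewall for a strongSwan gateway whose clients tunnel all
# traffic (leftsubnet=0.0.0.0/0). Not from the strongSwan project.
# Assumptions: SSH on tcp/22, client virtual IP pool 10.10.0.0/16, xt_policy
# module available. Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"

# Static INPUT rules. Loopback and ESTABLISHED,RELATED are not in the wiki's
# list but are needed so that the host's own outbound connections still work
# once the default policy is DROP.
vpn_input_rules() {
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
}

# Roughly what leftfirewall=yes + lefthostaccess=yes make _updown insert for a
# connected client: only traffic that was decapsulated from an IPsec SA
# (matched by -m policy --pol ipsec) may reach the host, and replies are only
# allowed out if they will be encrypted. A spoofed packet from $1 that did not
# arrive through a tunnel fails the policy match and hits the DROP policy.
vpn_policy_rules() {
    subnet="${1:-10.10.0.0/16}"
    cat <<EOF
-I INPUT 1 -s $subnet -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-I OUTPUT 1 -d $subnet -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
}

# Apply the static rules, then flip the policy. Doing it in this order means a
# typo in a rule fails before the chain starts dropping your SSH session.
apply_rules() {
    vpn_input_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule || return 1
    done
    $IPT -P INPUT DROP
}

# Run "sh firewall.sh apply" (or IPT=echo sh firewall.sh apply) to use it.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

After a client is up, compare iptables -S INPUT against vpn_policy_rules: the rules strongSwan inserted should carry the same -m policy --dir in --pol ipsec --proto esp match, optionally narrowed by --reqid to one SA.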