Tuesday, April 2, 2019

Edgerouter IPSec Split Tunneling

Background

You have a server/network behind a Ubiquiti Edgerouter configured as an IPSec server.

You have an Android or ChromeOS device that you have configured to connect to the IPSec server and the allowed networks/devices behind it.

Definitions

There are essentially three types of configuration an admin or corporate security team might specify. Without knowing the exact terms myself, I'll call them:

1. Forced, no way out: all network traffic is sent through the VPN, but there is no way back out to the public internet.

2. Forced tunnel all: all network traffic is sent through the VPN, including all public internet access. This is what many VPN vendors are selling, and it is how some ISPs improve last-mile performance by compressing data.

3. Just the allowed networks: only packets destined for the allowed IPs and CIDRs are routed through the tunnel.

This is a bit frustrating because, unlike OpenVPN, there is no "push" from the server, so the client makes certain decisions about what goes where. While plenty of third-party companies describe #3, it seems that they own both the client and the server side.
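To make the three policies concrete, here is an added illustration (not from the original post, and not Edgerouter or Android code): a small model of how a client decides, per destination, whether a packet enters the tunnel, leaves via the local default route, or ends up with no route out. The allowed networks and the sample destinations are constructed for the example.

```python
# Added illustration of the three IPSec client policies described above.
# Not code from the post; the networks and destinations are constructed.
import ipaddress
from enum import Enum


class Mode(Enum):
    FORCED_NO_WAY_OUT = 1   # everything enters the tunnel; server has no public route
    FORCED_TUNNEL_ALL = 2   # everything enters the tunnel; server forwards to the internet
    ALLOWED_ONLY = 3        # split tunnel: only allowed networks enter the tunnel


# Assumed private networks behind the IPSec server (constructed sample).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def in_allowed(dst, allowed=ALLOWED_NETWORKS):
    """True if the destination address lies in one of the allowed networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed)


def route_decision(mode, dst, allowed=ALLOWED_NETWORKS):
    """Return 'tunnel', 'local' or 'blackhole' for one destination under a mode."""
    if mode is Mode.FORCED_TUNNEL_ALL:
        return "tunnel"                       # public internet reached via the server
    if mode is Mode.FORCED_NO_WAY_OUT:
        # The packet still enters the tunnel, but only allowed networks are reachable.
        return "tunnel" if in_allowed(dst, allowed) else "blackhole"
    if mode is Mode.ALLOWED_ONLY:
        # The client decides: only allowed networks use the tunnel, the rest bypasses it.
        return "tunnel" if in_allowed(dst, allowed) else "local"
    raise ValueError(f"unknown mode: {mode}")


def bypassing_tunnel(mode, destinations, allowed=ALLOWED_NETWORKS):
    """Destinations that never touch the tunnel; useful when auditing split tunnelling."""
    return [d for d in destinations if route_decision(mode, d, allowed) == "local"]


if __name__ == "__main__":
    sample = ["10.0.0.5", "192.168.1.9", "203.0.113.7"]   # constructed destinations
    for mode in Mode:
        print(mode.name, {d: route_decision(mode, d) for d in sample})
```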

Now what?

Ubiquiti says that all of these configurations are possible; however, they stop there and provide nothing more. ChromeOS hints at this functionality in its docs, but you have to pay to play. The stock Android IPSec client offers no hints at all.

UPDATE

The ERX is so incredibly buggy!!!
