[Swan] Possible to setup multiple connections, partly behind NAT?
Phil Nightowl
phil.nightowl at gmail.com
Fri Feb 9 01:12:46 EET 2024
> > > I would try 4.12.
> >
> > Can you tell me that this is not strictly required to make it work? Of
> > course, I am going to upgrade at some point - but it will make my life much
> > easier if I don't have to do it on all hosts involved and right now.
>
> No I can't without knowing a lot more and getting a lot more debug msgs,
> and tracking down where we solved bugs in older versions :)
Got it. I will proceed with currently installed versions anyway -
and keep in mind that some problems might arise as a result of this.
Along your advice, I changed the config files on host1.privlan (applicable
to any host on my 192.168.1.x except server.privlan). SSH access is fixed,
the config on host1.privlan does not use opportunistic encryption any longer
and works fine. Adding
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
did help. Could you please explain why it did and how? The man page doesn't
mention 0.0.0.0/0. On the other hand, it does say that "if
[leftsubnet/rightsubnet is] omitted, essentially assumed to be left/32,
signifying that the left end of the connection goes to the left participant
only" - which is exactly my case. So I am quite confused here.
Now for server.privlan. To begin with the easier part (SSH), to switch away
from opportunistic encryption I think I need
conn privlan-ssh
    type=passthrough
    left=%defaultroute
    auto=ondemand
    authby=never
    leftprotoport=tcp/22
    rightprotoport=tcp/%any
plus possibly(?)
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
However, I should add something instead of
right=%any
since I probably don't want to allow SSH from all hosts to get through. That
was actually my second reason to use opportunistic encryption. The man page
says that left/right accepts IPs, FQDNs and magic values. So I assume I
cannot use netmasks here. How can I (without opportunistic encryption)
select only certain hosts to pass SSH through? That is probably only a
specific form of a general question: how do I distinguish between different
configs with identical left participant (server) without listing each
individual right participant explicitly?
> Check your spam folder. Google enforced SPF/DKIM on all mail, as in they
> started refusing large amounts of emails. We did fix the libreswan lists
> to do this, so likely this is no longer happening to you.
For me, it seems that Google doesn't refuse the messages, but marks them as
spam anyway. As a result, fetchmail doesn't get to see them and after 30
days, they get deleted. A few messages make it (randomly) in the regular
inbox anyway, but approx. 5-15 per month.
Many thanks!
Phil
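As an added illustration (not part of this thread, and not the libreswan project's own configuration), two ways to write the passthrough exception for SSH so that it applies only to chosen peers rather than right=%any. The addresses and peer names are constructed; the right=%group form relies on libreswan's policy-group mechanism (one CIDR per line in /etc/ipsec.d/policies/<conn-name>) and is assumed to behave as documented rather than verified on the versions discussed here.

```ini
# Added example for server.privlan; constructed, not the poster's file.

# Variant 1: list each trusted peer explicitly, one conn per host.
# This is the form the man page describes (left/right take an IP or FQDN)
# and needs no subnet lines because the selector is just the two hosts.
conn privlan-ssh-host1
    type=passthrough
    authby=never
    auto=ondemand
    left=%defaultroute
    leftprotoport=tcp/22
    right=192.168.1.10            # constructed address for host1.privlan
    rightprotoport=tcp/%any

# Variant 2: keep one conn and read the allowed peers from a policy file.
# With right=%group libreswan instantiates this conn once for every
# network listed in /etc/ipsec.d/policies/privlan-ssh, so hosts are
# added or removed there without touching ipsec.conf.
conn privlan-ssh
    type=passthrough
    authby=never
    auto=ondemand
    left=%defaultroute
    leftprotoport=tcp/22
    right=%group
    rightprotoport=tcp/%any

# /etc/ipsec.d/policies/privlan-ssh (constructed contents, one CIDR per line):
#   192.168.1.10/32
#   192.168.1.0/24
```

Either variant is loaded with "ipsec auto --add <conn-name>" (or a full restart). The security point in both is the same: the exception from encryption is scoped to named peers and to TCP port 22 on the server only, so SSH from other hosts still falls under whatever IPsec policy otherwise applies, and a host that should no longer be exempt is removed by deleting one conn or one policy-file line.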