bypass-lan Plugin

Purpose

The bypass-lan plugin for libcharon automatically installs and updates passthrough/bypass policies for locally attached subnets. This is useful for mobile hosts that are used in different networks and want to access local devices in these networks (e.g. printers or a NAS) while connected to a VPN that would otherwise cover that traffic too (e.g. if the remote traffic selector is 0.0.0.0/0).

The plugin is disabled by default and can be enabled with the ./configure option

--enable-bypass-lan

Behavior

When the plugin is initialized it enumerates all enabled interfaces (see below) and installs passthrough/bypass policies for the subnets that are attached directly to these interfaces. Whenever interfaces, addresses or routes change, the local subnets are enumerated again and, if necessary, policies are added and/or removed.

The plugin's default behavior is incompatible with route-based VPNs, so you might have to disable it or restrict it to specific interfaces (see below).

Configuration

By default, the bypass-lan plugin considers all interfaces. To restrict it to selected interfaces only, the following options may be used in the charon.plugins.bypass-lan section of strongswan.conf:

Key                 Default   Description
interfaces_ignore             A comma-separated list of network interfaces for which connected subnets should be ignored. If interfaces_use is specified, this option has no effect.
interfaces_use                A comma-separated list of network interfaces for which connected subnets should be considered. All other interfaces are ignored.
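The following Python model (added here as an illustration, not the plugin's own code) shows the two selection rules above applied to a constructed host: interfaces_use overrides interfaces_ignore, a route-based VPN's tunnel interface (hypothetical name ipsec0) would otherwise have its subnet bypassed, and a re-enumeration after an address change yields the policies to add and remove. It simplifies by treating each interface address's network as the connected subnet; interface names and addresses are made up.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    """A network interface with its configured addresses in CIDR notation."""
    name: str
    addresses: tuple


def parse_list(value):
    """Split a comma-separated strongswan.conf list into a set of interface names."""
    return {item.strip() for item in value.split(",") if item.strip()}


def selected_interfaces(interfaces, interfaces_use="", interfaces_ignore=""):
    """Selection rules: if interfaces_use is set it alone decides and
    interfaces_ignore has no effect; otherwise every interface not listed
    in interfaces_ignore is considered."""
    use = parse_list(interfaces_use)
    if use:
        return [i for i in interfaces if i.name in use]
    ignore = parse_list(interfaces_ignore)
    return [i for i in interfaces if i.name not in ignore]


def local_subnets(interfaces, **options):
    """Connected subnets that would get bypass policies, as CIDR strings."""
    return frozenset(
        str(ipaddress.ip_interface(addr).network)
        for iface in selected_interfaces(interfaces, **options)
        for addr in iface.addresses
    )


def policy_changes(installed, current):
    """After an interface/address/route change: (policies to add, policies to remove)."""
    return sorted(current - installed), sorted(installed - current)


# Constructed sample host: wired LAN, Wi-Fi and a hypothetical XFRM interface
# "ipsec0" whose connected subnet is the remote network of a route-based VPN.
SAMPLE = (
    Interface("eth0", ("192.168.1.23/24",)),
    Interface("wlan0", ("10.0.0.5/24",)),
    Interface("ipsec0", ("10.10.0.2/24",)),
)

if __name__ == "__main__":
    print(sorted(local_subnets(SAMPLE)))                            # VPN subnet bypassed too
    print(sorted(local_subnets(SAMPLE, interfaces_ignore="ipsec0")))  # tunnel excluded
    moved = (SAMPLE[0], Interface("wlan0", ("172.16.5.9/24",)), SAMPLE[2])
    print(policy_changes(local_subnets(SAMPLE, interfaces_ignore="ipsec0"),
                         local_subnets(moved, interfaces_ignore="ipsec0")))
```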