I have a strongSwan IPsec VPN configured on my Ubuntu 22.04.4 LTS server. The VPN starts up and connects to the primary interface (eno1) successfully.
Using qBittorrent, I bind to the IP Address that is assigned to the VPN connection so that torrent traffic is directed through the VPN. (I don't send any other network traffic through the VPN.) This works successfully so that if the VPN drops, the torrent traffic is halted.
The issue is that upon reconnection, I may get assigned a different IP address by the VPN. And so the torrent traffic never resumes.
I was hoping to solve this by setting up a tun interface (tun0) and having the VPN connect directly to that interface. Then I could have qBittorrent always stay connected to the tun0 interface rather than a specific IP address.
But I can't get data to flow through the VPN connected to the tun0 interface. Any assistance would be appreciated.
Here's what I have so far:
```
sudo tunctl -t tun0          # create tun0 interface
sudo ip link set tun0 up     # enable tun0 interface
```

Edit /etc/strongswan.d/vtun.conf:

```
charon {
    install_routes = no
    install_virtual_ip_on = tun0    # Connect VPN to tun0 interface
    if_id_in = 1
    if_id_out = 1
    remote_ts = 10.128.0.0/16
}
```

Restart VPN:

```
sudo ipsec down vpn-ca-torrent   # shut down VPN
sudo ipsec restart               # restart ipsec
sudo ipsec up vpn-ca-torrent     # start VPN
```

VPN is now connected to tun0:

```
> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
       valid_lft 84935sec preferred_lft 84935sec
    inet6 fe80::9a90:96ff:fec0:1b8c/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
```

I now connect qBittorrent to the tun0 interface, but no data flows.
Here is additional information:
```
> sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
```

```
> cat /etc/ipsec.conf
conn vpn-ca-torrent
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    [email protected]
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=ca-tr.vpnunlimitedapp.com
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=ironnodes.com
    type=tunnel
    auto=add
    leftupdown=/usr/lib/ipsec/_updown
```

```
> ip r
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
192.168.0.0/24 dev eno1 proto static
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
192.168.0.1 dev eno1 proto dhcp scope link src 192.168.0.5 metric 100
```

```
> resolvectl
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eno1)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1

Link 3 (tun0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
```

UPDATE:
I've added the changes as suggested:
/etc/strongswan.d/vtun.conf:
```
charon {
    install_routes = no
    install_virtual_ip_on = tun0
    if_id_in = 1
    if_id_out = 1
    remote_ts = 10.128.0.0/16
    leftfirewall=yes
    leftsourceip=%config
    leftsubnet=10.128.0.2/32
    rightsubnet=10.128.0.0/16
}
```

Once the VPN comes up and attaches to the tun0 interface I add a route to the assigned IP:

```
sudo ip route add 10.128.0.0/16 dev tun0 via 10.128.0.XX
```
I can ping the remote IP at 10.128.0.XX, but qBittorrent still cannot send traffic over it.
When I look through the charon logs, I see these errors:
```
11[IKE] scheduling reauthentication in 9950s
11[IKE] maximum IKE_SA lifetime 10490s
11[IKE] adding DNS server failed
11[IKE] adding DNS server failed
11[CFG] handling INTERNAL_IP4_DNS attribute failed
11[IKE] installing new virtual IP 10.128.0.2
11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
11[IKE] CHILD_SA vpn-ca-torrent{3} established with SPIs ca04de43_i ce23bdaf_o and TS 10.128.0.2/32 === 0.0.0.0/0
```

ip r:

```
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
10.128.0.0/16 via 10.128.0.2 dev tun0 linkdown
192.168.0.0/24 dev eno1 proto static
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
192.168.0.1 dev eno1 proto dhcp scope link src 192.168.0.5 metric 100
```

ip a:

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
       valid_lft 66730sec preferred_lft 66730sec
    inet6 fe80::9a90:96ff:fec0:1b8c/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
```
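The root problem described at the top of the post is that the virtual IP can change on reconnect while qBittorrent stays bound to the old address. The poster's ipsec.conf already runs `leftupdown=/usr/lib/ipsec/_updown` on every tunnel up/down event, and that hook receives the newly assigned virtual IP in its environment, so one way to keep qBittorrent bound to whatever address the gateway hands out is a small wrapper that re-points qBittorrent through its Web UI and then chains to the stock script. The following is an added example, not code from the original post or from strongSwan or qBittorrent; it assumes a qBittorrent Web UI on `http://127.0.0.1:8080` with the credentials shown, and that `current_interface_address` is the Web UI preference key for the bound address (both are assumptions, as are the environment variable names `PLUTO_VERB` and `PLUTO_MY_SOURCEIP4_1`/`PLUTO_MY_SOURCEIP`, which strongSwan's updown plugin exports).

```python
#!/usr/bin/env python3
"""Added example (not from the original post): a strongSwan updown wrapper that
re-points qBittorrent at the virtual IP just assigned to the tunnel, then chains
to the stock /usr/lib/ipsec/_updown so routes and firewall rules are still handled.

Assumed (not stated in the post): Web UI address, credentials, and the
"current_interface_address" preference key.
"""
import http.cookiejar
import ipaddress
import json
import os
import sys
import urllib.parse
import urllib.request

QBT_URL = "http://127.0.0.1:8080"        # assumed Web UI address
QBT_USER = "admin"                       # assumed credentials
QBT_PASS = "change-me"
STOCK_UPDOWN = "/usr/lib/ipsec/_updown"  # the script the post's ipsec.conf already uses


def decide(env):
    """Translate the updown environment into a qBittorrent preference change.

    strongSwan exports PLUTO_VERB ("up-client", "down-client", ...) and the
    assigned virtual IP in PLUTO_MY_SOURCEIP4_1 (older builds: PLUTO_MY_SOURCEIP).
    Returns the preferences to apply on an "up-*" event, or None when nothing
    should change. On "down-*" the address disappears from the host anyway, which
    already stalls the torrent traffic, so no change is made.
    """
    verb = env.get("PLUTO_VERB", "")
    if not verb.startswith("up-"):
        return None
    vip = env.get("PLUTO_MY_SOURCEIP4_1") or env.get("PLUTO_MY_SOURCEIP") or ""
    try:
        addr = ipaddress.ip_address(vip)
    except ValueError:
        return None  # no (or malformed) virtual IP: leave qBittorrent alone
    if addr.version != 4:
        return None
    return {"current_interface_address": str(addr)}


def set_preferences(prefs, opener=None):
    """Log in to the Web UI and apply prefs via /api/v2/app/setPreferences."""
    if opener is None:
        jar = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    headers = {"Referer": QBT_URL}  # the Web UI refuses logins without a Referer/Origin
    login = urllib.parse.urlencode({"username": QBT_USER, "password": QBT_PASS}).encode()
    req = urllib.request.Request(QBT_URL + "/api/v2/auth/login", data=login, headers=headers)
    with opener.open(req, timeout=5) as resp:
        if resp.read().strip() != b"Ok.":
            raise RuntimeError("qBittorrent Web UI login failed")
    body = urllib.parse.urlencode({"json": json.dumps(prefs)}).encode()
    req = urllib.request.Request(QBT_URL + "/api/v2/app/setPreferences", data=body, headers=headers)
    with opener.open(req, timeout=5) as resp:
        return resp.status


def main():
    prefs = decide(os.environ)
    if prefs is not None:
        try:
            set_preferences(prefs)
        except Exception as exc:  # never block the tunnel because qBittorrent is down
            print("qbt-updown: %s" % exc, file=sys.stderr)
    # Chain to the stock script with the same environment so its work still happens.
    os.execv(STOCK_UPDOWN, [STOCK_UPDOWN])


if __name__ == "__main__":
    main()
```

To use it, install the script somewhere like `/usr/local/sbin/qbt-updown.py` (a hypothetical path), make it executable, and point the conn's `leftupdown=` at it instead of `/usr/lib/ipsec/_updown`; `leftsourceip=%config` already requests the virtual IP that the hook reads. Because the wrapper only changes the bound address on `up-*` events, a dropped tunnel still halts torrent traffic exactly as the post describes, and a reconnect with a new address resumes it.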