Tools: Full-Tunnel IPsec VPN for Remote Workers: StrongSwan Config, Split vs Full Tunnel, and Gateway Security Stack - 2025 Update


Most remote work VPN deployments use split tunneling: only traffic destined for internal corporate IP ranges goes through the VPN tunnel; direct internet traffic bypasses it. This is the wrong default for security. Here is why, and how to configure full-tunnel mode correctly.

Split tunnel vs full tunnel: the security difference

In split-tunnel mode, a remote worker's web browsing bypasses the office gateway entirely. Gateway antivirus, URL filtering, and traffic logging do not apply. The worker's laptop connects to the office for file access and connects directly to the internet for everything else — with only endpoint security between them and web-borne threats.

```
Remote device → [VPN tunnel]      → Internal resources (192.168.1.0/24)
Remote device → [Direct internet] → Web browsing (no gateway inspection)
```

Full-tunnel mode routes all traffic through the gateway. The remote worker gets the same gateway-level protections as an on-site employee.

```
Remote device → [VPN tunnel] → Gateway → Web browsing (gateway inspection)
Remote device → [VPN tunnel] → Gateway → Internal resources
```

StrongSwan IKEv2 configuration for full tunnel

```
# /etc/ipsec.conf
conn remote-workers
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.com      # reconstructed (value was obfuscated in the source); must match the server certificate's SAN
    leftcert=server.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0         # ← Full tunnel: route ALL traffic through VPN
    leftfirewall=yes
    right=%any
    rightauth=pubkey
    rightsourceip=10.8.0.0/24    # Virtual IP pool for remote workers
    rightdns=10.8.0.1            # Internal DNS resolver
    ike=aes256-sha256-ecp256!
    esp=aes256-sha256!
    dpdaction=restart
    dpddelay=30s
    auto=add
```

The critical line is leftsubnet=0.0.0.0/0. It makes strongSwan propose a 0.0.0.0/0 traffic selector to the client, so the client installs a default route through the tunnel: all traffic, not just traffic to internal subnets, routes through the VPN.

Traffic selectors for full tunnel

In IKEv2, traffic selectors (TS) define which traffic flows through the SA. For full tunnel:

```
leftsubnet=0.0.0.0/0
TSi (initiator): 0.0.0.0/0   (all traffic from client)
TSr (responder): 0.0.0.0/0   (to anywhere)
```

On the client, the resulting routing table looks like this:

```
default via 10.8.0.1 dev tun0    # All internet traffic → VPN tunnel
10.8.0.0/24 via tun0             # VPN subnet direct
192.168.1.0/24 via tun0          # Internal LAN
```

Gateway forwarding for VPN traffic

The gateway must forward VPN client traffic to the internet and apply the same inspection stack as local clients:

```sh
# Enable IP forwarding (runtime only; persist with net.ipv4.ip_forward=1 in sysctl.conf)
echo 1 > /proc/sys/net/ipv4/ip_forward

# NAT VPN traffic to external interface
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Redirect VPN client HTTP through proxy (same as LAN clients)
iptables -t nat -A PREROUTING -s 10.8.0.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128

# VPN clients subject to same FORWARD rules as LAN clients
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
```

Client profile generation

For iOS/macOS (native IKEv2):

```xml
<!-- mobileconfig excerpt -->
<key>VPNType</key>
<string>IKEv2</string>
<key>RemoteAddress</key>
<string>vpn.example.com</string>
<key>RemoteIdentifier</key>
<string>vpn.example.com</string>
<key>LocalIdentifier</key>
<string>user@example.com</string>   <!-- placeholder: the identity in the client certificate -->
<key>PayloadCertificateUUID</key>
<string><!-- UUID of client cert payload --></string>
<!-- IPv4 routing: send all traffic through VPN -->
<key>IPv4</key>
<dict>
    <key>OverridePrimary</key>
    <integer>1</integer>   <!-- Full tunnel -->
</dict>
```

For Windows (PowerShell):

```powershell
Add-VpnConnection -Name "Work VPN" `
    -ServerAddress "vpn.example.com" `
    -TunnelType IKEv2 `
    -AuthenticationMethod MachineCertificate `
    -SplitTunneling:$false   # ← Full tunnel: route all traffic (SplitTunneling is a switch; leaving it off also gives full tunnel)
```

What the remote worker gets

With full-tunnel mode and a properly configured gateway:

- Web traffic scanned by gateway antivirus (same as office)
- URL filtering applied (same categories and policies as office)
- Traffic logged at gateway (same visibility as office)
- Internal resources accessible as if on-site

The home network becomes a transport layer. Everything meaningful happens at the gateway.

CacheGuard implements this: IKEv2 VPN with StrongSwan in full-tunnel mode, integrated with the gateway antivirus, URL filtering, and logging stack. Client profiles generated for all major platforms through the web interface. → https://www.cacheguard.com/network-security-for-remote-workers/
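A small audit of the leftsubnet and rightdns settings discussed above, added here as an example and not part of the original post or of CacheGuard: it parses an ipsec.conf, classifies each conn as full, split or host-only tunnel, and flags conns whose clients would bypass the gateway stack. The conn names in the embedded sample are constructed, and the parser deliberately skips `conn %default` merging.

```python
import ipaddress
import re

# Constructed sample (hypothetical conn names): the page's full-tunnel conn beside a split-tunnel one without rightdns.
SAMPLE_IPSEC_CONF = """
conn remote-workers
    leftsubnet=0.0.0.0/0            # full tunnel
    rightdns=10.8.0.1               # internal resolver
conn legacy-split
    leftsubnet=192.168.1.0/24,10.0.0.0/8
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {option: value}} for each conn section (no %default merging)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and padding
        m = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if m:   # a new section; only 'conn' sections are collected
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def tunnel_mode(opts):
    """'full' if any leftsubnet entry is a /0, 'split' otherwise, 'host' if unset."""
    subnets = opts.get("leftsubnet")
    if not subnets:
        return "host"   # strongSwan then selects only the gateway address itself
    for entry in subnets.split(","):
        cidr = entry.strip().split("[", 1)[0]      # strip any [proto/port] suffix
        try:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                return "full"
        except ValueError:
            pass                                   # e.g. %dynamic: not a CIDR
    return "split"

def audit(text):
    """Map each conn to (mode, issues); non-full mode or missing rightdns is an issue."""
    findings = {}
    for name, opts in parse_ipsec_conf(text).items():
        mode, issues = tunnel_mode(opts), []
        if mode != "full":
            issues.append("client internet traffic bypasses the gateway inspection stack")
        if "rightdns" not in opts:
            issues.append("no rightdns: clients keep their local DNS resolver")
        findings[name] = (mode, issues)
    return findings
```

Run `audit(open("/etc/ipsec.conf").read())` on the gateway to list every remote-access conn that is not actually full tunnel.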