OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: gctwnl on November 26, 2022, 02:28:03 PM

Title: SOLVED: Giving each mobile VPN device its own LAN IP
Post by: gctwnl on November 26, 2022, 02:28:03 PM
I am migrating from EdgeMax/EdgeOS to OPNsense (so, newbie at OPNsense).

In my EdgeOS setup I have an IPsec/L2TP setup for a couple of devices (macOS) that can connect to my LAN. The EdgeOS setup has an IP pool (which is outside the LAN DHCP pool), and I can set a static IP address for each user inside that pool as well. Each user has their own password and they share the secret key.

This way, these individual VPN connections each get an internal static IP in my LAN when they connect their VPN. This enables me to have very specific firewall rules for each user (device).

Given that the users are non-technical and at a large distance, I need to move them over to OPNsense as is, before I can build a better setup that I then can remotely configure for them on their macOS device.

So, I want to recreate that setup, but after reading the documentation and searching I haven't found a way to do that. Is it possible? It seems like a standard L2TP/IPsec setup, but the documentation seems not to handle it.

Title: Re: Giving each mobile VPN device its own LAN IP
Post by: gctwnl on December 03, 2022, 04:01:09 AM
This is doable using EAP+IKEv2+FreeRADIUS

I was able to get IKEv2 EAP-RADIUS to work with iOS with all traffic over the VPN without a .mobileconfig file and macOS/iOS devices where each device gets its own IP based on the RADIUS User info. The key elements were:

On the device (macOS, iOS) make sure the certificate and the 'certificate authority' certificate are installed. Make sure in macOS that they are trusted.
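The per-device address assignment described in the reply above comes from the RADIUS side: each user entry in FreeRADIUS carries a `Framed-IP-Address` reply attribute, and the IKEv2 responder hands that address to the client as its virtual IP. The block below is an added example, not code from the thread or from OPNsense/FreeRADIUS. It embeds a constructed FreeRADIUS-style `users` file fragment (placeholder passwords, example addresses) and audits it the way a practitioner would before relying on per-user firewall rules: every user must have a `Framed-IP-Address`, the address must sit inside the LAN, inside the VPN pool, outside the LAN DHCP pool, and must not be shared with another user, since a duplicate or an address inside the DHCP range silently breaks the "one rule per device" model. The LAN, DHCP pool and VPN pool ranges are assumptions chosen for the example.

```python
import ipaddress
import re

# Constructed FreeRADIUS-style "users" file fragment (example data, not from the post).
# First line of each entry: check items; following lines: reply items, comma-separated,
# last reply item without a trailing comma. Passwords are placeholders.
USERS_FILE = """\
alice   Cleartext-Password := "alice-pass-placeholder"
        Framed-IP-Address = 192.168.1.201,
        Framed-IP-Netmask = 255.255.255.255

bob     Cleartext-Password := "bob-pass-placeholder"
        Framed-IP-Address = 192.168.1.202,
        Framed-IP-Netmask = 255.255.255.255

carol   Cleartext-Password := "carol-pass-placeholder"
        Framed-IP-Address = 192.168.1.202,
        Framed-IP-Netmask = 255.255.255.255

dave    Cleartext-Password := "dave-pass-placeholder"
        Framed-IP-Address = 192.168.1.150,
        Framed-IP-Netmask = 255.255.255.255
"""

# Assumed addressing plan for the example: VPN pool lies inside the LAN but
# outside the range the LAN DHCP server hands out.
LAN = ipaddress.ip_network("192.168.1.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.1.100"), ipaddress.ip_address("192.168.1.199"))
VPN_POOL = (ipaddress.ip_address("192.168.1.200"), ipaddress.ip_address("192.168.1.219"))

FRAMED_IP_RE = re.compile(r"^\s*Framed-IP-Address\s*=\s*([0-9.]+)")


def parse_users(text):
    """Return {username: Framed-IP-Address or None} from a users-file fragment.

    Entries are separated by blank lines; the username is the first token of
    the entry's first line.
    """
    result = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name = lines[0].split()[0]
        ip = None
        for line in lines[1:]:
            m = FRAMED_IP_RE.match(line)
            if m:
                ip = ipaddress.ip_address(m.group(1))
        result[name] = ip
    return result


def audit(users):
    """Return a list of (user, problem) findings; an empty list means the plan is consistent."""
    findings = []
    seen = {}  # address -> first user that claimed it
    for user, ip in users.items():
        if ip is None:
            findings.append((user, "no Framed-IP-Address"))
            continue
        if ip not in LAN:
            findings.append((user, "address outside LAN"))
        elif DHCP_POOL[0] <= ip <= DHCP_POOL[1]:
            findings.append((user, "address inside DHCP pool"))
        elif not (VPN_POOL[0] <= ip <= VPN_POOL[1]):
            findings.append((user, "address outside VPN pool"))
        if ip in seen:
            findings.append((user, f"duplicate of {seen[ip]}"))
        else:
            seen[ip] = user
    return findings


if __name__ == "__main__":
    for user, problem in audit(parse_users(USERS_FILE)):
        print(f"{user}: {problem}")
```

Running it against the embedded fragment reports carol as a duplicate of bob and dave as sitting inside the DHCP pool; the other two entries pass. Point the script at the real `users` file and adjust the three range constants to your own plan to reuse it.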