After weeks of testing, with still a few unanswered areas, I finally have a stable 24/7 setup guide that has been in testing for days now. Thought I would share with all the users who have helped me. Here is the setup guide.
These are the complete settings I used for a working 24/7 VPN connection to a Native Windows 10 client.
Any setting not mentioned here is the default. Variations may work, use at your own risk.
For this example, my firewall LAN is 192.168.150.0/24, remote LAN is 192.168.1.0/24, FQDN is firewall.opnsense.com, hostname is firewall.
Substitute my firewall subnet and FQDN with yours.
The firewall LAN will be providing the data to the remote VPN users. I assume you know how to set up shares.
Best to have firewall and remote on different subnets, which is why I chose a rarely used local subnet for the firewall.
Install Certificate Trust>Authorities
Descriptive Name: VPN-ca (name can be anything)
Method: Create internal Certificate Authority
Digest Algorithm: SHA256
Lifetime: 3650 (I used 10 years, can be any length)
Country Code: (Fill in this and the rest with your info)
Common Name: VPN-ca
This is the cert to be exported for import to the Windows client
Install Certificate Trust>Certificates
Method: Create internal Certificate Authority
Descriptive Name: VPN
Certificate Authority: VPN-ca
Type: Server Certificate
Digest Algorithm: SHA256
Lifetime: 3650
Common Name: firewall (use your hostname)
Alternative Names: Type: DNS Value: firewall.opnsense.com (Use your FQDN)
Go to VPN>IPsec>Mobile Clients
Enable - checked - check to enable mobile clients
User Authentication - Local Database
Group Authentication - none
Virtual Address Pool - (Enter the IP range for the remote VPN clients, ie 10.4.4.0/24)
DNS Default Domain - checked - firewall.opnsense.com (Use your FQDN)
DNS Servers - 1.1.1.1 - 8.8.8.8 (plus any from your ISP)
Phase 2 PFS Group - 14 (2048 bits)
Login Banner - Welcome users (Can be anything, Optional)
Save
Create Phase1
Phase 1 Mobile Clients
Phase 1 General information
Connection method - default
Key Exchange version - V2
Internet Protocol - IPv4
Interface - WAN
Description - MobileIPsec
Phase 1 proposal (Authentication)
Authentication method - EAP-MSCHAPv2
My identifier - Distinguished Name - firewall.opnsense.com (Use your FQDN)
My Certificate - VPN
Phase 1 proposal (Algorithms)
Encryption algorithm - AES-256
Hash algorithm - SHA256
DH key group - 14 (2048 bits)
Lifetime - 28800
Advanced Options
Install policy - checked
NAT Traversal - Enable
Close Action - None
Unique - Replace
Dead Peer Detection - 45 seconds - 5 Retries - Restart the tunnel
Keyingtries - 10
Save your settings.
Phase 2 Mobile Clients
Press the button + in front of the phase 1 entry to add a new phase 2.
General information
Mode - Tunnel IPv4
Description - MobileIPsecP2
Local Network
Local Network - Address - 192.168.150.0/24
Phase 2 proposal (SA/Key Exchange)
Protocol - ESP
Encryption algorithms - AES256
Hash algorithms - SHA256
PFS Key group - off
Lifetime - 3000 sec
Create 2nd Phase 2 same as previous Phase 2 except
Local Network - Network - (same as Virtual Address Pool above, ie. 10.4.4.0/24)
Enable IPsec and Save
Restart IPsec Service
Advanced Settings
Disable Auto-added VPN Rules - Disable (Checked) - Optional, if disabled, use rules below
Rules to add if Auto-added rules are disabled - add to WAN (Firewall>Rules>WAN)
1. Protocol: ESP Destination: WAN address (IPsec ESP)
2. Protocol: UDP Destination: WAN address Dest Port: 500 (IPsec ISAKMP)
3. Protocol: UDP Destination: WAN address Dest Port: 4500 (IPsec NAT-T)
Passthrough networks - (Add all local and remote/peer LAN networks here)
Add this rule in Firewall>Rules>IPsec
IPV4* * * LAN.net * * *
Add IPsec Users
Go to VPN>IPsec>Pre-Shared Keys and press Add.
Local Identifier - (VPN Username to use in client)
Remote Identifier - (VPN Username to use in client)
Pre-Shared Key - (VPN password to use in client)
Type - EAP
Save to apply.
Setup Windows Client
Get exported CA cert (VPN-ca.crt) from OPNsense and copy to Temp folder
Run PowerShell as admin on the Windows client
cd /temp
run the following (Use your FQDN instead of firewall.opnsense.com and your VPN Name instead of VPN)
Import-Certificate -FilePath "VPN-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root\
Add-VpnConnection -Name "VPN" -TunnelType "Ikev2" -RememberCredential -EncryptionLevel Required `
-ServerAddress firewall.opnsense.com -DnsSuffix "firewall.opnsense.com" -PassThru
Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN" `
-EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
-CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 -PfsGroup PFS2048 `
-PassThru -Force
Set-VpnConnection -Name "VPN" -SplitTunneling $True
Add-VpnConnectionRoute -Name "VPN" -DestinationPrefix 192.168.150.0/24
To view existing routes run in PS - (Get-VpnConnection -ConnectionName 'VPN').Routes
To view the configuration run in PS - Get-VpnConnection -ConnectionName 'VPN'
When starting Windows VPN client, Username and Password (above) will be required only for the first time you connect.
Of course you need to setup shares on the firewall side that the remote peers can get to.
If you want to share entire disks, make sure that the server allows direct paths (C$, D$, etc.):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DWORD(32 bit): LocalAccountTokenFilterPolicy = 1
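As an added example that is not part of the original post (and not OPNsense's or Microsoft's own script), here is the Windows client side of the guide as one PowerShell script that can be re-run safely and ends by checking what was actually applied. The connection name, FQDN, CA file name and firewall LAN prefix are the post's values; the CA thumbprint is a placeholder you must replace with the value shown for VPN-ca under Trust>Authorities; the function names are mine.

```powershell
# Added example (not from the original post): Windows 10 IKEv2 client setup for
# the OPNsense mobile IPsec configuration described above, written so it can be
# re-run safely and ends by verifying the settings that were applied.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Config = @{
    Name         = 'VPN'                          # connection name used in the post
    Server       = 'firewall.opnsense.com'        # FQDN from the post; must equal the server cert's DNS SAN
    CaPath       = 'C:\Temp\VPN-ca.crt'           # CA exported from OPNsense Trust>Authorities
    CaThumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT'  # placeholder: copy the VPN-ca thumbprint from OPNsense
    RemoteLan    = '192.168.150.0/24'             # firewall LAN from the post, reached through the tunnel
}

function Install-TrustedCa {
    param([string]$Path, [string]$ExpectedThumbprint)
    # Anything imported into LocalMachine\Root is trusted system-wide, so the
    # file's thumbprint is compared with the one read off OPNsense before import.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "CA thumbprint $($cert.Thumbprint) does not match expected value $expected"
    }
    $present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $present) {
        Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }
    return $cert.Thumbprint
}

function Install-IkeV2Connection {
    param([hashtable]$C)
    # Add-VpnConnection refuses an existing name, so an old copy is removed first.
    if (Get-VpnConnection -Name $C.Name -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $C.Name -Force
    }
    Add-VpnConnection -Name $C.Name -ServerAddress $C.Server -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential `
        -DnsSuffix $C.Server -SplitTunneling | Out-Null
    # Proposal mirrors the post's phase 1/phase 2: AES-256, SHA-256, DH group 14 (2048 bits).
    Set-VpnConnectionIPsecConfiguration -ConnectionName $C.Name `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
        -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
        -PfsGroup PFS2048 -Force | Out-Null
    # Split tunnel: only the firewall LAN is routed through the VPN.
    Add-VpnConnectionRoute -ConnectionName $C.Name -DestinationPrefix $C.RemoteLan | Out-Null
}

function Test-IkeV2Connection {
    param([hashtable]$C)
    # Returns the mismatches between the live connection and $C; an empty list means OK.
    $vpn = Get-VpnConnection -Name $C.Name
    $pol = $vpn.IPsecCustomPolicy
    $issues = @()
    if ("$($vpn.TunnelType)" -ne 'Ikev2')  { $issues += "TunnelType is $($vpn.TunnelType)" }
    if ($vpn.ServerAddress -ne $C.Server) { $issues += "ServerAddress is $($vpn.ServerAddress)" }
    if (-not $vpn.SplitTunneling)         { $issues += 'SplitTunneling is off (all traffic would use the tunnel)' }
    if (-not $pol) {
        $issues += 'no custom IPsec policy applied'
    } elseif ("$($pol.EncryptionMethod)" -ne 'AES256' -or "$($pol.DHGroup)" -ne 'Group14' -or "$($pol.PfsGroup)" -ne 'PFS2048') {
        $issues += "IPsec policy is $($pol.EncryptionMethod)/$($pol.IntegrityCheckMethod)/$($pol.DHGroup)/$($pol.PfsGroup)"
    }
    if (-not ($vpn.Routes | Where-Object { $_.DestinationPrefix -eq $C.RemoteLan })) {
        $issues += "route for $($C.RemoteLan) is missing"
    }
    return ,$issues
}

$thumb  = Install-TrustedCa -Path $Config.CaPath -ExpectedThumbprint $Config.CaThumbprint
Install-IkeV2Connection -C $Config
$issues = Test-IkeV2Connection -C $Config
if ($issues.Count -eq 0) {
    Write-Host "'$($Config.Name)' is configured with trusted CA $thumb; connect from the Windows VPN settings as described above."
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run it once from an elevated PowerShell after copying VPN-ca.crt to C:\Temp and filling in the thumbprint; with the placeholder left in place it deliberately stops before importing anything. The LocalAccountTokenFilterPolicy registry change from the post is server-side and is left out of the script: it lifts UAC token filtering for remote logons by local administrator accounts and is only needed for the C$/D$ style shares, so set it only on the share host and only if you need those shares.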
Hello,
So I have been following a mix of this and https://docs.opnsense.org/manual/vpnet.html#road-warriors-mobile-users. Unfortunately I have not been able to get the connection working. Do you know if there are any articles or YouTube videos that show how to get this set up? Seems like there is something I am missing that is not really pointed out here. Thank you again for all your help.
Use this guide for the modern approach:
https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html