OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: tantalizingbanana on March 07, 2018, 12:05:41 am

Title: Setup Question
Post by: tantalizingbanana on March 07, 2018, 12:05:41 am
I have a machine that I want to have a constant VPN connection using credentials. This machine is on my local area network, which is managed by a router/firewall. I want to put OPNsense between my router/firewall and my machine so that a VPN connection is guaranteed.

I also want to set it up so if the VPN connection is disrupted in any way then the internet connection is terminated to all attached computers as if the cable was disconnected.

Is this possible to set up with OPNsense?
Title: Re: Setup Question
Post by: elektroinside on March 07, 2018, 06:48:49 am
I have a few questions first:
1. Why would you need 2 firewall/routers? OPNsense alone should be enough. It is usually not recommended for simple home networks to use two of these.
2. Do you want to setup OPNsense for its VPN features alone?
3. Please define "disrupted VPN connection"
4. How could OPNsense cut the internet connection (or any connection) of your LAN clients, when your clients are controlled by another firewall?
Title: Re: Setup Question
Post by: tantalizingbanana on March 07, 2018, 07:00:39 pm
I have a few questions first:
1. Why would you need 2 firewall/routers? OPNsense alone should be enough. It is usually not recommended for simple home networks to use two of these.
2. Do you want to setup OPNsense for its VPN features alone?
3. Please define "disrupted VPN connection"
4. How could OPNsense cut the internet connection (or any connection) of your LAN clients, when your clients are controlled by another firewall?
To answer your questions
1. The modem only has 1 port and I need to have wireless router in place.
2. Yes VPN features alone
3. If for whatever reason login fails or requires a reconnection.
4. Any machines connected to OPNsense would lose connection to the internet; not all machines connected on the LAN, only those connected to OPNsense.
Title: Re: Setup Question
Post by: elektroinside on March 07, 2018, 09:32:20 pm
This is not how things work. It's either that I can't comprehend what you would like to achieve, or you still have a lot to learn about this stuff, so you could understand how all these services work together and could then design your network. I'm not mocking you or something, I'm sorry if it sounds like that. I very much understand and know that nobody is born with IT knowledge or something, so please don't feel bad. Or, the other possibility, I don't understand your goal; or another one, I simply have never heard of such a design.

Why don't you try to set up an OpenVPN server on one of your LAN clients without OPNsense? You could have a working VPN connection at least, but killing the other LAN clients' internet connection in certain cases would still be very difficult to achieve.

The way you would like to do this (again, if I understood correctly), in short, is just not possible (I'm fairly certain), with anything :-)
Title: Re: Setup Question
Post by: tantalizingbanana on March 08, 2018, 03:08:32 pm
This is not how things work. It's either that I can't comprehend what you would like to achieve, or you still have a lot to learn about this stuff, so you could understand how all these services work together and could then design your network. I'm not mocking you or something, I'm sorry if it sounds like that. I very much understand and know that nobody is born with IT knowledge or something, so please don't feel bad. Or, the other possibility, I don't understand your goal; or another one, I simply have never heard of such a design.

Why don't you try to set up an OpenVPN server on one of your LAN clients without OPNsense? You could have a working VPN connection at least, but killing the other LAN clients' internet connection in certain cases would still be very difficult to achieve.

The way you would like to do this (again, if I understood correctly), in short, is just not possible (I'm fairly certain), with anything :-)

I do not know where I lost you. OK, let's say this is my network under normal circumstances:

(https://i.imgur.com/D6K3EYG.png)

I want OPNsense to connect to a REMOTE VPN SERVER that is located in another country for the network that OPNsense creates. In other words, I want it to function as an OPENVPN CLIENT. The network it creates would be only the computers connected directly to OPNsense, NOT the other computers on the LAN.

Let's say the login credentials are interrupted for whatever reason; the computer connected to OPNsense DIRECTLY should lose internet access, as such:

(https://i.imgur.com/MLtVcys.png)

Notice how there is only one computer that loses internet access and it is the one that is connected to OPNSense directly.

This is what I want to achieve.
Title: Re: Setup Question
Post by: elektroinside on March 08, 2018, 04:29:18 pm
Oh, ok, much better now. I guess it's possible.

You can definitely set up OPNsense as a VPN client directly from the GUI. The part about disconnecting LAN clients is more difficult, as there is no such support in any firewall for this particular scenario.
But I'm thinking that you could write a script that parses the OpenVPN logs, looks for some strings and then brings down the WAN interface if the strings are found in the logs. This way you still have access to OPNsense from its clients while the internet connection is down for everybody, including OPNsense. You have to clean up the logs right after that, of course, otherwise you risk disabling the WAN each time the script runs. You also have to check how the logs are rotated and the debug levels for the VPN client (also to make sure your string gets logged), and find the right schedule for the script, so as not to risk missing the strings you are looking for because the logs are overwritten.

Integrating (running & scheduling) scripts in the GUI is easy.
Here is one example: https://forum.opnsense.org/index.php?topic=7316.0
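An added example of the log-parsing kill switch sketched in the reply above; this is not code from the thread or from the OPNsense project. It is a POSIX sh script meant to be scheduled every minute on the OPNsense box (the cron GUI in the linked topic can run it). Instead of deleting the log after each run, it remembers the last tunnel state in a small state file, so the WAN is only toggled when the state actually changes. The interface name `em0`, the log path `/var/log/openvpn.log` and the state file path are assumptions; the marker strings are taken from standard OpenVPN client messages, but check them against what your own client actually logs at your chosen verbosity. The two sample log excerpts are constructed for the example.

```shell
#!/bin/sh
# vpn-killswitch.sh: added example (not from the thread or the OPNsense project).
# Parses the OpenVPN client log, derives the tunnel state from the most recent
# marker line, and brings the WAN interface down/up on a state change.

# Assumptions: adjust to your box. WAN_IF is the FreeBSD interface name of WAN,
# LOG is where OPNsense writes the OpenVPN client log, STATE persists the last
# observed tunnel state between cron runs so the WAN is not re-toggled each time.
WAN_IF=${WAN_IF:-em0}
LOG=${LOG:-/var/log/openvpn.log}
STATE=${STATE:-/var/db/vpn-killswitch.state}

# Marker strings from standard OpenVPN client output. Verify them in your own
# log at the verbosity you run; a string that is never logged is never matched.
UP_MARK='Initialization Sequence Completed'
DOWN_PATTERNS='AUTH_FAILED|Inactivity timeout|SIGUSR1\[soft,|SIGTERM\[|process exiting|Connection reset'

# Constructed sample excerpts in OPNsense syslog style, used for demonstration.
SAMPLE_UP='Mar  8 16:29:10 OPNsense openvpn[4711]: TLS: Initial packet from [AF_INET]203.0.113.10:1194
Mar  8 16:29:12 OPNsense openvpn[4711]: Initialization Sequence Completed'
SAMPLE_DOWN="$SAMPLE_UP
Mar  8 16:41:02 OPNsense openvpn[4711]: AUTH: Received control message: AUTH_FAILED
Mar  8 16:41:02 OPNsense openvpn[4711]: SIGTERM[soft,auth-failure] received, process exiting"

# vpn_state LOGTEXT -> prints "up", "down" or "unknown".
# Only the LAST marker line counts, so an old "Initialization Sequence Completed"
# followed by a later failure is correctly read as down, and vice versa.
vpn_state() {
    last=$(printf '%s\n' "$1" | grep -E "$UP_MARK|$DOWN_PATTERNS" | tail -n 1)
    case "$last" in
        '')            echo unknown ;;
        *"$UP_MARK"*)  echo up ;;
        *)             echo down ;;
    esac
}

# decide_action NEWSTATE STATEFILE -> prints disable_wan, enable_wan or noop and
# records NEWSTATE. Repeated runs seeing the same state are a noop, which is what
# replaces the "clean up the logs after each run" step from the reply above.
decide_action() {
    new=$1; statefile=$2
    if [ -f "$statefile" ]; then prev=$(cat "$statefile"); else prev=; fi
    if [ "$new" = unknown ]; then
        echo noop            # no marker seen yet (e.g. log just rotated): change nothing
        return 0
    fi
    printf '%s\n' "$new" > "$statefile"
    if [ "$new" = "$prev" ]; then
        echo noop
    elif [ "$new" = down ]; then
        echo disable_wan
    else
        echo enable_wan
    fi
}

# Read only the tail of the log so a large file is cheap to scan every minute;
# 200 lines must cover more than one cron interval of client output.
main() {
    if [ -r "$LOG" ]; then recent=$(tail -n 200 "$LOG"); else recent=; fi
    action=$(decide_action "$(vpn_state "$recent")" "$STATE")
    case "$action" in
        disable_wan) ifconfig "$WAN_IF" down ;;   # LAN clients keep reaching OPNsense, nothing reaches the internet
        enable_wan)  ifconfig "$WAN_IF" up ;;
    esac
}

# Run main only when executed as the script file itself (sh vpn-killswitch.sh),
# not when the file is sourced for testing.
case "$(basename -- "$0")" in vpn-killswitch.sh) main ;; esac
```

Schedule it as root from the OPNsense cron GUI every minute and log the chosen action somewhere you can audit later. Note the caveats that the reply already raises: the script is only as reliable as the marker strings and the log rotation, and taking WAN down also cuts the OpenVPN process itself off, so reconnection depends on bringing WAN back up (a state change to `up` here re-enables it). A rule-based alternative that avoids log parsing altogether is to let the OPNsense LAN only reach the internet through firewall rules whose gateway is the OpenVPN client interface; when that tunnel is down, the clients' traffic simply has no permitted path.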