Messages - tobia

#1
Right, I will try OpenVPN in the future.

Does anybody know if it can be done in IPsec, and how?
#2
Mobile clients don't "enter" the LAN (192.168.10.* in my case); they have their own separate network (192.168.40.*), which can access LAN and DMZ through firewall rules.

Quote from: mircsicz on January 11, 2018, 06:31:41 PM
I've added access list entries for each of the subnets

How did you do that?

If I try Custom Options in the GUI, it gives an error; if I manually edit access_lists.conf, I lose the changes at every restart.
#3
Is there a way to give IPsec clients a list of subnets that should be routed through the tunnel?

For instance, can I have IPsec clients route the LAN subnet, DMZ subnet, and a few other custom subnets through the tunnel, while everything else would exit through their regular Internet connection?

How would I do that?

Is this generally considered bad practice?
#4
Hi

I'd like my IPsec clients to use the built-in Unbound DNS server, the same as the LAN clients do, to get access to the same name resolution settings and overrides.

But the Unbound config page (services_unbound.php) does not list the IPsec interface under Network Interfaces, only regular interfaces: All, DMZ, LAN, WAN, Localhost. Even if I choose All, the file /var/unbound/access_lists.conf is created with specific access-control rules that exclude the IPsec address range. I tried adding an additional rule under Custom options:

access-control: 192.168.40.0/24 allow

but it results in a syntax error. Maybe Unbound wants the access-control rules to be all together? If I manually add the rule to /var/unbound/access_lists.conf, then it works and my IPsec clients can use the DNS server, but of course that file gets rewritten at every Apply.

I tried messing around with NAT rules, but could not get anything to work.

What is the correct way to let IPsec clients use the built-in Unbound DNS?
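The behaviour described in this post (queries from an address range that is absent from access_lists.conf being refused, and an explicit allow rule for 192.168.40.0/24 fixing it) can be illustrated with a small model of how Unbound evaluates its access-control rules. This is an added example, not code from the forum thread or from OPNsense or Unbound itself: the sample file contents are constructed (the DMZ range 192.168.20.0/24 is an assumption, as the post only names the LAN and IPsec ranges), and the evaluation rule is a simplified model of Unbound's documented behaviour (the most specific netblock match wins; with no match the default is refuse). The parser only accepts bare access-control lines, as written in the generated file, which is also why it will reject a line that is not in that form.

```python
import ipaddress

# Constructed sample of what a generated /var/unbound/access_lists.conf might
# hold when only LAN and DMZ are selected; the IPsec range 192.168.40.0/24 is
# deliberately absent, matching the situation described in the post.
SAMPLE_ACCESS_LISTS = """\
access-control: 127.0.0.1/32 allow
access-control: ::1 allow
access-control: 192.168.10.0/24 allow
access-control: 192.168.20.0/24 allow
"""

# The rule the post tried to add for the IPsec client range.
IPSEC_RULE = "access-control: 192.168.40.0/24 allow"

# Actions Unbound documents for access-control.
VALID_ACTIONS = {
    "allow", "deny", "refuse", "allow_snoop", "allow_setrd",
    "deny_non_local", "refuse_non_local",
}


def parse_access_control(text):
    """Parse 'access-control: <netblock> <action>' lines into (network, action)
    pairs. Comments and blank lines are skipped; anything else is an error,
    which is the kind of check that catches a typo before the file is applied."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.startswith("access-control:"):
            raise ValueError(f"line {lineno}: not an access-control directive: {raw!r}")
        parts = line[len("access-control:"):].split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<netblock> <action>': {raw!r}")
        netblock, action = parts
        if action not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        # strict=False tolerates host bits set in the netblock; a bare address
        # such as ::1 becomes a /128 (or /32) network.
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def evaluate(rules, client_ip, default="refuse"):
    """Return the action for a querying client: the longest-prefix (most
    specific) matching netblock wins; with no match, fall through to the
    default, which models Unbound's documented default of refuse."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else default


def decisions(text, client_ips):
    """Evaluate several client addresses against one config fragment."""
    rules = parse_access_control(text)
    return {ip: evaluate(rules, ip) for ip in client_ips}


if __name__ == "__main__":
    clients = ["192.168.10.5", "192.168.40.7"]
    print("generated file only :", decisions(SAMPLE_ACCESS_LISTS, clients))
    # -> LAN client allowed, IPsec client refused
    print("with IPsec rule added:", decisions(SAMPLE_ACCESS_LISTS + IPSEC_RULE + "\n", clients))
    # -> both allowed
```

Appending the IPsec line to the constructed fragment is what the post reports doing by hand in /var/unbound/access_lists.conf; the model shows why that single line changes the verdict for 192.168.40.x from refuse to allow, and why the answer to "choose All" still excluding the range is a refused query rather than a routing problem.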