Messages - jointheflow

#1
Probably a broader question:

Is there ANY config in OPNsense (L2TP, PPTP etc.) that would allow a Windows user to create a VPN, split tunnel and get the routes?

Even if it's an OPNsense plugin?

On the latest Windows the options seem limited to SSTP, L2TP (cert or pre-shared key) and PPTP, but OPNsense does not appear to support any of these.

Seems there is no way to inject routes from OPNsense to a Windows client, from my research.

Cheers, Nick.
#2
Hi @Monviech

Yes, so this is my question...

Is there no way to establish this on a Windows client without having to resort to client config?

I can get the VPN to establish fine and OPNsense sends the route, but Windows does not respect it from my testing, and the CHILD_SA routes are never inserted into the Windows routing table.

I can fix it on the client by adding the route manually (the config below has 192.168.1.0/24 as the LAN network on OPNsense) as follows:

  # IKEv2 connection in split-tunnel mode, created for all users of the machine
  Add-VpnConnection -Name "Test" -ServerAddress "vpnserver.example.com" -TunnelType IKEv2 -SplitTunneling $true -AllUserConnection
  # Static route for the OPNsense LAN so that only 192.168.1.0/24 traffic is sent through the tunnel
  Add-VpnConnectionRoute -ConnectionName "Test" -DestinationPrefix "192.168.1.0/24" -AllUserConnection

If I then connect, I can get to the network...

However, if in OPNsense I define the CHILD_SA as a route to that network, it is never added to the routing table on the Windows client. It should be. It works on other OSes and the route is created, but on Windows it's never inserted, no matter what changes I make via the UI.

Is there any OPNsense config available that works without client intervention on Windows? I'd be happy to use a different version of IPsec, but it seems IKEv1 is deprecated in Windows 10+. I assume there is no way to actually make this work without client intervention unless I'm missing something obvious, but I keep seeing posts from older OPNsense versions where it works OK?

I'm not sure if this is a restriction on Windows where no CHILD_SA entries on IKEv2 are respected, or if the current OPNsense has a bug, or the config is incorrect.

Does anyone have IKEv2 working in split tunnel with server-based routes pushed to a Windows 10+ client using OPNsense 25.5 or later?

Cheers, Nick.

#3
Hi all,

I have been trying for days to get CHILD_SA routes pushed to a Windows client in split-tunnel mode, with no success.

Is this just impossible on Windows?

No matter what I try, the CHILD_SA routes are never added to the Windows routing table. I can get it working by adding the route on the client, but I want Windows to respect the route sent by the server.

Can it be achieved?

Cheers, Nick
#4
This is the response after changing the NPS Class from CN=VPNUsers1 to VPNUsers1:

2025-10-03T19:09:25 Informational charon 11[NET1] <2d217cd3-5e93-4f42-a548-2e917000500f|30> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (80 bytes)
2025-10-03T19:09:25 Informational charon 11[ENC1] <2d217cd3-5e93-4f42-a548-2e917000500f|30> generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
2025-10-03T19:09:25 Informational charon 11[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|30> no alternative config found
2025-10-03T19:09:25 Informational charon 11[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|30> selected peer config '2d217cd3-5e93-4f42-a548-2e917000500f' unacceptable: insufficient authentication rounds
2025-10-03T19:09:25 Informational charon 11[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> switching to peer config '2d217cd3-5e93-4f42-a548-2e917000500f'
2025-10-03T19:09:25 Informational charon 11[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> selected peer config 'df9e30a3-41ec-4811-a6b7-e4e0ae4f6697' unacceptable: non-matching authentication done
2025-10-03T19:09:25 Informational charon 11[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> constraint check failed: group membership to 'VPNUsers1' required
2025-10-03T19:09:25 Informational charon 11[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> authentication of '101.168.52.123' with EAP successful
2025-10-03T19:09:25 Informational charon 11[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> parsed IKE_AUTH request 5 [ AUTH ]
2025-10-03T19:09:25 Informational charon 11[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> received packet: from 101.168.52.123[4500] to x.x.x.x[4500] (112 bytes)
2025-10-03T19:09:25 Informational charon 11[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (80 bytes)
2025-10-03T19:09:25 Informational charon 11[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> generating IKE_AUTH response 4 [ EAP/SUCC ]
2025-10-03T19:09:25 Informational charon 11[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> EAP method EAP_MSCHAPV2 succeeded, MSK established
2025-10-03T19:09:25 Informational charon 11[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> RADIUS authentication of 'vpn.user2' successful
2025-10-03T19:09:25 Informational charon 11[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> received group membership 'VPNUsers2' from RADIUS
2025-10-03T19:09:25 Informational charon 11[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> received RADIUS Access-Accept from server 'server1'
2025-10-03T19:09:25 Informational charon 11[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> sending RADIUS Access-Request to server 'server1'
2025-10-03T19:09:25 Informational charon 11[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
2025-10-03T19:09:25 Informational charon 11[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> received packet: from 101.168.52.123[4500] to x.x.x.x[4500] (80 bytes)
2025-10-03T19:09:25 Informational charon 11[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (128 bytes)
2025-10-03T19:09:25 Informational charon 11[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
2025-10-03T19:09:25 Informational charon 11[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> received RADIUS Access-Challenge from server 'server1'
2025-10-03T19:09:25 Informational charon 11[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> sending RADIUS Access-Request to server 'server1'
2025-10-03T19:09:25 Informational charon 11[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
2025-10-03T19:09:25 Informational charon 11[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> received packet: from 101.168.52.123[4500] to x.x.x.x[4500] (144 bytes)
2025-10-03T19:09:25 Informational charon 11[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (112 bytes)
2025-10-03T19:09:25 Informational charon 11[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
2025-10-03T19:09:25 Informational charon 11[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> initiating EAP_MSCHAPV2 method (id 0x01)
2025-10-03T19:09:25 Informational charon 11[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> received RADIUS Access-Challenge from server 'server1'
2025-10-03T19:09:25 Informational charon 11[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> sending RADIUS Access-Request to server 'server1'
2025-10-03T19:09:25 Informational charon 11[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|30> received EAP identity 'vpn.user2'
#5
Hi all,

I'm having issues getting groups to work via a Microsoft NPS server...

Configuration:
OPNsense > System > Access > Groups > Create Group VPNUsers1
OPNsense > System > Access > Groups > Create Group VPNUsers2
OPNsense > System > Access > Servers > RADIUS Server > sync groups ON, auto user creation ON
AD User: vpn.user1
AD Group: VPNUsers1
NPS Class = VPNUsers1 (as per docs)
AD User: vpn.user2
AD Group: VPNUsers2
NPS Class = VPNUsers2 (as per docs)

If I run the tester tool, the user is authenticated OK but 'user is a member of these groups' is NULL, so it's not mapping.
If I change the NPS Class to 'CN=VPNUsers1', I get the response that the user is a member of the VPNUsers1 group and the user is created and added to the group; same for VPNUsers2. It appears the Class field needs the "CN=" prefix to function.

So the second option seems to work in the tester; when I do it that way, accounts are created locally and added to the appropriate group. I can see that both the group name and the username are created in OPNsense... let's move on...

I set up the IKEv2 configuration:

VPN > IPsec > Connections > Pools

IPPool_VPNUsers1 = 192.168.2.32/27
IPPool_VPNUsers2 = 192.168.2.64/27

VPN > IPsec > Connections > Add

Create a new connection, IKEv2, VPNUsers1 Pool
Local Auth: Public Key (I've created the CA and imported the cert etc..)
Remote Auth: EAP-RADIUS, Group VPNUsers1
Children: A-LOCAL-SUBNET

I've repeated this configuration for VPNUsers2 (an entirely new connection, selecting the VPNUsers2 pool in the P1 connection and changing the group to VPNUsers2 in 'Remote Auth').

So, as I understand it, the remote client should attempt login, be parsed and get access; however, I get this:

vpn.user1 or vpn.user2
--------
2025-10-03T18:19:39 Informational charon 12[NET1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (80 bytes)
2025-10-03T18:19:39 Informational charon 12[ENC1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
2025-10-03T18:19:39 Informational charon 12[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> no alternative config found
2025-10-03T18:19:39 Informational charon 12[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> selected peer config '2d217cd3-5e93-4f42-a548-2e917000500f' unacceptable: non-matching authentication done
2025-10-03T18:19:39 Informational charon 12[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> constraint check failed: group membership to 'VPNUsers2' required
2025-10-03T18:19:39 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> switching to peer config '2d217cd3-5e93-4f42-a548-2e917000500f'
2025-10-03T18:19:39 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> selected peer config 'df9e30a3-41ec-4811-a6b7-e4e0ae4f6697' unacceptable: non-matching authentication done
2025-10-03T18:19:39 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> constraint check failed: group membership to 'VPNUsers1' required
2025-10-03T18:19:39 Informational charon 12[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> authentication of '101.168.52.123' with EAP successful
2025-10-03T18:19:39 Informational charon 12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> parsed IKE_AUTH request 5 [ AUTH ]
2025-10-03T18:19:39 Informational charon 12[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received packet: from 101.168.52.123[4500] to x.x.x.x[4500] (112 bytes)
2025-10-03T18:19:39 Informational charon 12[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (80 bytes)
2025-10-03T18:19:39 Informational charon 12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> generating IKE_AUTH response 4 [ EAP/SUCC ]
2025-10-03T18:19:39 Informational charon 12[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> EAP method EAP_MSCHAPV2 succeeded, MSK established
2025-10-03T18:19:39 Informational charon 12[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> RADIUS authentication of 'vpn.user2' successful
2025-10-03T18:19:39 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received group membership 'CN=VPNUsers2' from RADIUS
2025-10-03T18:19:39 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received RADIUS Access-Accept from server 'server1'
2025-10-03T18:19:39 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending RADIUS Access-Request to server 'server1'
2025-10-03T18:19:39 Informational charon 12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
2025-10-03T18:19:39 Informational charon 12[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received packet: from 101.168.52.123[4500] to x.x.x.x[4500] (80 bytes)
2025-10-03T18:19:38 Informational charon 12[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (128 bytes)
2025-10-03T18:19:38 Informational charon 12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
2025-10-03T18:19:38 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received RADIUS Access-Challenge from server 'server1'
2025-10-03T18:19:38 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending RADIUS Access-Request to server 'server1'
2025-10-03T18:19:38 Informational charon 12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
2025-10-03T18:19:38 Informational charon 12[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received packet: from 101.168.52.123[4500] to x.x.x.x[4500] (144 bytes)
2025-10-03T18:19:38 Informational charon 05[NET1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending packet: from x.x.x.x[4500] to 101.168.52.123[4500] (112 bytes)
2025-10-03T18:19:38 Informational charon 05[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
2025-10-03T18:19:38 Informational charon 05[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> initiating EAP_MSCHAPV2 method (id 0x01)
2025-10-03T18:19:38 Informational charon 05[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received RADIUS Access-Challenge from server 'server1'
2025-10-03T18:19:38 Informational charon 05[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> sending RADIUS Access-Request to server 'server1'
2025-10-03T18:19:38 Informational charon 05[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received EAP identity 'vpn.user2'

So it seems that with this configuration it fails to authenticate the user to the group, even though the tester has established the user and the group and both are visible in the UI.

I've also tried changing the Class attribute back to VPNUsers1 on the NPS, but it still fails to match.

From some additional reading, there was a concept of local and remote groups in previous versions. It could be that the VPN connection can't match the group as I've created it in the GUI and it might think it's local. I've tried to log in to the GUI using the RADIUS user to auto-create the group as a 'remote' group, but it's a chicken-and-egg issue where I can't assign the web display login permission to the RADIUS user, so when I log in with the RADIUS user I get an error that the UI can't be displayed and it's time to log off. You need to create a local user first and assign it the permissions to the web UI, but it still does not create the group, probably because it's authenticating locally against the local DB.

Hoping someone can shed some clarity...

Cheers, Nick.
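The two charon logs quoted in posts #4 and #5 tell the same story in reverse order: RADIUS returns an Access-Accept with a Class value, strongSwan then walks its candidate peer configs and rejects each one with a "constraint check failed: group membership to '...' required" line, and the IKE_AUTH exchange ends in N(AUTH_FAILED). Reading that by hand across several connections gets error-prone, so here is a small triage script, added as an example and not part of this thread, of OPNsense or of strongSwan. It parses lines in the shape the OPNsense log view shows (timestamp, severity, process, thread[subsystem], <connection|IKE_SA>, message, newest first, with the first three columns sometimes run together), groups them by IKE_SA number, and for each SA reports the RADIUS groups received, every peer config that was rejected and why, and whether the only difference between the required and received group names is a "CN=" prefix. The sample lines are constructed from post #5's log; the connection UUIDs, user and group names are the ones shown there, and the column layout is an assumption about how the log view exports.

```python
"""Triage strongSwan (charon) IKE_AUTH logs for EAP-RADIUS group-constraint failures.

Added example, not OPNsense or strongSwan code. Input: OPNsense log-view lines,
newest first by default. Output: per IKE_SA, the RADIUS groups received, each
rejected peer config with its reason, and the final IKE_AUTH outcome.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# <timestamp><severity><process> may be run together in the log view, so the whitespace is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s*\w+?\s*charon\s*\d+\[[A-Z]+\d*\]\s+"
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+(?P<msg>.*)$"
)
RE_IDENTITY = re.compile(r"received EAP identity '([^']+)'")
RE_RADIUS_OK = re.compile(r"RADIUS authentication of '([^']+)' successful")
RE_GROUP = re.compile(r"received group membership '([^']+)' from RADIUS")
RE_CONSTRAINT = re.compile(r"constraint check failed: group membership to '([^']+)' required")
RE_UNACCEPT = re.compile(r"selected peer config '([^']+)' unacceptable: (.+)$")
RE_RESPONSE = re.compile(r"generating IKE_AUTH response \d+ \[ (.+) \]")


@dataclass
class Attempt:
    conn: str                              # peer config (connection UUID) strongSwan evaluated
    required_group: Optional[str] = None   # group its Remote Auth demands, if a constraint line said so
    reason: Optional[str] = None           # why the config was declared unacceptable


@dataclass
class SaReport:
    sa: str
    user: Optional[str] = None
    radius_groups: List[str] = field(default_factory=list)   # Class attribute values as received
    attempts: List[Attempt] = field(default_factory=list)
    outcome: Optional[str] = None          # "EAP_SUCCESS", "AUTH_FAILED" or None if not seen


def parse_ike_auth_log(lines, newest_first: bool = True) -> Dict[str, SaReport]:
    """Group charon lines by IKE_SA and extract the RADIUS/group-constraint sequence of each."""
    ordered = list(reversed(lines)) if newest_first else list(lines)   # process chronologically
    reports: Dict[str, SaReport] = {}
    for raw in ordered:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                        # unrelated or differently formatted line
        rep = reports.setdefault(m["sa"], SaReport(sa=m["sa"]))
        conn, msg = m["conn"], m["msg"]
        if x := RE_IDENTITY.search(msg):
            rep.user = rep.user or x.group(1)
        elif x := RE_RADIUS_OK.search(msg):
            rep.user = x.group(1)
        elif x := RE_GROUP.search(msg):
            rep.radius_groups.append(x.group(1))
        elif x := RE_CONSTRAINT.search(msg):
            rep.attempts.append(Attempt(conn=conn, required_group=x.group(1)))
        elif x := RE_UNACCEPT.search(msg):
            cfg, reason = x.group(1), x.group(2)
            last = rep.attempts[-1] if rep.attempts else None
            if last is not None and last.conn == cfg and last.reason is None:
                last.reason = reason        # the constraint line for this config came just before
            else:
                rep.attempts.append(Attempt(conn=cfg, reason=reason))
        elif x := RE_RESPONSE.search(msg):
            if "AUTH_FAILED" in x.group(1):
                rep.outcome = "AUTH_FAILED"
            elif x.group(1) == "EAP/SUCC":
                rep.outcome = "EAP_SUCCESS"
    return reports


def diagnose(rep: SaReport) -> List[str]:
    """One note per rejected peer config, comparing what it requires with what RADIUS sent."""
    bare = {g[3:] if g.upper().startswith("CN=") else g for g in rep.radius_groups}
    notes = []
    for a in rep.attempts:
        tag = a.conn[:8]
        if a.required_group is None:
            notes.append(f"{tag}: rejected: {a.reason}")
        elif a.required_group in bare and a.required_group not in rep.radius_groups:
            notes.append(f"{tag}: requires '{a.required_group}' but RADIUS sent "
                         f"{rep.radius_groups}: only the 'CN=' prefix differs")
        else:
            notes.append(f"{tag}: requires '{a.required_group}', RADIUS sent "
                         f"{rep.radius_groups or 'no group attribute'}")
    return notes


# Constructed from the post #5 log above (newest line first, as the log view shows it).
SAMPLE_NEWEST_FIRST = """\
2025-10-03T18:19:39 Informational charon 12[ENC1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
2025-10-03T18:19:39 Informational charon 12[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> no alternative config found
2025-10-03T18:19:39 Informational charon 12[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> selected peer config '2d217cd3-5e93-4f42-a548-2e917000500f' unacceptable: non-matching authentication done
2025-10-03T18:19:39 Informational charon 12[CFG1] <2d217cd3-5e93-4f42-a548-2e917000500f|29> constraint check failed: group membership to 'VPNUsers2' required
2025-10-03T18:19:39 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> switching to peer config '2d217cd3-5e93-4f42-a548-2e917000500f'
2025-10-03T18:19:39 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> selected peer config 'df9e30a3-41ec-4811-a6b7-e4e0ae4f6697' unacceptable: non-matching authentication done
2025-10-03T18:19:39 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> constraint check failed: group membership to 'VPNUsers1' required
2025-10-03T18:19:39 Informational charon 12[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> authentication of '101.168.52.123' with EAP successful
2025-10-03T18:19:39 Informational charon 12[ENC1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> generating IKE_AUTH response 4 [ EAP/SUCC ]
2025-10-03T18:19:39 Informational charon 12[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> RADIUS authentication of 'vpn.user2' successful
2025-10-03T18:19:39 Informational charon 12[CFG1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received group membership 'CN=VPNUsers2' from RADIUS
2025-10-03T18:19:38 Informational charon 05[IKE1] <df9e30a3-41ec-4811-a6b7-e4e0ae4f6697|29> received EAP identity 'vpn.user2'
""".splitlines()

if __name__ == "__main__":
    for sa, rep in parse_ike_auth_log(SAMPLE_NEWEST_FIRST).items():
        print(f"IKE_SA {sa}: user={rep.user} groups={rep.radius_groups} outcome={rep.outcome}")
        for note in diagnose(rep):
            print("  " + note)
```

Run against a full log export, the script lists every IKE_SA that ended in AUTH_FAILED alongside the exact group string RADIUS delivered, which is the value the "Group" field in Remote Auth has to equal byte for byte. For the post #5 sample it reports that the VPNUsers2 connection requires 'VPNUsers2' while RADIUS sent 'CN=VPNUsers2', and that the VPNUsers1 connection was correctly skipped because that user is not in it; a config rejected without a constraint line (as with "insufficient authentication rounds" in post #4) is printed with strongSwan's reason verbatim rather than interpreted.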