Opnsense as Internet gateway for IPSec road warriors

[rungekutta]

Hi! First post on the forum. Just installed opnsense on a Qotom i5 mini pc at home and got it up and running fine (as router + firewall). I also managed to configure IPSec for road warriors as described here: https://wiki.opnsense.org/manual/how-tos/ipsec-road.html. All good so far and very happy!

There is however one thing I cannot figure out. When I connect to my opnsense firewall via IPSec (as road warrior) I would like to access my LAN (works) but also use my opnsense as Internet gateway (i.e. NAT through the WAN as if I would have been on the internal lan already). I cannot figure this out.

My setup:
VPN -> IPSec -> Mobile Clients; Virtual Address Pool = 10.10.0.0/24, DNS Servers = 192.168.1.1
Firewall -> Rules -> IPSec; single rule allowing anything to anything on the IPSEC interface
Firewall -> NAT -> Outbound; Hybrid outbound NAT rule generation, added a rule Interface = WAN, Source address=10.10.0.0/24, Translation / target = Interface address.

With this, I can connect to the VPN from an iOS client and successful access the LAN. When I try to load external pages from iOS Safari, I can see the connections being let through in Firewall -> Log Files -> Log view however iOS does not get any response and eventually times out.

I cannot figure this out... Would appreciate some pointers!

I'm running OPNsense 18.1.4-amd64 by the way...

[rungekutta]

I figured it out...!

Need to set "Local Network" to 0.0.0.0/0, instead of LAN subnet, for the routing to be set up properly at the client side. Also needed to add access from the IPSec subnet to the Unresolver DNS config.

Now it works as expected... Clients can connect via IPsec (tried iOS and Mac OS) and access the local LAN as well as use this opnsense instance as Internet gateway (NAT).

This was poorly documented.. No help text available in the GUI at all, and no mentioning of this in the docs either. Found the solution from a pfsense blog combined with trial-and-error and clicking around in the GUI. Could be improved...

[Ciprian]

I figured it out...!

Need to set "Local Network" to 0.0.0.0/0, instead of LAN subnet, for the routing to be set up properly at the client side.

I confirm it's NOT working with "IPsec net". Yet, does it work with CIDR notation of VPN segment? I expect to, but I'm not sure if default GW works as if you're in the LAN itself. Would you please test again this particular point, and write back? Thank you!

Also needed to add access from the IPSec subnet to the Unresolver DNS config.

True also!

This was poorly documented.. No help text available in the GUI at all, and no mentioning of this in the docs either. Found the solution from a pfsense blog combined with trial-and-error and clicking around in the GUI. Could be improved...

Not happily agreeing with you: most of the time tech guys avoid writing/ updating docs.

[rungekutta]

Need to set "Local Network" to 0.0.0.0/0, instead of LAN subnet, for the routing to be set up properly at the client side.

I confirm it's NOT working with "IPsec net". Yet, does it work with CIDR notation of VPN segment? I expect to, but I'm not sure if default GW works as if you're in the LAN itself. Would you please test again this particular point, and write back? Thank you!

No, setting the CIDR of the VPN (10.10.0.0/24 right?) does not work either. Needs to be 0.0.0.0/0 for it to route properly...

[Ciprian]

Thank you very much!
You have a round of applause from me, I wouldn't have thought to set the rule to "anywhere".

[malhal]

Also needed to add access from the IPSec subnet to the Unresolver DNS config.

I have the same problem so am interested in your fix but could you please explain what you mean by the above? Because there is no "Unresolver" in the menus anywhere, is it a typo?

Edit: figured out it is Unbound DNS, and here is a screenshot of the required setting, just edit the IP to your VPN virtual range:
https://imgur.com/JAZzrSJ