Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPsec Roadwarriors: Split tunnel + Full tunnel Side-by-Side?
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPsec Roadwarriors: Split tunnel + Full tunnel Side-by-Side? (Read 154 times)
d39FAPH7
Newbie
Posts: 12
Karma: 1
IPsec Roadwarriors: Split tunnel + Full tunnel Side-by-Side?
«
on:
November 08, 2024, 12:30:57 pm »
Hi,
i'm using
https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html
with "shared pool" to connect into my home OPNsense with a split tunnel setting. Works good. Now i would like to have a full tunnel mode alongside when i'm in public unencrypted WiFis. How can i achieve this in a smart way? The decisive setting is in the "Child" config, so it's probaby not possible to filter this by login username.
Thanks
«
Last Edit: November 08, 2024, 01:07:56 pm by d39FAPH7
»
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1593
Karma: 176
Re: IPsec Roadwarriors: Split tunnel + Full tunnel Side-by-Side?
«
Reply #1 on:
November 08, 2024, 01:16:12 pm »
Hello,
I think that can be controlled by the connecting client (it depends on the used client though).
Some clients can ignore the IKE Configuration Payload, and then you can choose your own routes that should be installed.
For example the strongswan client on android could have two profiles, one with default options, the other with "Split tunneling" networks defined. (both with same user name etc... since its only a client side option thats changed).
On the OPNsense side the child would have 0.0.0.0/0 and ::/0, but on the client side its either the full tunnel profile, or a "User defined split tunnel" profile.
Logged
Hardware:
DEC740
d39FAPH7
Newbie
Posts: 12
Karma: 1
Re: IPsec Roadwarriors: Split tunnel + Full tunnel Side-by-Side?
«
Reply #2 on:
November 08, 2024, 02:04:59 pm »
thanks for your answer. i'm on mac os / ios and a big fan of the built-in system clients as they don't give me a headache on OS updates most of the time but actually they lack this functionality.
is it possible to configure a completely new (secondary) tunnel on the OPNsense side with a different DNS name including a new certificate to distinguish by that?
thanks
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1593
Karma: 176
Re: IPsec Roadwarriors: Split tunnel + Full tunnel Side-by-Side?
«
Reply #3 on:
November 08, 2024, 02:07:14 pm »
You can only run one shared pool per public IP address.
If you want more control you have to remove the current Phase 1+2 with eap id %any.
If you want to have different profiles for multiple users, you have to use the other example in the guide. With that you can have a separate phase 1/2 + pool per user. Its more work to set up but gives you maximum flexibility per user.
Of course if you have 10000 users that option scales badly.
«
Last Edit: November 08, 2024, 02:14:08 pm by Monviech
»
Logged
Hardware:
DEC740
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPsec Roadwarriors: Split tunnel + Full tunnel Side-by-Side?