IPsec Roadwarriors: Split tunnel + Full tunnel Side-by-Side?

Started by d39FAPH7, November 08, 2024, 12:30:57 PM

Hi,
I'm using https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html with "shared pool" to connect into my home OPNsense with a split tunnel setting. Works well. Now I would like to have a full tunnel mode alongside it for when I'm on public unencrypted WiFi. How can I achieve this in a smart way? The decisive setting is in the "Child" config, so it's probably not possible to filter this by login username.
Thanks

Hello,

I think that can be controlled by the connecting client (though it depends on the client used).

Some clients can ignore the IKE Configuration Payload, and then you can choose your own routes that should be installed.

For example, the strongSwan client on Android could have two profiles, one with default options, the other with "Split tunneling" networks defined (both with the same user name etc., since it's only a client-side option that changes).

On the OPNsense side the child would have 0.0.0.0/0 and ::/0, but on the client side it's either the full tunnel profile or a "User defined split tunnel" profile.

Hardware:
DEC740

Thanks for your answer. I'm on macOS / iOS and a big fan of the built-in system clients, as they don't give me a headache on OS updates most of the time, but they actually lack this functionality.
Is it possible to configure a completely new (secondary) tunnel on the OPNsense side with a different DNS name, including a new certificate, to distinguish by that?
Thanks

You can only run one shared pool per public IP address.

If you want more control you have to remove the current Phase 1+2 with EAP ID %any.

If you want to have different profiles for multiple users, you have to use the other example in the guide. With that you can have a separate Phase 1/2 + pool per user. It's more work to set up but gives you maximum flexibility per user.

Of course if you have 10000 users that option scales badly.
Hardware:
DEC740
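The per-user layout recommended in the reply above, written out as an added swanctl.conf example. This is not the configuration OPNsense generates from its GUI and not taken from the linked guide; it is plain strongSwan syntax showing one IKEv2/EAP-MSCHAPv2 connection per user, each with its own pool and its own child traffic selector, so "alice" gets a full tunnel and "bob" a split tunnel from the same public IP. The gateway address, hostname, certificate file, LAN subnet, user names and secrets are assumed placeholders.

```conf
# Added example (not OPNsense-generated, not from the guide): two road-warrior
# connections on one public address, selected by EAP identity.
# 203.0.113.10, vpn.example.com, 192.168.1.0/24, alice, bob and the secrets
# are assumed placeholders.
connections {
    # Full tunnel: the gateway offers 0.0.0.0/0 and ::/0 as traffic selectors,
    # so a client that honours the gateway's TSr (e.g. the Apple built-in
    # client) routes all traffic through the VPN. Use this on public Wi-Fi.
    rw-alice-full {
        version = 2
        local_addrs = 203.0.113.10
        pools = pool-alice
        proposals = aes256-sha256-ecp256
        send_cert = always
        local {
            auth = pubkey
            certs = vpn.example.com.crt
            id = vpn.example.com
        }
        remote {
            auth = eap-mschapv2
            # A concrete eap_id (not %any) lets strongSwan pick this
            # connection once the client has sent its EAP identity.
            eap_id = alice
        }
        children {
            full {
                local_ts = 0.0.0.0/0, ::/0
                esp_proposals = aes256gcm16-ecp256
            }
        }
    }

    # Split tunnel: only the home LAN is offered; everything else stays on
    # the client's local uplink.
    rw-bob-split {
        version = 2
        local_addrs = 203.0.113.10
        pools = pool-bob
        proposals = aes256-sha256-ecp256
        send_cert = always
        local {
            auth = pubkey
            certs = vpn.example.com.crt
            id = vpn.example.com
        }
        remote {
            auth = eap-mschapv2
            eap_id = bob
        }
        children {
            split {
                local_ts = 192.168.1.0/24
                esp_proposals = aes256gcm16-ecp256
            }
        }
    }
}

# One pool per connection; separate ranges also make it easy to write
# firewall rules that differ between full-tunnel and split-tunnel clients.
pools {
    pool-alice {
        addrs = 10.10.1.0/24
        dns = 192.168.1.1
    }
    pool-bob {
        addrs = 10.10.2.0/24
        dns = 192.168.1.1
    }
}

# EAP-MSCHAPv2 credentials; the id must match the eap_id of the connection.
secrets {
    eap-alice {
        id = alice
        secret = "change-me-alice"
    }
    eap-bob {
        id = bob
        secret = "change-me-bob"
    }
}
```

The point of this layout is that the distinguishing attribute is the EAP identity, not the child: with a single connection using `eap_id = %any` every user lands in the same child and the same pool, which is why the shared-pool setup from the first guide cannot hand out different traffic selectors per login. For a full-tunnel client, remember that OPNsense also needs an outbound NAT rule for the pool range, otherwise Internet-bound traffic arrives from the tunnel but never returns.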