Setting up OpnSense as a VPN Client from VPN Provider

Started by Animal Chin, November 04, 2019, 03:42:45 AM

So I'm new to OpnSense but not networks.  I'm tearing out an old ASA firewall at my home and replacing it with the current OpnSense release.  I like the software a lot, but for the life of me I cannot figure out how to set up an IPSec VPN client.  Plenty of tutorials on how to make it a VPN server.

My goal is to make it so some hosts in the house (I work from home) exit direct to my ISP, and other hosts exit via my IPSec VPN account.  The routing for this is still to be nailed down but I can't even get to that point yet.

I was able to get as far as getting the link to establish (I think) by reviewing the ipsec.log.  At least it showed it negotiated after fiddling with the DH key group.  But on the dashboard it never shows the tunnel up, no matter if I set it to start immediate or on traffic.

I'm hoping there are others that have tried this before me with success.

Thanks

I'm a newbie here so I'll start off by saying I may be wrong, but I also may be a help hah..... So I was just wondering why you don't use OpenVPN. I set up OpenVPN as a newbie for the first time and it's connecting and tunneling traffic through 10.10.10.0/24 and not on my normal 192.168.2.0/24 LAN traffic as an extra step.

Thanks for the reply.  So I have a grandfathered StrongVPN account that was called VPN Lite back in the day.  It only offered PPTP and L2TP/IPSec (I never used the PPTP part).  Unfortunately, to add OpenVPN to the account takes me to a current plan, costing more, and I'm a cheap bastard.

So if it can be done with IPSec then great.  If I have to go to OpenVPN then I'll have to explore other providers because it opens up the choices.

Thanks

Did you try site-to-site ipsec? https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html

Instead of using static ip for authentication, you could set something else for your 'client' site.

For configuration options that cannot be set via gui, there exist include directories where you can place your own configurations:

/usr/local/etc/ipsec.opnsense.d
/usr/local/etc/strongswan.opnsense.d
/usr/local/etc/ipsec.secrets.opnsense.d

Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR