OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Tutorials and FAQs »
  • SOLVED: Giving each mobile VPN device its own LAN IP
« previous next »
  • Print
Pages: [1]

Author Topic: SOLVED: Giving each mobile VPN device its own LAN IP  (Read 1828 times)

gctwnl

  • Jr. Member
  • **
  • Posts: 60
  • Karma: 0
    • View Profile
SOLVED: Giving each mobile VPN device its own LAN IP
« on: November 26, 2022, 02:28:03 pm »
I am migrating from EdgeMax/EdgeOS to OPNSense (so, newbie at OPNsense).

In my EdgeOS setup I have an IPsec/L2TP setup for a couple of devices (macOS) that can connect to my LAN. The EdgeOS setup has an IP pool (which is outside the LAN DHCP pool), and I can set a static IP address for each user inside that pool as well. Each user has their own password and they share the secret key.

This way, these individual VPN connections each get an internal static IP in my LAN when they connect their VPN. This enables me to have very specific firewall rules for each user (device).

Given that the users are non-technical and at a large distance, I need to move them over to OPNsense as is, before I can build a better setup that I then can remotely configure for them on their macOS device.

So, I want to recreate that setup, but after reading the documentation and searching I haven't found a way to do that. Is it possible? It seems like a standard L2TP/IPsec setup, but the documentation seems not to handle it.
« Last Edit: December 03, 2022, 04:01:29 am by gctwnl »
Logged

gctwnl

  • Jr. Member
  • **
  • Posts: 60
  • Karma: 0
    • View Profile
Re: Giving each mobile VPN device its own LAN IP
« Reply #1 on: December 03, 2022, 04:01:09 am »
This is doable using EAP+IKEv2+FreeRADIUS

I was able to get IKEv2 EAP-RADIUS to work with iOS with all traffic over the VPN without a .mobileconfig file and macOS/iOS devices where each device gets its own IP based o the RADIUS User info. The key elements were:
  • In FreeRADIUS Users:
    • Provide the IP Address and the Subnet Mask
    • In Routes, add the IP-range of your LAN
  • In Mobile Clients:
    • Do not provide a range in Virtual IPv4 Address Pool (if you do, it overrides the RADIUS settings)
    • Provide a domain name and a list of split domain names (probably not important)
  • In Phase 1:
    • Connection method: default, Key Exchange V2
    • Method EAP-RADIUS, My Identifier: Distinguished Name and name is the reverse resolvable FQDN
    • encryption algorithms: AES256, hash algorithms: SHA1 & SHA256, DH: 14
  • In Phase 2:
    • set Local Network to "Network, 0.0.0.0/0" (all traffic over the tunnel)
    • encryption algorithms: AES256, hash algorithms: SHA1 & SHA256
  • In Firewall settings:
    • Disable force gateway turned on

On the device (macOS, iOS) make sure the certificate and the 'certificate authority' certificate are installed.  Make sure in macOS that they are trusted.
« Last Edit: December 05, 2022, 04:21:15 pm by gctwnl »
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Tutorials and FAQs »
  • SOLVED: Giving each mobile VPN device its own LAN IP
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2