SOLVED: Giving each mobile VPN device its own LAN IP

Started by gctwnl, November 26, 2022, 02:28:03 PM

November 26, 2022, 02:28:03 PM Last Edit: December 03, 2022, 04:01:29 AM by gctwnl
I am migrating from EdgeMax/EdgeOS to OPNSense (so, newbie at OPNsense).

In my EdgeOS setup I have an IPsec/L2TP setup for a couple of devices (macOS) that can connect to my LAN. The EdgeOS setup has an IP pool (which is outside the LAN DHCP pool), and I can set a static IP address for each user inside that pool as well. Each user has their own password and they share the secret key.

This way, these individual VPN connections each get an internal static IP in my LAN when they connect their VPN. This enables me to have very specific firewall rules for each user (device).

Given that the users are non-technical and at a large distance, I need to move them over to OPNsense as is, before I can build a better setup that I then can remotely configure for them on their macOS device.

So, I want to recreate that setup, but after reading the documentation and searching I haven't found a way to do that. Is it possible? It seems like a standard L2TP/IPsec setup, but the documentation seems not to handle it.

December 03, 2022, 04:01:09 AM #1 Last Edit: December 05, 2022, 04:21:15 PM by gctwnl
This is doable using EAP+IKEv2+FreeRADIUS

I was able to get IKEv2 EAP-RADIUS to work with iOS with all traffic over the VPN without a .mobileconfig file, and with macOS/iOS devices where each device gets its own IP based on the RADIUS User info. The key elements were:

  • In FreeRADIUS Users:
    • Provide the IP Address and the Subnet Mask
    • In Routes, add the IP-range of your LAN
  • In Mobile Clients:
    • Do not provide a range in Virtual IPv4 Address Pool (if you do, it overrides the RADIUS settings)
    • Provide a domain name and a list of split domain names (probably not important)
  • In Phase 1:
    • Connection method: default, Key Exchange V2
    • Method EAP-RADIUS, My Identifier: Distinguished Name and name is the reverse resolvable FQDN
    • encryption algorithms: AES256, hash algorithms: SHA1 & SHA256, DH: 14
  • In Phase 2:
    • set Local Network to "Network, 0.0.0.0/0" (all traffic over the tunnel)
    • encryption algorithms: AES256, hash algorithms: SHA1 & SHA256
  • In Firewall settings:
    • Disable force gateway turned on

On the device (macOS, iOS) make sure the certificate and the 'certificate authority' certificate are installed. Make sure in macOS that they are trusted.
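For readers who want to see what the "IP Address", "Subnet Mask" and "Routes" fields in the FreeRADIUS Users page translate to on the wire, here is a constructed FreeRADIUS `users` file fragment (added example, not from the post above and not generated by the OPNsense plugin itself). It assumes a LAN of 192.168.1.0/24 and two hypothetical device accounts; the addresses, usernames and passwords are made up. The point of the per-user `Framed-IP-Address` is exactly what the thread is after: every device always comes up on the same address, so per-device firewall rules on OPNsense can match on that address.

```text
# Constructed FreeRADIUS "users" entries (assumed values, not from the post).
# Each device gets a fixed Framed-IP-Address outside the LAN DHCP pool; with no
# Virtual IPv4 Address Pool configured in Mobile Clients, the IKEv2 EAP-RADIUS
# connection hands this address to the device as its virtual IP.
# Subnet Mask and Routes fields map to Framed-IP-Netmask and Framed-Route
# (Framed-Route syntax: "destination/prefix gateway metric").

alice-macbook   Cleartext-Password := "<long-random-password-placeholder>"
                Framed-IP-Address  = 192.168.1.201,
                Framed-IP-Netmask  = 255.255.255.0,
                Framed-Route       = "192.168.1.0/24 0.0.0.0 1"

bob-iphone      Cleartext-Password := "<long-random-password-placeholder>"
                Framed-IP-Address  = 192.168.1.202,
                Framed-IP-Netmask  = 255.255.255.0,
                Framed-Route       = "192.168.1.0/24 0.0.0.0 1"
```

To check the attribute side without involving a VPN client, `radtest` from the FreeRADIUS utilities can be run against the server (for example `radtest alice-macbook '<password>' 127.0.0.1 0 '<client-secret>'`); the Access-Accept it prints should carry the `Framed-IP-Address` above. If the address is missing there, the problem is in the RADIUS user definition rather than in the IPsec configuration; if it is present but the client still gets a pool address, re-check that the Virtual IPv4 Address Pool in Mobile Clients is empty, as the post notes it overrides the RADIUS value.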