SOLVED: Giving each mobile VPN device its own LAN IP
gctwnl (Jr. Member, Posts: 60, Karma: 0)
SOLVED: Giving each mobile VPN device its own LAN IP
« on: November 26, 2022, 02:28:03 pm »
I am migrating from EdgeMax/EdgeOS to OPNsense (so, newbie at OPNsense).
In my EdgeOS setup I have an IPsec/L2TP setup for a couple of devices (macOS) that can connect to my LAN. The EdgeOS setup has an IP pool (which is outside the LAN DHCP pool), and I can set a static IP address for each user inside that pool as well. Each user has their own password and they share the secret key.
This way, these individual VPN connections each get an internal static IP in my LAN when they connect their VPN. This enables me to have very specific firewall rules for each user (device).
Given that the users are non-technical and at a large distance, I need to move them over to OPNsense as is, before I can build a better setup that I then can remotely configure for them on their macOS device.
So, I want to recreate that setup, but after reading the documentation and searching I haven't found a way to do that. Is it possible? It seems like a standard L2TP/IPsec setup, but the documentation seems not to handle it.
« Last Edit: December 03, 2022, 04:01:29 am by gctwnl »
gctwnl (Jr. Member, Posts: 60, Karma: 0)
Re: Giving each mobile VPN device its own LAN IP
« Reply #1 on: December 03, 2022, 04:01:09 am »
This is doable using EAP+IKEv2+FreeRADIUS.
I was able to get IKEv2 EAP-RADIUS to work with iOS with all traffic over the VPN, without a .mobileconfig file, and with macOS/iOS devices where each device gets its own IP based on the RADIUS User info. The key elements were:
In FreeRADIUS Users:
    Provide the IP Address and the Subnet Mask
    In Routes, add the IP-range of your LAN
In Mobile Clients:
    Do not provide a range in Virtual IPv4 Address Pool (if you do, it overrides the RADIUS settings)
    Provide a domain name and a list of split domain names (probably not important)
In Phase 1:
    Connection method: default, Key Exchange V2
    Method EAP-RADIUS, My Identifier: Distinguished Name, and name is the reverse resolvable FQDN
    encryption algorithms: AES256, hash algorithms: SHA1 & SHA256, DH: 14
In Phase 2:
    set Local Network to "Network, 0.0.0.0/0" (all traffic over the tunnel)
    encryption algorithms: AES256, hash algorithms: SHA1 & SHA256
In Firewall settings:
    Disable force gateway turned on
On the device (macOS, iOS) make sure the certificate and the 'certificate authority' certificate are installed. Make sure in macOS that they are trusted.
« Last Edit: December 05, 2022, 04:21:15 pm by gctwnl »
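The per-device static IP trick above only gives you usable per-device firewall rules if every RADIUS-assigned address is inside the LAN, outside the DHCP pool, and unique. The following is an added example (not from the thread, and not OPNsense's own code) that validates a constructed device table against those rules and emits the equivalent FreeRADIUS `users` stanzas; the LAN, DHCP pool, device names and passwords are placeholders, and the mapping of the plugin's "Routes" field to a `Framed-Route` attribute is an assumption.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.1.100"),
             ipaddress.ip_address("192.168.1.199"))
# device name -> (password placeholder, static LAN IP handed out via RADIUS)
DEVICES = {
    "alice-mac": ("CHANGE-ME-1", "192.168.1.21"),
    "bob-mac": ("CHANGE-ME-2", "192.168.1.22"),
}


def check_static_ip(ip_str, lan=LAN, pool=DHCP_POOL):
    """Return a list of problems with a proposed static VPN IP (empty = OK)."""
    ip = ipaddress.ip_address(ip_str)
    problems = []
    if ip not in lan:
        problems.append(f"{ip} is not inside LAN {lan}")
    elif ip in (lan.network_address, lan.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if pool[0] <= ip <= pool[1]:
        problems.append(f"{ip} collides with DHCP pool {pool[0]}-{pool[1]}")
    return problems


def users_file(devices=DEVICES, lan=LAN, pool=DHCP_POOL):
    """Build FreeRADIUS 'users' stanzas; raise on invalid or duplicate IPs."""
    seen = {}
    lines = []
    for name, (password, ip_str) in devices.items():
        problems = check_static_ip(ip_str, lan, pool)
        if ip_str in seen:
            problems.append(f"{ip_str} already assigned to {seen[ip_str]}")
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
        seen[ip_str] = name
        # Framed-IP-Address / Framed-IP-Netmask are the standard RFC 2865
        # attributes behind the plugin's "IP Address" and "Subnet Mask" fields.
        lines.append(f'{name} Cleartext-Password := "{password}"')
        lines.append(f"\tFramed-IP-Address = {ip_str},")
        lines.append(f"\tFramed-IP-Netmask = {lan.netmask},")
        # Assumed: the plugin's "Routes" field becomes a Framed-Route entry
        # of the form "prefix gateway metric"; 0.0.0.0 means "via the NAS".
        lines.append(f'\tFramed-Route = "{lan} 0.0.0.0 1"')
        lines.append("")
    return "\n".join(lines)
```

On OPNsense the os-freeradius plugin writes the users file itself from the GUI fields, so the generator is mainly useful for checking a planned address table before you type it in.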