IPSec Clients Restricted to LAN (no WAN access)

Started by johnstonjs, September 08, 2019, 06:38:50 AM

First, thank you for making such a fantastic firewall, keeping it updated, and enabling so many capabilities with it.

There's one function provided that I have been unable to get working as intended - IPSec Road-Warrior with Tunneled Internet Access.

I want mobile devices, including laptops, tablets, and phones, to be able to connect using IPSec VPN and have access to both the internal network [LAN] and route all internet traffic through the VPN [WAN].  So far I can get very effective access to the internal network [LAN], but depending on settings will either get non-tunneled access to the internet, or no access to the internet.

This seems to be a recurring issue, as resource [2] outlines the exact problem I'm currently having.  Unfortunately, I've attempted to implement all of the steps shown, including creation of a manual NAT rule for IPSec routing to no avail.

Following the Road-Warrior guide in resource [1], I'm able to connect to the internal network but the connection to any internet site is not routed through the VPN.  Previous forum postings [3] and [4] show similar issues, while [2] and [5] provide guidance on how to resolve.  Unfortunately, none of this is working for me.

My ipsec.conf file is configured with (obscuring actual hostname):


# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
 
  left = %any
  right = %any
 
  leftid = my.personal.domain
  ikelifetime = 1440s
  lifetime = 1440s
  rightsourceip = 192.168.2.0/24
  ike = aes256-sha256-modp2048!
  leftauth = pubkey
  rightauth = eap-radius
  rightsendcert = never
  eap_identity = %any
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  leftsubnet = 0.0.0.0/0
  esp = aes256-sha256-modp2048!
  auto = add

include ipsec.opnsense.d/*.conf


Finding local domains seems to work fine.  Using Unbound DNS I have an override for the OPNSense domain name (my.personal.domain in ipsec.conf) which redirects to the local IP.  This lets me use LetsEncrypt on the OPNSense web interface.  Pointing a VPN-connected client to my.personal.domain brings up the OPNSense web interface, which is only accessible on LAN.  Unfortunately, attempting to access any other domain results in a timeout.

I've tried following the guidance in [2] and [5] below, but without success.  If anyone can help, please let me know.  I'm happy to provide additional configuration details as needed.

Thanks in advance!

Online resources used:
1: https://docs.opnsense.org/manual/how-tos/ipsec-road.html
2: https://forum.opnsense.org/index.php?topic=11340.0
3: https://forum.opnsense.org/index.php?topic=6842.0
4: https://forum.opnsense.org/index.php?topic=7341.0
5: https://forum.opnsense.org/index.php?topic=9478.0

Have you been contacted by OPNsense development regarding this flaw?

Ted Quade


I have switched to an alternate product and will not be pursuing this any further with OPNsense.

Ted Quade

Okay, thanks for your cooperation. ;)


Cheers,
Franco

Thanks for replying.  I'm still using OPNSense, and satisfied with everything except the IPSec functionality.  I'll open a bug report on GitHub, thank you for the link.

I've continued to try troubleshooting this, but to no avail.  As I'll note on GitHub, I'm happy to share whatever config files/logs are needed to help resolve.

Users in another thread identified the key Firewall entry that was causing my issue:

https://forum.opnsense.org/index.php?topic=14625.0

The fix was to have a Firewall Rule for IPSec that allows traffic to ANY.  Previously, I had separate entries for LAN and WAN.

Protocol   Source   Port   Destination   Port   Gateway   Schedule   Description
IPv4 *     *        *      *             *      *         *          Allow IPSec traffic to ANY (*)
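To make the cause of the fix above concrete, here is an added example (not from the thread or from OPNsense's own code) that models the firewall behaviour the poster ran into: with leftsubnet = 0.0.0.0/0 the client sends all of its traffic into the tunnel, but on the IPsec interface "LAN net" and "WAN net" are the two interface subnets, not "everything reachable through WAN", so a packet to an Internet host matches neither rule and falls to the default deny. The LAN and WAN subnets, the client address and the target hosts are constructed for illustration; only the 192.168.2.0/24 pool comes from the posted ipsec.conf.

```python
"""Model of pass-rule evaluation on an OPNsense IPsec interface.

Added example, not part of the forum thread. Subnets other than the
VPN pool are constructed placeholders.
"""
import ipaddress
import re

# Constructed addressing: the thread only gives the VPN client pool.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed LAN subnet
WAN_NET = ipaddress.ip_network("203.0.113.0/24")    # assumed WAN interface subnet
VPN_POOL = ipaddress.ip_network("192.168.2.0/24")   # rightsourceip from the thread

# Destination aliases as the firewall GUI presents them. "WAN net" is the
# WAN interface's own subnet; it does not mean "the Internet".
ALIASES = {
    "LAN net": [LAN_NET],
    "WAN net": [WAN_NET],
    "any": [ipaddress.ip_network("0.0.0.0/0")],
}

# Trimmed copy of the relevant conn settings from the posted ipsec.conf.
IPSEC_CONF = """\
conn con1
  keyexchange = ikev2
  rightsourceip = 192.168.2.0/24
  leftsubnet = 0.0.0.0/0
  auto = add
"""


def conn_settings(conf_text):
    """Parse indented 'key = value' lines of a strongSwan conn block into a dict."""
    settings = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s+(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def is_full_tunnel(conf_text):
    """True when the gateway offers 0.0.0.0/0 as traffic selector, so the
    client routes all of its traffic through the tunnel."""
    subnets = conn_settings(conf_text).get("leftsubnet", "")
    everything = ipaddress.ip_network("0.0.0.0/0")
    return any(ipaddress.ip_network(s.strip()) == everything
               for s in subnets.split(",") if s.strip())


def allowed(rules, src, dst):
    """First-match evaluation of pass rules (pf 'quick' semantics).

    rules: list of (source_alias, destination_alias). A packet that matches
    no pass rule is denied by the interface's default deny.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for src_alias, dst_alias in rules:
        src_ok = any(src in net for net in ALIASES[src_alias])
        dst_ok = any(dst in net for net in ALIASES[dst_alias])
        if src_ok and dst_ok:
            return True
    return False


# The poster's original rule set: one pass rule per internal network.
RULES_SPLIT = [("any", "LAN net"), ("any", "WAN net")]
# The fix reported in the thread: a single pass rule with destination ANY.
RULES_ANY = [("any", "any")]


def blocked_destinations(rules, client="192.168.2.10",
                         targets=("192.168.1.5", "203.0.113.2", "1.1.1.1")):
    """Return the targets a VPN client (constructed address) cannot reach
    under the given rule set: a LAN host, a host on the WAN subnet, and an
    Internet resolver."""
    return [t for t in targets if not allowed(rules, client, t)]


if __name__ == "__main__":
    print("full tunnel offered:", is_full_tunnel(IPSEC_CONF))
    print("blocked with LAN/WAN rules:", blocked_destinations(RULES_SPLIT))
    print("blocked with ANY rule:", blocked_destinations(RULES_ANY))
```

The pass rule only decides whether the packet may leave the IPsec interface; the manual outbound NAT entry the poster mentions is a separate requirement, since without it the 192.168.2.x source address would leave the WAN unmasqueraded and replies would never come back.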