Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
NATing LAN traffic through ipsec road warrior client
« previous
next »
Print
Pages: [
1
]
Author
Topic: NATing LAN traffic through ipsec road warrior client (Read 1708 times)
Aleppo
Newbie
Posts: 2
Karma: 0
NATing LAN traffic through ipsec road warrior client
«
on:
February 20, 2021, 03:38:53 pm »
I am trying to setup opnsense as an ipsec NAT & VPN router for clients connected on the local lan. That is, I want opnsense to NAT all LAN traffic, then transparently forward to the VPN provider. I think FreeBSD supports this kind of functionality because I was able to get it to work using OpenVPN and walking through NordVPN’s OpenVPN setup guidelines (
https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm
), but I specifically do not want to use OpenVPN because it is single-threaded, the VPN performance is horrible, and I have opnsense installed on a multi-core system.
The VPN provider has issued ipsec config files from which it is evident that they are a road warrior server and I am a road warrior client. There’s no web UI option in opnsense to support this kind of config but I was able to get an ipsec tunnel up by SSHing to opnsense and putting the config files in /usr/local/etc.
root@opnsense:~ # curl ifconfig.co
<my public IP address>
root@opnsense:~ # ipsec up provider
…
installing new virtual IP 10.6.0.4
created TUN device: tun0
selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA provider{9} established with SPIs c8ed15ee_i cfa73ef0_o and TS 10.6.0.4/32 === 0.0.0.0/0
connection ‘provider’ established successfully
root@opnsense:~ #
# curl ifconfig.co
<vpn provider’s public IP address>
The problem is that once the ipsec tunnel goes up, no traffic from LAN clients leaves the opnsense router.
I ran a packet capture from opnsense and what I see is that when the vpn tunnel is down, traffic generated by the clients and traffic generated on the router works normally and leaves via the em0 WAN interface, as I’d expect. However, when the tunnel is up, traffic generated by the router (which works) goes through the enc0 interface and traffic generated by client (which doesn’t work) goes through the tun0 interface.
Looking at web ui -> firewall -> log files -> live view, I see a curl request issued from both a LAN client and on the opnsense router showing up as green, matching on the ‘let out anything from firewall host itself’ rule. Both requests show the source as the virtual IP given by ipsec (10.6.0.4), so the client request appears to have been NATd correctly. The difference—agreeing w/ the packet capture—is that the request from the router was on interface enc0 while the request from the client was on interface tun0.
This leads me to think that I need to configure opnsense to forward client traffic through enc0 and not tun0. How would I do this?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
NATing LAN traffic through ipsec road warrior client