The example users are ``John`` and ``Laura``. The example FQDN is ``vpn1.example.com``.
..Hint::
Any IPv6 functionality is optional. If you don't want to use IPv4+IPv6 dual stack, just skip all IPv6 addresses/networks and focus on IPv4. Its also possible to skip IPv4 and create native IPv6 tunnels.
-----------------------------
Methods for Roadwarrior Setup
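Review bot: the hint directive in this hunk will not render: reStructuredText needs a space after the two dots and a lowercase directive name, so `..Hint::` should be `.. hint::`; as written Sphinx treats the line as a comment and the IPv6 note disappears from the page. Same block, `Its also possible to skip IPv4` should read `It's also possible to skip IPv4`.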
@ -30,14 +34,15 @@ Methods for Roadwarrior Setup
:ref:`Method 1 - Shared IP pool for all roadwarriors <rw-swanctl-method1>`
- Benefit: Easy configuration and works with most clients out of the box.
- Drawback: All configured EAP Identities can authenticate with this connection, so you can't have tight access control. Roadwarriors don't have unique IP addresses.
- **Benefit:** Easy configuration and works with most clients out of the box.
- **Drawback:** All configured EAP Identities can authenticate with this connection, so you can't have tight access control. Roadwarriors don't have unique IP addresses.
:ref:`Method 2 - Static IP address per roadwarrior <rw-swanctl-method2>`
- Benefit: Tight security because every user can be controlled individually with firewall rules. The whole configuration is stored in one file (swanctl.conf). There are no other dependencies, so it won't break suddenly in the future.
- Drawback: Configuration needs more time and might not scale with large user counts. Windows native VPN client doesn't like this configuration very much because it demands the eap identity exchange method.
- **Benefit:** Tight security because every user can be controlled individually with firewall rules. The whole configuration is stored in one file (swanctl.conf). There are no other dependencies, so it won't break suddenly in the future.
- **Drawback:** Configuration needs more time and might not scale with large user counts. Windows native VPN client doesn't like this configuration very much because it demands the eap identity exchange method.
-------------
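Review bot: the bolded Benefit/Drawback labels help, but the two drawbacks are the lines a reader uses to pick a method and they are still imprecise: for Method 1, `Roadwarriors don't have unique IP addresses` would state the consequence more clearly as "so you cannot write per-user firewall rules", which is exactly what Method 2's benefit claims to fix; for Method 2, `eap identity exchange method` is lowercase while the same term is `EAP Identities` two items up, and `swanctl.conf` should be a literal (``swanctl.conf``) like the other identifiers on this page.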
@ -47,14 +52,112 @@ Prerequisites
System: Trust: Authorities
--------------------------
Create a certificate authority which will be used to create server certificates for your IPsec VPN. The lifetime of the CA is 10 years, if it expires you have to deploy new CA certificates to all clients.
Create a server certificate for your IPsec VPN. The lifetime of the certificate is around 1 year, if it expires you have to renew the certificate on the OPNsense or your clients can't connect anymore.
Your OPNsense Firewall has the example IP Subnets ``203.0.113.0/24`` and ``2001:db8:1234::/48``. The FQDN can point to any bindable IPv4 and IPv6 address in those subnets. It will be used by clients to connect to the IPsec VPN Server - and by the OPNsense to bind the local listen address.
- Create an A-Record with your external DNS provider, for example ``vpn1.example.com in A 203.0.113.1``
- *Optional:* Create an AAAA-Record Record, for example ``vpn1.example.com in AAAA 2001:db8:1234::1``
Firewall: Aliases
-----------------
Create an alias for the IP addresses of your FQDN. That way you can create a combined IPv4/IPv6 rule to allow incoming connections to your IPsec VPN server.
Since this roadwarrior configuration will use UDP encapsulation, the ESP packets will be encapsulated inside UDP packets. That's why you don't need a rule to allow the ESP protocol. You only need a firewall rule to allow UDP 500 and UDP 4500. Use the aliases you created in the prior step.
Update your OPNsense at least to Version 23.7.4, that's the version that introduced ``EAP id: %any`` which is used in Method 1. If you stay on a lower Version, you can only configure Method 2.
..Note::
- Now that the Prerequisites have been met, you can choose where to continue:
- :ref:`Method 1 - Shared IP pool for all roadwarriors <rw-swanctl-method1>`
- :ref:`Method 2 - Static IP address per roadwarrior <rw-swanctl-method2>`
..Attention::
- Don't create both methods on your OPNsense at the same time, it's a potential security risk.
- Only create **one connection** where you use ``EAP id: %any`` (Method 1). If you create multiple connections with ``EAP id: %any``, any roadwarrior can connect to any of them.
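Review bot: the firewall paragraph says no ESP rule is needed because "this roadwarrior configuration will use UDP encapsulation", but nothing in the prerequisites names the connection setting that forces encapsulation for every client; if encapsulation only happens when NAT is detected, a client on a public address will send plain ESP and be dropped by a rule set that allows only UDP 500 and 4500, so the prerequisite should state the setting the later methods rely on. Same hunk: `..Note::` and `..Attention::` have the directive syntax problem (`.. note::`, `.. attention::`) and will render as comments, which would hide the warning not to run both methods at once; and the two lifetime sentences are comma splices (`10 years, if it expires` and `around 1 year, if it expires`) that read better split at the comma.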