@ -26,6 +26,8 @@ The example users are ``John`` and ``Laura``. The example FQDN is ``vpn1.example
..Hint::
Any IPv6 functionality is optional. If you don't want to use IPv4+IPv6 dual stack, just skip all IPv6 addresses/networks and focus on IPv4. Its also possible to skip IPv4 and create native IPv6 tunnels.
..Warning::
Don't copy security relevant configuration parameters like passwords into your configuration. Create your own!
-----------------------------
Methods for Roadwarrior Setup
@ -49,6 +51,9 @@ Methods for Roadwarrior Setup
Prerequisites
-------------
..Attention::
In all following examples, parameters that should be empty or at default are **omitted**. *Don't change them without a good reason.*
System: Trust: Authorities
--------------------------
@ -73,7 +78,7 @@ Create a certificate authority which will be used to create server certificates
System: Trust: Certificates
---------------------------
Create a server certificate for your IPsec VPN. The lifetime of the certificate is around 1 year, if it expires you have to renew the certificate on the OPNsense or your clients can't connect anymore.
Create a server certificate for your IPsec VPN. The lifetime of the certificate is 1 year, if it expires you have to renew the certificate on the OPNsense or your clients can't connect anymore.
@ -83,7 +88,7 @@ Create a server certificate for your IPsec VPN. The lifetime of the certificate
**Key Type:** RSA
**Key lenght (bits):** 2048
**Digest Algorithm:** SHA256
**Lifetime (days):** 397
**Lifetime (days):** 365
**Country Code:** Enter your Country Code
**State or Province:** Enter Your State
**City:** Enter your City
@ -170,15 +175,104 @@ Method 1 - Shared IP pool for all roadwarriors
1.1 - VPN: IPsec: Connections: Pools
------------------------------------
Create an IPv4 pool that all roadwarriors will share. This configuration will result in 256 usable IPv4 addresses. Please note that this is not a network, it's a pool of IP addresses that will be leased.
The IPv6 pool is not a /64 Prefix, because it's used to define a pool of IPv6 addresses that can be used as leases. Prefix /120 means there are 256 IPv6 addresses available. The hard limit of strongswan pools is Prefix /97.
1.2 - VPN: IPsec: Pre-Shared Keys
---------------------------------
Create EAP Pre-Shared Keys. The local identifier is the username, and the Pre-Shared Key is the password for the VPN connection.
Instead of ``john@vpn1.example.com`` you can use any string as local identifier, for example only ``john``. If you have multiple VPN servers, the FQDN makes it easier to know which one the user is assigned to.
1.3 - VPN: IPsec: Connections
-----------------------------
- Enable IPsec with the checkbox at the bottom left and apply. If you forget to do this nothing will work.
- Press **+** to add a new Connection, enable **advanced mode** with the toggle.
This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak.
Press **+** to add a new Child, enable **advanced mode** with the toggle.
If a roadwarrior has more than one device, you can provide them a larger pool. For example /31 would result in 2 IPv4 addresses, and /127 in 2 IPv6 addresses. You will have to keep track of this yourself though, don't configure pools that overlap.
2.2 - VPN: IPsec: Pre-Shared Keys
---------------------------------
Create EAP Pre-Shared Keys. The local identifier is the username, and the Pre-Shared Key is the password for the VPN connection.
Instead of ``john@vpn1.example.com`` you can use any string as local identifier, for example only ``john``. If you have multiple VPN servers, the FQDN makes it easier to know which one the user is assigned to.
2.3 - VPN: IPsec: Connections
-----------------------------
- Enable IPsec with the checkbox at the bottom left and apply. If you forget to do this nothing will work.
**2.3.1 Create connection for john@vpn1.example.com:**
- Press **+** to add a new Connection, enable **advanced mode** with the toggle.
This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak.
Press **+** to add a new Child, enable **advanced mode** with the toggle.
This is where you select the networks your roadwarrior should be able to access. In a split tunnel scenario, you would specify the example LAN nets ``192.168.1.0/24`` and ``2001:db8:1234:1::/64`` as local traffic selectors. In a full tunnel scenario (all traffic forced through the tunnel) you would specify ``0.0.0.0/0`` and ``::/0`` as local traffic selectors. The following example child will use the full tunnel method. A full tunnel is generally more secure - especially with IPv6 involved - since no traffic can leak.
Press **+** to add a new Child, enable **advanced mode** with the toggle.