Getting IPsec VPN on OPNsense to work with iOS and macOS was too difficult.
OPNsense 23.1.7_3 (but verified up to OPNsense 24.7.5_3) iOS 16 and up macOS Monterey and up
This step is optional, but it helps to ensure that only users in the VPN group can obtain VPN access.
System → Access → Groups → + (Add) Group name: VPN Description: VPN users
System → Access → Users → + (Add) Username: vpnuser (or any other name that you prefer) Password: [password]
Optional (if you created the VPN group before) Group membership: make sure that "Member Of" contains "VPN"
VPN → IPsec → Mobile Clients [unless otherwise noted, all checkboxes are off] ✅ Enable IPsec Mobile Client Support Backend for authentication: Local Database (Optional, if you created a "VPN" group above): Enforce local group: VPN Virtual IPv4 Address Pool: ✅ Provide a virtual IPv4 address to clients Virtual IPv4 Address Pool: 192.168.2.0/24 DNS Servers: ✅ Provide a DNS server list to clients DNS Servers: Server #1: 192.168.1.1 (this needs to be the local IP of your OPNsense router) DNS Servers: Server #2: 8.8.8.8 (optional) DNS Servers: Server #3: 8.8.4.4 (optional) Phase 2 PFS Group: off [all other checkboxes are off]
Save, Apply changes
VPN → IPsec → Mobile Clients, press on "Create Phase1" at the top of the page, in the blue message bar. Connection method: default Key Exchange version: auto Internet Protocol: IPv4 Interface: WAN Description: Mobile VPN (or anything else descriptive)
Phase 1 proposal (Authentication) Authentication method: Mutual PSK + Xauth My identifier: My IP address Pre-Shared Key: (insert some randomly generate garbage, make sure you store it in a password manager)
Phase 1 proposal (Algorithms) Encryption algorithm: AES Encryption algorithm: 256 Hash algorithm: SHA256, SHA384, SHA512 DH key group: 2, 5, 14, 15, 16, 17, 18
Advanced options [all uncheck unless otherwise noted] Install policy: ✅ NAT Traversal: Enable Lifetime: 28800
Save, Apply changes
VPN → IPsec → Tunnel Settings [legacy], in the newly created Phase 1 row, press on the + in the "Commands" column. (Do NOT press on the + below the row, because that creates a new Phase 1 row.)
Mode: Tunnel IPv4 Description: (something descriptive or leave empty) Type: Network Address: 0.0.0.0 / 0 (that is, set "0.0.0.0" in the Address field and choose 0 from the dropdown) Protocol: ESP Encryption algorithms: AES128, AES192, AES256 Hash algorithms: SHA256, SHA384, SHA512 PFS key group: off Lifetime: 3600 Automatically ping host: [leave empty]
Save, Apply changes
VPN → IPsec → Tunnel Settings
✅ Enable IPsec (near the bottom of the page)
Apply changes
Firewall → Rules → WAN
Add the following three rules:
Interface: WAN TCP/IP Version: IPv4 Protocol: ESP Source: any Destination: WAN address Description: IPsec ESP
Interface: WAN TCP/IP Version: IPv4 Protocol: TCP/UDP Source: any Destination: WAN address Destination port range: from: ISAKMP, to: ISAKMP Description: IPsec ISAKMP
Interface: WAN TCP/IP Version: IPv4 Protocol: UDP Source: any Destination: WAN address Destination port range: from: IPsec NAT-T, to: IPsec NAT-T Description: IPsec NAT-T
The result should be:
IPv4 ESP * * WAN address * * * IPsec ESP
IPv4 UDP * * WAN address 500 (ISAKMP) * * IPsec ISAKMP
IPv4 UDP * * WAN address 4500 (IPsec NAT-T) * * IPsec NAT-T
Apply changes
Firewall → Rules → IPsec
Add the following rule:
Interface: IPsec TCP/IP Version: IPv4 Protocol: any Source: any Destination: any
The result should be:
IPv4 * * * * * * *
Apply changes
Firewall → NAT → Outbound
You should not have to touch anything here. But verify that Mode is set to "Automatic outbound NAT rule generation".
And verify that in the automatic rules you see the VPN network range listed under Source Networks (so 192.168.2.0/24 in this example).
Services → Unbound DNS → Access Lists
Add the following (using the + / Add button):
Access List name: 192.168.2.0/24 (this is an open field, it does not matter) Action: Allow Network: 192.168.2.0 / 24 (this needs to be the range you chose under Mobile Clients) Description: VPN DNS access
Save, Apply changes
Normally, a single user cannot create more than one simultaneous VPN connection (for example, using multiple devices). That means that a second device connecting to VPN with the same username would disconnect the first device's VPN connection.
You can change this by modifying/editing your Phase 1 and change the "Unique" parameter to one of the following values:
- Replace
- A new connection will replace any existing one.
- Keep
- A new connection will be blocked while there is an existing one
- No
- Multiple connections can be made
- Never
- The system will not check for multiple connections
Then save and apply the changes.
Previously, there was no UI option to fix this, so it required ssh access to the OPNsense server (via System → Settings → Administration → Enable Secure Shell).
Then ssh into the router, create file /usr/local/etc/ipsec.opnsense.d/uniqueids-override.conf and set it with the following contents:
config setup
uniqueids = no
Then trigger a VPN restart through the UI.
Yes, this is ridiculous, but it did solve DNS problems for me and a number of other problems.
First make sure that your iPhone is outside of your WLAN.
Settings → VPN → Add VPN Configuration...
Type: IPsec Description: [whatever you wish] Server: [public IP of OPNsense router] Account: vpnuser (or the user you added above) Password: [password of vpnuser] Use Certificate: [leave off] Group Name: [leave empty] Secret: [use the Pre-Shared Key configured above]
System Preferences → Network → + (Add) button near the bottom left
Interface: VPN, VPN Type: Cisco IPSec Service Name: VPN (OPNsense) (or whatever name you like) Server Address: [public IP of OPNsense router] Account Name: vpnuser (or the user you added above) Password: [password of vpnuser]
Under Authentication Settings: Shared Secret: [use the Pre-Shared Key configured above]
- OPNsense setup, albeit incomplete: https://docs.opnsense.org/manual/vpnet.html
- Netgate documentation: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev1-xauth.html
- A few forum discussions that helped
- VPN Configuration: https://forum.opnsense.org/index.php?topic=10955.0
- Debugging DNS: https://www.reddit.com/r/PFSENSE/comments/5y3qr1/pushing_dns_to_ipsec_clients/
- No internet access for VPN clients: https://forum.opnsense.org/index.php?topic=11340.0
- No internet access for VPN clients: https://forum.opnsense.org/index.php?topic=7477.0
- And more: https://forum.opnsense.org/index.php?topic=14141.0
- And even more: https://forum.opnsense.org/index.php?topic=14860.0;prev_next=prev#new
- Allowing same user to connect multpile times: https://forum.opnsense.org/index.php?topic=19462.0
Pretty much did exactly what it says on https://docs.opnsense.org/manual/how-tos/sslvpn_client.html with the added note that I checked "Redirect Gateway" to force all client traffic over the VPN. Furthermore, I used VPN → OpenVPN → Client Export to export the user's configuration as .ovpn file, which can be imported directly into OpenVPN for Windows.
You may be here looking to migrate away from OPNsense OpenVPN legacy to the new configuration.
These are unrelated to the above. To fix slow bootup problems timing out on ahcich0: https://forum.opnsense.org/index.php?topic=15727.0; in short, add # notrim to the first real line in /etc/fstab.
