Virtual Private Networking

A virtual private network secures public network connections and in doing so it extends the private network into the public network such as internet. With a VPN you can create large secure networks that can act as one private network.

(picture from wikipedia)

Companies use this technology for connecting branch offices and remote users (road warriors).

OPNsense supports VPN connections for branch offices as well as remote users.

Creating a single secured private network with multiple branch offices connecting to a single site can easily be setup from within the graphical user interface. For remote users, certificates can be created and revoked and a simple to use export utility makes the client configuration a breeze.

Supported VPN technologies

OPNsense offers a wide range of VPN technologies ranging from modern SSL VPNs to well known IPsec as well as older (now considered insecure) legacy options such as L2TP and PPTP.

Note

VPN technologies displayed with an open lock are considered to be insecure.

Integrated VPN options

Integrated solutions are those that are available within the GUI without installing any additional package or plugin. These include:

• IPsec

• OpenVPN (SSL VPN)

Plugin VPN options

Via plugins additional VPN technologies are offered, including:

• Legacy L2TP & PPTP

• OpenConnect - SSL VPN client, initially build to connect to commercial vendor appliances like Cisco ASA or Juniper.

• Stunnel - Provides an easy to setup universal TLS/SSL tunneling service, often used to secure unencrypted protocols.

• Tinc - Automatic Full Mesh Routing

• WireGuard - Simple and fast VPN protocol working with public and private keys.

• Zerotier - seamlessly connect everything, requires account from zerotier.com, free for up to 100 devices.

Log Files

When troubleshooting problems with your firewall, it is very likely you have to check the logs available on your system. In the UI of OPNsense, the log files are generally grouped with the settings of the component they belong to. The log files can be found here:

IPsec Log	VPN ‣ IPsec ‣ Log File	Everything around IPsec goes here
OpenVPN Log	VPN ‣ OpenVPN ‣ Log File	OpenVPN logs everything here

Note

Log files on file system: /var/log/ipsec.log (clog) /var/log/openvpn.log (clog)

Configuration

Please read our how-tos for configuration examples and more detailed information.

IPsec

• Setup IPsec Road-Warrior
• Setup IPsec site to site tunnel
• Setup a routed IPSec Tunnel
• IPSec BINAT (NAT before IPSec)
• IPsec: Setup Remote Access
• IPsec: Setup Android Remote Access
• IPsec: Setup Linux Remote Access
• IPsec: Setup OPNsense for IKEv2 EAP-RADIUS
• IPsec: Setup OPNsense for IKEv2 EAP-TLS
• IPsec: Setup OPNsense for IKEv1 using XAuth
• IPsec: Setup OPNsense for IKEv2 EAP-MSCHAPv2
• IPsec: Setup OPNsense for IKEv2 Mutual RSA + MSCHAPv2
• IPsec: Setup Windows Remote Access
• Microsoft Azure Route-based VPN

OpenVPN

• Setup SSL VPN Road Warrior
• Setup SSL VPN site to site tunnel

Other

• OpenConnect Setup
• Stunnel
• WireGuard Site-to-Site Setup
• WireGuard Road Warrior Setup
• WireGuard AzireVPN Road Warrior Setup
• WireGuard MullvadVPN Road Warrior Setup
• Zerotier Configuration