OpenVPN is a flexible and reliable VPN solution that works well for remote users connecting to a central network—often called a “roadwarrior” setup. Unlike IPsec, which is typically used for site-to-site connections, or WireGuard, which prioritises simplicity and high performance, OpenVPN offers extensive configuration options and strong encryption. Its broad platform support and versatility make it an excellent choice for individuals and employees who need secure access from anywhere.
Overview
This documentation is divided into four areas. The first covers everything worth knowing about the configuration. Smartphones are often not so easy to configure, but help is available in this wiki.
- Configuration - Here are the various configurations of OpenVPN on IPFire
- Smartphones/Tablets - Configure Smartphones and Tablets for OpenVPN
- Troubleshooting - What can be done if something does not work
Initial setup

The initial setup of OpenVPN is quickly done. After generating the root and host certificates, you can enable the service with the checkbox on the main page. If you set up your IPFire system with a non-globally resolvable FQDN, you can edit it in the field FQDN. Clients resolve this name to find this OpenVPN server. Last, you will have to choose a new subnet for the OpenVPN clients. This subnet must not be used anywhere else.
Hit "Save" to start the OpenVPN service.
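One way to check the subnet requirement before saving, as an added example that is not part of the IPFire documentation or code: the script below reports which existing networks a candidate OpenVPN subnet overlaps and picks the first free subnet from a pool. The network names and address ranges are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: networks already used on or behind the firewall.
# Names and ranges are assumptions for illustration, not values from this page.
NETWORKS_IN_USE = {
    "lan": "192.168.1.0/24",
    "wifi": "192.168.2.0/24",
    "dmz": "10.0.0.0/24",
    "remote-office": "10.8.0.0/16",
}


def find_conflicts(candidate, in_use=NETWORKS_IN_USE):
    """Return the sorted names of networks that overlap the candidate subnet."""
    # strict=True rejects input with host bits set (e.g. 10.9.0.1/24), so a
    # mistyped network address fails loudly instead of being silently masked.
    cand = ipaddress.ip_network(candidate, strict=True)
    conflicts = []
    for name, cidr in in_use.items():
        net = ipaddress.ip_network(cidr, strict=True)
        # Only compare networks of the same IP version.
        if cand.version == net.version and cand.overlaps(net):
            conflicts.append(name)
    return sorted(conflicts)


def first_free_subnet(pool, prefixlen, in_use=NETWORKS_IN_USE):
    """Return the first subnet of the given size in pool that overlaps nothing."""
    for subnet in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not find_conflicts(str(subnet), in_use):
            return str(subnet)
    return None  # the whole pool is already covered by networks in use


if __name__ == "__main__":
    for candidate in ("10.8.0.0/24", "10.9.0.0/24"):
        clashes = find_conflicts(candidate)
        print(candidate, "conflicts with", clashes if clashes else "nothing")
    print("first free /24 in 10.0.0.0/8:", first_free_subnet("10.0.0.0/8", 24))
```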
Advanced Configuration
The OpenVPN service in IPFire is very powerful and can be configured in a versatile way to accommodate special environments:
Setting up a Host-to-Net (RoadWarrior) connection
Setting up a RoadWarrior connection allows you to access devices and services such as a NAS from anywhere, without the need to expose dangerous ports to the internet. A RoadWarrior connection acts like a commercial VPN service would, encrypting traffic and routing it through another network, which in this case is your home or office.

The section above should be empty in your case if you haven't added any connections.
While looking at the Connection Status and -Control, click "Add".

Select "Host-to-Net Virtual Private Network (RoadWarrior)" and click "Add"

On this page you may name your connection and select a separate subnet. In this example we'll be using the default dynamic pool. Generate certificates for the connection or upload them if you already have them. If you want a semi-permanent connection, you may set "Valid till" for example to 7300 days instead. Below you can choose if you want to use OTP (One Time Passcode), redirect gateway, select which networks the client can access and even set custom DNS addresses.
Once you're happy, you may click "Save". If you chose to generate new certificates, loading might take longer depending on your hardware.

You'll be able to see the Connection Status and -Control again. If you chose to use OTP, you may use the QR code. If you didn't, click "Download Insecure Client Package (zip)"; this will include everything you need, including keys and the .ovpn profile file. Alternatively, uncheck the connection if you no longer want it to be used.
You'll need client software to run the OpenVPN connection. You can use the following links to download it:
OpenVPN GUI client - open source community edition
or
OpenVPN Connect official client
When connected successfully from the Windows client the connection looks like this:
