OpenVPN is a VPN service that allows remote networks or wireless clients, such as laptops, to connect to IPFire. This functionality is also available with the implementation of IPsec, but OpenVPN takes a different approach, based on SSL tunnels.
Using OpenVPN instead of IPSec is a matter of preference, though there are a few very good reasons to choose one over the other.
OpenVPN
- Easier to set up and configure
- Less likely to be blocked by intermediate routers
- Much better for site-to-site connections (where an entire network is connected to another network)
- Ability to do Ethernet-layer tunneling (not possible with IPSec)
- More stable, and troubleshooting is generally simpler.
- Standard for OpenSource projects
IPSec
- More widely used in industry
- Available with proprietary routers (most proprietary routers do not support OpenVPN)
- Arguably more secure, since OpenVPN users can (and sometimes do) set their passwords empty, allowing a connection without a passphrase.
- Formally standardized via IETF RFC 3193
- De Facto standard for Microsoft products.
See this article for some additional in-depth information about the two.
OpenVPN on IPFire for Dummies
For users who are just learning and looking to set up a VPN for safer browsing, here is some important information that may affect how you proceed:
- OpenVPN on IPFire is designed to allow remote devices to connect to IPFire. This setup does not depend on a free or paid VPN provider or on access to their network. OpenVPN allows you to set up a private VPN that you control between your IPFire firewall and a remote laptop/phone/tablet connected via a public network. You are in control!
- You do not need to (and most likely should not) pay a VPN provider to connect their VPN network to your IPFire setup. While this can be done manually behind the scenes, it is not advised, which is why the IPFire OpenVPN configuration does not include a simple GUI for connecting your IPFire to a free/paid VPN network. It is not easy to find because it is strongly recommended not to do it.
- IPFire's OpenVPN will not give you the ability to connect to servers around the world to change your apparent location for streaming purposes. This is one feature that VPN providers can offer that an IPFire-based OpenVPN setup cannot.
- The Trust Debate: Should you pay a VPN Provider to use their VPN? Can you trust them? Do some research to decide if it is right for you.
Overview
This documentation is divided into four areas. Start with the configuration, which covers everything worth knowing; advanced users will find tips and tricks under extensions. Smartphones are often not so easy to configure, but there is help available in this wiki.
- Configuration - The various configurations of OpenVPN on IPFire
- Extensions - A collection of extensions contributed by OpenVPN users
- Smartphones/Tablets - Configure Smartphones and Tablets for OpenVPN
- Troubleshooting - What can be done if something does not work
- Transition to OpenSSL 3 - Transitioning to OpenSSL 3
Initial setup

Below is a quick explanation of what each setting does:
- "OpenVPN on RED" = Enables the OpenVPN server on the RED interface so that incoming connections are accepted
- "Local VPN Hostname/IP" = Your IPFire public IP address or ISP-assigned hostname (e.g. dynamic.ispservice.com)
- "Protocol" = Protocol that the VPN uses. Set to "UDP" by default
- "OpenVPN subnet" = Default address pool OpenVPN will assign client addresses from. (The pool must be written as ip/subnet mask; the short prefix format such as /24 is not supported)
- "MTU size" = Determines the maximum transmission unit (by default 1400, max. 1500)
- "Destination port" = Port the VPN listens on. IPFire automatically handles the port forwarding for OpenVPN when enabled (default port 1194)
- "Hash algorithm" = Sets the hash algorithm type (default SHA2 (512-bit))
- "Encryption" = Sets the encryption cipher for the traffic (default AES-CBC (256-bit))
- "TLS Channel Protection" = Secures the control channel by signing and verifying the packets with a shared group key.
BEFORE STARTING!
Make sure to generate host certificates using the "Certificate Authorities and -Keys" section further down the page! If you don't generate host certificates you cannot proceed with this guide!
Static IP Address Pools

Static pools help, for example, to separate different user groups from each other. In the above example "Building X" gets the address pool 10.6.23.0 reserved for it while "Building B" gets 10.6.34.0. Please note that the addresses must be provided in the format "0.0.0.0/255.255.255.0". The service won't accept a subnet written with a prefix length such as "/24".
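The format rule above (and the same rule for the "OpenVPN subnet" setting) is easy to get wrong when preparing pools by hand. The following added example, which is not IPFire's own code, checks a dynamic pool and a set of named static pools the way the web interface expects them: dotted netmask rather than "/24", a contiguous mask, no host bits set, and, as an assumption of this example, no overlap between any two pools.

```python
# Added example (not part of IPFire): validate OpenVPN address pools in the
# "network/dotted-netmask" form that the IPFire web interface requires.
import ipaddress
import re
from typing import Dict, List, Tuple

_DOTTED = r"\d{1,3}(?:\.\d{1,3}){3}"
_POOL_RE = re.compile(rf"^({_DOTTED})/({_DOTTED})$")


def parse_pool(spec: str) -> ipaddress.IPv4Network:
    """Return the network for a pool written as 'a.b.c.d/w.x.y.z'.

    Raises ValueError for the short prefix form ('10.6.23.0/24'), for a
    non-contiguous netmask, and for a network address with host bits set.
    """
    m = _POOL_RE.match(spec.strip())
    if not m:
        raise ValueError(f"pool must be written as ip/netmask, got {spec!r}")
    net, mask = m.groups()
    # strict=True rejects e.g. 10.6.23.1/255.255.255.0 (host bits set);
    # ipaddress itself rejects masks whose set bits are not contiguous.
    return ipaddress.IPv4Network((net, mask), strict=True)


def check_pools(dynamic: str, static: Dict[str, str]) -> List[str]:
    """Validate the dynamic pool plus the named static pools.

    Returns a list of human-readable problems; an empty list means all good.
    """
    problems: List[str] = []
    nets: List[Tuple[str, ipaddress.IPv4Network]] = []
    for name, spec in [("dynamic pool", dynamic), *static.items()]:
        try:
            nets.append((name, parse_pool(spec)))
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    # Assumption of this example: every pool must be disjoint from every other.
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return problems


if __name__ == "__main__":
    # Constructed sample: the two building pools from the text plus a dynamic pool.
    print(check_pools("10.6.0.0/255.255.255.0",
                      {"Building X": "10.6.23.0/255.255.255.0",
                       "Building B": "10.6.34.0/255.255.255.0"}))
```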
Setting up a Host-to-Net (RoadWarrior) connection
Setting up a RoadWarrior connection allows you to access devices and services such as a NAS from anywhere, without the need to expose dangerous ports to the internet. A RoadWarrior connection works the way commercial VPN services do: it encrypts traffic and routes it through another network, which in this case is your home or office.

The section above should be empty in your case if you haven't added any connections yet.
While looking at the Connection Status and -Control, click "Add"

Select "Host-to-Net Virtual Private Network (RoadWarrior)" and click "Add"

On this page you may name your connection and select a separate subnet. In this example we'll be using the default dynamic pool. Generate certificates for the connection or upload them if you already have them. If you want a semi-permanent connection, you may set "Valid till" to 7300 days, for example. Below you can choose whether you want to use OTP (One Time Passcode), redirect the gateway, select which networks the client can access and even set custom DNS addresses.
Once you're happy, you may click "Save". If you chose to generate new certificates the loading might take longer depending on your hardware.

You'll be able to see the Connection Status and -Control again. If you chose to use OTP you may use the QR code. If you didn't, click "Download Insecure Client Package (zip)"; this will include everything you need, including the keys and the .ovpn profile file. Alternatively, uncheck the connection if you no longer want it to be used.
You'll need client software to run the OpenVPN connection. You may download it here.
When connected successfully from the Windows client the connection looks like this:

Tips
- The OpenVPN service does not need additional port forwarding rules
- You may create firewall rules that control which ports the OpenVPN network can access
- Being behind a CGNAT (Carrier-Grade NAT) won't allow clients to connect to the server. Please request a dynamic or static public address from your ISP if you are behind CGNAT
Troubleshoot
- "OpenVPN gives 'Server Poll Timeout', what do I do?"
Make sure the IP/hostname in your client profile matches your IPFire's hostname/IP. If that doesn't help, note the public IP shown by IPFire and compare it with the output of the command "curl ifconfig.me". If the IPs don't match, you're behind a CGNAT and cannot proceed.
- "The service asks me for a username/password but I didn't set one"
Remove the following lines from the configuration file, reimport it and try again.
- "I don't have the options shown!"
Make sure you picked "Host-to-Net (Roadwarrior)" and not "Net-to-Net".
- "The OpenVPN client/server is doing X, Y and Z"
Contact the OpenVPN support people, as client applications are outside of IPFire's scope. If you believe the problem you are experiencing is a problem with the IPFire service, please make a post at the Community Forums.