The OpenVPN service in IPFire can be configured to accommodate a large number of special environments. Normally these settings don't need changing, and you should only proceed if you know what you are doing.

Protocol Settings

Transport Protocol & Destination Port

OpenVPN supports encapsulating its packets in UDP or TCP packets. UDP is the default and the preferred choice, because it avoids the extra overhead of the TCP protocol. By default, the OpenVPN service listens on port 1194.

Normally, this does not need to be changed, but it is possible to disguise OpenVPN as HTTPS traffic by choosing TCP/443, or as IMAPS traffic by choosing TCP/993.

MTU

The MTU of the OpenVPN interface. This defines the maximum size of packets that can pass through the tunnel without requiring fragmentation. The default is 1420.

mssfix & fragment

These options are an outdated way of reducing fragmentation on OpenVPN connections. Enabling mssfix lets OpenVPN tell TCP connections that run through the tunnel the maximum segment size it can transport. fragment lets OpenVPN split packets into multiple parts before sending them.

These options exist to support older installations and should not be used any more.

Cryptographic Settings

Ciphers

In this list, you can select which ciphers OpenVPN will offer to any roadwarrior clients. The default is to use AES in GCM mode with both 256 and 128 bit key lengths, as well as ChaCha20-Poly1305. All of these are so-called AEAD ciphers and do not require the extra hashing step described below.

For older clients, AES in CBC mode is supported as well, but should be avoided in favour of GCM if possible.

Hash Algorithm

As well as encrypting packets, OpenVPN will have to ensure the integrity of any packets traversing the tunnel. This is done using a hash algorithm which can be chosen here. If an AEAD cipher is being used, this option has no effect.

The default is SHA2-512.

TLS Channel Protection

OpenVPN uses TLS to set up a secure control channel between the client and the server. This control channel is where the two sides exchange keys, authentication data, and configuration information before the VPN tunnel itself carries your actual traffic. TLS channel protection adds an extra layer of security to this handshake by making sure that only someone who already knows a secret (like a pre-shared certificate) can even talk to the OpenVPN server.

Without this protection, an attacker could repeatedly try to connect and guess credentials, or use the handshake messages to gather information about your server. With TLS channel protection enabled, the server ignores any connection attempt that doesn’t include the correct initial secret, effectively hiding itself from unauthorized scanners and brute-force attacks.

This is enabled by default.

Fallback Cipher

Older versions of OpenVPN were not able to negotiate the cipher between server and client. If you have any such clients on your network, you will need to keep this setting identical to what is configured on all those clients for their connections to work.

Do not use this on new installations. This setting will be removed soon as support has been deprecated in OpenVPN.
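As an added example that is not part of the IPFire documentation or its code, the following Python script audits an OpenVPN server configuration against the advice in the mssfix & fragment, Ciphers, TLS Channel Protection and Fallback Cipher sections above. It assumes OpenVPN 2.5+ directive names; the two sample configurations are constructed for the example and the ta.key path is a placeholder.

```python
# Added example, not IPFire's own code: audit an OpenVPN server config
# against the guidance on this page. Sample configs are constructed;
# the ta.key path is a placeholder.
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}


def parse_config(text: str) -> dict[str, list[str]]:
    """Map each directive name to the argument strings it was given."""
    cfg: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        name, _, args = line.partition(" ")
        cfg.setdefault(name, []).append(args.strip())
    return cfg


def audit(text: str) -> list[str]:
    """Return findings that conflict with the recommendations above."""
    cfg = parse_config(text)
    findings: list[str] = []
    for legacy in ("mssfix", "fragment"):  # outdated fragmentation helpers
        if legacy in cfg:
            findings.append(f"{legacy}: legacy option, remove it")
    offered = cfg.get("data-ciphers", [""])[0].split(":")
    non_aead = [c for c in offered if c and c.upper() not in AEAD_CIPHERS]
    if non_aead:  # e.g. AES-CBC still offered to clients
        findings.append("data-ciphers: non-AEAD cipher offered: " + ",".join(non_aead))
    if "tls-crypt" not in cfg and "tls-auth" not in cfg:
        findings.append("tls-crypt/tls-auth: TLS channel protection is off")
    if "data-ciphers-fallback" in cfg:  # only for clients without negotiation
        findings.append("data-ciphers-fallback: remove on new installations")
    return findings


WEAK_CONF = """proto udp
mssfix 1400
fragment 1300
data-ciphers AES-256-GCM:AES-256-CBC
auth SHA512
data-ciphers-fallback AES-256-CBC
"""

HARDENED_CONF = """proto udp
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA512
tls-crypt /path/to/ta.key  # placeholder path
max-clients 50
"""
```

Running `audit(WEAK_CONF)` yields five findings, one per deviation, while `audit(HARDENED_CONF)` returns an empty list.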

DHCP Settings

Although OpenVPN does not directly use DHCP, it can push settings to the client - just like DHCP would do. These are as follows:

  • Domain - The DNS search domain
  • DNS - DNS servers that the client should use instead of those received from a local DHCP server
  • WINS - Instruct the client to use these WINS servers

Routing Settings

By default, clients will only route some packets through the OpenVPN tunnel (split-tunnelling). In some setups it is desirable that the client sends all traffic through the tunnel. This can be achieved by checking the Push Default Route checkbox.

Otherwise, you can push additional routes to networks that should be reachable to all OpenVPN clients (one per line).

Misc. Settings

To avoid overloading of the OpenVPN server, you can limit the maximum number of simultaneous connected clients.