Add a new client

After configuring the server certificates, global the advanced settings and possibly the static ip-pool, the last step on in setting up OpenVPN with IPFire is to create a new connection for the client.

By clicking the Add button, the next dialog leads to the selection of the connection type.

Connection Type

For a Roadwarrior click Host-to-Net Virtual Private Network (Roadwarrior) and then press the Add button.

The other two options are related to a network-to-network connection and will not be introduced at this point but can be viewed here.


Now you will be prompted to choose a name for the connection (e.g., LT4702) and an optional remark.

Choose network

In this area, you can select the type of network. There are, as well as before Core 65, dynamic address ranges (ovpn-leases.db) where the server assigns the client to a dynamic pool of IP addresses. Furthermore, since Core 65 there can be selected also "Static IP address pools" so the range of potential OpenVPN subnets and clients becomes much bigger. But this will also ensure that the clients get also always the same IP address. This also can be really important , e.g. to create appropriate firewall rules.

  • Dynamic OpenVPN IP address pool ( - Assigns automatically IP's from the same subnet which is specified in the global settings. Since Core 64 the main/single option.

  • Static networks - The predefined subnets from the "Static IP address pool" can be activated for the respective client over the radio button in this section. The specific host address can be selected via the flipmenu.


Furthermore, it is also possible to upload an already existing certificate.

Or to generate a new client certificate click Generate a certificate and fill in the needed fields. The User's full name or system hostname is a required field.

Some security terms:

By the usage of a PKCS12 file password, the user of this .p12 file will be prompted for the password before the connection will be established. This will prevent an unauthorized person from using the p.12 file unless they know the correct password, otherwise this file is useless! The password needs to have 5 or more characters.

It can also determine the validity of the certificate (in days), after this period the server won´t accept this client .p12.

The remaining fields are mostly self-explanatory, for Users full Name or system hostname, the name should be according to the user or the specified system so it is easier to identify the connection.

Advanced client options

Since Core 65, it is possible to provide client-specific options which are different from the global server configuration. With client-config-directory (CCD on IPFire is findable under /var/ipfire/ovpn/ccd) it is possible to save client specific configuration files for each client. For example, you can instruct a client to route his network, or to push him individual server routes. Furthermore, you can instruct the client to route all IP traffic through the tunnel (to redirect the gateway for one or more individual clients) or assign a DNS or WINS server individually.

Enable OTP

Activates the requirement of a second authentication (2FA) factor for the corresponding connection. When enabled for a connection, there is an "Show OTP QRCode" Button on the "Connection Status and -Control" list which will show the QRCode to configure an authenticator app (like OTP, FreeOTP and Authy).

Redirect Gateway

  • Directs all IP traffic from the specific client through the VPN (e.g. web browsers). So you do not have to set this directive globally.
    • If Redirect Gateway is set, the client can access all networks on the server side AND the defined subnets under the area Client has access to these networks on IPFire's site will no longer be considered.
    • However, if redirect-gateway should be set and the access to the local server zones should also be restricted, the firewall.local (findable under /etc/sysconfig/firewall.local) and some appropriate IPTable rules should be used.


  • IPFire has access to these networks on the client's site
    • Here, the local network of the clients can be made available over the internal OpenVPN routing directive "iroute". In combination with an route entry in server.conf both net´s (client/server) can be reached each other. This was not possible until core 64 cause the client side was not accessible by IPFire and his networks. Once the client IP_FORWARDING on the OpenVPN client has turned on, a client-side network access is possible. Access only to the OpenVPN client does not require IP_FORWARDING.
    • IP_FORWARDING is necessary to enable the network behind the client (Road Warrior) for the OpenVPN servers network.
    • The activation of the IP Forwarding (IP_FORWARDING) can be found at IP Forwarding on client side
  • Client has access to these networks on IPFire's site
    • With the CCD extension is it also possible to set specific routes for the client on IPFire side, so there is no more the need to push routes from the server globally.
    • Note: In this section means the tunnel can be indeed build up, but has no furthermore functional affect for the client. Thus, over the server side can control who have access when and whereto.
  • DNS1, DNS2 - The client can be advised with two additional DNS server addresses over the WebGUI.
  • WINS - Similarly, it is also possible to assign an individual WINS server per client.

These above settings can be adjusted at any time via the section Connection Status and Control and clicking on the yellow pencil.

Connection Status and Control

Icons in the Connection Status and Control section.

Download Client Package (zip)
Download insecure Client Package (zip) - Created when PKCS12 File Password is blank
Show file
Show OTP QRCode
Download PKCS12 file
Enable or disable connection
Edit connection
Remove connection

Now the .zip package for the client can be downloaded over the WebGUI. This zip package can now be transmitted to the client, where it can be unpacked. In the unzipped folder is now a .p12 file with all the certificates/keys and a .ovpn with the client configuration findable. In case you need .pem files (eg. for the the Linux Network Manager) instead of the resumed .p12, in here is a solution how to extract the .pem files from a p.12 .

For Windows versions, load the client software from OpenVPN Community Downloads - Windows installer. As of now (February 2024) the only client version that supports 2FA/OTP is the Community Version OpenVPN 2.5.7 released in May 2022.
If you want to have a OpenVPN connection to the blue interface, you will need to do some manual configuration