Setup OpenVPN on IPFire for Road Warriors


This tutorial is a follow-up to the Install IPFire Linux Firewall tutorial. The goal is to configure OpenVPN from inside IPFire to support a client-to-network or host-to-net configuration. This can also be referred to as a "road warrior" configuration. It is most often used when you would like to establish a secure connection into the private network from various remote locations. This is in contrast with a network-to-network (site-to-site) configuration where you are linking two private networks that are each protected by IPFire or OpenVPN servers.


Complete part one of the tutorial OR have an available IPFire virtual machine configured in your data center.

Access to the IPFire web interface. (Typically listens on port 444)

Optional: SSH access to the IPFire server. (Typically listens on port 222)

Configure OpenVPN on the IPFire Server

Open Services -> OpenVPN from the top navigation menu once you have logged in as admin.

OpenVPN Services Menu

Click Generate root/host certificates.

OpenVPN Services Main Screen

Fill out the required fields Organization Name and IPFire's Hostname. The hostname should be populated automatically. 2048 is a reasonable value to select from the Diffie-Hellman parameters length drop-down menu.

OpenVPN Generate Certificates

The WARNING in the screenshot above is valid. Generating the root and host certificate can take a long time. If you want to confirm that it is working, open an SSH session to the IPFire server and use the top command to see the openssl process running with significant %CPU activity while the certificates are being generated. The certificate generation process took 10 to 15 minutes to complete for this tutorial.

OpenVPN Generate Certificates top

You will be returned to the Services -> OpenVPN screen once the certificates have been generated. The Certificate Authorities and Keys section will contain new values for Subject and Action.

Click Advanced Server Options.

OpenVPN Generate Certificates done

Under Advanced server options you can select SHA2 (256 bit) for the Hash algorithm and also check the box for HMAC tls-auth. Use the Save advanced options button when you are done.

OpenVPN Advanced Options

Now check the boxes for OpenVPN on RED and LZO-Compression and then press the Save and Start OpenVPN Server buttons. We want to have OpenVPN listening on the "RED" interface so we can establish an OpenVPN connection across the public internet. The "LZO-Compression" option reduces bandwidth usage by compressing traffic that passes over the VPN.

OpenVPN Start

The OpenVPN server will start and this will be reflected by the value of Current OpenVPN server status changing from STOPPED to RUNNING.

OpenVPN Started


Now that OpenVPN has started, you can verify it is listening on port 1194 from the shell using netstat.

[root@ipfire ~]# netstat -na |grep 1194
udp        0      0  *

or using ss with the -u for UDP and -l for LISTEN options, like this:

[root@ipfire ~]# ss -u -l |grep openvpn
State      Recv-Q Send-Q                 Local Address:Port          Peer Address:Port
UNCONN     0      0                       *:openvpn                  *:*

Add a User

In the Connection Status and -Control section, press the Add button to begin the process of adding a new user.

Connection Status Control Add

The Host-to-Net Virtual Private Network (Roadwarrior) connection type should be selected by default. Confirm the selection and press Add to continue.

Connection Status Control Add Host-to-Net

We will now complete the fields on this screen. Under Connection: we need to fill out Name:. You may wish to add a Remark: as a comment or note to yourself regarding who this user is. Please make sure Enabled: is checked.

Under Authentication: we want to Generate a certificate: so we will need to enter the User's full name or system hostname: and enter a password in the PKCS12 File Password fields. The Valid till (days) field controls the expiration date of the certificate. If your organization doesn't have to comply with any specific regulations regarding certificate replacement, then entering a value of 999 gives this user a little under three years until expiration.

Connection Status Control Add Host to Net User Details

For this tutorial, we will ignore the Advanced client options section. Additional details on the various configuration options available here can be found in the OpenVPN client config section of the IPFire Wiki.

When you have the necessary fields filled out, press the Save button.

NOTE: Keep track of the PKCS12 File Password assigned here as the client will need it to connect.

The Connection Status and -Control section of Services->OpenVPN should now show the newly-added user.

Connection Status Control New User

Download and Install the OpenVPN Client Software

The OpenVPN client can be downloaded from OpenVPN.net.

You will want to choose the appropriate installer for the OS you are installing on. For Windows 10 64-bit, you would select the "Installer (64-bit) Windows Vista and Later". At the time of writing, the file you would end up downloading is called openvpn-install-2.3.8-1601-x86_64.exe. Be aware that this filename will change as new versions of the OpenVPN client software are released.

Once you have the installer file downloaded, go ahead and start the installation. The installation process on Windows 10 is quite typical with one exception. During the install you will be prompted to approve the installation of the 'device software' "TAP-Windows Provider V9 Network adapters".

TAP Network Adapter Prompt

Click the Install button to approve the installation and continue.

After a few minutes, you should see a screen indicating that the installation has completed successfully.

OpenVPN client install completed successfully

At this point, I would suggest that you do NOT launch the software, but instead take a look through the README file. For version 2.3.8, the following important information is contained in the INSTALL-win32.txt file:

Finally, install the new version of OpenVPN and copy over
your configuration files and certificates, which now go to

    C:\Program Files\OpenVPN\config

provided you did not install the 32-bit version on 64-bit


Note that on Windows Vista, you will need to run the OpenVPN
GUI with administrator privileges, so that it can add routes
to the routing table that are pulled from the OpenVPN server.
You can do this by right-clicking on the OpenVPN GUI
desktop icon, and selecting "Run as administrator".

We will follow that advice and copy the configuration files to our local system and put them in the appropriate directory.

Client Configuration

The config files are available in a zip archive which can be downloaded from the IPFire web interface.

OpenVPN download client package

Use the Download Client Package (zip) action icon to save a copy of the config files to your local system.

OpenVPN download client package save

Once the file is downloaded, extract the contents to a temporary location and we will proceed to copy the files to the correct location. For this tutorial there are three files in the zip archive:


Here is a screenshot of the default config directory C:\Program Files\OpenVPN\config on Windows 10 (64-bit):

OpenVPN default config directory

We need to provide administrator permissions in order to copy the files into the config directory successfully.

OpenVPN config directory needs administrator permissions

Once the files have been copied in, you should have something similar to the following:

OpenVPN config directory

Finally we can connect to OpenVPN by launching the OpenVPN GUI with "Administrative Permissions". To do this, right-click the "OpenVPN GUI" shortcut or menu item, go to "More" and then "Run as administrator". Press the Yes button when the "User Account Control" warning pops up.

OpenVPN GUI launch as administrator

The OpenVPN GUI icon should appear in your task bar. Right-click it and you should see the options available, including one to Connect.

OpenVPN GUI connect

If the configuration files are NOT present, the menu is much shorter. So, if you happen to see something like this:

OpenVPN GUI connect no config

then double-check that you have copied the configuration files into the correct location.
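
The same double-check can be scripted. The sketch below is an added example, not part of the original tutorial or of OpenVPN; it goes one step past the menu check by reading a client .ovpn file and reporting any file it references (pkcs12, tls-auth and similar directives) that was not copied into the config directory along with it. The sample config, host name and file names are constructed placeholders.

```python
import shlex
import tempfile
from pathlib import Path

# Standard OpenVPN directives whose first argument is a file path.
FILE_DIRECTIVES = {"pkcs12", "tls-auth", "tls-crypt", "ca", "cert", "key"}

# Constructed client config; names are placeholders, not the tutorial's files.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
pkcs12 jdoe.p12
auth SHA256
tls-auth ta.key
comp-lzo
"""


def referenced_files(ovpn_text):
    """Map each file-bearing directive to the path it names."""
    refs = {}
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        # "[inline]" means the material is embedded in the .ovpn itself.
        if len(tokens) >= 2 and tokens[0] in FILE_DIRECTIVES and tokens[1] != "[inline]":
            refs[tokens[0]] = tokens[1]
    return refs


def missing_files(config_dir, ovpn_name):
    """Return referenced files that are absent, resolved against config_dir."""
    config_dir = Path(config_dir)
    refs = referenced_files((config_dir / ovpn_name).read_text())
    return sorted(name for name in refs.values() if not (config_dir / name).is_file())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        Path(d, "jdoe.ovpn").write_text(SAMPLE_OVPN)
        Path(d, "ta.key").write_text("constructed placeholder\n")
        print("missing:", missing_files(d, "jdoe.ovpn"))
```

On a real client, point missing_files at the OpenVPN config directory and the name of the .ovpn file extracted from the client package.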

When we Connect, we will be prompted for the PKCS12 File Password that we set earlier when adding the Host-to-Net user. Enter it now, and some information will scroll by as the connection is established.

OpenVPN GUI connecting

If successful, we will briefly see a notification in the lower right corner of the screen:

OpenVPN GUI connected

The OpenVPN GUI taskbar icon has changed to a green color indicating a successful active connection. If you want to see the status of your connection, you can right-click the taskbar icon and select Show Status from the menu.

OpenVPN GUI connected show status

Everything looks good, so we can proceed to test the connection. How you do this will somewhat depend on what other resources you have configured on your data center network. At the very least though, we should now be able to ping the GREEN network interface of the IPFire server from our local machine that is now connected via OpenVPN.


Pinging with 32 bytes of data: 
Reply from bytes=32 time=43ms TTL=64
Reply from bytes=32 time=44ms TTL=64
Reply from bytes=32 time=43ms TTL=64
Reply from bytes=32 time=44ms TTL=64

Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 43ms, Maximum = 44ms, Average = 43ms

We should also be able to access the IPFire web interface over the GREEN network ( via the VPN instead of having to access it over the RED network.


If you are having difficulty connecting to resources on the private network over the OpenVPN connection, there are a few things you can check.

The OpenVPN client needs elevated permissions in order to modify the Windows system routing table. If your traffic is not being routed properly, make sure that you launched the OpenVPN client/GUI with Administrator permissions. Generally this is done by right-clicking the icon for the program and choosing "Run as administrator".

Make sure the appropriate route has been added so that you can access the private network from your OpenVPN client. If you are running the OpenVPN client on Windows, you can use netstat -nr to take a look at the system routing table.

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
     10     20         On-link    276         On-link    276     21

The last entry in the table above shows that traffic destined for the network will be routed through to the IPFire server running OpenVPN. This will allow us to access any servers using an IP address in the ip range, including the management interface of IPFire itself. For the tutorial, we have IPFire listening on

The route(s) the server automatically pushes to the client when connecting are controlled by an individual CCD (Client Configuration Directive) file on the server. These files are stored in /var/ipfire/ovpn/ccd/ with a filename that matches the user we added. For purposes of this tutorial, the full path to the file is /var/ipfire/ovpn/ccd/jdoe. If we take a look at that file, we can see that a route for our private network is properly configured to be pushed to the connecting OpenVPN client.

[root@ipfire ccd]# more jdoe
# OpenVPN clientconfig from ccd extension by Copymaster#

#This client uses the dynamic pool

#Client gets routes to these networks (behind IPFire)
push "route"

You may find that a different route is set here if you have changed the IP network the GREEN/Private interface is using since initially configuring OpenVPN or adding the user.
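
To compare a CCD file against the address you are trying to reach, the following added example (not part of the original tutorial or of IPFire) parses the push "route ..." lines and reports which pushed route, if any, covers a destination. The sample CCD content and the 192.168.50.0/24 network are constructed for illustration and are not the tutorial's values.

```python
import ipaddress
import shlex

# Constructed sample in the layout of /var/ipfire/ovpn/ccd/<user>;
# the network below is a placeholder, not the tutorial's.
SAMPLE_CCD = '''\
# OpenVPN clientconfig from ccd extension by Copymaster#

#This client uses the dynamic pool

#Client gets routes to these networks (behind IPFire)
push "route 192.168.50.0 255.255.255.0"
'''


def pushed_routes(ccd_text):
    """Return the networks named in push "route <net> <mask>" lines."""
    routes = []
    for raw in ccd_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        if len(tokens) != 2 or tokens[0] != "push":
            continue
        args = tokens[1].split()
        if len(args) < 2 or args[0] != "route":
            continue
        mask = args[2] if len(args) > 2 else "255.255.255.255"
        # strict=True raises ValueError when host bits are set in the
        # network address, a typo that leaves the client without a usable route.
        routes.append(ipaddress.ip_network(f"{args[1]}/{mask}", strict=True))
    return routes


def covering_route(ccd_text, destination):
    """Return the most specific pushed route containing destination, or None."""
    dest = ipaddress.ip_address(destination)
    matches = [n for n in pushed_routes(ccd_text) if dest in n]
    return max(matches, key=lambda n: n.prefixlen, default=None)


if __name__ == "__main__":
    for target in ("192.168.50.1", "192.168.60.1"):
        print(target, "->", covering_route(SAMPLE_CCD, target) or "no pushed route")
```

If the destination is not covered, the client never receives a route for it, and the fix belongs in the user's settings on the server rather than on the Windows client.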


You are welcome to post questions or comments related to this tutorial and we will endeavor to provide assistance.

  • Hi Eric

    Great Tutorial.

    Could you make another one for Net-to-Net connection under IPFIRE?

    Please let me know if there would be any cost to it.

    Guillermo Villanueva newtonmac@gmail.com

  • Hello Guillermo,

    I'm glad to know that you enjoyed the tutorial. There is a new one available on establishing a Net2Net connection between two IPFire servers using IPsec. You are welcome to view it at:


    I'll see what can be done to get a tutorial put together that utilizes OpenVPN for the connection.

