Table of Contents
- Configure OpenVPN on the IPFire Server
- Add a User
- Download and Install the OpenVPN Client Software
- Client Configuration
This tutorial is a follow-up to the Install IPFire Linux Firewall tutorial. The goal is to configure OpenVPN from inside IPFire to support a client-to-network or host-to-net configuration. This can also be referred to as a "road warrior" configuration. It is most often used when you would like to establish a secure connection into the private network from various remote locations. This is in contrast with a network-to-network (site-to-site) configuration where you are linking two private networks that are each protected by IPFire or OpenVPN servers.
- Complete part one of the tutorial OR have an available IPFire virtual machine configured in your data center.
- Access to the IPFire web interface. (Typically listens on port 444)
- Optional: SSH access to the IPFire server. (Typically listens on port 222)
Configure OpenVPN on the IPFire Server
Open Services -> OpenVPN from the top navigation menu once you have logged in as
Click Generate root/host certificates.
Fill out the required fields Organization Name and IPFire's Hostname. The hostname should be populated automatically. 2048 is a reasonable value to select from the Diffie-Hellman parameters length drop-down menu.
The WARNING in the screenshot above is valid. Generating the root and host certificate can take a long time. If you want to confirm that it is working, open an SSH session to the IPFire server and use the top command to see the openssl process running with significant %CPU activity while the certificates are being generated. The certificate generation process took 10 - 15 minutes to complete for this tutorial.
You will be returned to the Services -> OpenVPN screen once the certificates have been generated. The Certificate Authorities and Keys section will contain new values for Subject and Action.
Click Advanced Server Options.
Under Advanced server options you can select SHA2 (256 bit) for the Hash algorithm and also check the box for HMAC tls-auth. Use the Save advanced options button when you are done.
Now check the boxes for OpenVPN on RED and LZO-Compression and then press the Save and Start OpenVPN Server buttons. We want to have OpenVPN listening on the "RED" interface so we can establish an OpenVPN connection across the public internet. The "LZO-Compression" option reduces bandwidth usage by compressing traffic that passes over the VPN.
The OpenVPN server will start and this will be reflected by the value of Current OpenVPN server status changing from STOPPED to RUNNING.
Now that OpenVPN has started, you can verify it is listening on port 1194 from the shell using netstat:
[root@ipfire ~]# netstat -na |grep 1194
udp 0 0 0.0.0.0:1194 0.0.0.0:*
Alternatively, use ss with the -u for UDP and -l for LISTEN options, like this:
[root@ipfire ~]# ss -u -l |grep openvpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:openvpn *:*
Add a User
In the Connection Status and -Control section, press the Add button to begin the process of adding a new user.
The Host-to-Net Virtual Private Network (Roadwarrior) connection type should be selected by default. Confirm the selection and press Add to continue.
We will now complete the fields on this screen. Under Connection: we need to fill out Name:. You may wish to add a Remark: as a comment or note to yourself regarding who this user is. Please make sure Enabled: is checked.
Under Authentication: we want to Generate a certificate: so we will need to enter the User's full name or system hostname: and enter a password in the PKCS12 File Password fields. The Valid till (days) field controls the expiration date of the certificate. If your organization doesn't have to comply with any specific regulations regarding certificate replacement, then entering a value of 999 gives this user a little under three years until expiration.
For this tutorial, we will ignore the Advanced client options section. Additional details on the various configuration options available here can be found in the OpenVPN client config section of the IPFire Wiki.
When you have the necessary fields filled out, press the Save button.
NOTE: Keep track of the PKCS12 File Password assigned here as the client will need it to connect.
The Connection Status and -Control section of Services->OpenVPN should now show the newly-added user.
Download and Install the OpenVPN Client Software
The OpenVPN client can be downloaded from OpenVPN.net.
You will want to choose the appropriate installer for the OS you are installing on. For Windows 10 64-bit, you would select the "Installer (64-bit) Windows Vista and Later". At the time of writing, the file you would end up downloading is called openvpn-install-2.3.8-1601-x86_64.exe. Be aware that this filename will change as new versions of the OpenVPN client software are released.
Once you have the installer file downloaded, go ahead and start the installation. The installation process on Windows 10 is quite typical with one exception. During the install you will be prompted to approve the installation of the 'device software' "TAP-Windows Provider V9 Network adapters".
Click the Install button to approve the installation and continue.
After a few minutes, you should see a screen indicating that the installation has completed successfully.
At this point, I would suggest that you do NOT launch the software, but instead take a look through the README file. For version 2.3.8, the following important information is contained in the
Finally, install the new version of OpenVPN and copy over your configuration files and certificates, which now go to C:\Program Files\OpenVPN\config provided you did not install the 32-bit version on 64-bit Windows.
IMPORTANT NOTE FOR WINDOWS VISTA/7 USERS
Note that on Windows Vista, you will need to run the OpenVPN GUI with administrator privileges, so that it can add routes to the routing table that are pulled from the OpenVPN server. You can do this by right-clicking on the OpenVPN GUI desktop icon, and selecting "Run as administrator".
We will follow that advice and copy the configuration files to our local system and put them in the appropriate directory.
The config files are available in a zip archive which can be downloaded from the IPFire web interface.
Use the Download Client Package (zip) action icon to save a copy of the config files to your local system.
Once the file is downloaded, extract the contents to a temporary location and we will proceed to copy the files to the correct location. For this tutorial there are three files in the zip archive:
- JDoe.p12
- JDoe-TO-IpFire.ovpn
- ta.key
Here is a screenshot of the default config directory C:\Program Files\OpenVPN\config on Windows 10 (64-bit):
We need to provide administrator permissions in order to copy the files into the config directory successfully.
Once the files have been copied in, you should have something similar to the following:
Finally we can connect to OpenVPN by launching the OpenVPN GUI with "Administrative Permissions". To do this, right-click the "OpenVPN GUI" shortcut or menu item, go to "More" and then "Run as administrator". Press the Yes button when the "User Account Control" warning pops up.
The OpenVPN GUI icon should appear in your task bar. Right-click it and you should see the options available, including one to Connect.
If the configuration files are NOT present, the menu is much shorter. So, if you happen to see something like this:
then double-check that you have copied the configuration files into the correct location.
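One way to make that double-check before connecting, as an added Python example that is not part of the original tutorial: it parses the client profile and confirms that the PKCS12 and tls-auth files it references are in the config directory, and that the hash algorithm and port match the server settings chosen earlier. The profile text and the hostname vpn.example.org are constructed, and mapping the GUI's SHA2 (256 bit) choice to the directive auth SHA256 is an assumption.

```python
import shlex

# Constructed sample profile; a real JDoe-TO-IpFire.ovpn may carry other
# directives. vpn.example.org is a placeholder hostname.
SAMPLE_OVPN = """\
# constructed example profile
client
dev tun
proto udp
remote vpn.example.org 1194
pkcs12 JDoe.p12
tls-auth ta.key
auth SHA256
comp-lzo
"""

def parse_profile(text):
    """Map each directive to its argument list, skipping '#' and ';' comments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives[parts[0]] = parts[1:]
    return directives

def audit_profile(text, files_present):
    """Return findings; an empty list means the profile matches the tutorial's setup."""
    d = parse_profile(text)
    findings = []
    # Both key files must be referenced by the profile and present beside it.
    for key in ("pkcs12", "tls-auth"):
        if not d.get(key):
            findings.append(f"{key}: directive missing")
        elif d[key][0] not in files_present:
            findings.append(f"{key}: file {d[key][0]} not in config directory")
    # Assumption: the server's "SHA2 (256 bit)" option corresponds to auth SHA256.
    if [a.upper() for a in d.get("auth", [])][:1] != ["SHA256"]:
        findings.append("auth: expected SHA256 to match the server hash algorithm")
    remote = d.get("remote", [])
    if len(remote) < 2 or remote[1] != "1194":
        findings.append("remote: expected port 1194")
    return findings

if __name__ == "__main__":
    copied = {"JDoe.p12", "JDoe-TO-IpFire.ovpn"}  # ta.key left behind
    for finding in audit_profile(SAMPLE_OVPN, copied):
        print(finding)
```

On a real client, build the file set with os.listdir on the config directory and read the .ovpn file from disk instead of using the sample string.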
When we Connect, we will be prompted for the PKCS12 File Password that we set earlier when adding the Host-to-Net user. Enter it now, and some information will scroll by as the connection is established.
If successful, we will briefly see a notification in the lower right corner of the screen:
The OpenVPN GUI taskbar icon has changed to a green color indicating a successful active connection. If you want to see the status of your connection, you can right-click the taskbar icon and select Show Status from the menu.
Everything looks good, so we can proceed to test the connection. How you do this will somewhat depend on what other resources you have configured on your data center network. At the very least though, we should now be able to ping the GREEN network interface of the IPFire server from our local machine that is now connected via OpenVPN.
C:\>ping 172.16.1.1
Pinging 172.16.1.1 with 32 bytes of data:
Reply from 172.16.1.1: bytes=32 time=43ms TTL=64
Reply from 172.16.1.1: bytes=32 time=44ms TTL=64
Reply from 172.16.1.1: bytes=32 time=43ms TTL=64
Reply from 172.16.1.1: bytes=32 time=44ms TTL=64
Ping statistics for 172.16.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 43ms, Maximum = 44ms, Average = 43ms
We should also be able to access the IPFire web interface over the GREEN network (https://172.16.1.1:444) via the VPN instead of having to access it over the RED network.
If you are having difficulty connecting to resources on the private network over the OpenVPN connection there are a few things you can check.
The OpenVPN client needs elevated permissions in order to modify the Windows system routing table. If your traffic is not being routed properly, make sure that you launched the OpenVPN client/GUI with Administrator permissions. Generally this is done by right-clicking the icon for the program and choosing "Run as administrator".
Make sure the appropriate route has been added so that you can access the private network from your OpenVPN client. If you are running the OpenVPN client on Windows, you can use netstat -nr to take a look at the system routing table.
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.246      10
      10.71.202.1  255.255.255.255      10.71.202.5      10.71.202.6      20
      10.71.202.4  255.255.255.252          On-link      10.71.202.6     276
      10.71.202.6  255.255.255.255          On-link      10.71.202.6     276
       172.16.1.0    255.255.255.0      10.71.202.5      10.71.202.6      21
The last entry in the table above shows that traffic destined for the 172.16.1.0/24 network will be routed through 10.71.202.5 to the IPFire server running OpenVPN. This will allow us to access any servers using an IP address in the 172.16.1.0/24 IP range, including the management interface of IPFire itself. For the tutorial, we have IPFire listening on
The route(s) the server automatically pushes to the client when connecting are controlled by an individual CCD (Client Configuration Directive) file on the server. These files are stored in /var/ipfire/ovpn/ccd/ with a filename that matches the user we added. For purposes of this tutorial, the full path to the file is /var/ipfire/ovpn/ccd/jdoe. If we take a look at that file, we can see that a route for our private 172.16.1.0/24 network is properly configured to be pushed to the connecting OpenVPN client.
[root@ipfire ccd]# more jdoe
# OpenVPN clientconfig from ccd extension by Copymaster#
#This client uses the dynamic pool
#Client gets routes to these networks (behind IPFire)
push "route 172.16.1.0 255.255.255.0"
You may find that a different route is set here if you have changed the IP network the GREEN/Private interface is using since initially configuring OpenVPN or adding the user.
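The two troubleshooting checks above can be combined. This added Python example (not part of the original tutorial) extracts the push "route ..." directives from the CCD file and looks each network up in the client's netstat -nr rows, reporting the gateway in use or None when the route never reached the routing table. The inputs are the tutorial's own CCD file and routing table pasted in as strings, and the function names are illustrative.

```python
import ipaddress
import re

# Contents of /var/ipfire/ovpn/ccd/jdoe as shown in the tutorial.
CCD_TEXT = """\
# OpenVPN clientconfig from ccd extension by Copymaster#
#This client uses the dynamic pool
#Client gets routes to these networks (behind IPFire)
push "route 172.16.1.0 255.255.255.0"
"""

# "Active Routes" rows from the tutorial's netstat -nr output on the client.
ROUTES_TEXT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.246 10
10.71.202.1 255.255.255.255 10.71.202.5 10.71.202.6 20
10.71.202.4 255.255.255.252 On-link 10.71.202.6 276
10.71.202.6 255.255.255.255 On-link 10.71.202.6 276
172.16.1.0 255.255.255.0 10.71.202.5 10.71.202.6 21
"""

PUSH_ROUTE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+([^\s"]+)')

def pushed_routes(ccd_text):
    """Networks the CCD file pushes; '#' and ';' comment lines never match."""
    nets = []
    for line in ccd_text.splitlines():
        m = PUSH_ROUTE.match(line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets

def client_routes(netstat_text):
    """Map network -> gateway from 'destination netmask gateway interface metric' rows."""
    table = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or blank line
        try:
            table[ipaddress.ip_network(f"{parts[0]}/{parts[1]}")] = parts[2]
        except ValueError:
            continue  # not an address/netmask pair
    return table

def route_report(ccd_text, netstat_text):
    """For each pushed network, the client's gateway for it, or None if absent."""
    table = client_routes(netstat_text)
    return {str(net): table.get(net) for net in pushed_routes(ccd_text)}

if __name__ == "__main__":
    for net, gw in route_report(CCD_TEXT, ROUTES_TEXT).items():
        print(net, "via", gw or "MISSING (was the GUI run as administrator?)")
```

A None result for a pushed network points to the client side, most often the OpenVPN GUI having been started without administrator permissions; an empty report means the CCD file pushes no routes at all.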
You are welcome to post questions or comments related to this tutorial and we will endeavor to provide assistance.