The very first step to activate OpenVPN on IPFire should be to generate the server certificates. After this has been done, the global settings can be made in this section.

In order to activate OpenVPN on the desired interface, tick the checkbox for the interface on which the OpenVPN service should listen. Which checkboxes are shown on the web interface depends on the number of installed network cards. OpenVPN for Internet traffic (VPN to / from the outside) is activated on red. The blue interface should be used for OpenVPN on a WLAN connection. The OpenVPN service for the DMZ can be activated on orange.
By enabling OpenVPN on the red interface, the firewall rules required for the operation of OpenVPN are opened automatically.

  • 'OpenVPN on red' must be activated and the server started correctly; otherwise the firewall rules for OpenVPN won't be set automatically, and the client generation won't work properly either.
  • The checkboxes for 'OpenVPN on blue' and 'OpenVPN on orange' only write a remote line with the appropriate IP address and the defined port of the blue and/or orange network into the 'client.ovpn' configuration file. The routes for blue and/or orange still have to be pushed (except for the green interface, which is pushed by default) via the 'advanced client options' in the box 'Client has access on these networks behind IPFire'.
  • You need to edit the client.ovpn configuration file if you want to use other addresses than the 'Local VPN Hostname/IP:' or the IPFire address on red0.

  • As "Local VPN Hostname/IP:" the FQDN or the IP of the red interface is set automatically. If you use a DSL connection, it is also possible to configure your own dynamic DNS address in IPFire. With DSL and other dial-up connections the IP address changes, and the OpenVPN server would no longer be reachable. So without a static IP, a "Dynamic Domain Name System" keeps the OpenVPN service permanently reachable.
    Answers to further questions can be found in the IPFire forum.

  • The "OpenVPN Subnet:" is the virtual or transport subnet of OpenVPN. It is important to ensure that this subnet isn't used on any of the other networks connected to IPFire.

  • Under "OpenVPN device:" only the tun interface is selectable. IPFire currently only supports the tun device in routing mode.

  • As "Protocol:" UDP or TCP can be selected. UDP is optimized for OpenVPN and provides faster data throughput. With TCP, the server waits for an unlimited time for a connection while the client tries (approx. every 5 seconds) to establish one. When separate SPI firewalls sit in front of the server or client, TCP connections can help against connection termination/interruption. TCP is also used when a proxy is placed in front of the connection.

  • The "Destination Port:" specifies the port of the remote station (default 1194). Make sure that this port is not used by other services.

  • The "MTU Size:" specifies the maximum size of packets to be sent (default 1400). It should be ensured that no fragmentation of packets is necessary, even with the additional headers which OpenVPN adds to each packet.

  • The "LZO-Compression:" compresses the data passing through the tunnel. Network traffic is thus reduced, but CPU utilization is increased. A table comparing transmission speeds with and without LZO compression, and also with different protocols and different types of encryption, can be found here.

  • "Encryption:" The chosen cipher will be used for the encryption of your data channel. With IPFire 2.15 a new OpenSSL library was implemented, so some new ciphers named CAMELLIA and SEED were added.

Now available:


All ciphers marked above as "Should not be used anymore" are so-called 64-bit block ciphers, against which practical attacks are now known. You can find a workaround in the OpenVPN wiki if these ciphers are in use but difficult to change. Nevertheless they should be changed as soon as possible.
For security reasons, it is recommended to use AES or CAMELLIA suites.
With Core 100 the client.ovpn configuration directive '--tls-remote' has been replaced by 'verify-x509-name'.
For more information see: https://forum.ipfire.org/viewtopic.php?f=50&t=11182&p=96511#p96511
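As an added example (not part of the IPFire wiki or the IPFire project), the following script checks an exported client.ovpn for the two points above: a 64-bit block cipher or a non-AES/CAMELLIA cipher, and the old 'tls-remote' directive that Core 100 replaced with 'verify-x509-name'. The list of 64-bit block cipher names and the sample configuration are my own assumptions, not taken from the page.

```python
# OpenSSL names of common 64-bit block ciphers (assumed list; the page only
# says such ciphers are marked "should not be used anymore").
WEAK_64BIT_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
                    "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}
RECOMMENDED_PREFIXES = ("AES-", "CAMELLIA-")


def parse_ovpn(config_text):
    """Map each directive to the list of values it was given.
    Lines starting with '#' or ';' are comments; a directive may repeat
    (e.g. several 'remote' lines), so values are collected in a list."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key, []).append(value.strip())
    return directives


def audit_ovpn(config_text):
    """Return a list of findings for a client.ovpn, following the page's advice."""
    d = parse_ovpn(config_text)
    findings = []
    cipher = d.get("cipher", [""])[0].upper()
    if cipher in WEAK_64BIT_BLOCK:
        findings.append(f"cipher {cipher}: 64-bit block cipher with known practical attacks; use AES or CAMELLIA")
    elif cipher and not cipher.startswith(RECOMMENDED_PREFIXES):
        findings.append(f"cipher {cipher}: not an AES or CAMELLIA suite")
    if "tls-remote" in d:
        findings.append("tls-remote: replaced by verify-x509-name since Core 100")
    # IPFire only offers the tun device in routing mode.
    if not d.get("dev", [""])[0].startswith("tun"):
        findings.append("dev: IPFire only supports tun in routing mode")
    return findings


# Constructed sample client.ovpn (not a real IPFire export).
SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
# second remote line as written by the 'OpenVPN on blue' checkbox
remote 192.168.2.1 1194
cipher BF-CBC
tls-remote "ipfire-server"
"""

if __name__ == "__main__":
    for finding in audit_ovpn(SAMPLE):
        print("-", finding)
```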

The buttons

To edit the server settings, the server must be stopped; after editing, the server can be restarted.

How to add additional networks is described in the "static ip-address-pool" section. The default values of the "Advanced server options" should already provide the basic functionality of OpenVPN, but some interesting extensions can be found in this area.
