OpenVPN with NetworkManager
FIXME (needs some more details and maybe a screenshot)
The GNOME Desktop in Ubuntu, Fedora and other recent distributions comes with NetworkManager which is a tool to easily maintain the network connections.
You need to install the openvpn plugin to get to a dialog windows which will accept several configuration settings.
Ubuntu (e.g)
sudo apt-get install network-manager-openvpn
For the certificate there is some extra work to do. As NetworkManager does only accept the certificate in the pem format we need to run these commands where IPFIRE.p12 is the certificate file from the configuration archive you downloaded from the webinterface.
openssl pkcs12 -in IPFIRE.p12 -clcerts -nokeys -nodes -out user.pem
openssl pkcs12 -in IPFIRE.p12 -nocerts -nodes -out keys.pem
openssl pkcs12 -in IPFIRE.p12 -cacerts -nodes -out ca.pem
OpenVPNs cipher and digests tests with OpenSSL version 1.0.1g
This table lists the compatibility for operating systems in relation to the OpenSSL library (at this time version 1.0.1g) and his ciphers but also his digests algorithm.
| Systems | Ciphers | Digests | Updates |
|---|---|---|---|
| Android | All/ |
SHA1/SHA256/SHA384/SHA512 | ? |
| iOS 7.04 | All/ |
SHA1/SHA256/SHA384/SHA512 | ? |
| OS X 10.6 | All | All | OpenSSL update needed, tested with Macports |
| OS X 10.6 10.9 | All/ |
SHA1/SHA256/SHA384 | Without update |
| Windows 7 | All | SHA1/SHA256/SHA384/SHA512 | Without update |
| Fedora-19 | All | All | Without updated |
| Ubuntu-12.04 | All | All | Without updated |
| IPFire Core 71 tested with Net-to-Net connection | ALL/ |
SHA1/SHA256 |
This table lists the generation time of the whole PKI with 4096 bit for the root certificate, 2048 bit for the host certificate and the CRL, but also the generation of the Diffie-Hellman key lenght with 1024 bit (default), 2048 bit, 3072 bit and 4096 bit on different systems.
| Systems | Diffi-Hellman key lenght | Generation Time | Hardware crypto support |
|---|---|---|---|
| 1024 bit | 1:12 min. | NO | |
| " | 2048 bit | 9 min. | |
| " | 3072 bit | 2h 12 min. | |
| " | 4096 bit | 3h 48 min.\ (Partly considerable differences) | |
| 1024 bit | |||
| " | 2048 bit | 01h 41 min. | |
| " | 4096 bit | 12h 52 min.\ (Partly considerable differences) | |
| 1024 bit | 0:03 min. | YES / Dynamic | |
| " | 2048 bit | 5:10 min. | |
| " | 3072 bit | 08:15 min. | |
| " | 4096 bit | 16:00 min.\ (Partly considerable differences) |
This sheet lists crypto engine support for OpenSSL respectively OpenVPN. You can test your client systems with
openssl engine
OpenVPN tests for crypto engines can be done with this command
openvpn --show-engines
| IPFire system | Clients | OpenSSL crypto engine | Works in OpenVPN environment |
|---|---|---|---|
| OS X 10.6.8/Fedora 19/Ubuntu 12.0.4 | cryptodev | YES | |
| " | " | dynamic | YES |
| " | " | rsax | NO |
| OS X 10.6.8/Fedora 19/Ubuntu 12.0.4 | cryptodev | YES | |
| " | " | dynamic | YES |
| " | " | rsax | NO |
