www.ipfire.org - Advanced server options

DHCP and routing push options

In here the extended DHCP parameters can be set, these parameters are primarily used by Windows clients. Over the "Route Push Option" is it possible to offer other networks on server side which is OS independent.

Domain [name] - The DNS suffix can be set with[name] .
DNS [addr] - Defines a DNS-server with [addr] . Only 1 can be set here. See note at end of page
WINS [addr] - Sets with [addr] the primary WINS-server
Route Push Options [IP/Subnetmask] - Beneath the default route to the green subnet, this option makes it possible to push additional routes to other subnets.

Miscellaneous options

Client-to-Client - This option makes it possible that the OpenVPN clients can communicate with each other. By the usage of different subnets, the above mentioned "Route Push Options" should be used to make the different subnets accessible for each other.
Redirect-Gateway def1 - Directs all IP traffic through the VPN client (e.g. web browser).
LZO-Compression¹ compresses the data passing through the tunnel. Thus network traffic is reduced, but CPU utilization is increased.
- Note: comp-lzo should be disabled since it could make the tunnel attackable under specific circumstances via the so called Voracle attack.
Additional configuration - Delivers the possibility to extend the server but also the client configuration with individual directives. If you activate it by setting the hook, two more configuration files named server.conf.local and client.conf.local, which are located under the path /var/ipfire/ovpn/scripts will be read out and written under the original server.conf and/or the respective client.ovpn.
- This feature was delivered with Core 89.
- This feature was a community development and you can find examples of usage at footnote ²
- All configuration needs to be done over the console/terminal.
- Already existing clients needs to be checked and possibly reconfigured if related directives are set.
- The OpenVPN server needs to be stopped, the configuration be saved (press the save button) and then be started again after the local configuration files were modified to write all made changes to the main configs.
fragment [max] - Fragments the unencrypted UDP packets to be sent through the tunnel to the [max] maximum byte size of the package. The UDP header is not included. This option works only with UDP tunnels. To deactivate "fragment" the value of the field have to be empty.
mssfix [max] - Used for TCP packets that are sent via a UDP tunnel. The TCP connection is handed over [max], the maximum packet size in bytes. Unless no other value is edited in the configuration file, mssfix uses the same value than fragment.

Note

1) To adapt "mssfix" and "fragment" for your own specific infrastructure, it is helpful to perform an MTU - Test.
2) "mssfix" and "fragment" should only be used with the UDP protocol, TCP should be regulated by the MTU size only.

Max-Clients - Limits the number of clients with parallel connections (default 100)
Keepalive - Used to control the tunnel and keep it with ping and ping-restart alive.

logfile options

Verb - Defines the debug level. Range of values:
- The value scale goes from 0 to 11. Hereby different processes of the OpenVPN connection are minuted and can be used for debugging or optimization.
- Range of values: The value scale goes from 0 to 11. There will be different sequences of the OpenVPN connection Logged and can be used for debugging or optimization. The default value is set at level 3 which delivers a good overview over the connection (interface, routing, encryption, etc.).

Note

With a verbose Mode of 6 a normal usage of the server is not properly possible. Modes 6 and more are intended for debugging purposes.
set multiple DNS servers - use additional configuration under vpn server advance options and then editing the following file /var/ipfire/ovpn/scripts/server.conf.local with the following lines

# Client gets these nameservers
push “dhcp-option DNS xx.xx.xx.xx”
push “dhcp-option DNS xx.xx.xx.xx”