Client configuration

Client status and control

The main client control point is the section "Client status and control".

Download client .zip package
Download .p12 certificates
View certificate information
Enable (or disable) connection
Reconfigure connection
Add client

Add a new client

After configuring the server certificates, global the advanced settings and possibly the static ip-pool, the last step on in setting up OpenVPN with IPFire is to create a new connection for the client.

By clicking the Add button, the next dialog leads to the selection of the connection type. The "Host-to-Net Virtual Private Network (Roadwarrior)" should be chosen for the Roadwarrior, then press the "Add" button.

The other two options are related to a network-to-network connection and will not be introduced at this point but can be viewed here.

Now you will be prompted to choose a name for the connection (eg AtHome) and to create a certificate for the user who uses the connection (eg, the outdoor stuff, you, or a friend:-)) .

Choose a network

In this area, you can select the type of network. There are, as well as before Core 65, dynamic address ranges (ovpn-leases.db) where the server assigns the client to a dynamic pool of IP addresses. Furthermore, since Core 65 there can be selected also "Static IP address pools" so the range of potential OpenVPN subnets and clients becomes much bigger. But this will also ensure that the clients get also always the same IP address. This also can be really important , e.g. to create appropriate firewall rules.

  • Dynamic OpenVPN IP address pool ( - Assigns automatically IP's from the same subnet which is specified in the global settings. Since Core 64 the main/single option.

  • Static networks - The predefined subnets from the "Static IP address pool" can be activated for the respective client over the radio button in this section. The specific host address can be selected via the flipmenu.


Furthermore, it is also possible to upload an already existing certificate.

To generate a new client certificate, mostly fields should be self explanatory. But some fields should be looked at carefully.

Some security terms:
By the usage of a "PKCS12 file password", the user of this .p12 file will be prompted for the password before the connection will be established. This will prevent an unauthorized person from using the p.12 file unless they know the correct password, otherwise this file is useless! The password needs to have 5 or more characters.

It can also determine the validity of the certificate (in days), after this period the server won´t accept this client .p12 .

The remaining fields are mostly self-explanatory, for "Users full Name or system hostname", the name should be according to the user or the specified system so it is easier to identify the connection.

Advanced client options

Since Core 65, it is possible to provide client-specific options which are different from the global server configuration. With client-config-directory (CCD on IPFire is findable under/var/ipfire/ovpn/ccd) it is possible to save client specific configuration files for each client. For example, you can instruct a client to route his network, or to push him individual server routes. Furthermore, you can instruct the client to route all IP traffic through the tunnel (to redirect the gateway for one or more individual clients) or assign a DNS or WINS server individually.

  • Redirect Gateway: - Directs all IP traffic from that specific client through the VPN (e.g. webbrowsers). So you do not have to set this directive globally.
If this directive is set, the client can access all networks on the server side and the defined subnets under the area "Client has access to these networks on IPFire's site" will no longer be considered. However, if redirect-gateway should be set and the access to the local server zones should also be restricted, the firewall.local (findable under /etc/sysconfig/firewall.local) and some appropriate IPTable rules should be used.
  • IPFire has access to these networks on the client's site - Here, the local network of the clients can be made available over the internal OpenVPN routing directive "iroute". In combination with an route entry in server.conf both net´s (client/server) can be reached each other. This was not possible until core 64 cause the client side was not accessible by IPFire and his networks. Once the client IP_FORWARDING on the OpenVPN client has turned on, a client-side network access is possible. Access only to the OpenVPN client does not require IP_FORWARDING.
Ip_forwarding is necessary to enable the network behind the client (Road Warrior) for the OpenVPN servers network.

The activation of the IP forwarding works as follows:

ip_forwarding on client side


This was tested with Windows 7:

To enable the IP forwarding (that means to enable the routing), you have to go into the Windows Registry, click on Start → Run and type regedit. Now navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and then change the entry IPEnableRouter from 0 to 1. After modification restart the machine. Now the client can offers his subnet to OpenVPN.


A check out if ip_forwarding is already activated, can be done with the following command:

cat /proc/sys/net/ipv4/ip_forward

if the answer is a 0 it is deactivated, by an answer of 1 it is activated .

For a temporarily activation of ip_forwarding the following command can be used:

sysctl -w net.ipv4.ip_forward=1

A permanent ip_forwarding should be made with this command:

echo 1 > /proc/sys/net/ipv4/ip_forward
  • Client has access to these networks on IPFire's site - With the CCD extension is it also possible to set specific routes for the client on IPFire side, so there is no more the need to push routes from the server globally.
In this section means the tunnel can be indeed build up, but has no furthermore functional affect for the client. Thus, over the server side can control who have access when and whereto.
  • DNS1, DNS2 - The client can be advised with two additional DNS server adresses over the webinterface.
  • WINS - Similarly, it is also possible to assign an individual WINS server per client.
These settings can also be later adjusted and at any time via the section "client status and control" and the yellow pencil.

Client Status and control:

Now package for the client can be downloaded via this button -->

over the webinterface. This. zip package can now be transmitted to the client, where it can be unpacked. In the unzipped folder is now a ".p12" file with all the certificates/keys and a ".ovpn" with the client configuration findable. In case you need ".pem" files (eg. for the the Linux Network Manager) instead of the resumed ".p12", in here is a solution how to extract the ".pem" files from a "p.12" .

Caution - For Windows versions, load the client software which are called "OpenVPN Community Software Windows Client Download" !
If you want to have a OpenVPN connection to the blue interface, you will need to do some manual configuration
Edit Page ‐ Yes, you can edit!

Older Revisions • August 11 at 2:57 pm • Stu