After configuring the server certificates, the global and advanced settings and possibly the static IP pool, the last step in setting up OpenVPN with IPFire is to create a new connection for the client.
By clicking the Add button, the next dialog leads to the selection of the connection type.
For a Roadwarrior click Host-to-Net Virtual Private Network (Roadwarrior) and then press the Add button.
The other two options are related to a network-to-network connection and will not be introduced at this point but can be viewed here.
Now you will be prompted to choose a name for the connection (e.g., LT4702) and an optional remark.
In this area, you can select the type of network. As before Core 65, there are dynamic address ranges (ovpn-leases.db), where the server assigns the client an address from a dynamic pool of IP addresses. Since Core 65, "Static IP address pools" can also be selected, which makes the range of possible OpenVPN subnets and clients much larger. A static pool also ensures that a client always gets the same IP address, which can be important, e.g. for writing appropriate firewall rules.
Furthermore, it is also possible to upload an already existing certificate.
Or to generate a new client certificate click Generate a certificate and fill in the needed fields. The User's full name or system hostname is a required field.
If a PKCS12 file password is set, the user of this .p12 file will be prompted for the password before the connection is established. This prevents an unauthorized person from using the .p12 file unless they know the correct password; without it the file is useless. The password needs to have 5 or more characters.
You can also set the validity of the certificate (in days); after this period the server won't accept this client.
The remaining fields are mostly self-explanatory. For User's full name or system hostname, the name should correspond to the user or the specified system so it is easier to identify the connection.
Since Core 65, it is possible to provide client-specific options which differ from the global server configuration. With the client-config-directory (CCD, on IPFire located under /var/ipfire/ovpn/ccd) a separate configuration file can be saved for each client. For example, you can instruct a client to route its network, or push individual server routes to it. Furthermore, you can instruct the client to route all IP traffic through the tunnel (redirecting the gateway for one or more individual clients) or assign a DNS or WINS server individually.
This option activates the requirement of a second authentication factor (2FA) for the corresponding connection. When enabled for a connection, a "Show OTP QRCode" button appears in the "Connection Status and Control" list, which shows the QR code for configuring an authenticator app (like OTP, FreeOTP and Authy).
/etc/sysconfig/firewall.local) and some appropriate iptables rules should be used.
These above settings can be adjusted at any time via the section Connection Status and Control and clicking on the yellow pencil.
Icons in the Connection Status and Control section:

Download Client Package (zip)
Download insecure Client Package (zip) - created when the PKCS12 File Password is blank
Show OTP QRCode
Download PKCS12 file
Enable or disable connection
Now the .zip package for the client can be downloaded via this button over the WebGUI. This zip package can then be transmitted to the client, where it is unpacked. The unzipped folder contains a .p12 file with all the certificates/keys and a .ovpn file with the client configuration. In case you need .pem files (e.g. for the Linux Network Manager) instead of the .p12, here is a solution for extracting the .pem files from a .p12 file.
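The following is an added example, not code from the IPFire wiki or the IPFire project: it splits the client .p12 from the downloaded package into the ca.pem, cert.pem and key.pem files that Network Manager expects, then checks the certificate's subject and remaining validity (the validity in days chosen when the connection was created). It assumes openssl is installed; the file names and password are placeholders.

```shell
#!/bin/sh
# Added example, not part of the IPFire wiki: split the client .p12 from the
# downloaded client package into ca.pem / cert.pem / key.pem (as needed by
# e.g. Linux Network Manager) and inspect the client certificate.
# Assumes openssl is installed; file names and the password are placeholders.
set -eu

# extract_p12 <client.p12> <pkcs12-password> <outdir>
# Writes ca.pem, cert.pem and key.pem into <outdir>. key.pem is written
# unencrypted, so the directory is created mode 700 and the key mode 600.
extract_p12() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out" && chmod 700 "$out"
    # CA certificate(s) only, no private key
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys -out "$out/ca.pem"
    # client certificate only
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$out/cert.pem"
    # private key, unencrypted (-nodes); umask in a subshell so it does not leak
    ( umask 077
      openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/key.pem" )
}

# cert_cn <cert.pem>: print the subject, e.g. "CN=LT4702", to confirm the
# extracted certificate belongs to the expected user / system hostname.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# cert_valid_for_days <cert.pem> <days>: exit 0 only if the certificate is
# still valid <days> from now, exit 1 if it expires before then (the server
# will refuse the client once the validity period set at creation has passed).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage: sh extract_p12.sh LT4702.p12 'pkcs12-password' ./pem
if [ -n "${1:-}" ]; then
    out=${3:-./pem}
    extract_p12 "$1" "${2:?pkcs12 password required}" "$out"
    echo "client certificate: $(cert_cn "$out/cert.pem")"
    cert_valid_for_days "$out/cert.pem" 30 \
        && echo "valid for at least 30 more days" || echo "expires within 30 days"
fi
```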
For Windows versions, load the client software from OpenVPN Community Downloads - Windows installer.
If you want to have an OpenVPN connection to the blue interface, you will need to do some manual configuration.