The main client control point is the section "Client status and control".
|Download client .zip package|
|Download .p12 certificates|
|View certificate information|
|Enable (or disable) connection|
After configuring the server certificates, the global and advanced settings and possibly the static IP pool, the last step in setting up OpenVPN with IPFire is to create a new connection for the client.
Clicking the Add button opens a dialog for selecting the connection type. Choose "Host-to-Net Virtual Private Network (Roadwarrior)" for a Roadwarrior, then press the "Add" button.
The other two options relate to network-to-network connections and are not covered at this point, but can be viewed here.
Now you will be prompted to choose a name for the connection (e.g. AtHome) and to create a certificate for the user who uses the connection (e.g. field staff, yourself, or a friend :-)).
In this area you can select the type of network. As before Core 65, there are dynamic address ranges (ovpn-leases.db), where the server assigns the client an address from a dynamic pool. Since Core 65, "Static IP address pools" can also be selected, so the range of possible OpenVPN subnets and clients becomes much larger. A static pool also ensures that a client always gets the same IP address, which can be important, e.g. for creating appropriate firewall rules.
Furthermore, it is also possible to upload an already existing certificate.
When generating a new client certificate, most fields should be self-explanatory, but some deserve a closer look.
Some security terms:
If a "PKCS12 file password" is set, the user of this .p12 file will be prompted for the password before the connection is established. This prevents an unauthorized person from using the .p12 file unless they know the correct password; without the password the file is useless to them. The password needs to have 5 or more characters.
The validity of the certificate (in days) can also be set; after this period the server won't accept this client's .p12 any more.
The remaining fields are mostly self-explanatory; for "Users full Name or system hostname", the name should correspond to the user or the specified system so that the connection is easier to identify.
Since Core 65, it is possible to provide client-specific options which differ from the global server configuration. With the client-config-directory (CCD; on IPFire found under /var/ipfire/ovpn/ccd) a client-specific configuration file can be saved for each client. For example, you can instruct a client to route its network, or push individual server routes to it. Furthermore, you can instruct the client to route all IP traffic through the tunnel (redirect the gateway for one or more individual clients) or assign a DNS or WINS server individually.
|If this directive (redirect-gateway) is set, the client can access all networks on the server side, and the subnets defined under "Client has access to these networks on IPFire's site" will no longer be considered. However, if redirect-gateway should be set and access to the local server zones should also be restricted, the firewall.local (findable under
|IP forwarding is necessary to make the network behind the client (Roadwarrior) reachable from the OpenVPN server's network.|
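As an added example (not from the wiki page or from IPFire's own code), a small POSIX shell helper that writes such a CCD file with the directives discussed above. The directory is the one named above; the client name, subnets and DNS address are constructed sample values.

```shell
#!/bin/sh
# Added example; not code from the IPFire wiki or the IPFire project.
# Writes an OpenVPN client-config-dir (CCD) file for one Roadwarrior client.
# /var/ipfire/ovpn/ccd is the directory the page names; everything passed in
# (client name, subnets, DNS server) is a constructed sample value.
CCD_DIR="${CCD_DIR:-/var/ipfire/ovpn/ccd}"

# write_ccd <client-cn> <client-lan> <client-mask> [dns-ip] [redirect: yes|no]
# The file name must match the Common Name of the client certificate, since
# OpenVPN looks up the CCD file by that name when the client connects.
write_ccd() {
    cn="$1"; lan="$2"; mask="$3"; dns="${4:-}"; redirect="${5:-no}"
    [ -d "$CCD_DIR" ] || { echo "missing directory $CCD_DIR" >&2; return 1; }
    file="$CCD_DIR/$cn"
    {
        # iroute: the network $lan/$mask lives behind this client. The server
        # config also needs a matching "route $lan $mask" so the kernel sends
        # packets for that subnet into the tun interface at all.
        echo "iroute $lan $mask"
        # per-client DNS server (push "dhcp-option WINS ..." works the same way)
        if [ -n "$dns" ]; then
            echo "push \"dhcp-option DNS $dns\""
        fi
        # send all of this client's IP traffic through the tunnel; with this
        # set, the per-client "access to these networks" list no longer applies
        if [ "$redirect" = "yes" ]; then
            echo "push \"redirect-gateway def1\""
        fi
    } > "$file"
    echo "$file"
}

# ccd_has <client-cn> <line-prefix>: succeeds if the client's CCD file
# contains a line starting with the given text (used to verify the result)
ccd_has() {
    grep -q -- "^$2" "$CCD_DIR/$1"
}
```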
IP forwarding is activated as follows:
This was tested with Windows 7:
To enable IP forwarding (that is, to enable routing), open the Windows Registry: click Start → Run and type regedit. Navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and change the entry IPEnableRouter to 1. Restart the machine after the modification. Now the client can offer its subnet to OpenVPN.
On Linux, whether ip_forwarding is already activated can be checked with the following command:
If the answer is 0 it is deactivated; if the answer is 1 it is activated.
For a temporary activation of ip_forwarding the following command can be used:
sysctl -w net.ipv4.ip_forward=1
To make ip_forwarding permanent, this command should be used:
echo 1 > /proc/sys/net/ipv4/ip_forward
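An added example, not from the wiki page: a POSIX shell helper for a Linux Roadwarrior client that reports the ip_forward state, enables it at runtime (the same effect as the sysctl and echo commands above) and additionally writes a sysctl.d drop-in, because a value written to /proc or set with sysctl -w on its own is lost at reboot. The drop-in path is an assumption about a sysctl.d-aware client distribution, not something IPFire prescribes.

```shell
#!/bin/sh
# Added example, not from the IPFire wiki: check and enable IPv4 forwarding on
# a Linux Roadwarrior client so the LAN behind it can be reached through the
# tunnel. SYSCTL_FILE defaults to the kernel's real control file; the tests
# point it at a constructed temporary file instead.
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/net/ipv4/ip_forward}"
# Drop-in that re-applies the setting at boot (path is an assumption about a
# sysctl.d-aware distribution).
PERSIST_FILE="${PERSIST_FILE:-/etc/sysctl.d/99-openvpn-forward.conf}"

# ip_forward_state: print "enabled" (value 1), "disabled" (value 0) or
# "unknown" (file missing or unexpected content)
ip_forward_state() {
    case "$(cat "$SYSCTL_FILE" 2>/dev/null)" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# enable_ip_forward: runtime change only, same as `sysctl -w net.ipv4.ip_forward=1`
enable_ip_forward() {
    echo 1 > "$SYSCTL_FILE"
}

# persist_ip_forward: record the setting so it survives a reboot
persist_ip_forward() {
    echo "net.ipv4.ip_forward = 1" > "$PERSIST_FILE"
}

# Usage: `sh ip_forward.sh --enable` (needs root); without arguments it only
# reports the current state.
if [ "${1:-}" = "--enable" ]; then
    enable_ip_forward && persist_ip_forward
fi
ip_forward_state
```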
|In this section this means the tunnel can indeed be built up, but has no further functional effect for the client. Thus the server side can control who has access, when and to where.|
|These settings can also be adjusted later at any time via the section "Client status and control" and the yellow pencil.|
Now the .zip package for the client can be downloaded via the corresponding button in the web interface. This .zip package can now be transferred to the client, where it can be unpacked. The unzipped folder contains a ".p12" file with all the certificates/keys and a ".ovpn" file with the client configuration. In case you need ".pem" files (e.g. for the Linux Network Manager) instead of the bundled ".p12", here is a solution for extracting the ".pem" files from a ".p12".
|Caution: for Windows, download the client software called "OpenVPN Community Software Windows Client Download"!|
|If you want an OpenVPN connection to the blue interface, you will need to do some manual configuration.|