The very first step to activate OpenVPN on IPFire should be to generate the server certificates. After this has been done, the global settings can be made in this section.
In order to activate OpenVPN on the desired interface, you need to tick the checkbox for the interface on which the OpenVPN-service should listen. Which checkboxes you can see on the Webinterface depends on the number of installed network cards. To activate OpenVPN for Internet traffic red (VPN to / from the outside) is responsible. The blue interface should be used for OpenVPN on a W-LAN connection. The OpenVPN service for the DMZ can be activated on orange.
By enabling the connection the red interface, the firewall rules will be opened automatically for the operation of OpenVPN.
- The activation of 'OpenVPN on red' needs to be done and the server to be started correctly otherwise the firewall rules for OpenVPN won´t be set automatically but also the client generation won´t work properly.
- The checkboxes for 'OpenVPN on blue' and 'OpenVPN on orange' only prints the remote line with the appropriate IP addresses and the defined port from the blue and/or orange network into the 'client.ovpn' configuration file. Nevertheless there is the need to push the routes for blue and/or orange (except the green interface because this will be pushed by default) over the 'advanced client options' in the box 'Client has access on these networks behind IPFire'.
- You need to edit the client.ovpn configuration file if you want to use other addresses than the 'Local VPN Hostname/IP:' or IPfire address on red0.
Network configuration
-
As "Local VPN Hostname/IP:" the FQDN or the IP of the red interface will be set automatically. If you use a DSL connection, it is also possible to configure your own dynamic dns addresses in IPFire. For DSL and other dial-up connections, IP-addresses are changing, and the OpenVPN-server would no longer be available! So without a static IP, a "Dynamic Domain Name System" makes the OpenVPN-service permanently available.
-
The "OpenVPN Subnet:" is the virtual or the transport subnet of OpenVPN. It is important to ensure that this subnet isn´t used on one of the other networks, connected to IPFire.
-
Under "OpenVPN device:" only the tun interface is selectable. IPFire currently only supports the tun device in routing mode.
-
As "Protocol:" UDP and TCP can be selected, where UDP is optimized for OpenVPN, and provides faster data throughput. Using TCP, the server waits for an unlimited time for a connection while the Client tries (approx. every 5 seconds) to establish one. When separated SPI firewalls work in front of the server or client, TCP connections can help against connection termination/interruption. Even with the use of a preceding proxy, TCP is used.
-
The "Destination Port:" specifies the port to the remote station (default 1194), Make sure that this port is not used by other services.
-
The "MTU Size:" specifies the maximum size of packets to be sent (default 1400). It should be ensured, that no fragmentation of packets is necessary, even with the additional headers, which are added to each packet by OpenVPN.
Cryptographic options
- Hash algorithm - The hash algorithm (--auth directive) defined here is used to secure the integrity of the IP packages which belongs throught the data canal and will be prooved by the funtion of a so-called Hash Message Authentication Code (HMAC). This authentication serves the integrity of the data and prevents a manipulation of the data. The following algorithms are available.
- Whirlpool (512 Bit)
- SHA2 (512 Bit)
- SHA2 (384 Bit)
- SHA2 (256 Bit)
- SHA1 (160 Bit) old default value.
Note - Following some crypto-analysis papers the SHA-1 HMAC isn´t collision free anymore. Therfore it is it is no recommended to use it, if possible. Afterward changes needs to be done on both sides !
- "Encryption:" The choosen cipher will be used for the encryption of your data channel.
Note - With IPFire-2.15 a new OpenSSL library was implemented, thus some new ciphers named CAMELLIA and SEED where implemented.
- With IPFire-2.19-Core120 a new OpenSSL library but also an update to OpenVPN-2.4.x has been introduced which entails a new block cipher called Galoise/Counter Mode .
To be at disposal now:
- Galois/Counter Mode with 256, 196 and 128 Bit
- CAMELLIA with 256, 196 und 128 Bit
- AES with 256, 196 und 128 Bit
- SEED with 128 Bit
Ciphers deprecated - not be used anymore
The following ciphers are so called 64 bit block ciphers whereby meanwhile know practical attacks are possible. You can find a workaround on OpenVPNs wiki if these ciphers are used but difficult to change. Nevertheless they should be changed as soon as possible. See https://sweet32.info/.
Due to security reasons, it is recommended to use AES or CAMELLIA suites.
With Core 100 the a client.ovpn configuration directive has been changed from --tls-remote directive to verify-x509-name.
- TLS Channel Protection - Is a TLS-Authentication (--tls-auth) which uses the same above configured hash algorithm although in a different way. By the usage of this option a 2048 bit static key is responsible (which can be found under/var/ipfire/ovpn/certs) to sign every OpenVPN package with an additional hash based signatur. This is a little like a firewall for the TLS channel, cause if a package doesn´t provides an appropriate signatur, OpenVPN will drop this package before the TLS-handshake procedure. This is a additional protection for DoS or replay attacks, but can also be helpful against programming errors (e.g. buffer overflows) on behalf of the crypto libraries in our case in the OpenSSL library.
Note - In case the ta.key isn´t broken (see the SHA-1 problematic) or compromised, for example the heartbleed bug would not be exploitable by unprivileged clients with an activated tls-auth protection.
The buttons
To edit the server, the server must be stopped, after editing, the server can be restarted.
How to add additional networks, can be found in the "static ip-address-pool" section. The "Advanced server options" should allow by their default values already the functionality of OpenVPN, but there can be found some interesting extensions in this area.