The very first step to activate OpenVPN on IPFire is to generate the server certificates. Once this has been done, the global settings can be made in this section.
In order to activate OpenVPN on the desired interface, tick the checkbox for the interface on which the OpenVPN service should listen. Which checkboxes are shown in the web interface depends on the number of installed network cards. The red interface is responsible for OpenVPN over the Internet (VPN to / from the outside). The blue interface should be used for OpenVPN on a WLAN connection, and the OpenVPN service for the DMZ can be activated on orange.
When the connection is enabled on the red interface, the firewall rules needed for OpenVPN are opened automatically.
As "Local VPN Hostname/IP:" the FQDN or the IP address of the red interface is set automatically. If you use a DSL connection, you can also configure your own dynamic DNS address in IPFire. On DSL and other dial-up connections the IP address changes, and the OpenVPN server would no longer be reachable. Without a static IP, a "Dynamic Domain Name System" entry therefore keeps the OpenVPN service permanently available.
The "OpenVPN Subnet:" is the virtual or transport subnet of OpenVPN. Make sure that this subnet is not already used on any of the other networks connected to IPFire.
Under "OpenVPN device:" only the tun interface is selectable. IPFire currently only supports the tun device in routing mode.
As "Protocol:" either UDP or TCP can be selected. UDP is the better fit for OpenVPN and provides higher data throughput. With TCP, the server waits for a connection indefinitely while the client retries (approx. every 5 seconds) until one is established. When separate SPI firewalls sit in front of the server or client, TCP connections can help against connection termination or interruption. TCP is also required when the connection passes through a proxy.
The "Destination Port:" specifies the port of the remote station (default 1194). Make sure that this port is not used by other services.
The "MTU Size:" specifies the maximum size of packets to be sent (default 1400). Choose it so that no fragmentation of packets is necessary, even with the additional headers that OpenVPN adds to each packet.
Note - According to several cryptanalysis papers, the SHA-1 HMAC is no longer considered collision free. It is therefore not recommended to use it where this can be avoided. Any change to the HMAC must be made on both sides!
The following are now available:
The following ciphers are so-called 64-bit block ciphers, for which practical attacks are now known. If these ciphers are in use but difficult to change, a workaround can be found on OpenVPN's wiki. Nevertheless, they should be replaced as soon as possible. See https://sweet32.info/.
For security reasons, it is recommended to use AES or CAMELLIA suites.
With Core 100 the client.ovpn configuration directive has been changed from the --tls-remote directive to
Note - As long as the ta.key is not broken (see the SHA-1 issue above) or compromised, a bug such as Heartbleed would not be exploitable by unprivileged clients when tls-auth protection is activated.
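The following audit script is an added example, not code from IPFire or OpenVPN. It parses a client.ovpn or server.conf and flags the points discussed above: a 64-bit block cipher (Sweet32), the SHA-1 HMAC, a missing tls-auth line, the old --tls-remote directive, a non-tun device and an MTU above 1400. The Sweet32 cipher list, the default-cipher and default-HMAC fallbacks, and the two sample configurations are my assumptions.

```python
# Block ciphers with a 64-bit block size (Blowfish, DES/3DES, CAST5, IDEA, RC2),
# the family the Sweet32 attack applies to, spelled as OpenVPN names them.
SWEET32_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "DESX-CBC",
                   "CAST5-CBC", "IDEA-CBC", "RC2-CBC", "RC2-40-CBC", "RC2-64-CBC"}

def parse_directives(text):
    """Map each OpenVPN directive to its argument list, ignoring # and ; comments."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if parts:
            seen[parts[0].lower()] = parts[1:]
    return seen

def audit_openvpn_config(text):
    """Return (directive, message) findings for a server.conf or client.ovpn."""
    d, findings = parse_directives(text), []
    cipher = d.get("cipher", ["BF-CBC"])[0].upper()   # pre-2.5 OpenVPN default
    if cipher in SWEET32_CIPHERS:
        findings.append(("cipher", f"{cipher} is a 64-bit block cipher (Sweet32)"))
    elif not cipher.startswith(("AES-", "CAMELLIA-")):
        findings.append(("cipher", f"{cipher} is not an AES or CAMELLIA suite"))
    if d.get("auth", ["SHA1"])[0].upper() == "SHA1":   # OpenVPN's default HMAC
        findings.append(("auth", "SHA-1 HMAC; change on server and all clients together"))
    if "tls-auth" not in d:
        findings.append(("tls-auth", "no ta.key; TLS stack reachable by unauthenticated peers"))
    if "tls-remote" in d:
        findings.append(("tls-remote", "directive replaced since Core 100; regenerate client package"))
    if d.get("dev", ["tun"])[0].lower().startswith("tap"):
        findings.append(("dev", "IPFire supports only the tun device in routing mode"))
    if int(d.get("tun-mtu", ["1400"])[0]) > 1400:
        findings.append(("tun-mtu", "above IPFire's default of 1400; packets may fragment"))
    return findings

# Constructed sample client configs for this demonstration, not from a real install.
WEAK_OVPN = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n" \
            "cipher BF-CBC\nauth SHA1\ntls-remote ipfire-server\n"
HARDENED_OVPN = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n" \
                "tun-mtu 1400\ncipher AES-256-CBC\nauth SHA512\ntls-auth ta.key 1\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_OVPN), ("hardened", HARDENED_OVPN)):
        for directive, msg in audit_openvpn_config(cfg) or [("-", "no findings")]:
            print(f"{name}: {directive}: {msg}")
```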
To edit the server settings, the server must be stopped first; after editing, it can be restarted.
How to add additional networks is described in the "static ip-address-pool" section. The default values of the "Advanced server options" are already sufficient for OpenVPN to work, but some useful extensions can be found there.