Convert certificates

Back to OpenVPN main

Back to extensions section

OpenVPN with NetworkManager

FIXME (needs some more details and maybe a screenshot)

The GNOME Desktop in Ubuntu, Fedora and other recent distributions comes with NetworkManager which is a tool to easily maintain the network connections.

You need to install the openvpn plugin to get to a dialog windows which will accept several configuration settings.

Ubuntu (e.g)

sudo apt-get install network-manager-openvpn

None

For the certificate there is some extra work to do. As NetworkManager does only accept the certificate in the pem format we need to run these commands where IPFIRE.p12 is the certificate file from the configuration archive you downloaded from the webinterface.

openssl pkcs12 -in IPFIRE.p12 -clcerts -nokeys -nodes -out user.pem
openssl pkcs12 -in IPFIRE.p12 -nocerts -nodes -out keys.pem
openssl pkcs12 -in IPFIRE.p12 -cacerts -nodes -out ca.pem

OpenVPNs cipher and digests tests with OpenSSL version 1.0.1g

This table lists the compatibility for operating systems in relation to the OpenSSL library (at this time version 1.0.1g) and his ciphers but also his digests algorithm.

Systems Ciphers Digests Updates
Android All/except Camellia SHA1/SHA256/SHA384/SHA512 ?
iOS 7.04 All/except Camellia SHA1/SHA256/SHA384/SHA512 ?
OS X 10.6 All All OpenSSL update needed, tested with Macports
OS X 10.6 10.9 All/except Camellia SHA1/SHA256/SHA384 Without update
Windows 7 All SHA1/SHA256/SHA384/SHA512 Without update
Fedora-19 All All Without updated
Ubuntu-12.04 All All Without updated
IPFire Core 71 tested with Net-to-Net connection ALL/Except Camellia SHA1/SHA256

This table lists the generation time of the whole PKI with 4096 bit for the root certificate, 2048 bit for the host certificate and the CRL, but also the generation of the Diffie-Hellman key lenght with 1024 bit (default), 2048 bit, 3072 bit and 4096 bit on different systems.

Systems Diffi-Hellman key lenght Generation Time Hardware crypto support
1024 bit 1:12 min. NO
" 2048 bit 9 min.
" 3072 bit 2h 12 min.
" 4096 bit 3h 48 min.\ (Partly considerable differences)
1024 bit tdb
" 2048 bit 01h 41 min.
" 4096 bit 12h 52 min.\ (Partly considerable differences)
1024 bit 0:03 min. YES / Dynamic
" 2048 bit 5:10 min.
" 3072 bit 08:15 min.
" 4096 bit 16:00 min.\ (Partly considerable differences)

This sheet lists crypto engine support for OpenSSL respectively OpenVPN. You can test your client systems with
openssl engine
OpenVPN tests for crypto engines can be done with this command
openvpn --show-engines

IPFire system Clients OpenSSL crypto engine Works in OpenVPN environment
OS X 10.6.8/Fedora 19/Ubuntu 12.0.4 cryptodev YES
" " dynamic YES
" " rsax NO
OS X 10.6.8/Fedora 19/Ubuntu 12.0.4 cryptodev YES
" " dynamic YES
" " rsax NO

Back to extensions section

Back to OpenVPN main

Edit Page ‐ Yes, you can edit!

Older Revisions • March 19 at 4:18 am • Derek McWilliams