DYNDNS + OpenVPN

Hi there,
I have two IPFIRE MINI APPLIANCEs behind the same Fritzbox router. Both systems update their DynDNS IP.
I added an OpenVPN Site2Site connection as explained in a YouTube video (which is around 7 years old). Anyway, ipfire1 shows connected and online. ipfire2 says "Reconnecting" in the VPN interface and "Online" in the network field on the status page.

Do I have to forward port 2000 in the router?

Here is the protocol from ipfire1 (the VPN server):
14:31:47 openvpnserver[15796]: DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
14:31:47 openvpnserver[15796]: WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
14:31:47 openvpnserver[15796]: DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.
14:31:47 openvpnserver[15796]: OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 14 2023
14:31:47 openvpnserver[15796]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
14:31:47 openvpnserver[15797]: MANAGEMENT: unix domain socket listening on /var/run/openvpn.sock
14:31:47 openvpnserver[15797]: WARNING: --keepalive option is missing from server config
14:31:47 openvpnserver[15797]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
14:31:47 openvpnserver[15797]: Diffie-Hellman initialized with 4096 bit key
14:31:47 openvpnserver[15797]: CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
14:31:47 openvpnserver[15797]: ROUTE_GATEWAY 192.168.150.1/255.255.255.0 IFACE=red0 HWADDR=00:0d:b9:60:5a:fb
14:31:47 openvpnserver[15797]: TUN/TAP device tun1 opened
14:31:47 openvpnserver[15797]: /sbin/ip link set dev tun1 up mtu 1400
14:31:47 openvpnserver[15797]: /sbin/ip link set dev tun1 up
14:31:47 openvpnserver[15797]: /sbin/ip addr add dev tun1 local 10.137.89.1 peer 10.137.89.2
14:31:47 openvpnserver[15797]: /sbin/ip route add 10.137.89.0/24 via 10.137.89.2
14:31:47 openvpnserver[15797]: Could not determine IPv4/IPv6 protocol. Using AF_INET
14:31:47 openvpnserver[15797]: Socket Buffers: R=[212992->212992] S=[212992->212992]
14:31:47 openvpnserver[15797]: UDPv4 link local (bound): [AF_INET][undef]:1194
14:31:47 openvpnserver[15797]: UDPv4 link remote: [AF_UNSPEC]
14:31:47 openvpnserver[15797]: GID set to nobody
14:31:47 openvpnserver[15797]: UID set to nobody
14:31:47 openvpnserver[15797]: MULTI: multi_init called, r=256 v=256
14:31:47 openvpnserver[15797]: IFCONFIG POOL IPv4: base=10.137.89.4 size=62
14:31:47 openvpnserver[15797]: IFCONFIG POOL LIST
14:31:47 openvpnserver[15797]: Initialization Sequence Completed
14:31:48 openvpnserver[15797]: MANAGEMENT: Client connected from /var/run/openvpn.sock
14:31:48 VPNHolzhausenvierteln2n[15480]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:2000
14:31:48 VPNHolzhausenvierteln2n[15480]: MANAGEMENT: CMD ‘state’
14:31:48 VPNHolzhausenvierteln2n[15480]: MANAGEMENT: Client disconnected
14:31:51 VPNHolzhausenvierteln2n[15480]: [UNDEF] Inactivity timeout (–ping-restart), restarting
14:31:51 VPNHolzhausenvierteln2n[15480]: SIGUSR1[soft,ping-restart] received, process restarting
14:31:51 VPNHolzhausenvierteln2n[15480]: Restart pause, 5 second(s)
14:31:56 VPNHolzhausenvierteln2n[15480]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
14:31:56 VPNHolzhausenvierteln2n[15480]: Preserving previous TUN/TAP instance: tun0
14:31:56 VPNHolzhausenvierteln2n[15480]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.235.134.155:2000
14:31:56 VPNHolzhausenvierteln2n[15480]: Socket Buffers: R=[212992->212992] S=[212992->212992]
14:31:56 VPNHolzhausenvierteln2n[15480]: UDPv4 link local (bound): [AF_INET]192.168.150.172:2000
14:31:56 VPNHolzhausenvierteln2n[15480]: UDPv4 link remote: [AF_INET]217.235.134.155:2000
14:31:56 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:31:59 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:32:03 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:32:11 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:32:27 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:32:56 VPNHolzhausenvierteln2n[15480]: [UNDEF] Inactivity timeout (–ping-restart), restarting
14:32:56 VPNHolzhausenvierteln2n[15480]: SIGUSR1[soft,ping-restart] received, process restarting
14:32:56 VPNHolzhausenvierteln2n[15480]: Restart pause, 5 second(s)
14:33:01 VPNHolzhausenvierteln2n[15480]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
14:33:01 VPNHolzhausenvierteln2n[15480]: Preserving previous TUN/TAP instance: tun0
14:33:01 VPNHolzhausenvierteln2n[15480]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.235.134.155:2000
14:33:01 VPNHolzhausenvierteln2n[15480]: Socket Buffers: R=[212992->212992] S=[212992->212992]
14:33:01 VPNHolzhausenvierteln2n[15480]: UDPv4 link local (bound): [AF_INET]192.168.150.172:2000
14:33:01 VPNHolzhausenvierteln2n[15480]: UDPv4 link remote: [AF_INET]217.235.134.155:2000
14:33:01 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:33:03 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:33:07 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:33:15 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:33:31 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:34:02 VPNHolzhausenvierteln2n[15480]: [UNDEF] Inactivity timeout (–ping-restart), restarting
14:34:02 VPNHolzhausenvierteln2n[15480]: SIGUSR1[soft,ping-restart] received, process restarting
14:34:02 VPNHolzhausenvierteln2n[15480]: Restart pause, 5 second(s)
14:34:07 VPNHolzhausenvierteln2n[15480]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
14:34:07 VPNHolzhausenvierteln2n[15480]: Preserving previous TUN/TAP instance: tun0
14:34:07 VPNHolzhausenvierteln2n[15480]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.235.134.155:2000
14:34:07 VPNHolzhausenvierteln2n[15480]: Socket Buffers: R=[212992->212992] S=[212992->212992]
14:34:07 VPNHolzhausenvierteln2n[15480]: UDPv4 link local (bound): [AF_INET]192.168.150.172:2000
14:34:07 VPNHolzhausenvierteln2n[15480]: UDPv4 link remote: [AF_INET]217.235.134.155:2000
14:34:07 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000
14:34:09 VPNHolzhausenvierteln2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]217.235.134.155:2000

Thanks for the help!

Wait, are you trying to create a tunnel between two IPFire machines inside the same LAN?

Hi @pstephenson

Welcome to the IPFire community.

A hell of a lot of changes have occurred in the last 7 years. I would be very wary about following something that old for a firewall.

You have a lot of these errors. The net to net connection is based on a peer to peer approach. However one of the IPFire machines needs to have its net2net definition set up as server and the other will be set up as client. It doesn’t matter which is server and which is client.

That error message is saying that you have both defined as server or both defined as client.

On one of the IPFire systems you should define the net2net connection. That one will be taken to be the server by default. Then you download the net2net client zip package from that machine and it will have all the details for the client version automatically. You then copy that file to your other IPFire machine and upload the client config and it will be installed on that machine with it being defined as the client.

More details can be found from the wiki page. There is a link for setting up the “server” instance and another for the “client” instance at the bottom of this page.
https://wiki.ipfire.org/configuration/services/openvpn/config#Net-to-Net configuration

1 Like

Is this the video that you watched?
https://www.youtube.com/watch?v=VAgrJ-tm1OI

If yes, then I just went through it and the basics should work. The main difference is that in the video you can (and need to) define the Diffie-Hellman key size, which is now fixed at 4096 bit and cannot be modified anymore as in the video.
Also some of the ciphers or the hash algorithms shown in the video are considered insecure now and should no longer be used, or are no longer available in the dropdown box for the cipher or hash algorithm in the more recent Core Updates. Accept the default that is shown as basically that will be the strongest choice out of the available list.

In the video the selection box for server or client was shown. Did you leave that as server?

When you uploaded the client configuration into the other IPFire, did you press the pencil icon to edit that configuration? If you look into the client configuration it should say client if the first IPFire is set at server.
If the first IPFire is set at client then the second IPFire should have server selected.

You must not have both set at server or both set at client and that is what the error message is indicating.

1 Like

@bonnietwin I think the two machines are not finding each other because he is using two public IPs (through a dyndns service) from inside his Lan (established by a fritzbox) to create the tunnel.

Aah. You might be right with that. I thought he had the two IPFire systems on the LAN side of the Fritzbox trying to directly contact each other within that LAN segment, i.e. the LAN of the Fritzbox acting as the red network connection between the two IPFires.
I have that construction set up in my VM testbed and have successfully got a net2net connection between two VM IPFires that are both on the green LAN of my real IPFire system.

Mine are not going out to the internet. I am not sure how that would work. It is not clear to me if there are two public IP’s or not. That should be clarified.

Either way you should not see the error about client to client or server to server connection being attempted but it could be due to a different reason than I was thinking of.

In a roadwarrior setting, when I try to connect inside my LAN to my OpenVPN server using its public IP, the connection is not established. If I change the configuration and tell the client to use the private IP, it works flawlessly. I think this would probably not change in a N2N configuration.

14:33:01 VPNHolzhausenvierteln2n[15480]: UDPv4 link local (bound): [AF_INET]192.168.150.172:2000
14:33:01 VPNHolzhausenvierteln2n[15480]: UDPv4 link remote: [AF_INET]217.235.134.155:2000

Hi, wow, thanks for your replies.

The two IPFIREs are behind the same router - same public IP. I will try and install one IPFIRE in another network and see how this will go…

Will send an update shortly…

You should NOT use the public IPs, but ONLY the private ones. Besides, there is no reason to use a public IP if you want to connect to a machine attached to the same router. When you connect to an OpenVPN server inside a LAN there is a NAT happening behind the curtain. If the other end of the tunnel is inside the same network, I suspect the routing fails. Instead, if you connect using the private IPs, there is no NAT and the routing is functional. If you connect two LANs behind two separate public IPs, you can use DynDNS to allow the ends of the tunnel to find each other. But if you are behind the same router, do not complicate things: use the private IPs.

2 Likes

Hm, both IPFIREs now have different public IPs.

How does IPFIRE1 get to know the DynDNS name of IPFIRE2? How do I enter the DynDNS name in the OpenVPN connection?

This is the client-side protocol:

17:40:22 openvpnserver[2378]: event_wait : Interrupted system call (code=4)
17:40:22 openvpnserver[2378]: /sbin/ip route del 10.38.129.0/24
17:40:22 openvpnserver[2378]: ERROR: Linux route delete command failed: external program exited with error status: 2
17:40:22 openvpnserver[2378]: Closing TUN/TAP interface
17:40:22 openvpnserver[2378]: /sbin/ip addr del dev tun0 local 10.38.129.1 peer 10.38.129.2
17:40:22 openvpnserver[2378]: Linux ip addr del failed: external program exited with error status: 2
17:40:22 openvpnserver[2378]: SIGTERM[hard,] received, process exiting
17:41:02 VPNHolzhausenvierteln2n[3145]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
17:41:02 VPNHolzhausenvierteln2n[3145]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
17:41:02 VPNHolzhausenvierteln2n[3145]: OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 14 2023
17:41:02 VPNHolzhausenvierteln2n[3145]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
17:41:02 VPNHolzhausenvierteln2n[3147]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:2000
17:41:02 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:02 VPNHolzhausenvierteln2n[3147]: ROUTE_GATEWAY 192.168.146.1/255.255.255.0 IFACE=red0 HWADDR=00:0d:b9:60:6d:1b
17:41:02 VPNHolzhausenvierteln2n[3147]: TUN/TAP device tun0 opened
17:41:02 VPNHolzhausenvierteln2n[3147]: /sbin/ip link set dev tun0 up mtu 1500
17:41:02 VPNHolzhausenvierteln2n[3147]: /sbin/ip link set dev tun0 up
17:41:02 VPNHolzhausenvierteln2n[3147]: /sbin/ip addr add dev tun0 local 10.10.1.2 peer 10.10.1.1
17:41:02 VPNHolzhausenvierteln2n[3147]: /sbin/ip route add 192.168.222.0/24 via 10.10.1.1
17:41:03 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:03 VPNHolzhausenvierteln2n[3147]: Could not determine IPv4/IPv6 protocol
17:41:03 VPNHolzhausenvierteln2n[3147]: GID set to nobody
17:41:03 VPNHolzhausenvierteln2n[3147]: UID set to nobody
17:41:03 VPNHolzhausenvierteln2n[3147]: SIGUSR1[soft,init_instance] received, process restarting
17:41:03 VPNHolzhausenvierteln2n[3147]: Restart pause, 5 second(s)
17:41:05 VPNHolzhausenvierteln2n[3147]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:2000
17:41:05 VPNHolzhausenvierteln2n[3147]: MANAGEMENT: CMD ‘state’
17:41:05 VPNHolzhausenvierteln2n[3147]: MANAGEMENT: Client disconnected
17:41:08 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:08 VPNHolzhausenvierteln2n[3147]: Preserving previous TUN/TAP instance: tun0
17:41:08 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:08 VPNHolzhausenvierteln2n[3147]: Could not determine IPv4/IPv6 protocol
17:41:08 VPNHolzhausenvierteln2n[3147]: SIGUSR1[soft,init_instance] received, process restarting
17:41:08 VPNHolzhausenvierteln2n[3147]: Restart pause, 5 second(s)
17:41:13 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:13 VPNHolzhausenvierteln2n[3147]: Preserving previous TUN/TAP instance: tun0
17:41:13 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:13 VPNHolzhausenvierteln2n[3147]: Could not determine IPv4/IPv6 protocol
17:41:13 VPNHolzhausenvierteln2n[3147]: SIGUSR1[soft,init_instance] received, process restarting
17:41:13 VPNHolzhausenvierteln2n[3147]: Restart pause, 5 second(s)
17:41:18 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:18 VPNHolzhausenvierteln2n[3147]: Preserving previous TUN/TAP instance: tun0
17:41:18 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:18 VPNHolzhausenvierteln2n[3147]: Could not determine IPv4/IPv6 protocol
17:41:18 VPNHolzhausenvierteln2n[3147]: SIGUSR1[soft,init_instance] received, process restarting
17:41:18 VPNHolzhausenvierteln2n[3147]: Restart pause, 5 second(s)
17:41:23 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:23 VPNHolzhausenvierteln2n[3147]: Preserving previous TUN/TAP instance: tun0
17:41:23 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:23 VPNHolzhausenvierteln2n[3147]: Could not determine IPv4/IPv6 protocol
17:41:23 VPNHolzhausenvierteln2n[3147]: SIGUSR1[soft,init_instance] received, process restarting
17:41:23 VPNHolzhausenvierteln2n[3147]: Restart pause, 10 second(s)
17:41:33 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:33 VPNHolzhausenvierteln2n[3147]: Preserving previous TUN/TAP instance: tun0
17:41:33 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:33 VPNHolzhausenvierteln2n[3147]: Could not determine IPv4/IPv6 protocol
17:41:33 VPNHolzhausenvierteln2n[3147]: SIGUSR1[soft,init_instance] received, process restarting
17:41:33 VPNHolzhausenvierteln2n[3147]: Restart pause, 20 second(s)
17:41:53 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:53 VPNHolzhausenvierteln2n[3147]: Preserving previous TUN/TAP instance: tun0
17:41:53 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:41:53 VPNHolzhausenvierteln2n[3147]: Could not determine IPv4/IPv6 protocol
17:41:53 VPNHolzhausenvierteln2n[3147]: SIGUSR1[soft,init_instance] received, process restarting
17:41:53 VPNHolzhausenvierteln2n[3147]: Restart pause, 40 second(s)
17:42:08 VPNHolzhausenvierteln2n[3147]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:2000
17:42:08 VPNHolzhausenvierteln2n[3147]: MANAGEMENT: CMD ‘state’
17:42:08 VPNHolzhausenvierteln2n[3147]: MANAGEMENT: Client disconnected
17:42:33 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:42:33 VPNHolzhausenvierteln2n[3147]: Preserving previous TUN/TAP instance: tun0
17:42:33 VPNHolzhausenvierteln2n[3147]: RESOLVE: Cannot resolve host address: ipfire1.hauptwache:2000 (Name or service not known)
17:42:33 VPNHolzhausenvierteln2n[3147]: Could not determine IPv4/IPv6 protocol
17:42:33 VPNHolzhausenvierteln2n[3147]: SIGUSR1[soft,init_instance] received, process restarting
17:42:33 VPNHolzhausenvierteln2n[3147]: Restart pause, 80 second(s)

Here is the server side:

17:41:11 VPNHolzhausenvierteln2n[23120]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
17:41:11 VPNHolzhausenvierteln2n[23120]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
17:41:11 VPNHolzhausenvierteln2n[23120]: OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 14 2023
17:41:11 VPNHolzhausenvierteln2n[23120]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
17:41:11 VPNHolzhausenvierteln2n[23121]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:2000
17:41:11 VPNHolzhausenvierteln2n[23121]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
17:41:11 VPNHolzhausenvierteln2n[23121]: Diffie-Hellman initialized with 4096 bit key
17:41:11 VPNHolzhausenvierteln2n[23121]: ROUTE_GATEWAY 192.168.150.1/255.255.255.0 IFACE=red0 HWADDR=00:0d:b9:60:5a:fb
17:41:11 VPNHolzhausenvierteln2n[23121]: TUN/TAP device tun0 opened
17:41:11 VPNHolzhausenvierteln2n[23121]: /sbin/ip link set dev tun0 up mtu 1500
17:41:11 VPNHolzhausenvierteln2n[23121]: /sbin/ip link set dev tun0 up
17:41:11 VPNHolzhausenvierteln2n[23121]: /sbin/ip addr add dev tun0 local 10.10.1.1 peer 10.10.1.2
17:41:11 VPNHolzhausenvierteln2n[23121]: /etc/init.d/static-routes start tun0 1500 1605 10.10.1.1 10.10.1.2 init
17:41:11 VPNHolzhausenvierteln2n[23121]: /sbin/ip route add 192.168.1.0/24 via 10.10.1.2
17:41:11 VPNHolzhausenvierteln2n[23121]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.1:2000
17:41:11 VPNHolzhausenvierteln2n[23121]: Socket Buffers: R=[212992->212992] S=[212992->212992]
17:41:11 VPNHolzhausenvierteln2n[23121]: UDPv4 link local (bound): [AF_INET]192.168.150.172:2000
17:41:11 VPNHolzhausenvierteln2n[23121]: UDPv4 link remote: [AF_INET]192.168.1.1:2000
17:41:11 VPNHolzhausenvierteln2n[23121]: GID set to nobody
17:41:11 VPNHolzhausenvierteln2n[23121]: UID set to nobody
17:41:14 VPNHolzhausenvierteln2n[23121]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:2000
17:41:14 VPNHolzhausenvierteln2n[23121]: MANAGEMENT: CMD ‘state’
17:41:14 VPNHolzhausenvierteln2n[23121]: MANAGEMENT: Client disconnected
17:41:18 openvpnserver[23278]: DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
17:41:18 openvpnserver[23278]: WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
17:41:18 openvpnserver[23278]: DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.
17:41:18 openvpnserver[23278]: OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 14 2023
17:41:18 openvpnserver[23278]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
17:41:18 openvpnserver[23279]: MANAGEMENT: unix domain socket listening on /var/run/openvpn.sock
17:41:18 openvpnserver[23279]: WARNING: --keepalive option is missing from server config
17:41:18 openvpnserver[23279]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
17:41:18 openvpnserver[23279]: Diffie-Hellman initialized with 4096 bit key
17:41:18 openvpnserver[23279]: CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
17:41:18 openvpnserver[23279]: ROUTE_GATEWAY 192.168.150.1/255.255.255.0 IFACE=red0 HWADDR=00:0d:b9:60:5a:fb
17:41:18 openvpnserver[23279]: TUN/TAP device tun1 opened
17:41:18 openvpnserver[23279]: /sbin/ip link set dev tun1 up mtu 1400
17:41:18 openvpnserver[23279]: /sbin/ip link set dev tun1 up
17:41:18 openvpnserver[23279]: /sbin/ip addr add dev tun1 local 10.137.89.1 peer 10.137.89.2
17:41:18 openvpnserver[23279]: /sbin/ip route add 10.137.89.0/24 via 10.137.89.2
17:41:18 openvpnserver[23279]: Could not determine IPv4/IPv6 protocol. Using AF_INET
17:41:18 openvpnserver[23279]: Socket Buffers: R=[212992->212992] S=[212992->212992]
17:41:18 openvpnserver[23279]: UDPv4 link local (bound): [AF_INET][undef]:1194
17:41:18 openvpnserver[23279]: UDPv4 link remote: [AF_UNSPEC]
17:41:18 openvpnserver[23279]: GID set to nobody
17:41:18 openvpnserver[23279]: UID set to nobody
17:41:18 openvpnserver[23279]: MULTI: multi_init called, r=256 v=256
17:41:18 openvpnserver[23279]: IFCONFIG POOL IPv4: base=10.137.89.4 size=62
17:41:18 openvpnserver[23279]: IFCONFIG POOL LIST
17:41:18 openvpnserver[23279]: Initialization Sequence Completed
17:41:18 openvpnserver[23279]: MANAGEMENT: Client connected from /var/run/openvpn.sock
17:41:18 VPNHolzhausenvierteln2n[23121]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:2000
17:41:18 VPNHolzhausenvierteln2n[23121]: MANAGEMENT: CMD ‘state’
17:41:18 VPNHolzhausenvierteln2n[23121]: MANAGEMENT: Client disconnected
17:42:11 VPNHolzhausenvierteln2n[23121]: [UNDEF] Inactivity timeout (–ping-restart), restarting
17:42:11 VPNHolzhausenvierteln2n[23121]: SIGUSR1[soft,ping-restart] received, process restarting
17:42:11 VPNHolzhausenvierteln2n[23121]: Restart pause, 5 second(s)
17:42:16 VPNHolzhausenvierteln2n[23121]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
17:42:16 VPNHolzhausenvierteln2n[23121]: Preserving previous TUN/TAP instance: tun0
17:42:16 VPNHolzhausenvierteln2n[23121]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.1:2000
17:42:16 VPNHolzhausenvierteln2n[23121]: Socket Buffers: R=[212992->212992] S=[212992->212992]
17:42:16 VPNHolzhausenvierteln2n[23121]: UDPv4 link local (bound): [AF_INET]192.168.150.172:2000
17:42:16 VPNHolzhausenvierteln2n[23121]: UDPv4 link remote: [AF_INET]192.168.1.1:2000
17:43:16 VPNHolzhausenvierteln2n[23121]: [UNDEF] Inactivity timeout (–ping-restart), restarting
17:43:16 VPNHolzhausenvierteln2n[23121]: SIGUSR1[soft,ping-restart] received, process restarting
17:43:16 VPNHolzhausenvierteln2n[23121]: Restart pause, 5 second(s)
17:43:21 VPNHolzhausenvierteln2n[23121]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
17:43:21 VPNHolzhausenvierteln2n[23121]: Preserving previous TUN/TAP instance: tun0
17:43:21 VPNHolzhausenvierteln2n[23121]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.1:2000
17:43:21 VPNHolzhausenvierteln2n[23121]: Socket Buffers: R=[212992->212992] S=[212992->212992]
17:43:21 VPNHolzhausenvierteln2n[23121]: UDPv4 link local (bound): [AF_INET]192.168.150.172:2000
17:43:21 VPNHolzhausenvierteln2n[23121]: UDPv4 link remote: [AF_INET]192.168.1.1:2000
17:44:21 VPNHolzhausenvierteln2n[23121]: [UNDEF] Inactivity timeout (–ping-restart), restarting
17:44:21 VPNHolzhausenvierteln2n[23121]: SIGUSR1[soft,ping-restart] received, process restarting
17:44:21 VPNHolzhausenvierteln2n[23121]: Restart pause, 5 second(s)
17:44:26 VPNHolzhausenvierteln2n[23121]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
17:44:26 VPNHolzhausenvierteln2n[23121]: Preserving previous TUN/TAP instance: tun0
17:44:26 VPNHolzhausenvierteln2n[23121]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.1:2000
17:44:26 VPNHolzhausenvierteln2n[23121]: Socket Buffers: R=[212992->212992] S=[212992->212992]
17:44:26 VPNHolzhausenvierteln2n[23121]: UDPv4 link local (bound): [AF_INET]192.168.150.172:2000
17:44:26 VPNHolzhausenvierteln2n[23121]: UDPv4 link remote: [AF_INET]192.168.1.1:2000
17:45:26 VPNHolzhausenvierteln2n[23121]: [UNDEF] Inactivity timeout (–ping-restart), restarting
17:45:26 VPNHolzhausenvierteln2n[23121]: SIGUSR1[soft,ping-restart] received, process restarting
17:45:26 VPNHolzhausenvierteln2n[23121]: Restart pause, 5 second(s)
17:45:31 VPNHolzhausenvierteln2n[23121]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
17:45:31 VPNHolzhausenvierteln2n[23121]: Preserving previous TUN/TAP instance: tun0
17:45:31 VPNHolzhausenvierteln2n[23121]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.1:2000
17:45:31 VPNHolzhausenvierteln2n[23121]: Socket Buffers: R=[212992->212992] S=[212992->212992]
17:45:31 VPNHolzhausenvierteln2n[23121]: UDPv4 link local (bound): [AF_INET]192.168.150.172:2000
17:45:31 VPNHolzhausenvierteln2n[23121]: UDPv4 link remote: [AF_INET]192.168.1.1:2000
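The logs in this thread show three distinct failure signatures (the "client->client or server->server" role mismatch explained above, the "Cannot resolve host address" DynDNS failure in the client-side log, and the silent ping-restart loop when the peer never answers), plus one security warning about the management interface. The script below is an added example written for this thread, not IPFire's or OpenVPN's own code: it pattern-matches those messages, counts them, and classifies the local/remote address pair as "same LAN" (RFC 1918 on both sides, where the private address should be used) or "behind NAT" (peer reached over the internet, where the far router must forward the tunnel port). The sample log, the host name `vpn-server.example.invalid` and the TEST-NET address 203.0.113.10 are constructed placeholders, not the poster's values.

```python
"""Triage helper for OpenVPN net-to-net logs of the kind quoted in this thread.

Added example, not IPFire's or OpenVPN's code. Returns a structured diagnosis
so a repeating log can be classified instead of read line by line.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample input modelled on the thread's log lines. The host name and
# the public address are placeholders (TEST-NET-3 range), not the poster's values.
SAMPLE_LOG = """\
14:31:56 n2n[15480]: UDPv4 link local (bound): [AF_INET]192.168.150.172:2000
14:31:56 n2n[15480]: UDPv4 link remote: [AF_INET]203.0.113.10:2000
14:31:56 n2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]203.0.113.10:2000
14:31:59 n2n[15480]: TLS Error: client->client or server->server connection attempted from [AF_INET]203.0.113.10:2000
14:32:56 n2n[15480]: [UNDEF] Inactivity timeout (--ping-restart), restarting
17:41:02 n2n[3145]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
17:41:02 n2n[3147]: RESOLVE: Cannot resolve host address: vpn-server.example.invalid:2000 (Name or service not known)
"""

# Each known signature maps to a finding code and a defender-facing explanation.
# The ping-restart pattern accepts "--" and the en dash the forum rendered it as.
PATTERNS = {
    "ROLE_MISMATCH": (
        re.compile(r"TLS Error: client->client or server->server connection attempted from \[AF_INET\](\S+)"),
        "both ends use the same role; one net2net side must be 'server', the other 'client'",
    ),
    "DNS_RESOLVE_FAILED": (
        re.compile(r"RESOLVE: Cannot resolve host address: (\S+) \("),
        "the remote host name does not resolve; the 'external host' field needs a resolvable DynDNS name or an IP",
    ),
    "NO_HANDSHAKE": (
        re.compile(r"Inactivity timeout \((?:--|\u2013)ping-restart\)"),
        "no packets from the peer before the ping-restart timer; check reachability and forwarding of the tunnel port",
    ),
    "MGMT_NO_PASSWORD": (
        re.compile(r"WARNING: Using --management on a TCP port WITHOUT passwords"),
        "management interface on TCP without a password; tolerable only while bound to 127.0.0.1",
    ),
}
LOCAL_RE = re.compile(r"UDPv4 link local \(bound\): \[AF_INET\](\S+)")
REMOTE_RE = re.compile(r"UDPv4 link remote: \[AF_INET\](\S+)")

# What the thread calls "private IPs": the RFC 1918 ranges. ipaddress.is_private
# would also flag TEST-NET documentation ranges, so the check is explicit here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def _ip_of(endpoint):
    """'192.168.150.172:2000' -> IPv4Address('192.168.150.172')."""
    return ipaddress.ip_address(endpoint.rsplit(":", 1)[0])


def classify_path(local, remote):
    """Describe how the two tunnel endpoints reach each other from the bound/remote addresses."""
    l_ip, r_ip = _ip_of(local), _ip_of(remote)
    if _is_rfc1918(l_ip) and _is_rfc1918(r_ip):
        return "SAME_LAN"    # no NAT in the path; the private peer address is the right choice
    if _is_rfc1918(l_ip):
        return "BEHIND_NAT"  # peer is reached over the internet; its router must forward the tunnel port
    return "DIRECT"          # local side itself has a public address


def triage(log_text):
    """Return counts of known failure signatures plus the endpoint pair and path class."""
    counts, details = Counter(), {}
    local = remote = None
    for line in log_text.splitlines():
        for code, (pattern, _why) in PATTERNS.items():
            m = pattern.search(line)
            if m:
                counts[code] += 1
                if m.groups():
                    details[code] = m.group(1)   # keep the last offending peer / host name
        if (m := LOCAL_RE.search(line)):
            local = m.group(1)
        if (m := REMOTE_RE.search(line)):
            remote = m.group(1)
    return {
        "findings": dict(counts),
        "details": details,
        "explanations": {code: PATTERNS[code][1] for code in counts},
        "local": local,
        "remote": remote,
        "path": classify_path(local, remote) if local and remote else None,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, n in result["findings"].items():
        print(f"{code} x{n}: {result['explanations'][code]}")
    print("path:", result["path"], result["local"], "->", result["remote"])
```

Feed it the contents of the OpenVPN log from the web interface (or pipe `grep` output into `triage`); a ROLE_MISMATCH count tells you to fix the server/client selection before looking at anything else, DNS_RESOLVE_FAILED points at the external host field, and a bare NO_HANDSHAKE with a BEHIND_NAT path is the port-forwarding case the thread ends with.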

Hi there,
I made it. Now then, things to do:
Router: IPFIRE → DMZ + port forwarding: 1194 and 2000 (or whatever you set up).
In the VPN client, in the field "external host", you put in the DynDNS name of the VPN server.

That's it. Quite easy…

Thanks for your help!

1 Like