The biggest problem I have with IPFire is that I can’t easily add and configure a VPN service (NordVPN, WindScribe, PIA, etc.) through which I can route some or all traffic. I have read how it might be done manually, but I’d trust an IPFire web interface much more than I would my own ability to do manual editing. Might this feature be coming in the near future?
Thanks for the great work!
Hi,
this is a frequently asked feature. We do not plan to implement this, as it
is dangerous unless (and even if) you are not aware what you are doing. A
VPN provider basically is a self-made MITM (Man In The Middle), and even if
they promise not to keep logs, etc., there is no way of telling whether they
are doing so or not.
In the past, some VPN providers have been blamed of being owned and/or controlled
by intelligence agencies. Since you cannot be sure the VPN provider of your least
distrust does not belong to this category, you never want to route any traffic
through them.
For increased privacy, please consider running an upstream proxy (which you
can easily configure in the web interface) and/or use something like Tor.
I am aware of security problems with Tor as well (deanonymisation via traffic
flow monitoring, etc.), but at least it is more complicated to disclose your
identity that way. If you are behind a VPN provider, there is one entity
knowing both your true identity (i. e. public IP address) and the one you hide
behind (i. e. public IP address of the VPN provider) - if this entity is compromised
or forced to cooperate, your privacy is gone.
Thanks, and best regards,
Peter Müller
Thank you, Peter, for your quick, clear, and comprehensive answer. For myself, I’m still inclined to use a VPN service. The reason is that I consider my Internet provider to be a MitM. Here in the States, at least, they know everything about our data history and are permitted to cash in on it. They are also almost certainly willing to share our data with government agencies.
So, to me, it comes down to which MitM I trust more: my Internet provider, or a VPN provider that I and others I trust have deemed relatively safe. It would be very helpful if Ipfire could accommodate me and others who feel so inclined.
Ipfire, I believe, offers all sorts of ways that users can mess up. I’ve always appreciated it when a potentially dangerous choice is indicated as such (i.e., “not recommended”). You could do this on a page that easily allows users to employ the VPN service of their choice. Leaving us to set this up manually seems to me to be an even riskier option.
Kindly reconsider.
Again, thanks for all your efforts on a great product.
There is a page on the wiki that shows how to enable an OpenVPN client configuration on IPFire, so all is not lost:
https://wiki.ipfire.org/configuration/services/openvpn/extensions/addconf
While it might not have been the intention, suggesting that not providing an OpenVPN front-end is actually to protect us from some bad VPN operators comes across as being rather patenalistic. We are adults and, with respect, these are decisions we should be taking for ourselves.
It’s a point of view, @krasnal. Yours and the one who create/adapt this distro for they needs.
They believe in a way to do things and they sustain it with the code and the product they make. I don’t agree for several choices they make but i cannot disrespect that with facts and code they sustain them ideas.
Do you know any firewall distro who uses a “drop in” OpenVPN client configuration as you wish?
Thanks @krasnal krasnal and @hvacguy for your links. I’m aware that there are those who have achieved this manually. But, I’m not comfortable attempting it, whereas a built-in solution in Ipfire would work for me.
Re. @pike_it 's question about whether there is a distro that does offer this, I believe that dd-wrt and Asuswrt does. I switched from dd-wrt to ipfire a few years ago and was hoping ipfire would eventually add this feature. It sound’s like it won’t, so I’m glad I asked.
If anyone can recommend other router software that has this feature and runs on x86-64 hardware, I’d appreciate it. Thank you all.
@teliac Have you looked at OpenWRT?
Here is how you can install and operate the OpenVPN client using LuCi OpenWRT web interface: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci
And here is a VPN overview providing other options using OpenWRT: https://openwrt.org/docs/guide-user/services/vpn/overview
@teliac i hope that you’ll find something that suits your needs. But compare ddwrt and asuswrt to IPfire it’s like comparing an apple with a long time cooked dish. You can both eat them, you can find the apple the most satisfying, but in any case not the same thing.
I would like to be more precise: i doubt that a business/corporate grade firewall software will provide such kind of feature today.
The first issue is gave to another company a way to earn to by your product; without a business partnership, it won’t happen.
The second issue is that these kind of VPN are consumer-oriented, and not business oriented, and except for specific countries or specific job cases, it’s… useless and unnecessary risky.
The third issue is a bit more… subtle: which CTO will be allowed by the CEO and the Privacy Officer for pay to sell all traffic data about the company to a VPN Service Provider?
Commercial VPN service providers “hide” non-encrypted data from the ISP (but it’s still fully available to the VPN provider) and hide the source and destination of encrypted traffic from the ISP (but it will be contractually sold by the customer to the VSP) and also could add a least one more MITM possibility due to VSP infrastructure.
Without the intent to circumvent the country limits of buying services and software, very few user cases can justify this kind of service. But now it seems than the “fear of the net” can make these services a goldmine for the one which are providing. First for money received, second for the data they gather and can be sold or used for advertising.
If tomorrow a customer will ask me to setup that kind of thing, my first choice will be setup a computer out of the green segment only for that kind of activity.
Are you afraid of your privacy? IMVHO setup a Pi-Hole is far more secure that buy this services.
Can I ask why you are with an ISP that you do not trust at all and why that is?
Why do you trust the VPN providers?
Sad but true. Micheal.
And we still do not trust the VPN provider.
Hi,
The reason is that I consider my Internet provider to be a MitM.
in such cases, you would just swap one MitM by another.
Here in the States, at least, they know everything about our data history and are permitted to cash in on it.
Why do you think VPN providers are not going to do the same? Further, why to you think their uplinks/ISPs will not share or sell the data? Those will be Tier-1 providers such as Level3, NTT, AT&T, etc. in most cases. They don’t sell cookies.
They are also almost certainly willing to share our data with government agencies.
well, if they are not willing to do so, governments usually have enough possibilities to “encourage” them to share data. 
Leaving us to set this up manually seems to me to be an even riskier option.
I agree, but to be honest, I never came across a single argument for using a VPN provider.
If I got it right, your ISP seems to be the problem. Why don’t you set up a proxy in a datacenter (perhaps in another country), build a net-to-net VPN connection to it, and route your traffic through it? If this is not possible or too expensive, please consider using Tor instead.
Again, thanks for all your efforts on a great product.
You’re welcome. We’re here to help.
Thanks, and best regards,
Peter Müller
I use IPFire on stand alone PC to front end all of my on-line PC’s.
The on-line PC’s run Mint, Kubuntu, and a few Windows boxes.
If you use Free VPN’s you are giving info to google, facebook, etc.
If you buy VPN service you have increased privacy and security.
I use PerfectPrivayVPN or NordVPN on my on-line PC’s
I have been using this config for years without any problems.
Thank you IPFire.
Do you have any research that can prove this?
Excellent question … While there is no tool available to the end user to prove
that one has increased privacy and security with a purchased VPN, there are
some realities that one can consider. Such as whether or not one has had problems
or not.
In the case of PerfectPrivacyVPN one must spend some time on their web site
to learn and understand what they offer. An interesting clue is that they have page
called “Warrant Canary” which lists whether they have received any legal requests
for info. Since they have no logs, they can not provide any info to snoops.
In the case of NordVPN check out the recommendations and reviews.
Others have had problems with free VPN’s that log info and enrich google, etc.
Freedom is not free.
Note Both PerfectPrivacyVPN and NordVPN have affiliate programs.
Perhaps they would be worth considering to enhance IPFire donations.
And what does that canary guarantee? That they are not capturing or analysing any client data?
The question is always who you are protecting yourself against. I suppose most of us are not specifically targeted by a government, but there are potentially more dangerous parties out there depending on who you are.
As long as they cannot guarantee those things with technology, I personally would not trust them. A promise is nice, but not credible at all.
And for the reasons above, I would personally never consider that. IPFire should be independent and funded by its users - not by some advertisement money from a dubious company.
@pmueller & @ms I think it’s great that you feel you can trust your ISP. However, in my opinion your position on VPNs ignores the plight of billions of people who’s internet activity is not only monitored by their ISP, but reported to their government.
Their actions on the web can land them in jail or executed. Accordingly, their ability to access a VPN service can be the difference between life and death. I think for these people, all router software should have an easy way for individuals to add a VPN service.
Hi,
just to make it clear: I have never written that I trust my ISP (or any ISP in general).
If you do not trust your ISP, consider building your own VPN and/or use something like Tor. Especially if you are in such a critical situation as described by @yoda, the last thing you need is a shady company (which wants to earn money!) between your real identity and your enemies.
Despite of that, many applications are not prepared to have their traffic being routed through a VPN. Although this is technically possible in most cases, there are features commonly (ab)used for deanonymisation, such as Canvas fingerprinting, TCP clock skew, keyboard typing fingerprinting, and so on. Staying anonymous is much more difficult than just setting up a VPN connection, and requires changes of the users’ behaviour and his/her client, which are obviously out of scope for IPFire.
Simply enabling a user do route all traffic through a VPN provider creates a false sense of security, which I consider being worse than no security at all. If a government is on to you, a VPN service will not stop them.
Thanks, and best regards,
Peter Müller
I have no idea where I would have suggested this.
I am genuinely trying to understand why a VPN provider is more trustworthy than any ISP. If anyone is getting a “national security letter”, they will have to comply with it - if they want it or not. I do not believe that there is any legal wiggling room, even if you are based on the Cayman Islands. And who says that the canary will disappear after they have received such a letter?