Feature Request: VPN Client Compatibility in GUI

Hi. I’m a long-time user of IPFire—over a decade now I think. I have occasionally contributed to this and the prior forums on IPFire (though my old accounts seem to have been deleted). I’m reviving my account to make this plea that you reconsider implementing a VPN client in IPFire.

I have spent the better part of 3-4 days trying to edit the iptables and write custom scripts in IPFire to do this. But I have no idea what I’m doing and it hasn’t worked. And now I’m concerned I’ve probably created some gaping security hole in my IPFire–my editing the iptables is probably a recipe for disaster.

However, I do want to be able to use a VPN service—allowing my ISP to be the MITM is too great of a risk. I realize this may not make sense to some of you from other countries but for many of us we cannot trust our ISPs; the laws on data privacy in the U.S., for example, are minimal and I prefer to route my traffic through a VPN in a country with better privacy laws. I realize this may introduce risks of its own but in my opinion a VPN service whose business model depends on the privacy of my data has more incentive to protect it than my ISP, which has no financial interest in protecting my data, and in any event has no authority to shield it from the government. And in the U.S. at least, this is true of all ISPs.

The lack of this feature in IPFire seems to be a major limitation to me. So much so that I am seriously considering switching from IPFire to something like OPNsense. I’m a huge fan of IPFire and do not want to make this change, but I can’t figure out how to implement a VPN client on IPFire myself, so I do not see a better alternative. I’ve sent you guys a little bit of money to support development of this feature, and just because I like and use IPFire. So maybe it is something you all will reconsider implementing.

1 Like

There was a user who wrote a guide on how to do this!
But it was deleted.
I understand both sides of this debate.
It is a very polarized topic.
Much like the political climate in America.
Perhaps the user that wrote this can reach out to you.
If they spend time checking the forum.

1 Like

If you think that your government does not protect your privacy enough, you may also consider asking your representative (congressman/woman or senator) for different laws about that. And lobby for that. Mr Louis Rossmann owns a repair shop in NYC and likes a “right to repair” approach for hardware and consumer electronics a lot, but a lot of other people stand by talking about ECU and diagnostics on their car, heavy duty vehicles, and so on. I can understand that it’s a long and tricky road, but AFAIK a lot of “not nice laws” have been changed in your country.
Or you can change your country if you like the “newer country” laws about privacy more.
Moreover, you’re not bound to… this distro. You have access to the sources, so you can learn how to change your software to fit your needs.

The request was rejected by the project at least once. And personally, I can understand why.
First of all: in a lot of countries you don’t really need a VPN provider, unless you’re willing to circumvent nationally bounded license/fee access to content. Or do something worse. Not because the laws are perfect, but because you can access a lot of resources like DNS servers (and there’s quite a tough job on DNSSEC on IPFire) that can allow you to locate a lot of servers. Also, most of the TLS-enabled protocols can be configured for HSTS, for not allowing a non-secure dialogue between your device and your service provider, intended as your mailserver or your website or the content provider you’re contacting. Use of TLS/SSL is quite… everywhere, even for posting these words my connection is encrypted between my browser and the server hosting this Discourse installation. The ISP I’m using knows that I’m talking to the server, but cannot wiretap or change what I’m posting. Due to the TLS/SSL connection.
Also… I’m not aware of every segment from my ISP to the server…

Let’s switch to a VPN provider.
Most of them use OpenVPN as “media” to connect between your computer and their connection points. It’s not the only technology used (some also allow L2TP, mostly for enabling connections on mobile devices) but guess what… OpenVPN is based on TLS! In more detailed explanation, it uses OpenSSL as encryption library. It can be a bit more strict about encryption, but if most of your traffic is TLS enabled, you’re wrapping TLS around this once more. Which can only reduce performance.
Moreover: VPN providers are companies who want revenue. But they still have to obey the laws of the countries they are founded in. And if a customer using the services is breaking the law, a court from another country may want to do all the steps to gain access to traffic to the VPN provider, and they have to comply. They’re not immune to their domestic and international laws. And for a few bucks per year, I don’t think that they’re willing to piss off cops or their domestic court. Thousands of bucks per year is still “few” for messing with courts.
But let me extend the reasoning…
If you’re using a VPN provider, exactly in the same way as if you’re using an ISP, they have to take logs of your traffic. What are the ISP and VPN provider allowed to do with this data? It depends on the contract you subscribed to, so it seems more a matter of what you’re signing for, instead of paying twice (ISP and VPN).

You want more privacy? If paying a second company to take note of all your traffic instead of your ISP makes you feel better, I cannot ease this false sense of security. The problem may not really be privacy, but fear.
IMHO you can do something more… effective: know what you’re doing.
What typing www.myfavoritewebsite.splash in your browser means. What using this mail provider instead of that mail provider means. How any company you’re browsing on the web uses the data you provide. How the software you’re using behaves… It would make me laugh if you’re using Microsoft Edge or Google Chrome :) How your network devices work. How the internet really works. How websites and web technology work.
Or pay someone enough and give him/her time and will to teach you info and how to learn. I must stress enough because it’s not only a matter of tech skill, but also human skill to understand people and deliver the full message to minds and hearts.

It’s not a nice world, but paying two companies may not be the most effective way to defend in a better way.

2 Likes

This post was flagged by the community and is temporarily hidden.

This post was flagged by the community and is temporarily hidden.

On your site you can publish everything you want (unless the host answers you that you can’t). This is not my courtyard, not yours.
IMVHO you are free to disagree, but circumventing what was told is rather unpleasant. I prefer arguing with project managers about how they are running (or not running) the project, explaining why they should fulfill some other expectations about functionalities; I’ve been told that “my behavior is not helping”. You would like to stand for your opinion? Maybe you’re going to be scratched and yelled at, as happened to me. But publishing a workaround is rather impolite.

Well, you might have come to the wrong place here.

I do not want to have this debate either. It has been around for ages, and there won’t be a middle ground. But there doesn’t need to be one luckily. IPFire comes with probably enough tools to make this work with various VPN providers.

The IPFire team won’t add any such VPN client options with VPN providers because of the reasons stated many times here and the lack of presenting any valid reason to them why this would be a good idea. It doesn’t stop you from sending in any patches that add this functionality and maintain it if it is such an important feature for you.

The reason why your posts are being flagged is simply that it is not a good idea to just have a number of random commands that someone copies and pastes on their system. It is dangerous and irresponsible to give - especially people who actually need to protect their privacy - this false feeling of security.

2 Likes

I searched different places for how to get VPN clients working on IPFire. Some VPN providers made guides about it, but none of them were complete. One of the guides is based off wiki.ipfire.org - OpenVPN alternative configurations.
That’s where my tunnel shell script probably came from. Of course Jon’s guide is a different use case.

I was just trying to help the thread creator.

1 Like

Thanks, I thought the video would help newbies but it is getting dated.
Thanks for the reply.

Thanks for the reply

No idea why some of the replies here were marked to be hidden when it could genuinely help those looking to find some clues to make this setup work regardless of the controversies behind it.

In any case, I too agree that there needs to be a VPN client web interface on the GUI of IPFire for this use-case as you can literally have a cloud IPFire setup acting as the OpenVPN/IPSec server and you want to connect your home network to your personal cloud network using OpenVPN/IPSec depending on the user’s preferences.