Feature Request: VPN Client Compatibility in GUI

Hi. I’m a long-time user of IPFire—over a decade now, I think. I have occasionally contributed to this and the prior forums on IPFire (though my old accounts seem to have been deleted). I’m reviving my account to make this plea that you reconsider implementing a VPN client in IPFire.

I have spent the better part of 3-4 days trying to edit the iptables and write custom scripts in IPFire to do this. But I have no idea what I’m doing and it hasn’t worked. And now I’m concerned I’ve probably created some gaping security hole in my IPFire–my editing the iptables is probably a recipe for disaster.

However, I do want to be able to use a VPN service—allowing my ISP to be the MITM is too great of a risk. I realize this may not make sense to some of you from other countries but for many of us we cannot trust our ISPs; the laws on data privacy in the U.S., for example, are minimal and I prefer to route my traffic through a VPN in a country with better privacy laws. I realize this may introduce risks of its own but in my opinion a VPN service whose business model depends on the privacy of my data has more incentive to protect it than my ISP, which has no financial interest in protecting my data, and in any event has no authority to shield it from the government. And in the U.S. at least, this is true of all ISPs.

The lack of this feature in IPFire seems to be a major limitation to me. So much so that I am seriously considering switching from IPFire to something like OPNsense. I’m a huge fan of IPFire and do not want to make this change, but I can’t figure out how to implement a VPN client on IPFire myself, so I do not see a better alternative. I’ve sent you guys a little bit of money to support development of this feature, and just because I like and use IPFire. So maybe it is something you all will reconsider implementing.

1 Like

There was a user who wrote a guide on how to do this!
But it was deleted.
I understand both sides of this debate.
It is a very polarized topic.
Much like the political climate in America.
Perhaps the user that wrote this can reach out to you.
If they spend time checking the forum.

1 Like

If you think that your government does not protect your privacy enough, you may also consider asking your representative (congressman/woman or senator) for different laws about that. And lobby for that. Mr Louis Rossmann owns a repair shop in NYC and very much likes a “right to repair” approach for hardware and consumer electronics, but a lot of other people stand by it talking about ECUs and diagnostics on their cars, heavy-duty vehicles, and so on. I can understand that it’s a long and tricky road, but AFAIK a lot of “not nice laws” have been changed in your country.
Or you can change your country if you prefer the “newer country” laws about privacy.
Moreover, you’re not bound to… this distro. You have access to the sources, so you can learn how to change your software to fit your needs.

The request was rejected at least one time by the project. And personally, I can understand why.
First of all: in a lot of countries you don’t really need a VPN provider, unless you’re willing to circumvent nationally bound license/fee access to content. Or do something worse. Not because the laws are perfect, but because you can access a lot of resources like DNS servers (and there’s quite a tough job on DNSSEC on IPFire) which allow you to locate a lot of servers. Also, most of the TLS-enabled protocols can be configured for HSTS, to not allow a non-secure dialogue between your device and your service provider, meaning your mail server or your website or the content provider you’re contacting. Use of TLS/SSL is quite… everywhere; even for posting these words my connection is encrypted between my browser and the server hosting this Discourse installation. The ISP I’m using knows that I’m talking to the server, but cannot wiretap or change what I’m posting, due to the TLS/SSL connection.
Also… I’m not aware of every segment from my ISP to the server…

Let’s switch to a VPN provider.
Most of them use OpenVPN as the “medium” to connect between your computer and their connection points. It’s not the only technology used (some also allow L2TP, mostly for enabling connections on mobile devices) but guess what… OpenVPN is based on TLS! In more detail, it uses OpenSSL as its encryption library. It can be a bit more strict about encryption, but if most of your traffic is TLS enabled, you’re wrapping TLS around this once more. Which can only reduce performance.
Moreover: VPN providers are companies that want revenue. But they still have to obey the laws in the countries where they are founded. And if a customer using the service is breaking the law, a court from another country may want to take all the steps to gain access to traffic at the VPN provider, and they have to comply. They’re not immune to their domestic and international laws. And for a few bucks per year, I don’t think that they’re willing to piss off cops or their domestic court. Thousands of bucks per year is still “few” for messing with courts.
But let me extend the reasoning…
If you’re using a VPN provider, exactly in the same way as if you’re using an ISP, they have to take logs of your traffic. What are ISPs and VPN providers allowed to do with this data? It depends on the contract you subscribed to, so it seems more a matter of what you’re signing for, instead of paying twice (ISP and VPN).

You want more privacy? If paying a second company to take note of all your traffic instead of your ISP makes you feel better, I cannot ease this false sense of security. The problem may not really be privacy, but fear.
IMHO you can do something more… effective: know what you’re doing.
What it means to type www.myfavoritewebsite.splash in your browser. What it means to use this mail provider instead of that mail provider. How any company you’re browsing on the web uses the data you provide. How the software you’re using behaves… It would make me laugh if you’re using Microsoft Edge or Google Chrome :) How your network devices work. How the internet really works. How websites and web technology work.
Or pay someone enough and give him/her the time and will to teach you the info and how to learn. I must stress this enough because it’s not only a matter of tech skill, but also of human skill to understand people and deliver the full message to minds and hearts.

It’s not a nice world, but paying two companies may not be the most effective way to defend in a better way.

2 Likes
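The HSTS point in the post above (that a TLS-enabled service can tell the browser to refuse any non-secure dialogue) is easier to reason about when you see what the header actually carries. The following is an added example, not code from this thread or from the IPFire project: a small Python parser for the Strict-Transport-Security header as defined in RFC 6797, run over constructed sample HTTP responses that are not captured from any real server. The `assess` labels and the one-year threshold are my own choices for illustration.

```python
"""Parse and assess an HTTP Strict-Transport-Security (HSTS) header, RFC 6797."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    "strong": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
        "\r\n"
    ),
    "weak": (
        "HTTP/1.1 200 OK\r\n"
        "strict-transport-security: max-age=0\r\n"
        "\r\n"
    ),
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

ONE_YEAR = 365 * 24 * 3600  # illustrative threshold, common preload-list minimum


@dataclass
class HstsPolicy:
    max_age: int             # seconds the browser must remember "HTTPS only"
    include_subdomains: bool  # policy also covers all subdomains
    preload: bool             # site opts into browser preload lists


def extract_hsts_header(raw_response: str) -> Optional[str]:
    """Return the value of the first STS header in a raw HTTP/1.1 response, or None.

    Header names are case-insensitive, so 'strict-transport-security' also matches.
    """
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse the ';'-separated directive list.

    max-age is mandatory; unknown directives are ignored (RFC 6797 section 6.1).
    A malformed max-age makes the whole header invalid, which a browser treats
    as if no policy were sent.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be quoted-string
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess(raw_response: str) -> str:
    """Classify the HSTS posture of a response into a short label."""
    header = extract_hsts_header(raw_response)
    if header is None:
        return "none"      # browser may follow a plain-HTTP link without complaint
    policy = parse_hsts(header)
    if policy is None:
        return "invalid"   # present but unparseable: browsers ignore it
    if policy.max_age == 0:
        return "cleared"   # max-age=0 deletes any cached policy
    if policy.max_age < ONE_YEAR:
        return "short"     # policy expires quickly, downgrade window reopens
    return "strong"


if __name__ == "__main__":
    for label, response in SAMPLE_RESPONSES.items():
        print(f"{label:>8}: {assess(response)}")
```

The useful lesson is the distinction between "none", "invalid" and "cleared": all three leave the browser willing to talk plain HTTP to the site, which is exactly the on-path position a network operator (ISP or VPN provider alike) would need for tampering; only a long max-age policy closes it, and only after the first secure visit unless the site is preloaded.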

On your site you can publish everything you want (unless the host tells you that you can’t). This is not my courtyard, nor yours.
IMVHO you are free to disagree, but circumventing what you were told is rather unpleasant. I prefer arguing with project managers about how they are running (or not running) the project, explaining why they should fulfill some other expectations about functionality; I’ve been told that “my behavior is not helping”. You would like to stand up for your opinion? Maybe you’re going to be scratched and yelled at, as happened to me. But publishing a workaround is rather impolite.

Well, you might have come to the wrong place here.

I do not want to have this debate either. It has been around for ages, and there won’t be a middle ground. But there doesn’t need to be one luckily. IPFire comes with probably enough tools to make this work with various VPN providers.

The IPFire team won’t add any such VPN client options with VPN providers because of the reasons stated many times here and the lack of presenting any valid reason to them why this would be a good idea. It doesn’t stop you from sending in any patches that add this functionality and maintain it if it is such an important feature for you.

The reason why your posts are being flagged is simply that it is not a good idea to just have a number of random commands that someone copies and pastes on their system. It is dangerous and irresponsible to give - especially people who actually need to protect their privacy - this false feeling of security.

2 Likes

I searched different places for how to get VPN clients working on IPFire. Some VPN providers made guides about it, but none of them were complete. One of the guides is based on wiki.ipfire.org - OpenVPN alternative configurations
That’s where my tunnel shell script probably came from. Of course Jon’s guide is a different use case.

I was just trying to help the thread creator.

1 Like

Thanks, I thought the video would help newbies but it is getting dated.
Thanks for the reply

Thanks for the reply

No idea why some of the replies here were marked to be hidden when it could genuinely help those looking to find some clues to make this setup work regardless of the controversies behind it.

In any case, I too agree that there needs to be a VPN client web interface on the GUI of IPFire for this use-case as you can literally have a cloud IPFire setup acting as the OpenVPN/IPSec server and you want to connect your home network to your personal cloud network using OpenVPN/IPSec depending on the user’s preferences.

I struggled for many days trying to figure out how to get my IPFire to link up with the 1-year VPN subscription that I bought. On that note, I might not have bought it if I had known some of the background info I have found since buying it and trying to get it all set up. This should be more visible in the IPFire VPN documentation. Otherwise others like myself will keep stumbling across other routers’ and firewalls’ pages that easily explain how to add in paid-for VPNs, leaving us wondering why the equivalent information is not up front for IPFire users to find until we dig deep enough to uncover this thread and others…

Hello,
I am a little sorry for you that you find yourself in that position. The OpenVPN wiki page explains it in the first line → wiki.ipfire.org - OpenVPN on IPFire

"# OpenVPN on IPFire

OpenVPN is a VPN service that allows remote networks or wireless clients, such as laptops, to connect to IPFire."

In the second view → wiki.ipfire.org - Global settings you can find only server settings, which indicates that IPFire does officially provide OpenVPN as a server, and N2N is a peer-to-peer topology.

Although your wanted configuration is possible, it should be said again: this is not as safe as most people would think. Latest example → One of Biggest Android VPN Services User Data Hacked | CyberNews

" The danger of using VPNs that log your data

If the data sold by the threat actor is genuine, it appears that the VPN providers in question are logging far more information about their users than stated in their Privacy Policies."

Best,

Erik

2 Likes

Hi Erik,

Thanks for the info on the wiki but it misses what I was trying to say.

I think it would be beneficial for the wiki to discuss the issues you brought up in a very high-level manner so someone like myself who has no prior experience with a VPN could read it and immediately understand (and get educated) on VPNs and how IPFire handles them.

For instance, when I first heard about VPNs it was from a VPN provider saying it was safer to browse using a VPN. When I heard this, I jumped to the conclusion that you can purchase access to a VPN to make your browsing at home safer and that this could only be done through a VPN provider - much like your internet provider. I did not think of the VPN as a client/service that could be set up on any computer, which is what I’ve figured out after spending a week digging around in these forums. I assumed that in order to get access to a VPN you needed to pay for it. All the home-brewed firewalls out there (i.e. IPFire) would naturally support hooking up to these VPN providers because why not? I had no idea that IPFire would set up a VPN (without a VPN provider) to be used by you for safer browsing via public wifi locations. The wiki does not explain this in details that a VPN rookie would understand. Once I had learned this, I was quick to find the posts regarding trusting a VPN provider vs trusting your internet provider and things became clearer to me. Writing up some sort of VPN intro and how VPNs and IPFire relate (and VPN providers) would help educate a lot of people in my shoes who just don’t know.

Now setting up your personal home IPFire VPN will not help with accessing streaming sources across different countries, so I would also stress in the wiki that the methodology of IPFire is not to support that functionality and explain why. This would go a long way to educating new users of IPFire (and old users) on why IPFire doesn’t do what other firewalls out there can do.

I think this would be beneficial for everyone.

I was also able to get my money back from my VPN provider seeing as I was “unable” to get it working with IPFire. I know I could have manually played with it and got the OpenVPN client up and running and eventually accomplished it, but after knowing the details of VPN providers I was fine with not using it. I do know if I were a roamer and visited public areas with wifi that I would be all over this, but I’m not, so I’ve determined I don’t need a VPN. Took me a while but at least I know now. Let’s make this easier for new people to come to the same conclusion.

3 Likes

Hi Darren - Thank you for the interesting post! Please take a moment to update and improve the VPN wiki. It is open to you (and everyone else) to improve and make better.

If you have issues or questions, feel free to post a question. I’d be happy to help!

Thanks again!
Jon

1 Like

I am no real expert here or anything and I think I understand a little bit of both sides’ argument. While I don’t want to sound like I know it all, I was thinking of somewhat of a simple compromise or idea. Nowhere near perfect but maybe a start of something.

So you need a VPN service that both works with IPFire and can be trusted with protecting your data.

I think IPFire offers a cloud appliance that could be used for that.

https://www.lightningwirelabs.com/products/ipfire/cloud

The Exoscale service is based in Switzerland. How would the privacy practices in Switzerland compare to your requirements?

Ugh, I can’t really be bothered to be reading privacy laws right now lol
But one thing’s for sure: I absolutely trust ProtonVPN with my internet activity-related data and they are based in Switzerland, period. XD

Well, if it’s the decision of the devs to withhold from the average user the ability to use IPFire as an OpenVPN client for their own safety, then I guess that is understandable, and anyone really wanting this feature can always make it and submit a pull request or use the other options available to them.

That said, I remembered that IPFire’s IPSec does offer a Net-to-Net setup and it’s considerably better than going the OpenVPN client route.

1 Like

Darren - your changes look great! Thank you!

ProtonVPN is a new one for me, thanks for pointing to it. I don’t know anything about them at all; just from reading their page they seem to me to be a white-labeled service for other VPN providers, but I don’t know.

They are based in Switzerland but their servers are in 54 countries.
I am just wondering what makes you trust them more than any other provider? Did you see any court proceedings involving their customers? Marketing is one thing, but I wonder how real life can challenge any of their claims. Just curious if they are different than the others.

1 Like