I have a road warrior host to net openvpn connection over BLUE to ipfire that was working fine.
Since I upgraded to the last release it does not work any more.
It seems like openvpn is disabled on BLUE interface.
Can it be reactivated?
Hello Antonie and welcome to the IPFire community,
I have set up a WLAN client via OpenVPN to test whether it is working, and it does.
First I wanted to test it from the blue0 network to the internet (no IPFire internal subnets). I used the "FQDN" section for the blue0 subnet and also enabled redirect-gateway, which triggered the following entry in the ccd directory:
[root@ipfire-rasp ccd]# cat /var/ipfire/ovpn/ccd/wlan
# OpenVPN Client Configuration File
# This client uses the dynamic pool
# Redirect all traffic to us
push redirect-gateway
# DHCP Options
and downloaded the client package, which had the following configuration in it:
########################################################################
# IPFire OpenVPN Client Configuration for "wlvpnan2"
########################################################################
client
dev tun
remote 192.168.11.100 1194
proto udp
tun-mtu 1420
remote-cert-tls server
verify-x509-name ipfire-rasp.localdomain name
mssfix 0
auth SHA512
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact
The remote entry delivered the blue0 IPFire address, as I have it entered in the FQDN line in the WUI. If I used something else, e.g. a DDNS address or similar, in the FQDN line, I needed to set the remote address for the blue0 network in the configuration (*.ovpn) file manually (more addresses are no problem), so I could also connect to the internet.
Client Log:
$ sudo openvpn --config wlvpnan2.ovpn
[sudo] password for ummeegge:
That did not work, please try again.
[sudo] password for ummeegge:
2025-10-19 16:32:36 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2025-10-19 16:32:36 OpenVPN 2.6.15 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-10-19 16:32:36 library versions: OpenSSL 3.2.6 30 Sep 2025, LZO 2.10
2025-10-19 16:32:36 DCO version: N/A
Enter Private Key Password: •••••••••
2025-10-19 16:32:38 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.11.100:1194
2025-10-19 16:32:38 UDPv4 link local: (not bound)
2025-10-19 16:32:38 UDPv4 link remote: [AF_INET]192.168.11.100:1194
2025-10-19 16:32:39 [ipfire-rasp.localdomain] Peer Connection Initiated with [AF_INET]192.168.11.100:1194
2025-10-19 16:32:41 TUN/TAP device tun0 opened
2025-10-19 16:32:41 net_iface_mtu_set: mtu 1420 for tun0
2025-10-19 16:32:41 net_iface_up: set tun0 up
2025-10-19 16:32:41 net_addr_v4_add: 10.231.67.2/24 dev tun0
2025-10-19 16:32:41 Initialization Sequence Completed
Server log:
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 VERIFY SCRIPT OK: depth=1, C=DE, ST=BW, L=Karlsruhe, O=FZeit, OU=FZeit, CN=FZeit CA, emailAddress=ue@ue.org
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 VERIFY OK: depth=1, C=DE, ST=BW, L=Karlsruhe, O=FZeit, OU=FZeit, CN=FZeit CA, emailAddress=ue@ue.org
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 VERIFY SCRIPT OK: depth=0, C=DE, ST=BW, O=FZeit, CN=wlan
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 VERIFY OK: depth=0, C=DE, ST=BW, O=FZeit, CN=wlan
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 peer info: IV_VER=2.6.15
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 peer info: IV_PLAT=linux
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 peer info: IV_TCPNL=1
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 peer info: IV_MTU=1600
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 peer info: IV_NCP=2
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 peer info: IV_PROTO=990
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 peer info: IV_LZO_STUB=1
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 peer info: IV_COMP_STUB=1
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 peer info: IV_COMP_STUBv2=1
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 TLS: Username/Password authentication deferred for username 'Q!_'
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: 192.168.11.103:60586 [wlan] Peer Connection Initiated with [AF_INET]192.168.11.103:60586
Oct 19 16:32:39 ipfire-rasp openvpnserver[29694]: MANAGEMENT: CMD 'client-auth-nt 2 1'
Oct 19 16:32:40 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 MULTI_sva: pool returned IPv4=10.231.67.2, IPv6=(Not enabled)
Oct 19 16:32:40 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 OPTIONS IMPORT: reading client specific options from: /var/ipfire/ovpn/ccd/wlan
Oct 19 16:32:41 ipfire-rasp openvpn-metrics[31808]: Opening session for wlan at 2025-10-19 16:32:38
Oct 19 16:32:41 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_49cb2902ad88e6df35260832aed11b75.tmp
Oct 19 16:32:41 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 MULTI: Learn: 10.231.67.2 -> wlan/192.168.11.103:60586
Oct 19 16:32:41 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 MULTI: primary virtual IP for wlan/192.168.11.103:60586: 10.231.67.2
Oct 19 16:32:41 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 SENT CONTROL [wlan]: 'PUSH_REPLY,route-gateway 10.231.67.1,topology subnet,ping 10,ping-restart 60,redirect-gateway,ifconfig 10.231.67.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1420' (status=1)
Oct 19 16:32:41 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 Data Channel: cipher 'AES-256-GCM', peer-id: 0
Oct 19 16:32:41 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 Timers: ping 10, ping-restart 120
Oct 19 16:32:41 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
Oct 19 16:32:41 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 PUSH: Received control message: 'PUSH_REQUEST'
Questions:
Some first ideas.
Best,
Erik
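Added example (not code from the post above or from the IPFire project): two small helpers for the situation Erik describes, a single client profile that should work both from the BLUE WLAN (server reached at its blue0 address) and from the internet (DDNS name in the FQDN field). `add_remote()` inserts an extra `remote` line into an IPFire-generated .ovpn; OpenVPN tries the remotes in the listed order unless `remote-random` is set, so the WLAN address can be placed first for use at home. Adding a second `remote` does not weaken server verification, because `remote-cert-tls server` and `verify-x509-name` check the server certificate, not the address that was dialled. `pushed_options()` parses the server's `SENT CONTROL ... PUSH_REPLY` log line so one can confirm from the server side that `redirect-gateway` and a pool address were actually pushed. The sample profile and log line are copied from the post (profile comments trimmed); the hostname `vpn.example.org` is an assumption.

```python
import re

# Client profile as generated by the IPFire WUI (copied from the post above,
# comments trimmed). The blue0 address is the only remote.
SAMPLE_OVPN = """\
client
dev tun
remote 192.168.11.100 1194
proto udp
tun-mtu 1420
remote-cert-tls server
verify-x509-name ipfire-rasp.localdomain name
mssfix 0
auth SHA512
auth-nocache
"""

# PUSH_REPLY line from the server log in the post above.
SAMPLE_PUSH_LINE = (
    "Oct 19 16:32:41 ipfire-rasp openvpnserver[29694]: wlan/192.168.11.103:60586 "
    "SENT CONTROL [wlan]: 'PUSH_REPLY,route-gateway 10.231.67.1,topology subnet,"
    "ping 10,ping-restart 60,redirect-gateway,ifconfig 10.231.67.2 255.255.255.0,"
    "peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,"
    "tun-mtu 1420' (status=1)"
)

# Matches "remote HOST PORT" but not "remote-cert-tls" (whitespace required).
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s+(\d+)")


def remotes(ovpn: str) -> list[tuple[str, int]]:
    """All (host, port) remotes of a profile, in the order OpenVPN tries them."""
    return [(m.group(1), int(m.group(2)))
            for line in ovpn.splitlines() if (m := REMOTE_RE.match(line))]


def add_remote(ovpn: str, host: str, port: int = 1194, first: bool = False) -> str:
    """Return the profile with `remote HOST PORT` added.

    The new line goes right after the last existing remote, or before the
    first one when first=True (try the WLAN address first while at home).
    Adding a remote that is already present is a no-op.
    """
    lines = ovpn.splitlines()
    positions = [i for i, line in enumerate(lines) if REMOTE_RE.match(line)]
    if not positions:
        raise ValueError("profile has no remote line to extend")
    for i in positions:
        m = REMOTE_RE.match(lines[i])
        if m.group(1) == host and int(m.group(2)) == port:
            return ovpn
    insert_at = positions[0] if first else positions[-1] + 1
    lines.insert(insert_at, f"remote {host} {port}")
    return "\n".join(lines) + "\n"


PUSH_RE = re.compile(r"SENT CONTROL \[(?P<cn>[^\]]*)\]: 'PUSH_REPLY,(?P<opts>[^']*)'")


def pushed_options(log_line: str) -> tuple[str, dict[str, str]]:
    """Parse a server-side PUSH_REPLY log line.

    Returns (client CN, {option: argument}); flag-style options such as
    redirect-gateway get an empty argument.
    """
    m = PUSH_RE.search(log_line)
    if not m:
        raise ValueError("not a PUSH_REPLY line")
    opts: dict[str, str] = {}
    for item in m.group("opts").split(","):
        key, _, value = item.strip().partition(" ")
        opts[key] = value
    return m.group("cn"), opts


def full_tunnel_ok(log_line: str) -> bool:
    """True when the server pushed redirect-gateway and a tunnel address."""
    _, opts = pushed_options(log_line)
    return "redirect-gateway" in opts and "ifconfig" in opts


if __name__ == "__main__":
    profile = add_remote(SAMPLE_OVPN, "vpn.example.org")
    print(profile)
    cn, opts = pushed_options(SAMPLE_PUSH_LINE)
    print(cn, "got", opts["ifconfig"], "full tunnel:", full_tunnel_ok(SAMPLE_PUSH_LINE))
```

To use it on a real profile, read the .ovpn from the WUI download, pass it through `add_remote()` with the blue0 address or the DDNS name, and write it back; the `remote` entry for a host that cannot be reached from the current network just times out and OpenVPN moves on to the next one.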