Now a VPN project

So dear people,

now further in the program :slight_smile: :slight_smile:

I now have 2 Ipfire’s at the start and they work as expected. Email, firewall rules, proxy, everything is top notch.

Now comes the last big order/project. As can be seen in the picture, all computers are in the blue network, both private and business.

The two servers should now synchronize as a backup.
According to this guide:
I tried it. The connection is also there. But I don’t have access to devices in the blue network. They can’t be reached via ping either. Is this even possible in the blue network? The blue network is a bit safer, isn’t it?
The only thing that could still be possible (if it helps) I could connect the server from the private network to the green network. Unfortunately this doesn’t work with the other server.

The two Ipfire devices are next to each other if that helps.

What should I choose here? The best thing would be that the connection could be switched on or off at a certain time.

Is my plan even possible?

That link is for a video from 7 years ago.

If you want a net 2 net vpn i would start with the wiki.
I followed that for my n2n openvpn setup on my vm testbed.


Is there a reason why everything is in BLUE and not in GREEN on both sides?

I think I read that the blue network is more closed than the green one

Well, you seem to experience exactly that now. :wink:

For all normal use cases, resources should be put in the GREEN zones.

Then I’ll try IPSec.

The questions are:
Since both red interfaces of the Ipfire devices are connected to the Fritzbox, I don’t need a DYNDNS address, right?

Does Global IPSec have to be switched on or does this only apply to the Roadworriar connection?

I have now the Connection over IPSec with a PreShared Key.

The Connections startet correctly but i can not find all Clients with PING…

What also seems strange to me is that I can also reach the private red interface from the business network via PING. But from the private network I cannot reach the business red interface via PING.
Could this be the problem?

Hello dear users,

So I have now set up an OpenVPN in Ipfire and with a Windows tool I access the Ipfire from a Windows client and also reach the other clients in the remote network.

Now I have to set up a VPN connection in the QNAP server. I cannot upload the Config.opvn to the Qnap because an error message appears. Error that the file contains incorrect data.

Now I wanted to test an IP Sec connection in IPFire and then set it up in Qnap. However, as in the screenshot, I have to enter the user name and password AND the pre-shred key. It doesn’t all work together, does it?

How can I create this now?

Best regards

L2TP/IPSec is not used in IPFire.

You need to be looking for IKEv2/IPSec PSK for use with preshared key or if you changed the cipher set to IKEv1 instead of IKEv2 then you need to look for IPSec Xauth PSK on the qnap.

1 Like

Thanks for the reply,

So in QNAP I only have these options like in the screenshot.
And it’s a shame that OpenVPN doesn’t work because there is some incorrect data in the config file. I’ll post this in the QNAP forum

I’m currently trying to set up the IP Sec server for my mobile devices.

Everything is set up as shown in the picture and the profile is imported into the iPhone. The connection attempt then terminates at some point without an error message.
Are the settings correct? I did it that way according to the WIki. I read about the new network in some post.

QNAP OVPN does not accept this line in the config file:

pkcs12 QnapTS473aufPT.p12

Maybe qnap is using an older version of openvpn that does not accept the pkcs12 line.

What version of openvpn is qnap using?

You can find out by running
openvpn --version
on the qnap system.

OpenVPN 2.4.11 x86_64-QNAP-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 28 2023
library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10

OpenVPN-2.4.11 is three years old.

I suspect that there is a mismatch between that version and format that IPFire is providing with its openvpn-2.5.9 version.

Unfortunately, from my reading up about qnap the likelihood of them updating the software is low. I have seen similar issues with clamav on qnap as they are using clamav versions that are EOL and no longer supported for database downloads.
You could try to contact qnap and ask them about software updates, especially for the security issues.

Also fro the version info you can see that openssl-1.1.1t is the version.

The last version of the 1.1.1 branch was 1.1.1w and that went EOL on 11th September 2023. There are 7 CVE’s in the 1.1.1 branch between 1.1.1t and 1.1.1w

Unfortunately I suspect the same thing will exist with qnap and the openssl versions. Doing a search I could not find anything related to qnap and moving from openssl-1.1.1x to openssl-3.x

The qnap wiki on openssl certificate generation is from 2012 and dealing with openssl-1.0.1e
Searching on the wiki for openvpn comes back with 0 results.

Unfortunately it looks like I don’t have any good news on how to overcome this problem, other than obtaining newer hardware.

I think I need to set up a VPN connection from IPfire to IPfire in the local network.

A VPN connection from private to business already works. If necessary, I access the business using Windows Client.

Does IPSec also work in the local network? You could switch the connection over time. The OpenVPN would have to be permanently on, but that wouldn’t necessarily be a problem.


So I finally got an IPSec connection and it works perfectly.

Now it’s just a matter of establishing an IPSec connection from external (table or cell phone) via

I think I’ll start a separate topic :slight_smile:

Anyway, thanks again to you

So now I have a small problem with the OpenVPN connection.
It works great with Windows 10. However, if I install OpenVPN on the Windows 11 machine and enter the same configuration, the Windows 11 client does not connect to the Ipfire machine. Could it be because of Windows 11?