Trying to set up OpenVPNs to an Orange device

I am trying to set up OpenVPN connections to a device in the Orange DMZ zone as shown in the diagram. The device is a Raspberry Pi with a static address. The Raspi is running a web server under development, but this server is not accessible directly from the Internet. The Raspi is also running a webcam app. Fred and Tom require access to the web server, webcam and CLI via the VPNs.

I am having some difficulties setting things up. Reading the guides hasn’t helped enough.

I have set up the certificates OK.
I tried to set up VPNs. I have some questions.

The entry for the Local VPN Hostname/IP was auto-filled by ipFire. It is the current ISP hostname, but this will routinely change with the IP address allocated by the ISP. How do I deal with that? Will the Local VPN Hostname/IP automatically update when the ISP changes my IP address?

I have specified a VPN connection to the Orange network.

Do I need to do anything to specify the Raspi device IP?
Do I need to set up any rules?

Thanks for any advice.


You can either request a static public IP from your ISP or use Dynamic DNS for that (see: Dynamic DNS).

I have dynamic DNS set up and working. That is OK.
What I don't know is whether the ISP updating its hostname (along with the ISP IP address) causes an update in ipFire.

If you have a DDNS name then use that in the Local VPN Hostname/IP: box.

OK I will try that.
I have multiple DDNS services set up to provide redundancy. If one fails, another can be used.
How do I set that up in ipFire?

You can have multiple DDNS services set up in IPFire, but usage of them has to be defined manually. There is no automatic changing from one DDNS service to another if one DDNS service fails.

I need redundant DDNS because not all services work in all countries. If a DDNS service doesn't work, then I need to be able to manually choose another from the remote client end to make a connection to ipFire. E.g. I don't get IP addresses from in my country.

I have several DDNS services configured in ipFire to provide redundancy. As I understand things, the remote client gets an IP address from the DDNS service, then OpenVPN uses that IP to make a connection to my ipFirewall. If that is the way it works, why does ipFire need to know about the VPN service?

These are my VPN settings:

Is the "ISP=SPARK" a modem or a router?
If it's a router, you are double-NATed.
And you will need a port forward in the ISP router.

I have done some more testing.
My ipFire router/firewall is a physical 4 port fanless PC.
As previously stated, I can’t ping the Raspberry Pi on Orange from my desktop PC on Green.
I also have a Raspberry Pi on the Green network. If I log onto this, I can ping and SSH into the device on Orange. No problem there.

So going back to the desktop PC on Green, I tried pinging the Raspi on the Green network, within the same subnet as the desktop. It came back unreachable. Running arp -a did not return the IP address of the Green Raspi.

I went through the Win10 firewall to check settings. I could not find a setting that could create the symptoms I see.

I then checked the Win10 IPv4 settings. I found that the mask had been set to (by me).
I changed this to and everything worked. I think Win10 auto-filled the field and I didn't spot it. I can now access the Raspi on Orange from the PC on Green.

Sorry if I seem a bit slow, but I suffered a significant head injury a while ago and it has affected my thinking and memory.

Thanks for your advice.

My only remaining problem is that I can't set up OpenVPN. The remote client logs the following messages:

2022-06-05 17:17:52 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2022-06-05 17:17:52 OpenSSL: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
2022-06-05 17:17:52 OpenSSL: error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header
2022-06-05 17:17:52 OpenSSL: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
2022-06-05 17:17:52 OpenSSL: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2022-06-05 17:17:52 MANAGEMENT: Client disconnected
2022-06-05 17:17:52 Error reading PKCS#12 file Fred20220605.p12
2022-06-05 17:17:52 Exiting due to fatal error

I started with the default ipFire settings because I assumed these would provide a working VPN configuration. There looks to be multiple problems recorded in the logs…

When I look at ipFire, I can't find any reference to
--ns-cert-type or --remote-cert-tls, or
the other error messages.

I can't find any entries in the ipFire logs, so I am stuck. I have set up OpenVPN before on ipCop OK, but not on ipFire.

Any advice welcome.
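The fatal line in the log above is "Error reading PKCS#12 file Fred20220605.p12"; the ASN.1 errors before it are OpenSSL failing to parse that file, and the "--ns-cert-type is DEPRECATED" line is only a warning about the profile, not the cause of the exit. "ASN1_get_object:too long" is what OpenSSL reports when an encoded length claims more bytes than the input actually contains, which is what a truncated download, a PEM/text file saved under a .p12 name, or an HTML error page looks like. The following script is an added triage example for this thread, not IPFire or OpenVPN code: it decodes only the outermost DER tag and length of the file and reports which of those cases it sees. The sample inputs are constructed inline and are not real certificates; a file that passes this check but still fails in OpenVPN needs `openssl pkcs12 -info -in <file>` to find deeper corruption.

```python
"""Triage a PKCS#12 (.p12) bundle that the OpenVPN client refuses to read.

Added example for this thread, not IPFire or OpenVPN code. It inspects only
the outermost DER tag/length of the file, which is enough to tell a truncated,
PEM-encoded, or HTML/text download apart from a real PFX blob.
"""
import sys

SEQUENCE = 0x30  # every PKCS#12 PFX is an outer ASN.1 SEQUENCE


def der_outer_header(data: bytes) -> tuple[int, int, int]:
    """Decode the first DER tag and length.

    Returns (tag, content_length, header_length). Raises ValueError if the
    bytes cannot be a DER header at all.
    """
    if len(data) < 2:
        raise ValueError("fewer than two bytes, no ASN.1 header possible")
    tag, first = data[0], data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return tag, first, 2
    num_len_bytes = first & 0x7F
    if num_len_bytes == 0:                # 0x80 means indefinite length, BER only
        raise ValueError("indefinite length, not DER")
    if num_len_bytes > 4:
        raise ValueError("length field wider than 4 bytes, not a sane PFX")
    if len(data) < 2 + num_len_bytes:
        raise ValueError("length field itself is truncated")
    length = int.from_bytes(data[2:2 + num_len_bytes], "big")
    return tag, length, 2 + num_len_bytes


def triage_pkcs12(data: bytes) -> str:
    """Return a one-line verdict on why OpenSSL might reject this .p12."""
    head = data.lstrip()[:16]
    if head.startswith(b"-----BEGIN"):
        return "pem: PEM text, not a binary PKCS#12; re-export or pick the .p12 file"
    if head[:1] in (b"<", b"{") or head.startswith(b"HTTP/"):
        return "text: looks like HTML/JSON/HTTP, not PKCS#12 (a download error page?)"
    try:
        tag, length, hlen = der_outer_header(data)
    except ValueError as exc:
        return f"not-der: {exc}"
    if tag != SEQUENCE:
        return f"bad-tag: outer tag 0x{tag:02x} is not SEQUENCE, not a PFX"
    expected = hlen + length
    if expected > len(data):
        return (f"truncated: header promises {expected} bytes but file has "
                f"{len(data)}; OpenSSL reports this as 'ASN1_get_object:too long'")
    if expected < len(data):
        return f"trailing: {len(data) - expected} extra bytes after the PFX structure"
    return f"ok: outer SEQUENCE of {length} bytes is self-consistent"


def constructed_samples() -> dict[str, bytes]:
    """Hand-made inputs (constructed, not real certificates) for each verdict."""
    body = b"\x02\x01\x05"                          # INTEGER 5 as the content
    good = bytes([SEQUENCE, len(body)]) + body      # short-form length
    good_long = bytes([SEQUENCE, 0x82, 0x01, 0x00]) + b"\x00" * 256  # long form
    return {
        "good": good,
        "good_long": good_long,
        "truncated": good_long[:40],                # download cut short
        "pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n",
        "html": b"<html><body>403 Forbidden</body></html>",
        "trailing": good + b"\n",                   # an editor appended a newline
    }


if __name__ == "__main__":
    # Usage: python triage_p12.py Fred20220605.p12
    with open(sys.argv[1], "rb") as fh:
        print(triage_pkcs12(fh.read()))
```

Run it against the exact file the client is pointed at (the path in the profile's `pkcs12` line, not the copy still sitting on the firewall), since a transfer that re-encoded or truncated the bundle is the usual way a freshly exported .p12 turns into these errors.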

Have you read the instructions on


Did you fix "OpenVPN on RED:" just like Shaun HVAC showed?

Looking at your diagram: if Fred or Tom need to connect to the networks behind IPFire, then "OpenVPN on RED:" should be checked, not ORANGE (in Global Settings).


OK. I tried to read the instructions, but they weren’t clear to me.

The ISP supplies an Optical Network Terminal, which is a modem, so no double NATing.

I have changed global settings.

My understanding is that the Local VPN Hostname/IP: box is automatically filled, so if the remote client selects a different DDNS service, that should work. Is that correct? This is important because practical experience shows DDNS service coverage is not global. A client needs to select a DDNS service that operates in their location. Moving from one country to the next may require manually selecting a different DDNS service. At last resort, they need to enter the current IP address of my internet connection.

A static RED address is available from the local ISP, but the price is too high. I plan to continue to use DDNS.

I have created the following rule to link the OpenVPN to Orange. Does this look right?

Is there any risk that VPN traffic could leak out of Orange?

Thanks for your help.

As “Local VPN Hostname/IP:” the FQDN or the IP of the red interface will be set automatically. If you use a DSL connection, it is also possible to configure your own dynamic dns addresses in IPFire. For DSL and other dial-up connections, IP-addresses are changing, and the OpenVPN-server would no longer be available! So without a static IP, a “Dynamic Domain Name System” makes the OpenVPN-service permanently available.

Below is a link to a similar topic

You should not need that.
Connection status and control
Click the pencil.
You want OpenVPN "advanced options".
You can select the orange zone there.

Thanks for the advice.
I have removed the rule and selected the orange zone in the “advanced options”.

I had already selected Orange in the advanced options back in mid-May based on your advice. I'd just forgotten that I had done it. Bad memory is a side-effect of head injury.

I already have a number of DDNS services/hosts configured. Not all services work in all countries.

After reviewing the instructions again, it is still not clear to me what the instructions are trying to say.

As “Local VPN Hostname/IP:” the FQDN or the IP of the red interface will be set automatically. If you use a DSL connection, it is also possible to configure your own dynamic dns addresses in IPFire. For DSL and other dial-up connections, IP-addresses are changing, and the OpenVPN-server would no longer be available! So without a static IP, a “Dynamic Domain Name System” makes the OpenVPN-service permanently available.

I still don’t understand why/how entering a value here affects ipFire operation.
Does this limit DDNS to a specific hostname (eg. ?
Will this box accept a comma-separated list of multiple DDNS hostnames (important if global coverage is required)?
How would this part of ipFire know if a DDNS service is being used?
What if a VPN client/user simply enters the current ISP-allocated IP address for my internet connection (that's what I do to test VPN connections to eliminate/identify a bad DDNS service)?

So I can probably rely on the default settings for “Local VPN Hostname/IP:” but I still find this section of the instructions unclear and confusing.

Did you read the page below

Yes I have.
I have used DDNS with ipCop for years. ipFire is basically the same setup.

I still don’t understand how ipFire operation is affected by the “Local VPN Hostname/IP:” setting.

This is the hostname or IP address, on the RED side, to access OpenVPN and your IPFire device. (to me it is not labeled the best). Without it being correct you cannot access OpenVPN and your IPFire device.

So for me it is a Dynamic DNS name. But it could be a RED IP address.

Did you make contact with a Dynamic DNS vendor and create a new Dynamic DNS hostname? I think in Post 3 you mentioned you did.

Place that new Dynamic DNS hostname in Local VPN Hostname/IP.

Once this is done (and it is correct) you can create your new OpenVPN connections.

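The practical meaning of "Local VPN Hostname/IP" is easiest to see from the client side: the value ends up as the `remote <host> <port>` line of the .ovpn profile handed to Fred and Tom, and it is the client, not the OpenVPN server, that resolves that name at connect time. The script below is an added example for this thread, not IPFire's own code, and it assumes the profile IPFire generates carries that line in the standard OpenVPN form (check your own .ovpn). It reports the `remote` entries and the `pkcs12` file a profile references, flags the deprecated `ns-cert-type` directive that the earlier log warned about with its replacement, and rewrites the profile with several `remote` lines, which is how a client gets a fallback from one DDNS name to another (or to a raw IP) without the server needing to know about it: OpenVPN tries the listed remotes in order, or at random if `remote-random` is set. The sample profile and hostnames are constructed placeholders.

```python
"""Inspect and rewrite an OpenVPN client profile (.ovpn).

Added example for this thread, not IPFire's own code. Assumption: the profile
IPFire generates carries the "Local VPN Hostname/IP" value as a standard
'remote <host> <port> [proto]' line, which the client resolves itself.
"""

# Directives recent OpenVPN clients warn about, with the suggested replacement.
DEPRECATED = {"ns-cert-type": "remote-cert-tls"}


def _directives(text: str):
    """Yield (keyword, args) per directive, skipping comments and <inline> blocks."""
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line.startswith("</"):
                in_block = False          # end of e.g. <ca> ... </ca>
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = True               # start of an inline certificate/key body
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def lint_profile(text: str) -> dict:
    """Summarise the parts of a profile that decide whether the client can reach the server."""
    remotes, warnings, pkcs12 = [], [], None
    for kw, args in _directives(text):
        if kw == "remote" and args:
            host = args[0]
            port = args[1] if len(args) > 1 else "1194"   # OpenVPN's default port
            proto = args[2] if len(args) > 2 else None
            remotes.append((host, port, proto))
        elif kw in DEPRECATED:
            warnings.append(f"'{kw}' is deprecated; use '{DEPRECATED[kw]} {' '.join(args)}'")
        elif kw == "pkcs12" and args:
            pkcs12 = args[0]              # the file the earlier log failed to read
    if not remotes:
        warnings.append("no 'remote' line: the client has nowhere to connect")
    return {"remotes": remotes, "pkcs12": pkcs12, "warnings": warnings}


def with_fallback_remotes(text: str, hosts, port: int = 1194, proto: str = "udp") -> str:
    """Return a copy of the profile with its 'remote' line(s) replaced by one per host.

    OpenVPN tries remotes in the listed order (add 'remote-random' to shuffle),
    so several DDNS names, or a raw IP as a last resort, give client-side
    fallback without any change on the firewall. Inline <ca> bodies are base64
    and never start with 'remote', so no block tracking is needed here.
    """
    kept, inserted = [], False
    for raw in text.splitlines():
        if raw.strip().split()[:1] == ["remote"]:
            if not inserted:
                kept.extend(f"remote {h} {port} {proto}" for h in hosts)
                inserted = True
            continue                      # drop the original remote line(s)
        kept.append(raw)
    if not inserted:                      # profile had no remote at all
        kept.extend(f"remote {h} {port} {proto}" for h in hosts)
    return "\n".join(kept) + "\n"


# Constructed sample resembling a generated client profile; hostname is a placeholder.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn-one.dyndns.example 1194
pkcs12 Fred20220605.p12
ns-cert-type server
verb 3
<ca>
MIIB...not a real certificate...
</ca>
"""

if __name__ == "__main__":
    print(lint_profile(SAMPLE_PROFILE))
    print(with_fallback_remotes(SAMPLE_PROFILE,
                                ["vpn-one.dyndns.example", "vpn-two.ddns.example", "203.0.113.7"]))
```

Because the name is only consumed by the client, a user in a country where one DDNS provider is blocked can be given a profile listing the working provider first, or the current RED address, and the firewall configuration stays the same; what the firewall does need is for each listed name to actually resolve to its RED address, which is the DDNS update job, not the VPN setting.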

I have 4 different DDNS services configured to
The value entered by ipFire into the Local VPN Hostname/IP is from my ISP and is not related in any way to the DDNS services. The ISP address includes my current external IP address. I would expect that when my ISP changes my web address, the Local VPN Hostname/IP entry will also change.

I know that when a remote client enters the text based address, the DDNS returns my IP address. That IP is then used to get to my Red network. That happens without interaction with ipFire. If I manually tell the remote person to enter my Red address manually, they can also reach my Red network and make a VPN connection without prior connection to any DDNS service, or ipFire. I do this for testing, and I do this when the person is in a country that blocks DDNS services.

I don’t understand what Local VPN Hostname/IP is, why it is necessary, or why I might need to know about it. The instructions don’t make sense to me.

I don't think this is the case. For OpenVPN.
Which is why you want your DNS Name here.
So if your ip changes it updates to the correct ip.
Which will resolve to your DNS name.
