Trying to setup OpenVPNs to Orange device

Hi
I need redundant DDNS because not all services work in all countries. If a DDNS service doesn’t work, then I need to be able to manually choose another from the remote client end to make a connection to ipFire. eg. I don’t get ip addresses from freedns.afraid.org in my country.

I have several DDNS services configured in ipFire to provide redundancy. As I understand things, the remote client gets an IP address from the DDNS service, then openVPN uses that ip to make a connection to my ipFirewall. If that is the way it works, why does ipFire need to know about the VPN service?

This is my VPN settings

Is the “ISP=SPARK” a modem or a router?
If it’s a router you are double NAT.
And you will need a port forward in the ISP router.

Hi
I have done some more testing.
My ipFire router/firewall is a physical 4 port fanless PC.
As previously stated, I can’t ping the Raspberry Pi on Orange from my desktop PC on Green.
I also have a Raspberry Pi on the Green network. If I log onto this, I can ping and ssh into the device on Orange. No problem there.

So going back to the desktop PC on Green, I tried pinging the Raspi on the Green network, within the same subnet as the desktop. It came back unreachable. Running arp -a did not return the IP address of the green Raspi.

I went through the Win10 firewall to check settings. I could not find a setting that could create the symptoms I see.

I then checked the win10 ip4 settings. I found that the mask had been set to 255.255.0.0 (by me).
I changed this to 255.255.255.0 and everything worked. I think Win10 autofilled the 255.255.0.0 field and I didn’t spot it. I can now access the Raspi on Orange from the PC on Green.

Sorry if I seem a bit slow but I suffered a significant head injury a while ago and it has affected my thinking and memory.

Thanks for your advice.

My only remaining problem is that I can’t setup openVPN. The remote client logs the following messages:

2022-06-05 17:17:52 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2022-06-05 17:17:52 OpenSSL: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
2022-06-05 17:17:52 OpenSSL: error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header
2022-06-05 17:17:52 OpenSSL: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
2022-06-05 17:17:52 OpenSSL: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2022-06-05 17:17:52 MANAGEMENT: Client disconnected
2022-06-05 17:17:52 Error reading PKCS#12 file Fred20220605.p12
2022-06-05 17:17:52 Exiting due to fatal error

I started with the default ipFire settings because I assumed these would provide a working VPN configuration. There looks to be multiple problems recorded in the logs…

When I look at ipFire, I can’t find any reference to --ns-cert-type or --remote-cert-tls, or to the other error messages.

I can’t find any entries on the ipFire logs so I am stuck. I have setup OpenVPN before on ipCop OK, but not on ipFire.

Any advice welcome.

Have you read the instructions on wiki.ipfire.org?

edit:

Did you fix “OpenVPN on RED:” just like Shaun HVAC showed?

Looking at your diagram - If Fred or Tom need to connect to the networks behind IPFire, then “OpenVPN on RED:” should be checked, not ORANGE (in Global Settings).


Hi
OK. I tried to read the instructions, but they weren’t clear to me.

The ISP supplies an Optical Network Terminal which is a modem, so no double NATing.

I have changed global settings.

My understanding is that the Local VPN Hostname/IP: box is automatically filled, so if the remote client selects a different DDNS service, that should work. Is that correct? This is important because practical experience shows DDNS service coverage is not global. A client needs to select a DDNS service that operates in their location. Moving from one country to the next may require manually selecting a different DDNS service. At last resort, they need to enter the current IP address of my internet connection.

A static RED address is available from the local ISP, but the price is too high. I plan to continue to use DDNS.

I have created the following rule to link the openVPN to Orange. Does this look right?

Is there any risk that VPN traffic could leak out of Orange?

Thanks for your help.

As “Local VPN Hostname/IP:” the FQDN or the IP of the red interface will be set automatically. If you use a DSL connection, it is also possible to configure your own dynamic dns addresses in IPFire. For DSL and other dial-up connections, IP-addresses are changing, and the OpenVPN-server would no longer be available! So without a static IP, a “Dynamic Domain Name System” makes the OpenVPN-service permanently available.

Below is a link to a similar topic

You should not need that
Connection status and control
Click the pencil
You want openvpn " advanced options"
You can select orange zone there.

Hi
Thanks for the advice.
I have removed the rule and selected the orange zone in the “advanced options”.

I had already selected Orange in the advanced options back in mid-May based on your advice. I’d just forgotten that I had done it. Bad memory is a side-effect of head injury.

I already have a number of DDNS services/hosts configured. Not all services work in all countries.

After reviewing the instructions again, it is still not clear to me what the instructions are trying to say.

As “Local VPN Hostname/IP:” the FQDN or the IP of the red interface will be set automatically. If you use a DSL connection, it is also possible to configure your own dynamic dns addresses in IPFire. For DSL and other dial-up connections, IP-addresses are changing, and the OpenVPN-server would no longer be available! So without a static IP, a “Dynamic Domain Name System” makes the OpenVPN-service permanently available.

I still don’t understand why/how entering a value here affects ipFire operation.
Does this limit DDNS to a specific hostname (eg. ipfiretest.noip.info) ?
Will this box accept a comma separate list of multiple DDNS hostnames (important if global coverage is required)?
How would this part of ipFire know if a DDNS service is being used?
What if a VPN client/user simply enters the current isp allocated ip address for my internet connection (that’s what I do to test VPN connections to eliminate/identify a bad DDNS service)?

So I can probably rely on the default settings for “Local VPN Hostname/IP:” but I still find this section of the instructions unclear and confusing.

Did you read the page below

Hi
Yes I have.
I have used DDNS with ipCop for years. ipFire is basically the same setup.

I still don’t understand how ipFire operation is affected by the “Local VPN Hostname/IP:” setting.

This is the hostname or IP address, on the RED side, to access OpenVPN and your IPFire device. (to me it is not labeled the best). Without it being correct you cannot access OpenVPN and your IPFire device.

So for me it is a Dynamic DNS name. But it could be a RED IP address.

Did you make contact with a Dynamic DNS vendor and create a new Dynamic DNS hostname? I think in Post 3 you mentioned you did.

Place that new Dynamic DNS hostname in Local VPN Hostname/IP.

Once this is done (and it is correct) you can create your new OpenVPN connections.


Hi
I have 4 different DDNS services configured to
The value entered by ipFire into the Local VPN Hostname/IP is from my ISP and is not related in any way to the DDNS services. The ISP address includes my current external IP address. I would expect when my ISP changes my web address, the Local VPN Hostname/IP entry will also change.

I know that when a remote client enters the text based address, the DDNS returns my IP address. That IP is then used to get to my Red network. That happens without interaction with ipFire. If I manually tell the remote person to enter my Red address manually, they can also reach my Red network and make a VPN connection without prior connection to any DDNS service, or ipFire. I do this for testing, and I do this when the person is in a country that blocks DDNS services.

I don’t understand what Local VPN Hostname/IP is, why it is necessary, or why I might need to know about it. The instructions don’t make sense to me.

I don’t think this is the case. For openvpn.
Which is why you want your DNS Name here.
So if your ip changes it updates to the correct ip.
Which will resolve to your DNS name.


Hi
My use case is that a remote road warrior client needs to access my Orange local host network. For that they need my current exposed internet IP. They can get that from a DDNS service, I can tell them what it currently is, or I could have a fixed IP address.

Is the Local VPN Hostname/IP for the use case where I need to initiate a VPN as a client, to connect to a remote host? If that is the case, then entering the DDNS named address in the Local VPN Hostname/IP box makes sense. If that is the case, then it is not clear to me from reading the guide. Maybe a diagram would make it easier to understand.

Yes, the info in that box is put into the .ovpn config file to be provided to your client.
The config ends up with a line:-
remote "Local VPN Hostname/IP" "Destination port"
so that the client knows where to connect to for the OpenVPN connection.

You can use multiple .ovpn configuration files.
Below is a simple example of the possibilities.

Add dyndns hosts.

Add OpenVPN connection and click Download Client Package(zip)

Save the zip and unzip it.

Rename the .ovpn file to a name you recognize.

In the downloaded .ovpn file you have the dyndns host entered in the Local VPN Hostname/IP: box.

Next, click Download Client Package (zip) again, save it with a different name and unzip it.

Then in the .ovpn file we replace the “default” dyndns host with another
(In this example, “testfordazznoip.myddns[.]me” changed to “testfordazzduckdns.duckdns[.]org”)

Note: Generally, the above connections use the same Authentication settings.

In the example Windows OpenVPN client, we can select the connection we need.

Below is a working connection to the dyndns host “testfordazzduckdns.duckdns[.]org”

Or
you can create separate connections for each dyndns host and proceed as above


I hope the above example is understandable.

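The procedure above (download the package, copy the .ovpn, swap the dyndns host in the `remote` line) can be scripted so the same client gets one file per DDNS host, or a single file that lists every host as a fallback. The script below is an added example and is not part of the post above or of IPFire; the config text, host names and port in it are constructed placeholders, and the generic `build_fallback_config` relies on OpenVPN's documented behaviour of trying multiple `remote` lines in order.

```python
"""Derive per-DDNS-host .ovpn variants from one IPFire client package.

Added example, not IPFire code. The sample config below is constructed to
resemble the client file IPFire generates; the host, port and .p12 name are
placeholders, not values from any real deployment.
"""
import re

BASE_OVPN = """\
client
dev tun
proto udp
remote ipfire-placeholder.dyndns.example 1194
pkcs12 test20220607.p12
remote-cert-tls server
verb 3
"""

# 'remote HOST [PORT [PROTO]]' on its own line; [ \t] instead of \s so the
# optional groups can never run on to the next line.
REMOTE_RE = re.compile(
    r"^remote[ \t]+(\S+)(?:[ \t]+(\d+))?(?:[ \t]+(\S+))?[ \t]*$", re.M)


def parse_remote(text):
    """Return (host, port) from the first 'remote' line, or None if absent."""
    m = REMOTE_RE.search(text)
    if not m:
        return None
    port = int(m.group(2)) if m.group(2) else 1194   # OpenVPN's default port
    return m.group(1), port


def _tail(m):
    """Keep whatever followed the host (port, proto) exactly as it was."""
    return "".join(f" {g}" for g in m.groups()[1:] if g)


def set_remote(text, host):
    """Replace only the host in the 'remote' line, keeping port and protocol."""
    m = REMOTE_RE.search(text)
    if not m:
        raise ValueError("no remote line found in config")
    return text[:m.start()] + f"remote {host}{_tail(m)}" + text[m.end():]


def build_variants(text, hosts):
    """One config per DDNS host, keyed by a file name derived from the host.

    This mirrors the manual copy-and-edit steps: every variant is the same
    package (same .p12 and auth settings), differing only in 'remote'.
    """
    return {f"{h.split('.')[0]}.ovpn": set_remote(text, h) for h in hosts}


def build_fallback_config(text, hosts):
    """Single config listing every host as a 'remote' line.

    OpenVPN tries the 'remote' entries in order, so a client whose country
    blocks one DDNS provider falls through to the next without editing files.
    """
    m = REMOTE_RE.search(text)
    if not m:
        raise ValueError("no remote line found in config")
    lines = "\n".join(f"remote {h}{_tail(m)}" for h in hosts)
    return text[:m.start()] + lines + text[m.end():]


if __name__ == "__main__":
    # Constructed DDNS host names, one per provider.
    hosts = ["fred.duckdns.example", "fred.noip.example", "fred.afraid.example"]
    for name, cfg in build_variants(BASE_OVPN, hosts).items():
        print(f"--- {name} ---\n{cfg}")
    print("--- fallback.ovpn ---\n" + build_fallback_config(BASE_OVPN, hosts))
```

If the remote user still has to type the current RED IP by hand, `set_remote(BASE_OVPN, "203.0.113.10")` produces that file too, since a `remote` line accepts a bare address as well as a name.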

Yes do that.

Would recommend everyone using this VPN to have a separate VPN.


Hi
Yes, I already do that. Each person has their own VPN.

Hi
Here is the log from a client attempt to make a VPN connection. He is in the Philippines and I am in New Zealand.

Wed Jun 08 16:48:15 2022 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Wed Jun 08 16:48:15 2022 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jun 08 16:48:15 2022 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Enter Management Password:
Wed Jun 08 16:48:15 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Jun 08 16:48:15 2022 Need hold release from management interface, waiting…
Wed Jun 08 16:48:16 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Jun 08 16:48:16 2022 MANAGEMENT: CMD ‘state on’
Wed Jun 08 16:48:16 2022 MANAGEMENT: CMD ‘log all on’
Wed Jun 08 16:48:16 2022 MANAGEMENT: CMD ‘echo all on’
Wed Jun 08 16:48:16 2022 MANAGEMENT: CMD ‘bytecount 5’
Wed Jun 08 16:48:16 2022 MANAGEMENT: CMD ‘hold off’
Wed Jun 08 16:48:16 2022 MANAGEMENT: CMD ‘hold release’
Wed Jun 08 16:48:16 2022 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Wed Jun 08 16:48:16 2022 OpenSSL: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
Wed Jun 08 16:48:16 2022 OpenSSL: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
Wed Jun 08 16:48:16 2022 OpenSSL: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
Wed Jun 08 16:48:16 2022 MANAGEMENT: Client disconnected
Wed Jun 08 16:48:16 2022 Error reading PKCS#12 file test20220607.p12
Wed Jun 08 16:48:16 2022 Exiting due to fatal error

To eliminate DDNS issues, he also tried connecting using my current internet IP address. He can ping my ip. He got the same OpenVPN error messages.

I created a test setup with no password because he seems to have hit this bug: Not connecting - Enter Management Password This is an old bug and should be fixed.

Any advice would be much appreciated.
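Both client logs in this thread (the one in the earlier post and the one just above) show the same pattern: a harmless deprecation warning, then OpenSSL ASN.1 errors (`wrong tag`, `too long`, `bad object header`), then `Error reading PKCS#12 file`. Those ASN.1 errors come from OpenSSL failing to parse the outer DER envelope of the .p12, i.e. the file bytes the client has are not what the server generated, which is why the error is identical with DDNS or a raw IP. The script below is an added example, not code from this thread or from IPFire: it triages such a log and then checks a .p12's outer tag/length the way OpenSSL's `ASN1_get_object` does, so you can tell a mangled file (for instance one that went through a text-mode transfer) from a certificate or password problem. The log lines and byte strings in it are constructed.

```python
"""Triage an OpenVPN client log and sanity-check the DER envelope of a .p12.

Added example, not IPFire or OpenVPN code. SAMPLE_LOG is constructed to
mirror the lines quoted in the thread; the DER samples are constructed too.
"""
import re

SAMPLE_LOG = """\
Wed Jun 08 16:48:16 2022 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Wed Jun 08 16:48:16 2022 OpenSSL: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
Wed Jun 08 16:48:16 2022 OpenSSL: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
Wed Jun 08 16:48:16 2022 MANAGEMENT: Client disconnected
Wed Jun 08 16:48:16 2022 Error reading PKCS#12 file test20220607.p12
Wed Jun 08 16:48:16 2022 Exiting due to fatal error
"""

DEPRECATED_RE = re.compile(r"WARNING: (--\S+) is DEPRECATED\. Use (--\S+) instead")
ASN1_RE = re.compile(r"OpenSSL: error:[0-9A-Fa-f]+:asn1 encoding routines:(\w+):(.+)$")
P12_RE = re.compile(r"Error reading PKCS#12 file (\S+)")


def triage(log_text):
    """Pull the diagnostically useful facts out of an OpenVPN client log."""
    r = {"deprecated": [], "asn1_errors": [], "pkcs12_file": None, "fatal": False}
    for line in log_text.splitlines():
        if m := DEPRECATED_RE.search(line):
            r["deprecated"].append((m.group(1), m.group(2)))
        elif m := ASN1_RE.search(line):
            r["asn1_errors"].append((m.group(1), m.group(2).strip()))
        elif m := P12_RE.search(line):
            r["pkcs12_file"] = m.group(1)
        elif "Exiting due to fatal error" in line:
            r["fatal"] = True
    return r


def verdict(r):
    """Plain-language conclusion; the deprecation warning is explicitly benign."""
    if r["pkcs12_file"] and r["asn1_errors"]:
        return (f"{r['pkcs12_file']} is not parseable DER (first ASN.1 error: "
                f"{r['asn1_errors'][0][1]}); compare size/hash with the original "
                "download before suspecting certificates or DDNS")
    if r["deprecated"] and not r["fatal"]:
        return "only deprecation warnings; connection not blocked by them"
    return "no known pattern matched"


def check_der_envelope(data):
    """Decode the outer tag and length of a DER blob and compare to its size.

    A PKCS#12 file is a DER SEQUENCE (tag 0x30). The three outcomes map onto
    the OpenSSL messages seen in the logs: 'wrong tag', 'bad object header',
    'too long'. Extra trailing bytes are reported separately.
    """
    if len(data) < 2:
        return "truncated: fewer than two bytes"
    if data[0] != 0x30:
        return f"wrong tag: first byte 0x{data[0]:02x}, expected SEQUENCE 0x30"
    first = data[1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return "bad object header: unsupported length encoding"
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if hdr + length > len(data):
        return f"too long: header declares {length} bytes, only {len(data) - hdr} present"
    if hdr + length < len(data):
        return f"trailing bytes: {len(data) - hdr - length} past the declared end"
    return "ok"


# Constructed samples: a well-formed envelope, a long-form one, a base64
# (PEM-style) text file passed off as .p12, and a binary that had its 0x0a
# byte expanded to CRLF by a text-mode transfer.
GOOD_SHORT = b"\x30\x03\x02\x01\x01"                 # SEQUENCE { INTEGER 1 }
GOOD_LONG = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 197
BASE64_TEXT = b"MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADBW"
CRLF_MANGLED = b"\x30\x03\x02\x01\x0a".replace(b"\n", b"\r\n")

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
    for name, blob in [("short", GOOD_SHORT), ("long", GOOD_LONG),
                       ("base64", BASE64_TEXT), ("crlf", CRLF_MANGLED)]:
        print(f"{name:7s} {check_der_envelope(blob)}")
```

Run `check_der_envelope(open("test20220607.p12", "rb").read())` on the copy the remote user actually has and on the zip you downloaded from IPFire; if the two differ, the file was altered in transit and no OpenVPN or DDNS setting will fix it.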