VPN RoadWarrior Connection Fritzbox --> IPFIRE --> Ipfire (red) --> Ipfire (blue)

                          |--- Ipfire (orange)
                          |--- Ipfire (red), with openVPN
 Internet --- Fritzbox ---|--- Ipfire (blue), with openVPN
                       |            |--- Ipfire (green)
                       |
           other PCs and NAS

The OpenVPN server is running and the certificates have been created properly.
There must be a rule missing, I suspect, because no connection is established, regardless of whether it is Windows or Linux.
What does the rule have to look like to access Ipfire (blue) from the Internet?
Default firewall behavior is:
“Forward” to “Blocked”
“Outgoing” to “Approved”

In which log does it say whether a connection was attempted (failed)?

With Forward set to Blocked then you might have to create the required OpenVPN firewall rules to allow access. I am not totally sure on that as the OpenVPN traffic might only be stopped if you put Outgoing to Blocked.
If it is the case that rules are needed for the OpenVPN then I can’t help you with that as I am using OpenVPN with Forward set to Allowed. Changing to Blocked is something on my plans to evaluate but probably on my virtual machine testbed system first.

Additionally, I see that you have a Fritzbox before the IPFire. If the Fritzbox is operating in firewall/router mode and not bridged mode then you would have a double NAT system so you will also need to add a rule that allows the OpenVPN traffic coming in to be forwarded to your IPFire box.

Go to the WUI menu Logs - System Logs, select OpenVPN in the dropdown box labelled Section: and then press the Update button. You can choose All in the Day option if you have been trying over more than one day.

Damn, ah, so easy, there is nothing in it =))

I have set the rule in the FritzBox for IPFIRE:
“openvpn UDP 1194”

I suspect that a firewall rule is missing in IPFire.

What does this have to look like?

I get the following error when importing SB-TO-IPFire.ovpn:
Error message: ssl_contex_error OpenSSLContex: CA not defined!

Which client are you importing the profile into?

Are you using the secure (password defined) or insecure (no password defined) download package?

That error message often occurs because the client requires the CA details to be defined in-line in the .ovpn but the secure download package has the CA (and other certificates/keys) defined as separate files.

Under Linux I have the following options:
(Certificates(TLS), Password, Password and Certificates(TLS), Static Key)

What would be the correct method once I have downloaded and unpacked the client package?

With Linux “import saved VPN configuration” it doesn’t work.
There is also an error in Windows.

That depends on the specific client being used.

On my Computer systems I use Linux and use Network Manager together with the OpenVPN plugin package.

I choose “Import a saved VPN configuration…” and it opens up a file manager window and I select the .ovpn file in the directory where all the contents of the zip file were placed.

The .ovpn file specifies the file names for the pkcs12 certificate and tls-auth key and Network Manager then looks for those in the same directory that the .ovpn file was located in.

Network Manager then automatically specifies the CA certificate, User certificate and User private key as all coming from the pkcs12 file.

I then enter the password for the Network Manager form and it then is able to extract all the above parts from the pkcs12 file.

Here is what the Network Manager main input screen looks like after importing the .ovpn file.

I would then save it and can then make my connection without any problem.

If the import of the .ovpn file is not working then you need to look into the logs on your client machine to see what problems it had with the profile.

I can’t help with Windows as I don’t have that on my network and haven’t used it for 15 years or so.
Other forum members will have to help with that. It would be useful for them to know what the error message was.

Thanks for your help!

That’s how I tried it, but it works
“Failed to activate network connection”. There are no entries in the log files.

Under which Linux distribution do you do it where it works?

I am using Arch Linux on my systems.

Peculiar if there is nothing in the logs. Even with a failed attempt I would expect something in the logs.
Not sure how to move forward on that.

You could try and make an openvpn connection directly in the command line using openvpn. That removes all issues with other clients etc.

It is a while since I did that so can’t remember the details. At that time I just searched for info on the internet.

Something is wrong with the client package, or I can’t even get to IPFire…

Can I also check for vpn activity in the IPFire console like tail -f /var/log/messages | grep vpn?

If your client isn’t getting set up and started then there will be no traffic from your client to the server to see in the server logs.

The client is set up and activated (check mark)
Still nothing in the GUI logs.

That check mark is on the server.

You said that your client showed the message

when you tried to set it up. That needs to be resolved first before your client will even be able to send any vpn traffic.

Is that the exact error message that was shown? I have tried to search on that and been unable to find anything. I found entries related to the error message

Error: Connection activation failed:

I set up the connection client under Linux by hand, the client package could not simply be imported.
I think I’m at a dead end.
Is there a command in the console that I can use to test whether we can get from the client to the server at all?

The “Local VPN Hostname/IP” says “192.168.10.2:1194”
The FritzBox forwards port 1194 to this IP.

Can it be that the public IP address has to be entered for Remote?

I have found the commands to run openvpn directly from the command line on your client and I have confirmed it by making a successful connection that showed up as CONNECTED in green on the IPFire OpenVPN status table.

First let’s confirm that you do have openvpn installed on your client.

Run the following command on your client

openvpn --version
you should see something similar to
OpenVPN 2.6.4 [git:makepkg/b4f749f14a8edc75+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 11 2023
library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc sales@openvpn.net
Compile time defines:

That shows that on my Arch Linux system OpenVPN-2.6.4 is installed.

If OpenVPN is not installed then you will just get a message that the command openvpn is not recognised.

Then extract all the files from your IPFire zip file into some location.

I used /etc/openvpn/client

Then you will need to edit the .ovpn file to add a path to the pkcs12 and tls-auth lines.
In my case I changed

pkcs12 tethysvm.p12
tls-auth ta.key

to

pkcs12 /etc/openvpn/client/tethysvm.p12
tls-auth /etc/openvpn/client/ta.key

Then run the following command

openvpn --config /etc/openvpn/client/your-ipfire-connection-file-name.ovpn

You may need to do this as sudo depending on the permissions in the directory that you have saved the files into. I had to use sudo for mine.

I then had the messages

2023-05-23 15:57:51 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-05-23 15:57:51 OpenVPN 2.6.4 [git:makepkg/b4f749f14a8edc75+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 11 2023
2023-05-23 15:57:51 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-23 15:57:51 DCO version: N/A
Enter Private Key Password: **********

I entered the password that I had entered when I set up the connection on the IPFire.

I then got a whole lot more messages which near the end included

2023-05-23 15:58:20 Initialization Sequence Completed

At that point when I looked at the IPFire OpenVPN server page that connection was showing as connected.


Yes. Or usually a Dynamic DNS name that is updated when your ISP’s IP assigned to you changes.


Linux system is “Manjaro” (Arch)

2023-05-23 21:19:53 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2023-05-23 21:19:53 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-05-23 21:19:53 WARNING: cannot stat file '/etc/openvpn/client/ta.key': No such file or directory (errno=2)

I’m missing the “ta.key” where did you get it? Is it in the client package?
In the zip file I only have “Employees.p12” and Employees-TO-IPFire.ovpn.

Then you didn’t select the TLS Channel Protection checkbox on the Global Settings page for the OpenVPN server.

If you select that checkbox then when you create the client connection, the ta.key is included in the zip file.
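As an added example, not code from the thread or from IPFire, this POSIX shell snippet automates the .ovpn edit from the command-line walkthrough above (absolute pkcs12/tls-auth paths) and checks that every file the profile references, such as ta.key, is actually present in the unpacked package; the directory, file names and remote host are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread or from IPFire. It rewrites the relative
# pkcs12/tls-auth paths in an IPFire client .ovpn to absolute ones and reports
# referenced files missing from the unpacked package (the "cannot stat file
# ta.key" case). All directory, file and host names are assumed/constructed.

# Print the profile with relative pkcs12/tls-auth/ca/cert/key paths rewritten
# to absolute paths under $1 (the directory the zip was unpacked into).
absolutize_ovpn() {
    dir=$1
    ovpn=$2
    sed -E "s#^(pkcs12|tls-auth|ca|cert|key) +([^/][^ ]*)#\1 ${dir}/\2#" "$ovpn"
}

# Print the names of referenced files that do not exist; return 1 if any are
# missing, 0 if the package is complete.
missing_ovpn_files() {
    dir=$1
    ovpn=$2
    status=0
    while read -r directive file rest; do
        case $directive in
            pkcs12|tls-auth|ca|cert|key) ;;
            *) continue ;;
        esac
        [ -n "$file" ] || continue
        case $file in
            /*) path=$file ;;
            *)  path=$dir/$file ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$file"
            status=1
        fi
    done < "$ovpn"
    return $status
}

# Constructed sample package mirroring the thread: the zip held only the .p12
# and the .ovpn, while the profile still references ta.key.
make_sample_package() {
    dir=$1
    printf 'client\nremote vpn.example.org 1194\npkcs12 Employees.p12\ntls-auth ta.key 1\n' \
        > "$dir/Employees-TO-IPFire.ovpn"
    : > "$dir/Employees.p12"
}

# Usage: d=$(mktemp -d); make_sample_package "$d"
#        missing_ovpn_files "$d" "$d/Employees-TO-IPFire.ovpn"   # prints ta.key
```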

I have now added it to the command line in Manjaro:
When trying to connect, this comes up: The VPN connection could not be established because there are no valid VPN secrets…