ipfire
This page refers to the open source firewall IPFire.
Using external CA
Setup
Using a hostkey and certificates from an external certificate authority is possible with the following steps and restrictions:
- On the OpenVPN configuration page, start with the button “generate root/host certificate”, but do not generate them; instead use the import dialog at the bottom with an existing file in PKCS#12 format with suffix .p12. It needs to contain the host key and the host certificate signed by your CA.
- Import your CA's certificate in the form below the list of OpenVPN root and host certificates
- Generate or import Diffie-Hellman parameters
- You need to deposit a valid copy of the certificate revocation list in ipfire's filesystem at /var/ipfire/ovpn/crls/cacrl.pem
- As you don't have a CA key on the ipfire, you can't generate client certificates, but you must import them. The starting point is still the “Add” button in the client list; just use the “upload” feature instead of “generate …”.
- When creating client certificates with TinyCA2, pay attention to unset the “add email address to CN” checkbox when signing the request (i.e. creating the certificate), as ipfire obviously can't cope with that extension: it uses the CN value as a filename, which then contains a slash, and throws an internal server error.
Maintenance
Renew certificate
OpenVPN Server
- Replace /var/ipfire/ovpn/certs/servercert.pem, then run /usr/local/bin/openvpnctrl -r
https
- Replace /etc/httpd/server.crt, then run apachectl restart
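Since the host key stays in place and only the certificate is swapped, a renewed certificate that does not belong to that key, or that was signed by a CA other than the one the firewall trusts, will take the VPN (or the web interface) down on restart. The following pre-flight script is an added example, not part of this page or of IPFire: the certificate paths and restart commands are the ones listed above, while the key path (serverkey.pem) and CA path (cacert.pem) are assumptions.

```shell
#!/bin/sh
# Added example: check a renewed certificate before installing it on IPFire.
# Server cert paths and restart commands are from the page; serverkey.pem and
# cacert.pem locations are assumptions and must be checked on your system.
set -eu

# Return 0 if the public key in certificate $1 matches private key $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if certificate $1 verifies against CA certificate $2.
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 if certificate $1 is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# install_cert NEW_CERT KEY CA_CERT TARGET RESTART_CMD...
# Runs all checks, keeps a timestamped backup of TARGET, copies NEW_CERT over
# it and finally runs the restart command. Returns 1 without touching TARGET
# if any check fails.
install_cert() {
    new_cert=$1; key=$2; ca=$3; target=$4; shift 4
    cert_matches_key "$new_cert" "$key" || { echo "cert does not match key" >&2; return 1; }
    cert_signed_by_ca "$new_cert" "$ca" || { echo "cert not signed by trusted CA" >&2; return 1; }
    cert_valid_for "$new_cert" 86400 || { echo "cert expires within a day" >&2; return 1; }
    cp -p "$target" "$target.$(date +%Y%m%d%H%M%S).bak"
    cp "$new_cert" "$target"
    "$@"
}

# Usage on the firewall (key and CA paths assumed):
# install_cert /root/servercert-new.pem /var/ipfire/ovpn/certs/serverkey.pem \
#     /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/certs/servercert.pem \
#     /usr/local/bin/openvpnctrl -r
# install_cert /root/server-new.crt /etc/httpd/server.key \
#     /var/ipfire/ovpn/ca/cacert.pem /etc/httpd/server.crt apachectl restart
```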
Bugs
Route ... already used by another client
When adding a new OpenVPN client, any route configured for it - including GREEN / ORANGE - yielded the error message “Route xyz already in use by another client”. It turned out that cddroute and cddroute2 in /var/ipfire/ovpn contained somewhat empty or spurious lines (meaning strange network settings or referencing non-existing client names). I removed a line in cddroute that referenced a non-existing client and the networks 10.0.0.0/255.0.0.0,192.168.0.0/255.255.0.0,172.16.0.0/255.240.0.0. It seems this fixed the issue.
— peter 09.11.2021 13:43 CET
IPFire 2.17 (i586) - Core Update 98
- If a client's certificate subject consists only of the common name (CN), TLS verification will fail due to the regular expression used in /usr/lib/openvpn/verify to get the value of CN=…
Last modified: 05.08.2024 23:45 CEST by peter