ipfire

This refers to the open source firewall IPFire

Using a hostkey and certificates from an external certificate authority is possible with the following steps and restrictions:

• On the OpenVPN configuration page start with the button “generate root/host certificate”, but do not generate them, but use the import dialog on the bottom with an existiong file of format PKC#12 and with suffix .p12. It needs to contain the host key and certificate signed by your CA.
• Import your CA's certificate in the form below the list of OpenVPN root and host certificates
• Generate or import Diffie-Hellman parameters
• You need to deposit a valid copy of the certificate revocation list in ipfire's filesystem at /var/ipfire/ovpn/crls/cacrl.pem
• As you don't have a CA Key on the ipfire, you can't generate client certificate, but you must import them. Starting point is still the “Add” button in the client list, just use the “upload” feature instead of “generate …”.
• When creating client certificates by TinyCA2, pay attention to unset the “add email address to CN” checkbox when signing the request (i.e. creating the certificate) as ipfire obviously can't cope with that extension and throws an internal server error when using the cn value as filename, which contains a slash.

1. Replace /var/ipfire/ovpn/certs/servercert.pem
2. /usr/local/bin/openvpnctrl -r

1. Replace /etc/httpd/server.crt
2. apachectl restart

When adding a new OpenVPN client, any route configured for it - including GREEN / ORANGE - yielded in the error message “Route xyz alread in use by another client”. It turned out, cddroute and cddroute2 in /var/ipfire/ovpn contained somewhat empty or spurious lines (meaning strange network settings or referencing non-existing client names). I removed a line in cddroute that referenced a non-existing client and the networks 10.0.0.0/255.0.0.0,192.168.0.0/255.255.0.0,172.16.0.0/255.240.0.0. It seems, this fixed the issue. — peter 09.11.2021 13:43 CET

• If a clients certificate subject consists only of the comon name (CN), TLS verification will fail due to the regular expression used in /usr/lib/openvpn/verify to get the value of CN=…

IPFire