I am trying to set up an OpenVPN Net-to-Net tunnel from our ClearOS 7 home gateway to our holiday apartment in Croatia. Just to make life interesting, the remote gateway is on a different distro - IPFire. (There are reasons why it has to be IPFire and can't use ClearOS.)

The remote site needs to be the "client" end of the tunnel - as it uses 4G mobile for its WAN connection, Dynamic DNS doesn't work and so incoming VPN connections aren't possible. However, there is nothing to prevent it "dialling out" to open a VPN tunnel.

Both ClearOS and IPFire have excellent community documentation on OpenVPN (though the latter is largely translated from German...) but they don't really align on how to configure this use case. IPFire does have an option to import a client config .ZIP file though. The ZIP file would contain the .conf file for the remote site + a PKCS12 file, but there isn't a corresponding export function for these in ClearOS - unlike the user PKCS12 download for Net-to-Client configuration.

It should be possible to create a PKCS12 file from the command line using openssl or GnuTLS certtool. It looks like the private key would be the "static.key" file used as an example in the ClearOS guide but I'm not sure which other certificate(s) should be included, whether these are the same as for Net-to-Client user configuration, and if so where in the ClearOS filesystem to locate them.

Any assistance gratefully received!
In OpenVPN
Tuesday, August 20 2019, 03:07 PM
Responses (3)
  • Accepted Answer

    Wednesday, August 21 2019, 12:04 PM - #Permalink
    I think the secret will be opening up their zip file to see what is in it and then making the assumption that that is what they expect to receive as well. We can then provide that with suitable certificates from ClearOS. We'd also need to adjust the Server and subnet parameters and perhaps change the port.

    At the same time we will need to see their server config to shoehorn it into ClearOS. This will probably involve replacing certificate and subnet references and perhaps the port. It also depends on what other configuration parameters they have.
  • Accepted Answer

    Wednesday, August 21 2019, 08:39 AM - #Permalink
    Hi Nick,

    Thanks for the explanation of the principles behind the ClearOS Net-to-Net method. It is of course possible to get to the IPFire command line, but as it seems to be pitched more as a "pure" firewall than ClearOS it is very much geared to be managed in the web console. There's nothing I can see in their documentation and forums mentioning a static key method that bypasses PKI.

    IPFire does have functionality very similar to ClearOS Certificate Manager for generating and importing certificates, and the OVPN setup for Net-to-Net server does have a .ZIP export option for the client-end config. What I will do is set up a test IPFire instance here, go through that process to see what the .ZIP file contains and how to correlate that with the rest of the setup, and then see how to generate the same on ClearOS. It will be a good learning exercise anyway...

    I won't be able to complete this until next time I'm in Croatia, which will likely be end-Oct, so this will have to stay on ice until then. I was hoping there might be a simple packaged option I could send out to my family to apply (they are currently there) but command line hacking is a bit much even for them...

    Thanks, and I'll update as and when I can. If I can contribute some material on generic setup of Net-to-Net tunnels between disparate firewall distros I will do.

    Andrew
  • Accepted Answer

    Tuesday, August 20 2019, 05:15 PM - #Permalink
    Can you not get to the command line in IPFire? There is a big difference between a private key and a static key. The private key is part of a Public Certificate/Private Key pair (and goes with the CA Certificate). The static key is a single key file generated in a completely different way which both ends use for authentication, and then they do not use certificates at all.

    You may be able to create a configuration in IPFire, and export the remote configs. Then if you can get to the command line in IPFire, pull out the server config. You should then be able to reverse engineer it and edit it to get the remote config into a state that it can be imported back into IPFire and to somehow get the Server config into ClearOS, perhaps adding the certificates from ClearOS. It may help to set up a dummy ClearOS user to get certificates for the client end.
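The PKCS12 bundle the original question asks about, built with the certificate set the reply above describes (client certificate, its private key, and the CA certificate; the static key is a separate shared secret and stays out of it), as an added example that is not from the thread or from either distro. The throwaway CA, the file names and the passphrase are constructed placeholders; on a real gateway substitute the existing CA and an issued client certificate.

```shell
#!/bin/sh
# Added example: assemble and verify an OpenVPN client PKCS#12 bundle with openssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; placeholder, not a ClearOS path
cd "$WORK"

# Constructed demo PKI so the example runs offline. A real deployment would
# use the gateway's existing CA and a client certificate issued by it.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-ca" -keyout ca.key -out ca.crt >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=remote-site" -keyout client.key -out client.csr >/dev/null 2>&1
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out client.crt >/dev/null 2>&1
}

# build_p12 CERT KEY CA OUT PASSPHRASE
# The bundle carries the client certificate, its private key and the CA
# certificate. A tls-auth/static key is a separate shared secret and is
# shipped alongside the .conf, not inside the PKCS#12 container.
build_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name "openvpn-client" -passout "pass:$5" -out "$4"
}

# verify_p12 BUNDLE PASSPHRASE
# Unpacks the bundle, checks the certificate's public key matches the private
# key, and checks the certificate chains to the CA that was bundled with it.
verify_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out p12_cert.pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out p12_key.pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out p12_ca.pem
    cert_pub=$(openssl x509 -in p12_cert.pem -pubkey -noout)
    key_pub=$(openssl pkey -in p12_key.pem -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl verify -CAfile p12_ca.pem p12_cert.pem >/dev/null
}
```

Running `make_demo_pki`, then `build_p12 client.crt client.key ca.crt remote.p12 demo-pass`, then `verify_p12 remote.p12 demo-pass` exercises the whole path; the import step on the IPFire side is outside what this example covers.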