Setup of a VPN server using IPFire
Home office without limits
The coronavirus is currently presenting us with some major challenges. Employers and employees in particular need to work out at short notice how to keep their company running while following the recommended precautions. Many companies are already following the recommendation to let their employees work from their home office. This is intended to keep social contacts to a minimum and slow down the spread of the coronavirus.
However, the possibility of the home office is not only discussed in connection with the coronavirus. For some time now, the home office has been a sensible option due to increasing digitalisation and is a frequent benefit for employees in terms of work-life balance and working hours based on trust.
In the home office itself, just like in the office, we need our hardware and software to be able to work without restrictions. Some employees set up the complete office equipment including PC, several screens, keyboard, mouse and telephone in their own four walls. Others just need a laptop to be able to carry out their daily tasks.
Whether in the office or at home, one of the most important issues is the security of IT or internal data. Even in the home office, employees must access the company's own ERP system and servers or exchange sensitive data. For this purpose, it is advisable to set up a VPN server to which the employees connect in the home office and thus have unrestricted access to all company information.
The VPN, Virtual Private Network, thus offers the possibility to move within the company's own network and to process data securely. In today's blog we show you how you can easily set up a VPN server in your company using IPFire.
IPFire can be downloaded, for example, from the IPFire website. During installation, we select the desired language, confirm the license and select both the data carrier for the installation and the corresponding file system.
Then we get into the setup. There we select our keyboard layout and our time zone and set the host and domain name and a password for "root" and "admin". In the next step we take care of the network configuration.
Different types of network configuration can be selected under "Type of network configuration". We keep the default type GREEN + RED for a simple VPN configuration. Within the "Network card assignment" we now assign a network card to the interfaces GREEN and RED. The network card to be connected to the Internet must be defined as RED and the network card for the internal network as GREEN.
In the "address settings" we assign an IPv4 address to the interface GREEN, with which the IPFire can be reached in the internal network. We also specify how the interface RED gets its IP address, choosing between "Static", "DHCP" and "PPPoE".
We must define the "Gateway Settings" if a static IP address is used for the RED interface. Once we have completed our network configuration, we confirm with "Done". The next step is the configuration of the VPN via Services --> OpenVPN.
In the global settings, the most important entry is "Local VPN Hostname/IP". If our company has a fixed IP address for the Internet connection or if a DNS name exists for this fixed IP address, we enter it here. If we only have an ADSL/VDSL line with changing IP addresses available, we integrate the IP beforehand via a DynDNS service, for example www.noip.com. We can also integrate the DynDNS service in IPFire. In this case we enter the DynDNS name in the field "Local VPN Hostname/IP".
The "OpenVPN subnet" is the network used for routing on the Internet gateway (as described above) if the IPFire is not your default gateway. If additional subnets are required for security reasons, we can add them under "Static IP address pools". Under "Advanced Server Options" we recommend activating the option "mssfix". Then we save our changes.
In the next step we generate the "Root/Host certificates" in the "Certification Authority and Keys" section. This may take a short time.
After the certificate has been created, the OpenVPN server can be started. To do this, we tick the checkbox for OpenVPN on RED in the global settings and start the server by clicking on "Start OpenVPN server". If we want to change the settings afterwards, we stop the server temporarily.
Now we create the VPN users. In the area "Connection status and control" we add a new user via the button "Add". Then we select the connection type, whereby the "Host-to-net Virtual Private Network (RoadWarrior)" is the correct selection for working in the home office.
The following configuration page is divided into three parts. All fields marked with a red star are mandatory. In the section "Connection" we specify a name for the client connection, which must not contain any spaces. In case we have created additional VPN subnets, we could use them under "Select network".
In the section "Authentication" we specify the name and validity of the user. In addition, we recommend setting a password, which is then required to decrypt the certificate.
The section "Advanced Client Options" remains unchanged. The new VPN user is created by saving the entries.
In the section "Connection status and control" of the OpenVPN overview all created users are now displayed. In order for the VPN to be available on the client, the client must receive the client package. The legend shows the corresponding symbol.
To set up the VPN client, we download the client from www.openvpn.net. After we have installed and started the VPN client, its icon appears in the lower right of the task bar. Then we unpack the corresponding client package, which consists of two files: a VPNName.ovpn file and a certificate.
By right-clicking on the VPN icon of the client, we import the .ovpn file, which is also stored in the folder c:\User\Name\OpenVPN\config\OpenVPNName\. The certificate file is also copied into this folder.
Now we can connect the VPN, either by double clicking on the VPN icon or by right clicking on the VPN icon and selecting "Connect". For the first connection of the VPN client we need administrative rights.
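The following is an added example, not part of the original article and not IPFire's own code: a small Python check that can be run on the unpacked client package before the .ovpn file is imported. The host name vpn.example.com, the file name VPNName.p12 and the sample profile are constructed placeholders; the directive names are standard OpenVPN options.

```python
import shlex

# Constructed sample profile: host and file names are placeholders, not IPFire output.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
pkcs12 VPNName.p12
remote-cert-tls server
mssfix
"""

def parse_ovpn(text):
    """Map each directive to the list of its argument lists."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside <tag> ... </tag>: skip key material
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]          # inline block, e.g. <ca>
            directives.setdefault(inline, []).append([])
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def audit_profile(text, expected_host, package_files):
    """Return findings; an empty list means every check passed."""
    d, findings = parse_ovpn(text), []
    hosts = [args[0].lower() for args in d.get("remote", []) if args]
    if not hosts:
        findings.append("no remote directive")
    elif any(h != expected_host.lower() for h in hosts):
        findings.append("remote does not match the server's Local VPN Hostname/IP")
    if ["server"] not in d.get("remote-cert-tls", []) and "verify-x509-name" not in d:
        findings.append("profile does not check that the peer presents a server certificate")
    if "pkcs12" not in d and "cert" not in d:
        findings.append("no client certificate referenced")
    for key in ("pkcs12", "ca", "cert", "key"):
        for args in d.get(key, []):
            if args and args[0] not in package_files:
                findings.append(f"{key} file {args[0]} is not in the client package")
    return findings
```

Calling audit_profile with the profile text, the value entered as "Local VPN Hostname/IP" and the set of file names in the unpacked package returns an empty list when all checks pass.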
In the best case, the entire setup and configuration is done by the company's IT administrator. Once set up, any number of users can be added and the setup can be done in a few steps. The configuration effort is worthwhile not only because of the possible access to the company internal network from the home office, but also because of the security when processing or exchanging sensitive data.