Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Adapting IPFire net-to-net client config for OpenVPN in ASUS WRT routers

Adapting IPFire net-to-net client config for OpenVPN in ASUS WRT routers

IPFire supports net-to-net connections.

Part of setting up the connection with non-IPFire peers often involves generating a .ovpn file from the client package.

There are some client docs about how to do this, but not net-to-net.

For net-to-net clients, IPFire generates a zip file containing two files. Both files are named based on the name you choose for the VPN.

  • vpnname.conf is the configuration file for OpenVPN.
  • vpnname.p12 is a PKCS12 file containing the certs and the private key to be used by the client.

The ASUS router wants a combined OpenVPN config file (which we'll call vpnname.ovpn). This file has the certificates and the private key embedded, using XML-like notation.

First issue: what's the password on the vpnname.p12 file? You can't read it without knowing the password. It turns out that for net-to-net connections, the private key in the vpnname.p12 file has an empty password. Next question: what password shoud we use on the private key When setting up an ASUS OpenWRT router, you will want to generate the private key without any encryption (possibly different than an empty password).

Armed with this info, we can get the info manually:

$ openssl pkcs12 -in vpnname.p12 -passin pass: -nodes -info
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: ..redacted..
    friendlyName: ..redacted..
subject=C = US, ST = NY, O = Example Corp., CN = ..redacted..
issuer=C = US, ST = NY, L = Anytown, O = Example Corp., OU = sysadmin, CN = Example Corp. CA, emailAddress =

Certificate bag
Bag Attributes
    friendlyName: Example Corp. CA
subject=C = US, ST = NY, L = Anytown, O = Example Corp., OU = sysadmin, CN = Example Corp. CA, emailAddress =

issuer=C = US, ST = NY, L = Anytown, O = Example Corp., OU = sysadmin, CN = Example Corp. CA, emailAddress =

PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: ..redacted..
    friendlyName: ..redacted..
Key Attributes: <No Attributes>

With this info, and the info on the net (e.g., iOS manual configuration, iOS scripted configuration, and Magnus Wedberg's IpCop config for OpenVPN and iOS, it's not too hard to create a combined .ovpn file that will authenticate properly.

Some editing of the configuration portion of the script is needed.

Unzip the client zip file in a temporary directory, cd to that directory, and use the following commands to generate the .ovpn file.

function _wrap { awk -vkey="$1" '/^----/ { if (f == 0) printf("<%s>\n", key); f = 1; } { if (f) print } END { if(f) printf( "</%s>\n", key); }' ; }
sed -e '/^status/d' -e '/^pkcs12/d' -e '/^management/d' ${BASENAME}.conf >${BASENAME}.ovpn
openssl pkcs12 -in ${BASENAME}.p12 -passin pass: -nodes -cacerts -nokeys | _wrap ca >> ${BASENAME}.ovpn
openssl pkcs12 -in ${BASENAME}.p12 -passin pass: -nodes -clcerts -nokeys | _wrap cert >> ${BASENAME}.ovpn
openssl pkcs12 -in ${BASENAME}.p12 -passin pass: -nodes -nocerts | _wrap key >> ${BASENAME}.ovpn

The above command deletes the management port command, if present, because there's no way to give it a password in the Asus setup.

If you're doing this on Windows, get git bash; that includes a suitable version of the openssl command.

You'll get something like this:

# IPFire n2n Open VPN Client Config by ummeegge und m.a.d
# User Security
user nobody
group nobody
script-security 2
# IP/DNS for remote Server Gateway
remote XX.XX.XX.XX
# IP adresses of the VPN Subnet
ifconfig YY.YY.YY.2 YY.YY.YY.1
# Server Gateway Network
route ZZ.ZZ.ZZ.0
# tun Device
dev tun
#Logfile for statistics
# Port and Protokoll
port 1195
proto udp
# Paketsize
tun-mtu 1500
fragment 1300
remote-cert-tls server
# Auth. Client
# Cipher
cipher AES-256-CBC
# HMAC algorithm
auth SHA512
# Debug Level
verb 3
# Tunnel check
keepalive 10 60
# Start as daemon
daemon VPNNAMEn2n
writepid /var/run/
# Activate Management Interface and Port
# remsub WW.WW.WW.0/

Asus AC68U setup

Log into the router's web-admin page.

Select VPN (on left), then VPN client.

Add a profile.

Import the .ovpn profile you chose above. Leave username and password blank. Save. Don't start yet.

IPFire setup

Add rules allowing inbound and outbound traffic from the new openVPN net-to-net connection.

Enable the VPN.

For some reason, the IPFire program /usr/local/openvpnctrl always explicitly blocks traffic from net-to-net communications as part of its setup, in rule OVPNBLOCK. This makes things not work for inbound traffic. At time of writing, I'd not investigated why this is. The solution is to edit /etc/sysconfig/firewall.local and add a CUSTOMFORWARD rule that accepts traffic from the remote side. A simple solution, but arguably not terribly secure, is For example, if you're using as your remote, you could say:

# Used for private firewall rules

function _start {
    # allow all packets from VPN address group over any tunnel to be forwarded.
    iptables -A CUSTOMFORWARD -s -i tun+ -j ACCEPT

function _stop {
    # remove the custom rules.
    iptables -F CUSTOMFORWARD

# See how we were called.
case "$1" in
        ## add your 'start' rules here
        ## add your 'stop' rules here
        $0 stop
        $0 start
        ## add your 'reload' rules here
        echo "Usage: $0 {start|stop|reload}"


Now enable the VPN.

Notes on setting things up

It is very much easier to do this if you have a system on the remote network that can be accessed via Splashtop, RDP, etc. This will let you access the AC68U configuration web page.

I've only tried this using public IP addresses on each end.

Work was done with IPFire 2.25 (x86_64) - Core Update 147, and AC68U firmware version

Copy link

Hi we are seriously struggling with this setup.
My config:
Act as: OpenVPN server (I think this is wrong, but does not work)
Local Subnet: the OpenVPN network spce
OpenVPN: some range that I want to map to
Remote host/IP: I left empty
Remote subnet: is the one I want to route to (The network on Asus)

Maybe I got this all backwards. Any help is appreciated

Copy link

Hi Benjamin, sorry, missed this comment. Hope you managed to get things working. --Terry

Copy link

Hi @terrillmoore , thanks for the inquiry. Yes, I we got it working after a lot of trial and error.
This is a great guide, and helped us get started.

Now we just struggle with DNS forwarding, so that a VPN cliend also gets to use the DNS from the ZenWifi router.

Copy link

Great. In my use case, the default DNS settings were fine, so didn't have to figure that out. Good luck!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment