IPCop Addons
Howto Openvpn
OpenVPN for IPCop 1.4.10

I use IPCop now for several years, and VPN was allways a mainly used feature.

With the 1.4 release it was possible to define roadwarrior connection but this part is hard to configure except when using certificates, so i was allways searching for alternatives ways to use roadwarrior VPN connections.

Inspiered through an article in the c't magazine about OpenVPN, i googled for existing OpenVPN addons.
I found several links, one off them LINK was an addon from Markus Hoffman wich adds OpenVPN support to IPCop >=1.42 but this addon has no gui, so i contacted Markus about adding a gui for his addon, and so i started.

After two days of programming, i found a page where some people had allready build and OpenVPN addon with guil called Zerina, as their gui was more ready then my two days of work, i contacted them to cooperate for an improved gui, that was the start for my ongoing attemp of a new gui for OpenVPN. The code mainly depens on part of the IPCop cgi pages vpnmain.cgi, xtaccess.cgi and portfw.cgi

The idea

..was to provide an easy way for roadwarrior clients to connect to the LAN (green interface) based on certificates.


- running and configuring an OpenVPN Server Daemon for accessing the IPCop Lan (Green interface)
- all necessary functions can be configured
- uses/creates a secon PKI wich does not involve the ipsec PKI
- experimanetal function to enable/disable a client certificate, without revoking the client (verify script)
- support for BLUE and ORANGE
- new proxy.cgi with OpenVPN support
- new connections.cgi with OpenVPN support
- new  functionality, display Connections Statistics, adapted from  R.I.Pienaar's php source to perl
- easy client handling, download a client package zip archive with certificate(s) + config file
- some more things i cannot remeber anymore

Todo / bugs / missing functions

- note! only tun support is implemented if you choose tap it won't work
- only roadwarrior (host2net)connections are possibe, net2net will come later
- only vertificate based connections are possible (static keys will probably come later)
- configuring the authentication mode
- integrate Kevin Stefanik scripts to restrict the client access
- when the first final version is ready we will package the whole thing for the addon-server
-etc etc

Install and download Instructions

Download the 4th public beta


NOTE! If you are upgrading from an earlier release
  1. stop the server
  2. This package will only run under IPCop 1.4.10
  3. You don't need to uninstall a 0.9.2b release 
  4. copy this file into a an empty directory on your IPCop (for example with winscp)
  5. extract the archive tar -xzvf ./ZERINA-0.9.3b-Installer.tar.gz
  6. change to the extraction directory
  7. run the installer ./install
  8. install the new package
  9. acess the ovpnmain.cgi page and hit the advanced button, once you are in the advanced settings hit the save button (due to extended settings).
  10. follow the howto for the first steps

If you want the to grab the latest unstable developer release

We have now a subversion repository
grab the latest from:
1.) chmod 770 make_release.sh
2.)  ./make_release.sh
3.) then you get an installer package called ZERINA-Installer.tar.gz
4.) please note, that grabed code from the svn is mostly unuseable/unstable


You can get support at the Forum it is mainly held in german, but english makes no problem


Date: Remark:
19.11.2005 new public beta has been released ZERINA-0.9.3b-Installer.tar.gz 

-Bugfix for Compress-Zlip (old uninstall did not knew that compress-zlip is included in IPCop 1.4.10) ;-) (Raised by Geert Vackier) see http://www.vpnforum.de/viewtopic.php?p=6544#6544

-Bugfix Slash/Backslash problem in the server.conf (Raised by Geert Vackier) see http://www.vpnforum.de/viewtopic.php?p=6544#6544

-Bugfix Regex problem wich caused wrong staus display information (Raised by Geert Vackier)

- small bugfix for the language files

New Feature:
Via the advanced button follwing settings are now configurable

- Log settings
- Keepalive
-redirect-gw def1
dhcp-option domain
dhcp-option dns
dhcp-option wins

14.11.2005 third public beta has been released ZERINA-0.9.2b-Installer.tar.gz net2net (client) support will come next week (sorry guys) but i did not had enough time to test

-Compress-Zlip is now removed from the package, cause this now a part of IPCop

-updated Archive::Zip to 1.16

-Due to serveral security fixes OpenVPN 2.05 is now used

- now with swedish language support (thanks to Mats Berndtson )

- revoke certificate, when connection/Certificate is removed.

- now we are using Certificate Revocation List, wich is also viewable via the gui

- it is now possible to generate Certificates without a password.

- Bugfix there is no need to read blue and orange device settings, when they are not abled

- Bugfix mtu parameter was missing in the client conf (raised by Jürgen Schmidt)

- server certificate now is beeing generated with the extension nsCertType=server client conf is using now the new command --ns-cert-type server, to prevent Man in the middle attacks.(raised by Jürgen Schmidt)

- restart after reeboot is now working again

and some other small cosmetics wich i cannot remember anymore
06.09.2005 third public beta has been released ZERINA-0.9.1b-Installer.tar.gz
This release, brings no new functions, we pushed this out, as off the IPCop 1.4.8 Problems with this Addon
It took longer than expacted, as off missing time.
ZERINA now uses OpenVPN 2.0.2 and lzo 2.01
The installer now detects an old installation and keeps the certificates, so no more need to uninstall an old installation.

Now with french language support, thanks to the ixus forum

The next upcoming release (with for example net2net support and lother things) will also be released shortly

Some words,
We want to thank, the IPCop Developer team for theire unbelivable support for IPCOp,
also James Yonan for his funtastic OpenVPN and Mathias Sundman for his great Win32 Client, without them this addon never had been possible.
06.09.2005 Big modify/restructure for new installer/uninstaller, still not the best. Installer automaticly operates in update modus when an old installation is found
03.09.2005 minor fixes for new release
03.09.2005 new file updatefiles wich will be used by the installer bump to Version 0.9.1b
03.09.2005 Proxy support removed, if   proxy support is wnated please use advancedprox with openvpn   support old liblzo removed first step to new install package, the  installer still sucks, and is not finished yet, it will be finished tomorrow
22.09.2005 updated for IPCOp 1.4.8
31.08.2005 added new openvpn 2.02 binary added new lzo 2.01 library Installer still is not changed
22.07.2005 Fix error in  verify script reported by Seboss   http://www.vpnforum.de/viewtopic.php?t=901it remains to say, that   i hate regex :(
16.06.2005 second public beta has been released ZERINA-0.9.0b-Installer.tar.gz
several know bugs are fixed (to much to write them down)
Now support for OpenVPN on BLUE and Orange
The wrapper openvpnctrl was totaly rewritten
New function to download a client package zip archive with certificate(s) + config file
wich reduces the client part to a minimum
New  functionality, display Connections Statistics, adapted from  R.I.Pienaar's php source to perl
New Proxy.cgi with OpenVPN support
New connections.cgi with OpenVPN support
The first beta act during the certificate generation like the original vpnmain.cgi.
The same serial number was assigned to all produced certificates.
We had a small disscussion on this issue on ipcop-dev mailinglist, now this addons assigns
unique serial numbers to each generated certificate, that is the reason, why you have to uninstall
the old release.
20.05.2005 first public beta has been released ZERINA-0.8.5.tar.gz
the missing changes from 11.05.2005 - 20.05.2005 will be written later
11.05.2005 NOTE! If you are upgrading from an earlier release
  1. stop the server
  2. install the new package
  3. open the gui and save the settings (important, as the server settings have changed)
  4. start openvpn again
  5. done
openvpn runs now after init as nobody.nobody
there is a nowing warning message when you stop/restart the server
"ERROR: Linux route delete command failed: shell command exited with error status: 7 "
this happens as off the downgrade to nobody
but the route gets deleted, as the device gets closed
openvpnctrl changed
server.conf extend (user nobody group nobody persist-key persist-tun)
10.05.2005 several Bugfixes
  • upload ca is now working
  • some typos corrected
  • removed blue point at MTU(that indicates not nessecary input)
  • added example for OpenVPN Subnet
  • xtaccess rule for OpenVPN port is now setted correctly
  • removed advanced settings when editing a connection
  • gui opens now with default values if no settings are availible
  • chipher = bf-cbc
  • lzo = on
  • protocol = udp
  • port = 1194
  • mtu = 1400
  • experimental function to disable client connection without revoking the certificate works now
  • status is now IPCop style and will be displayed on the status page 
07.05.2005 initial Alpha release