Bizarre open vpn roadwarrior issue

Hi all

I have run into a truly baffling issue. We run a NethServer OpenVPN basic roadwarrior setup; all was working swimmingly until just recently, when I started having trouble connecting to anything on the network, like the VPN server itself or our CRM system.

We use the OpenVPN client with the standard VPN config file, with only the remote IP adjusted.

Now when I run the client on my laptop (right-click, connect, log in), the icon goes green and all looks connected fine, but I keep getting really intermittent issues: continuous pings run but I can’t connect to the device, then pings drop, then I can connect to the web interfaces.

I have at least 2 other users who are working fine without problems, but other people have now started to experience the same.

As a sanity check, and here is where it gets really weird, I built a new server and put it on an isolated network, so that is a new server, new router, new switch, new user, new config file,

and guess what, same issue. Has something changed for the roadwarrior setup?

My IP range is the 192.168.30.x/23 subnet.

Client config:

######### NethServer OpenVPN client configuration #########

dev tap
port 1194


explicit-exit-notify 1
verb 3

Server config:

dev tap0
ifconfig-pool-persist host-to-net.pool 0

port 1194
script-security 3
dh /var/lib/nethserver/certs/dh1024.pem
ca /etc/pki/tls/certs/NSRV.crt
cert /etc/pki/tls/certs/NSRV.crt
key /etc/pki/tls/private/NSRV.key
crl-verify /var/lib/nethserver/certs/crl.pem
push "dhcp-option DOMAIN localdomain"
push "dhcp-option DNS"
push "dhcp-option WINS"
push "dhcp-option NBDD"
push "dhcp-option NBT 2"

# Authentication: password
auth-user-pass-verify /usr/libexec/nethserver/openvpn-pam-auth via-env

status /var/log/openvpn/host-to-net-status.log
log-append /var/log/openvpn/openvpn.log
keepalive 20 120
client-config-dir ccd
management /var/spool/openvpn/host-to-net unix
verb 3

I’m out of ideas.

Do you use the same user/password for every Roadwarrior client?
I had issues like yours (with a very old NethSecurity 1.5.x product) when some users connected at the same time utilizing the same credentials.

Hi Saito

Every user has a separate username and password. It’s very strange.

Why TAP?

AFAICR NethServer from 6.5 used TUN setup for OpenVPN…

Hi Michael

Tbh, no preference on my part. This is the setup I inherited.

You think I should change this? Happy to look at that. It’s just throwing me
slightly that it has been working fine up until now, and weirder still is that I
still have people working with this setup without issues.

Has anything changed on NethServer recently that makes this setup
redundant? Currently running on v6.8.

I moved to a 6.9 build and same issue; just finishing off a 7.4 build this
morning, will test and confirm.

How would I change to a TUN setup, and what are the advantages of this over TAP?
Will go over the documentation of course, just interested from someone that
has experience.

I used TAP on a different Linux network appliance.
It was “fast and fun”, because in 2-3 steps I was a member of the green network, lying on a bridge. It was easier, because I could access resources on GREEN without routing problems, internet access issues, or thinking about routing for what I was looking for. But if the TAP segment has the same subnetting as the network I am a member of (for instance, if this is the same subnet as the network used by the VPN client) it cannot work.

TUN has quite a few more headaches, but a bit more control over network access and firewalling (even user-based rules), and it can also achieve a hub-and-spoke architecture, therefore you can access IPsec/OpenVPN/DMZ/BLUE network resources from your OpenVPN connection.

At the end of the line, I think you should take a chance to try and verify whether the TUN setup could solve the issue you are experiencing.
Also: do not forget that NAT could help you to ground the network addressing issue to zero.


OK, will give TUN a shot.

So, steps to take: keep the network adapter as green but not bridged,

choose the routed option in roadwarrior mode.

For network settings, what would I put in the network box if my IP range is 192.168.30.x/23 (the VPN server is  would it look like this

The port is already forwarded on the firewall to the VPN server.

Any other steps I need to take?

Is it the same subnet as the GREEN network interface?
If the answer is yes, you are playing it wrong, IMHO.

Yes, it is the same subnet as green. Am I supposed to choose a random one, i.e. does it matter what I choose?

Hi @Matthew99,

@pike is right, you have to choose a different network, should be OK. I have just another 192.168.x.0 network, for instance. I recommend using a network you usually don’t use, to avoid problems like having the same networks on the local/remote and VPN side.

OK so I’m back at the test machine. The server that was running VPN was running a bridged TAP setup with only 1 network card.

Can I run TUN routed on the same box with 1 card?

It does. You should not use subnets which could be used by the OpenVPN clients.
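The subnet-overlap advice from pike (TAP segment sharing the client’s subnet cannot work) and Markus (choose a VPN network the clients will not be on) can be checked mechanically. The following is an added example, not code from the thread or from NethServer; the GREEN LAN is the 192.168.30.x/23 range quoted above and the client-side LANs are constructed, typical home/office ranges. It also shows that 192.168.31.0/24 is not a "different" network here, because the /23 already covers it.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed values for this example: the GREEN LAN quoted in the thread and a
# few LANs that home/office routers commonly hand out to roadwarrior clients.
GREEN_LAN = ipaddress.ip_network("192.168.30.0/23")
COMMON_CLIENT_LANS = [
    ipaddress.ip_network(n)
    for n in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.16.0.0/24")
]

Net = ipaddress.IPv4Network


def conflicts(vpn_pool: str, green: Net = GREEN_LAN,
              client_lans: Iterable[Net] = COMMON_CLIENT_LANS) -> List[Tuple[str, Net]]:
    """Report address ranges that collide with a proposed routed (TUN) VPN pool.

    A roadwarrior client ends up with three routes: its own LAN, the VPN pool and
    the GREEN network pushed by the server. Any two of those overlapping gives the
    kernel competing routes, which shows up as the intermittent reachability the
    thread describes. 192.168.31.0/24 still collides with GREEN because the /23
    spans 192.168.30.0 - 192.168.31.255.
    """
    vpn = ipaddress.ip_network(vpn_pool, strict=False)
    hits: List[Tuple[str, Net]] = []
    if vpn.overlaps(green):
        hits.append(("pool overlaps GREEN", green))
    for lan in client_lans:
        if vpn.overlaps(lan):
            hits.append(("pool overlaps client LAN", lan))
        if green.overlaps(lan):  # pool-independent: only NAT can fix this one
            hits.append(("GREEN overlaps client LAN", lan))
    return hits


def pick_vpn_pool(candidates: Iterable[str], green: Net = GREEN_LAN,
                  client_lans: Iterable[Net] = COMMON_CLIENT_LANS) -> str:
    """Return the first candidate with no pool-related conflict, or "" if none fits."""
    lans = list(client_lans)
    for cand in candidates:
        if not any(label.startswith("pool") for label, _ in conflicts(cand, green, lans)):
            return str(ipaddress.ip_network(cand, strict=False))
    return ""


if __name__ == "__main__":
    for pool in ("192.168.30.0/24", "192.168.31.0/24", "10.8.0.0/24"):
        print(pool, "->", [label for label, _ in conflicts(pool)] or "OK")
    print("suggested pool:", pick_vpn_pool(["192.168.31.0/24", "10.0.0.0/24", "10.8.0.0/24"]))
```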

Thanks Michael. The current server has 1 NIC, is that OK?

I don’t know, never tried that setup.
The TUN/TAP adapter is a virtual adapter, therefore it should work, but I have no direct experience with that.

Hey Markus

Could you assist me with advice on your setup?

I think I am maybe missing something fundamental in the interface config.

How many NICs are required for this setup?

Do I need a red interface set up?

I see loads of documentation but no step-by-step config for that bit.

I have two NICs, red and green.

It works with only a green network too, but you have to port forward the right port (default UDP/1194) to your internal VPN server.

I found this:

My config, but I plan to use passwords too in future…

Thanks for the info Markus

OK so I have my green interface set up with static sub gateway.

Under Roadwarrior I have username and password checked and route.

I run the client and the icon goes green, it says connected with IP but
doesn’t let me connect to any devices on the network.

I’m guessing it’s because I now have an IP of

What am I missing? Am I supposed to add a route somewhere? Or should that
be working at this point?

It should work at this point, NethServer does the routing. I actually use an Android openvpn client, which client do you use? Maybe I can reproduce the problem…

How did you setup your client? Easiest way is to download the config and import it in the client.


OK, I’m rebuilding a new NethServer just for sanity.

I use the OpenVPN client v2.4 on a Windows laptop and download the .vpn file and place it in the config folder.