Client VPN won’t start

Hello, after 20 years with smeserver we decided to start with your great tool. Thanks for your superb work!

My actual problem is to connect my server to my nordnet provider and use our dedicated VPN IP.
I have tried during these last days, opened the firewall… but the client doesn’t want to start; the OpenVPN server starts without problem.

Could someone help me to start the client side?
Which part of the certificate needs to be used?

Nord vpn .conf is:

dev tun
proto udp
remote 1194
resolv-retry infinite
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
reneg-sec 0

explicit-exit-notify 3

remote-cert-tls server

#mute 10000

verb 3
cipher AES-256-CBC
auth SHA512


key-direction 1
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----

NethServer Version: 7
Module: openvpn

Because of the way this was posted, it stripped off the tags which identify which certificate this is. If it is the “cert”, then this is the one that identifies you to the server. “ca” is the public certificate of the server you are connecting to. I’m guessing, based on the “auth-user-pass”, that this should be the “ca”.

What errors are shown in the log?

Is this being run on the NS server or a client machine on your internal network as you may need to include additional iptable rules, via shorewall, for NATting and port forwarding.


I couldn’t get Neth to take my OpenVPN .conf file through the GUI, and when I thought I entered the correct parameters into the GUI manually it wouldn’t connect. I ended up copying the config file to /etc/openvpn/client on my Neth box (named, in my case, pfsense.conf), and then did systemctl enable --now openvpn-client@pfsense. That brought up the service, and it reconnects if there’s an interruption.

Thanks for your help.
This needs to run directly in NS.
I found the way to start it:
systemctl start openvpn-client@MYVPN
but now I can’t direct my local LAN inside the tunnel.

Here’s my tunup script, which sorts out the NATting you need:



# $1 is the device name, as created by openvpn
echo -e "# Masquerade the VPN tunnel" > "$ESMITH_DIR/masq/30UKvpn"
echo -e "$1" >> "$ESMITH_DIR/masq/30UKvpn"
echo -e "" >> "$ESMITH_DIR/masq/30UKvpn"

# Reload the firewall
/sbin/e-smith/signal-event firewall-adjust


:star_struck::star_struck: Hey Hey! I write to you from behind my wall…
Thank you so much for this big help

I made an error!!
Nothing works for the moment

I think we need a little more details than just “It’s broken”.


You’re totally right, sorry

this is the fault with
Job for openvpn-client@fr52.nordvpn.service failed because the control process exited with error code. See "systemctl status openvpn-client@fr52.nordvpn.service" and "journalctl -xe" for details.

Jan 31 00:43:52 server.firewall.3 libvirtd[1389]: 2018-01-30 23:43:52.990+0000: 1389: error : virFileReadAll:1409 : Failed to open file ‘/sys/class/net/tun0/operstate’: No such file or directory
Jan 31 00:43:52 server.firewall.3 libvirtd[1389]: 2018-01-30 23:43:52.990+0000: 1389: error : virNetDevGetLinkInfo:2419 : unable to read: /sys/class/net/tun0/operstate: No such file or directory
Jan 31 00:44:24 server.firewall.3 evebox[1363]: 2018-01-31 00:44:24 (evefileprocessor.go:175) – Total: 0; last minute: 0; EOFs: 60
Jan 31 00:45:24 server.firewall.3 evebox[1363]: 2018-01-31 00:45:24 (evefileprocessor.go:175) – Total: 0; last minute: 0; EOFs: 60

OK, the custom template is not executed with and I don’t understand why

So this is my problem with

[root@server openvpn]# ./
-bash: ./ /bin/bash^M: bad interpreter: No such file or directory

I hope you will agree to help a poor dummy…

Looks like you edited the file on Windows before you put it onto your Neth server.
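A preflight check for the situation diagnosed above, as an added example that is not part of the original thread: it tests whether a script that openvpn calls via --up/--down can actually be executed, and reports CRLF line endings separately. The function names and the path in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example: preflight check for a script that openvpn runs via --up/--down.
# Prints the reason and returns: 1 missing, 2 not executable, 3 no "#!" line,
# 4 CRLF line endings, 5 interpreter not found. Returns 0 when runnable.
check_hook_script() {
    script=$1
    cr=$(printf '\r')
    [ -f "$script" ] || { echo "$script: not found"; return 1; }
    [ -x "$script" ] || { echo "$script: not executable"; return 2; }
    first=$(head -n 1 "$script")
    case $first in
        '#!'*) ;;
        *) echo "$script: first line is not a #! line"; return 3 ;;
    esac
    # With CRLF endings the kernel takes the CR as part of the interpreter
    # path, which bash reports as "/bin/bash^M: bad interpreter".
    case $first in
        *"$cr") echo "$script: CRLF line endings"; return 4 ;;
    esac
    interp=${first#??}          # drop the leading "#!"
    interp=${interp# }          # and one optional space
    interp=${interp%% *}        # keep the path, drop any argument
    [ -x "$interp" ] || { echo "$script: $interp not found"; return 5; }
    return 0
}

# Remove every carriage return from the file, keeping its mode and owner
# (the content is written back into the same inode).
strip_cr() {
    tmp=$(mktemp) || return 1
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (hypothetical path): sh check_hook.sh /etc/openvpn/client/tunup.sh
if [ "$#" -gt 0 ]; then
    check_hook_script "$1"
fi
```

A return code of 4 corresponds to the "bad interpreter" message in the post above; 2 or 5 would also make openvpn report that it could not execute the external program.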

It’s not clear… I use Notepad++ as usual and then chmod, so…
It’s more than 2 days spent just to connect a client VPN!
This is my last log:

OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
WARNING: --ping should normally be used with --ping-restart or --ping-exit
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]
TLS: Initial packet from [AF_INET], sid=1a9ac69d 821dd3d5
WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN,, name=NordVPN,
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN,, name=NordVPN,
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[] Peer Connection Initiated with [AF_INET]
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS,dhcp-option DNS,route-gateway,topology subnet,ping 60,ping-restart 180,ifconfig,peer-id 13,cipher AES-256-GCM'
Options error: option ‘redirect-gateway’ cannot be used in this context ([PUSH-OPTIONS])
Options error: option ‘dhcp-option’ cannot be used in this context ([PUSH-OPTIONS])
Options error: option ‘dhcp-option’ cannot be used in this context ([PUSH-OPTIONS])
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Socket Buffers: R=[212992->425984] S=[212992->425984]
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1657
OPTIONS IMPORT: data channel crypto options modified
Data Channel: using negotiated cipher 'AES-256-GCM'
Outgoing Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Incoming Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 250
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 broadcast
/etc/openvpn/ tun0 1500 1585 init
WARNING: Failed running command (--up/--down): could not execute external program
Exiting due to fatal error

I finally found the right way to configure a NordVPN client in NS, see below.
I just need to know how I can write a custom template for MASQUERADE; if someone could help it would be appreciated.

1. Access your NethServer via command line as root.
2. Create and access the directory where all our configuration files will be stored:
mkdir /etc/openvpn
cd /etc/openvpn
3. Download our configuration files and unzip them:
unzip zip
rm -rf zip
4. Before connecting – you have to add additional rule to the routing table:
iptables -t nat -A POSTROUTING -s -o tun0 -j MASQUERADE
This rule will route all traffic from network via the VPN tunnel. If you use different addresses – change accordingly.

5. To connect to our service type in:
openvpn servername
For example:

6. Type in your NordVPN username and password when asked.
7. The command line will type out this line if successfully connected:
Initialization Sequence Completed
Note: If the VPN cannot start for you and you are getting this output:
ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Then do the following:

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
cat /dev/net/tun
If you receive the message:

cat: /dev/net/tun: File descriptor in bad state
That means your TUN/TAP device is ready for use.

Then repeat steps 5, 6 and 7.

Just need to write in etc/shorewall started this line at the end and all works like a charm

iptables -t nat -A POSTROUTING -s -o tun0 -j MASQUERADE

That’s exactly what I gave you in my tunup script. $1 is the device name, as created by openvpn. You probably need to also create an associated tundown script to remove the rule when openvpn is stopped.

The problem with permanently creating the rule, in shorewall, is that if the firewall is started, like at boot, before the tunnel is created, then it fails, because the tunnel device doesn’t exist.


You need to understand how the e-smith template system works and how often the shorewall files are (could be) updated and re-built.
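A combined up/down hook along the lines suggested above, as an added example that is not part of the original thread: it writes the same masq fragment as the tunup script and removes it again when the tunnel goes down. ESMITH_DIR must be supplied by the caller, as the thread does not show its value; the function name and the RELOAD override are assumptions made for the example.

```shell
#!/bin/sh
# Added example: one hook for both directions, referenced from the client config:
#   script-security 2
#   up   /path/to/this-script
#   down /path/to/this-script
# OpenVPN exports script_type (up|down) and passes the device name as $1.
# ESMITH_DIR must be exported by the caller (its value is not shown in the thread).
FRAGMENT_NAME=30UKvpn        # fragment name used by the tunup script in the thread
RELOAD=${RELOAD:-"/sbin/e-smith/signal-event firewall-adjust"}

vpn_masq_hook() {
    action=$1 dev=$2
    [ -n "${ESMITH_DIR:-}" ] || { echo "ESMITH_DIR is not set" >&2; return 1; }
    fragment=$ESMITH_DIR/masq/$FRAGMENT_NAME
    # The hook runs as root and feeds the firewall build, so accept only a
    # plain interface name.
    case $dev in
        ''|*[!A-Za-z0-9_.-]*) echo "bad device name" >&2; return 2 ;;
    esac
    case $action in
        up)
            printf '# Masquerade the VPN tunnel\n%s\n\n' "$dev" > "$fragment" \
                || return 1 ;;
        down)
            rm -f "$fragment" || return 1 ;;
        *)
            echo "unknown action: $action" >&2; return 2 ;;
    esac
    # Reload the firewall so the change takes effect
    $RELOAD
}

# Run only when called by openvpn, which sets script_type.
if [ -n "${script_type:-}" ]; then
    vpn_masq_hook "$script_type" "${1:-}"
fi
```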