Create VPN Client, not net2net

@filippo_carletti After downloading a copy of NS and installing it under VirtualBox to investigate, I eventually found where the Client OpenVPN configuration is built. It’s not built from templates, but from /etc/e-smith/events/actions/nethserver-openvpn-genclient

Is there an official way to override this script?

Also, is it possible to trigger a script when the Client tun interface is started, to make updates to the firewall based on the tun IPs?

Cheers.

Why? Can you please explain the problem and not the solution?
TIA

@zamboni As explained throughout the thread. I would like to start an OpenVPN Client session to a paid VPN Provider, not a net2net session.

Cheers.

It is only IPsec, so you want NS to be a client of a paid VPN and an OpenVPN server for internal users!

I think that’s not the file you’re interested in.
You need an OpenVPN config file; you could even copy it from your working system.

The working file probably already has scripts triggered by tun going up.

What I’m saying: do not think about templates, actions and events now. Make it work, we will create customizations together if necessary.

So @EddieA, I have created a client VPN, pasted the certificate there in the box, and it connected to the external VPN. Then I created a local VPN server with another routed network that does not match any others.
All works fine, BUT @filippo_carletti OpenVPN creates one Shorewall zone, ovpn, for both the client instance and the server instance! I think that @EddieA wants to MASQUERADE the OpenVPN CLIENT to the OpenVPN SERVER network.
That is why the client instance should create a separate Shorewall zone for further management.
That is why the Shorewall log shows:
Shorewall:sfilter1:DROP:IN=tun0 OUT=tun1 SRC=10.10.1.6 DST=172.16.1.5
Finally, make some changes to Shorewall:
mkdir /etc/e-smith/templates-custom/etc/shorewall/policy
cp /etc/e-smith/templates/etc/shorewall/policy/20policy_openvpn /etc/e-smith/templates-custom/etc/shorewall/policy/20policy_openvpn
Then edit the file:

vi /etc/e-smith/templates-custom/etc/shorewall/policy/20policy_openvpn
Add the line:
ovpn ovpn ACCEPT

Finally run:
signal-event firewall-adjust

And don't forget about routing between the OpenVPN networks if you need it :slight_smile:

@nas: could you please add new posts instead of editing the same one many times?
Thank you

If a zone had multiple interfaces and neither ‘routefilter’ nor
’routeback’ was specified on the interfaces, then traffic between
the interfaces could fail with a log message such as this one:

Sep  4 22:20:41 pilot kernel: [427181.381412] Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4

So one of the improvements is to add to the Shorewall interfaces:
ovpn tun+ routeback
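
An added example (not from any poster or from NethServer) that scans kernel log lines for the sfilter drops discussed above and reports the zones where traffic was dropped between two interfaces of the same zone, which is the symptom the routeback option addresses. The zone map, the eth0/eth1 names and all sample lines except the first are constructed assumptions.

```python
import re

# Assumed zone map (hypothetical; mirror your own Shorewall interfaces file).
# A trailing "+" is Shorewall's wildcard: "tun+" matches tun0, tun1, ...
ZONE_INTERFACES = {"ovpn": ["tun+"], "loc": ["eth0"], "net": ["eth1"]}

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):"
    r"IN=(?P<inif>\S*) OUT=(?P<outif>\S*)"
    r"(?:.*?SRC=(?P<src>\S+))?(?:.*?DST=(?P<dst>\S+))?"
)

SAMPLE_LOG = [
    # First line is the one quoted in the thread; the rest are constructed.
    "Shorewall:sfilter1:DROP:IN=tun0 OUT=tun1 SRC=10.10.1.6 DST=172.16.1.5",
    "Sep  4 22:21:02 gw kernel: Shorewall:sfilter1:DROP:IN=tun1 OUT=tun0 "
    "SRC=172.16.1.5 DST=10.10.1.6",
    "Sep  4 22:21:09 gw kernel: Shorewall:net-fw:DROP:IN=eth1 OUT= "
    "SRC=192.0.2.7 DST=198.51.100.2",
]

def zone_of(iface):
    """Map an interface name to its zone, honouring the '+' wildcard."""
    for zone, patterns in ZONE_INTERFACES.items():
        for p in patterns:
            if iface == p or (p.endswith("+") and iface.startswith(p[:-1])):
                return zone
    return None

def intra_zone_drops(lines):
    """Return (zone, in_if, out_if, src, dst) for sfilter drops inside one zone."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "DROP" or not m["chain"].startswith("sfilter"):
            continue
        zin, zout = zone_of(m["inif"]), zone_of(m["outif"])
        if zin is not None and zin == zout and m["inif"] != m["outif"]:
            hits.append((zin, m["inif"], m["outif"], m["src"], m["dst"]))
    return hits

def zones_needing_routeback(lines):
    """Zones whose interfaces drop traffic routed between their own members."""
    return sorted({hit[0] for hit in intra_zone_drops(lines)})

if __name__ == "__main__":
    for zone, inif, outif, src, dst in intra_zone_drops(SAMPLE_LOG):
        print(f"zone {zone}: {inif} -> {outif} dropped ({src} -> {dst})")
    print("zones to review:", zones_needing_routeback(SAMPLE_LOG))
```

Both changes in the thread apply to the whole ovpn zone: with tun+ in a single zone, `ovpn ovpn ACCEPT` permits forwarding between every tunnel, client and server instances alike, which is the reason a separate zone for the client instance was suggested above.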

@filippo_carletti I understand that I can just create my config file and as long as NS is using the standard way of starting the daemons, which it appears to be, letting OpenVPN look for the files in /etc/openvpn, then everything will work. It’s not quite that easy in Zentyal as they hold the files in a subdirectory and pass the path to openvpn, hence having to hack their configurator.

What I was trying to do, was to incorporate my Client set-up into the NS framework, so that I could use the UI to just change the host and NS would automatically take care of the stop/start etc.

Cheers.

@Nas I’m not sure what you mean: MASQUERADE OpenVPN CLIENT to OpenVPN SERVER Network

All I am trying to do is set up 2 distinct and separate VPN instances. One is a server, that will allow me to connect to my system when I am working on the road.

The other is a client, that I will use to send “some” outbound requests to, the remainder of the requests going to my “normal” ethernet WAN. I have a series of iproute/ip settings that take care of the routing, which I will have to replicate in ShoreWall.

Cheers.

So post your ip route and we will try to help you.