help to understand openvpn

there are two types of openvpn in the settings

  1. roadwarrior

  2. openvpn

  3. used when you hook up users

  4. I do not understand why then did ? an entire subnet is allocated and it does not allow you to make two connections using one certificate .

there are 5 Mikrotik-initially made settings in openvpn, created a server port subnet, thought that from this subnet will be issued tunnel addresses to my devices, but it does not allow one certificate to connect multiple devices. Good people explain why then this type of connection . And right h realized that Mikrotik need to connect via roadwarrior ?



And welcome to the Nethserver forum!

Maybe when asking a question about NethServer, it may help to explain why you’re talking about Microtik?
What does Microtik created VPNs have to do with NethServer?

A few simple statements like:
I want NethServer to be my firewall and gateway, also for VPN.
I have a Microtik router that I need to connect to the Internet (from my provider).
Would help a lot in understanding your situation / network - and give you usefull pointers…

NethServer can be your firewall, no need for Microtik.

Using the same certificate is for several users is actually a security no-go: how would you stop one user alone from using VPN?

An entire subnet is allocated, to allow your users to use these addresses when connecting.
This has nothing to do with the certificate, see above.

If connected as such:

Internet - Microtik - NethServer (RED) - NethServer - NethServer (GREEN) - LAN - Your-PC

You have no need to use VPN to connect to your router (microtik)!
Just enter in the internal IP adress of your Microtik.
Note: the RED and GREEN networks must be different!

My 2 cents


Thank you for such promptness!
I’ll try to tell you what it is about!
I am using centos7 as gateway and openvpn server.
Found that there is nethserver decided to test it and there were questions, although everything is clear, but:

I have, say, 100 offices with their subnets 10.10.1-100.0 / 24 as routers there are mikrotik, I want them to connect to my nerhserver.
On centos, I know how to do this without any questions. But how is this done correctly on nethserver?
What I ran into:
i started creating openvpn server
Created - allocated a pool of addresses - everything works fine.
I started to connect mikrotik, distributed one certificate that I downloaded on the web, and found out that they could not work under one certificate! They’re taking the session away from each other!
I thought it means that each mikrotik has its own server, but no, it’s 100 ports, assign a subnet to each mikrotik for one connection !?
And then I thought it means we need to do this in a road warrior? do you need to use roadwarrior to connect offices with their own subnets?
If so, why then OpenVPN server (which is not a roadwarrior)?
Tell us how to do it right?
I did not find any explanatory documentation and the answer, so I ask this question!


In VPNs, there’s basically two typical situations, and this applies to all VPNs, no matter if IPsec, OpenVPN or Wireguard…

  • Site2Site: This is to connect two sites together. Can be understood also as server to server connection. (NethServer is the server on one / both sites)
  • Roadwarrior: This is the user with a notebook or tablet “on the road”, that is from anywhere, and wants / needs to connect with the site. This is a typical client / server application. (NethServer is the server)

As I understand you, you probably need about 100 site2site VPNs, and maybe a few additional RoadWarrior VPNs, say for yourself as supporter.
This depends on the capabilities of the other Microtics, if they can be OpenVPN Server or only Client.

As Microtik is the router, you may need to add in a portforwarding (1194, the default port of OpenVPN) from your Microtik to your NethServer (At the sites where you have a NethServer).

Note: The same port can be used for multiple VPN connections (at the same time!).
But not the same certificate. BTW: NethServer CAN generate Certs for your other sites.
For OpenVPN, it’s accepted best practice that you generate a certificate for each connection. Each certificate can be individually be revoked, if needed. As you generate the certs, there’s no shortage!
It would be advisable to additionally use a LetsEncrypt SSL cert to the domain name of your NethServer (externally reachable!).

My 2 cents


Example remote subnet
I go to the server and configure the connection address pool for this connection example
Configuring connections, the remote point received an SP from the subnet.
Now we set up another point, take the keys for the connection and find that there is no way to connect 2 or more points using one key!
Then why should I give so many addresses from the pool for the sake of one end, the rest will be free, for what ??? You can make subnet 29, but again, why so many addresses for one connection?
It is wrong to create 100 server instances and issue such a pool to each connection.
Or how are certificates generated for a specific connection?

I don’t want to discourage you from using Nethserver but @Andy_Wismer and myself might agree that you should consider a dedicated firewall OS such as PfSense (my preference) or OPNSense (Andy’s preference) that are purpose built to do exactly what you intend. Though the firewall/VPN setup is officially supported I tend to find that I always move away from Nethserver for routing/firewall to PfSense because it offers many more features with half the headache.


I think now the answer
On centos 7, you issue your certificate to each client and it connects to one server instance. for example, to the server x.x .x .x: 1195 with a pool of addresses, you can connect different clients but with different certificates.
I have not found where and how to issue certificates for different clients in Nethserver.
In the roadwarrior server, everything is clear there - you go to the Roadwarrior accounts, create and receive a certificate.
Where to issue certificates for OpenVPN tunnels ?!
Roadwarrior accounts looking for certificates in both OpenVPN tunnels and roadwarrior?

thank you very much for your reply

I’m already testing OPNSense, everything is clear and understandable.
But now I have problems how to make friends switch channel and OpenVPN.
support is 1000 times worse than here.

Great respect to you and many thanks for answering and helping to sort out the questions



If you have an OPNsense question, send me a PM…
Royce is right in that sense, I do have 30 clients using OPNsense, and a few friends and myself using OPNsense at home… :slight_smile:
All clients and at home I use a hardware box (PCEngines), some friends have OPNsense virtualized in Proxmox.
On OPNsense, I tend to use IPsec for site2site and OpenVPN for Roadwarrior VPNs.
This is VERY stable!



Thank you for offering to help solve my question. :slightly_smiling_face:
It is with great pleasure that I want to write to you and learn from people like you, but I cannot find how to write to you in a private message. :pensive:


Click on the Name/Symbol/Logo next to the message, a small summary of the person will appear, along with a message option

1 Like

Do not consider it rude, but I did it right away, even went to your page.

1 Like

Can I ask You to write me a private message ?

Tell me how to issue certificates for clients so that they can connect to the server that is OpenVPN tunnels?