Nethserver on Proxmox


(Beat Arnet) #1

NethServer Version: 7.4.1708
Module: VPN/Firewall

So I have successfully installed and configured Nethserver with OpenVPN and the Basic Firewall on two physical servers.

I now attempted to install Nethserver virtualized on my Proxmox machine, and seem to be having multiple network related issues.

On Proxmox, I have these two virtual Networks:

auto vmbr1
iface vmbr1 inet manual
	bridge_ports enp4s0
	bridge_stp off
	bridge_fd 0

auto vmbr2
iface vmbr2 inet manual
	bridge_ports enp6s0
	bridge_stp off
	bridge_fd 0

I use these networks to set up two virtual network devices for my Nethserver virtual machine:

Network Device (net0) - virtio=F2:XX:XX:XX:XX, bridge=vmr2
Network Device (net1) - virtio=66:XX:XX:XX:XX, bridge=vmr1

In Nethserver, those network devices provide the Green and Red ports.

I then installed the OpenVPN module and created a road warrior profile.

The first oddity (compared to my other two physical installations) is that I am unable to reach nodes on the Green network through VPN (but the connection to the Nethserver works).

traceroute to (, 64 hops max, 52 byte packets
1 ( 261.543 ms 19.583 ms 145.094 ms
2 * *^Z
[1]+ Stopped traceroute

I subsequently installed the basic firewall, and tried to configure a rule for openvpn, but got the following error message:

I also have a FreeNAS virtual machine on the same Proxmox machine connected to the Nethserver Green network. Strangely, FreeNAS is unable to obtain an IP address via DHCP, while a virtual Win10 machine, also connected to the Green network, is able to do so…

So now I wonder: Are there any special network related configurations required to run Nethserver with OpenVPN and Shorewall in a virtualized environment?

Any hints would be much appreciated.

(Michael Träumner) #2

Perhaps it helps to create dummy interfaces at nethserver instead of creating virtual devices at proxmox.
Please have a look here:

(Andreas Schloegl) #3

Hello @bjarnet I have a similar configuration as you do running on an external provider (root server) as well as running on proxmox. If you have proxmox it’s easier to install a second network card to have red and green interface available. If you run on an external provider you usually only get one hardware interface and need to add a virtual nic to have red and green interface.
You do not need to do anything special on proxmox side!

Verify your network service settings:

Firewall rules should show this (automatically):

My openvpn settings are these:

I’m running the same version of nethserver as you do. I have not seen these shorewall error msg before.
I suggest you try to fix shorewall issues on command line level before.

(Michael Träumner) #4

Here is also a Howto for installing nethserver on proxmox:

But it’s only a general Howto.

(Beat Arnet) #5

Hello all - thank you for your assistance!

@asl: I “fixed” the shorewall issues by reinstalling Nethserver from scratch. The automatic firewall rules as per your screenshot are set accordingly.

@m.traeumner: I did review the tutorial, thanks. Regarding the dummy interface, my server has two physical NICs. One (red) is connected to the Internet Router (DHCP), the second (green) is supposed to provide the DHCP/routing for my LAN, which includes both virtual machines and physical machines.

With shorewall fixed, I conducted some further testing, and concluded that the problem is most likely with the virtual Win7 machine on the (green) LAN that I was trying to reach via VPN. From this VM, I can reach Nethserver and, through it, the Internet on red, but the machine cannot ping any other machines on the LAN, nor can it be pinged by any other machines on the LAN, including Nethserver.

An Ubuntu VM on the same LAN does not have this problem and can be reached when I connect to Nethserver via VPN.

This particular Win7 VM was imported from VirtualBox, and I suspect that something is wrong with the Network driver (I chose “e1000”). I might try to install the VirtIO driver to see if that fixes the problem.

So no problem with Nethserver on Proxmox, and likely just a badly configured Win VM.

Thanks again for the support!

(Michael Träumner) #6

Do you have an Internet Security product installed on this machine? Sometimes they block the ping. Here are some examples:

(Beat Arnet) #7

Problem solved:

I had to switch my bridge to DHCP, so that it will receive an IP address from Nethserver.

iface vmbr2 inet dhcp
        bridge_ports enp6s0
        bridge_stp off
        bridge_fd 0

Now all members of the LAN can ping one another.

Thanks again to all for the support.

(Michael Träumner) #8

Can you please mark the answer as the solution?