OpenVPN problem LAN unreachable

NethServer Version: 7.9
Module: OpenVPN RoadWarrior

Hi guys,
I’ve seen there are a lot of topics about similar questions, but I still haven’t found any solution (hope it isn’t a problem :slight_smile: )

Actually I’ve installed a NethServer on a site, with a single green interface (LAN, network 192.168.10.x/24); after that I installed the OpenVPN module and configured a RoadWarrior server (certificate-only authentication).

I want to connect from outside (VPN host 2 network), and since the NethServer isn’t the router/firewall, there is a forwarding by my router (I call my public IP on the VPN port, and the router redirects the call to

The connection worked at the first try, but not everything works correctly: I can only ping the NethServer (, but I can’t reach other hosts on the LAN

So I’ve tried to use my NethServer as a gateway for a host; after that the host becomes contactable, but it can’t reach the internet. I’ve read that the trick can be shorewall clear, but if the NethServer restarts this doesn’t remain

I have 2 questions: 1: is there a way to ping or connect to the rest of the LAN without using NS as gateway? In the logs there is a “shorewall sfilter drop packets”, and I don’t know how to modify it (I have the basic firewall module installed). 2: if there is no way to do it, how do I make shorewall clear permanent?

Thanks in advance

You should try putting a routing rule on your router/firewall (the device that is the default gateway of your network) so that, for the IP class you have assigned to the VPN, the gateway is the IP address of the NethServer

you have assigned to the vpn the class
the ip of your nethserver is

You have to create a router rule on the firewall/router so for addresses the gateway is

hi @saitobenkei,
I’ve already tried it, and it still doesn’t work. I think it isn’t a problem of the router, but of the shorewall; the forward works and I reach the NS. I don’t think that the route is ruled by the router once I’m connected to the VPN server

Also try checking that in the Nethserver configuration interface (cockpit), under “system” → “Trusted networks,” the network class associated with the VPN is entered.

From the above example there should be a network with netmask

If it is not there try entering it.

However, the point in the previous post also applies, if the gateway is not the nethserver, the other devices will respond to the ping of the vpn to the router/gateway and not to the nethserver running the VPN.
The rule described above is precisely to redirect the responses from the router to the nethserver, which will then forward it into the VPN.

Already checked and updated the trusted network, it is not that.
I understood the point in the previous post, but that is not the problem. I reach the NethServer with my VPN, so it’s the NethServer, which should forward my request to the LAN, that blocks my request;
I’m actually working at the same place with a VPN on Zentyal; my goal is to replace it, but Zentyal works in the same way:
call to public IP, forward by the router to the private IP of Zentyal, and I can connect to all devices on the LAN.
I do the same with NethServer, call public IP, forward by the router to the private IP of NS ( but I can only see it

Who is the DNS in your OpenVPN configuration?



hi @transocean
In the OpenVPN configuration there isn’t a DNS option; if you mean the “Push DHCP option” that also opens options on a DNS (I don’t understand that), it’s disabled

If you mean the settings of the NethServer, the first DNS is the router ( and the second is

I think when your Nethserver is also the DNS in your LAN, you have to put him in the Configfile of your Client.
But I can also be wrong with this.

my NS is not the DNS, the router is also the DNS server (for the wan)
I only need to ping / connect from my tunnel to the rest of the LAN, other than NethServer which is ok

Thanks for your answer :pray:

Hi @fffeal

You will also need a route on your router pointing to “the other side” and using your NethServer as a gateway / router…

At the moment, if you’re pinging from Site 2 to Site 1, your servers will try to respond. As they only have a default route (to your router) they will send the response to the ping there. That router doesn’t (yet) know about any “other” site, and forwards the packets to the Internet, your Provider.

And your provider, correctly, discards internal IP packets…

→ Your router needs to know how to route packets destined for the other Site…

My 2 cents
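The return path described in the post above, worked through as an added example that is not part of the original thread. All addresses are constructed assumptions (the thread's real router, NethServer and tunnel addresses are not shown); the tables model a LAN host, the router without and with the static route, and a host that uses the NethServer as its gateway.

```python
import ipaddress

# Constructed addresses (assumptions, not values from the thread)
LAN = "192.168.1.0/24"
ROUTER = "192.168.1.1"        # default gateway of the LAN
NETHSERVER = "192.168.1.10"   # OpenVPN RoadWarrior server on the LAN
VPN_NET = "10.8.0.0/24"       # tunnel network handed to VPN clients
VPN_CLIENT = "10.8.0.6"

def next_hop(table, dst):
    """Longest-prefix match: return the gateway chosen for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in table
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def reply_path(host_table, router_table, dst):
    """Follow a LAN host's reply to dst hop by hop."""
    path = ["lan-host"]
    hop = next_hop(host_table, dst)
    if hop == ROUTER:
        path.append("router")
        hop = next_hop(router_table, dst)
        if hop == "isp":
            # Private destination leaves towards the provider and is discarded.
            path.append("isp (dropped)")
            return path
    if hop == NETHSERVER:
        path += ["nethserver", "vpn-client"]
    return path

# Routing tables as (network, gateway) pairs
host_default = [(LAN, "direct"), ("0.0.0.0/0", ROUTER)]
host_ns_gw = [(LAN, "direct"), ("0.0.0.0/0", NETHSERVER)]
router_plain = [(LAN, "direct"), ("0.0.0.0/0", "isp")]
router_with_route = router_plain + [(VPN_NET, NETHSERVER)]

if __name__ == "__main__":
    cases = {
        "no static route": (host_default, router_plain),
        "static route on router": (host_default, router_with_route),
        "host uses NethServer as gateway": (host_ns_gw, router_plain),
    }
    for name, (host, router) in cases.items():
        print(f"{name}: {' -> '.join(reply_path(host, router, VPN_CLIENT))}")
```
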

Hi @Andy_Wismer , thanks for replying,

I show you some images about my situation, but unfortunately if I set a route on my router, nothing happens; this is the route I’ve added on the router:

(now it’s disabled because it doesn’t work), the network is the tunnel VPN network; the point is that with Zentyal the connection works without touching the router!

If I use NS IP as gateway in the LAN all is OK, but I need to reach the LAN without this!
Maybe it’s the router that doesn’t work well…

I think maybe you’re right.
I’ve never used TP-Link, so I cannot talk from experience…

The route you added looks fine, I’ve used that in similar cases, but…

My 2 cents


Hi all!
Today I’ve replicated the same situation on another site, this time with a different router (PosteMobile), and this time too the route on it didn’t work; I can reach NS and hosts that have it as gateway, but not the rest of the LAN.

I keep thinking that the problem is the shorewall on NS, for 3 reasons:

first: with another router, nothing changed; it’s so strange that 2 routers out of 2 can’t make a static route

second: if I trace the packets, they arrive at NS and at the other host, but the packets for the unreachable host are stopped at the NS IP

third: although I don’t understand how shorewall works (also because it won’t let me go on the internet when it’s up), in the log I keep seeing it drop packets; it seems these are related to the connection to the internet (?), but I’m not sure about that:

I’m going to look into how this firewall properly works, it drives me crazy :laughing:

If someone has suggestions, they are welcome!


It seems to me that there is an error on that route:

the gateway must be (as per previous posts it is the IP of the nethserver)

Sorry, my bad, the network is 192.168.1.x, in my first post I’ve written 10; anyway, that is not the problem, I’ve tried even with the IP of the NS in the tunnel, and it didn’t work