OpenVPN Tunnel not working

NethServer Version: 7.3.1611
Module: openVPN tunnel

I have 2 sites I need to connect. I use openVPN tunnel on one side the Server, on the other side the Client.
should everyone on the server side also see everything on the client side or do I need to configure on both sides a openVPN tunnel Server and Client?

do I need to open anything on the firewall?

Thank you for your help

Yes, every client should be able to see any other client.
The firewall is automatically configured to allow the traffic.

well, then its not working :frowning:

on my local site I use network,remote is
on the local Nethserver:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface         UG    0      0        0 ens34   U     0      0        0 tunschwimu     U     1003   0        0 ens34     U     1006   0        0 br0   UG    0      0        0 tunschwimu   U     0      0        0 ens34   UG    0      0        0 tunrw UH    0      0        0 tunrw   U     0      0        0 br0

the Network is used for openVPN Roadwarrior
on the OpenVPN tunnel page under Server the State is green
I cant ping any host, not even the Nethserver on the remote site.

on the Remote Site:
# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface UG 0 0 0 eno1 U 0 0 0 tuncschwimu U 1002 0 0 eno1 U 1003 0 0 eno2 U 0 0 0 eno1 U 0 0 0 eno2 UG 0 0 0 tunrw UH 0 0 0 tunrw UG 0 0 0 tuncschwimu

When I connect to the Remote Site with roadwarrior then I cann “see” the hosts on my local net.

EDIT: I can see only from the Nethserver everything on my local net, with my Laptop connected via Roadwarrior I can’t.

has anyone an idea what could be wrong?

Look in /etc/openvpn/ccd/<vpn_name>. If you find route <lan> <netmask> change route to iroute (add an i at the beginning).
Then restart the vpn and let us know if it fixes.

I found route and changed it to iroute.

did’nt change anything :frowning:

after a reboot it works.
Thank you for your great help

Thank you for the feedback.
Please, could you post your vpn configuration?
Either a screenshot of the web UI or the output of the command db vpn show (erase your psk).

still not working as expected
from my laptop I cannot accsess the other net. as soon as I’m at the other location I’ll try the other way.

I’m new here (sorry about my English). I have the same problem. Anyone with a solution?

I just released a testing rpm, see:

Try to install the update:

yum --enablerepo=nethserver-testing update nethserver-openvpn

Then access the web interface and try to make a change, then click the submit button.

@Thomas_Spalovsky @pnemenz could you check if the update works?

did not change anything for me.
now I have a red exclamation on the openVPN tunnels page :frowning:

btw. I did the update on both nethserver installations.

in wich log could I see whats wrong?


Please check the content of /etc/openvpn/ccd/ files.

Logs are available here:

in /etc/openvpn/ccd/ there is a tunnel file with content iroute and then the correct network and mask

I find in the logs of the client:

TLS: Initial packet from [AF_INET] (via [AF_INET], sid=a8e4cdf9 4f0db9d7
VERIFY ERROR: depth=0, error=certificate revoked: C=–, ST=SomeState, L=XXX, O=xxxx, OU=xxxx, CN=xxxx, emailAddress=xx@xxx.xx.xx
OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
BIO read tls_read_plaintext error
XXX.XXX.XXX.XXX:58482 TLS Error: TLS object -> incoming plaintext read error
TLS handshake failed
XXX.XXX.XXX.XXX:58482 SIGUSR1[soft,tls-error] received, client-instance restarting

I don’t see anything on the server side.

You’re client is using a revoked certificate.
It could happen if the other end point is a NethServer and you changed the certificate values.
In this case, download again the certificate and copy it to the client.

I already did this.twice :smiley:

after I deleted the tunnel and made a new one,opend the port on the router it seems like the tunnel is now working from one net to the other.

what NOT is working right now:
If I am connected to either of the nethserver via roadworrier, I see only the net behind the nethserver I’m connected to. What do I have to do to see the other net?


If you want to reach another VPN network behind your firewall, you need to manually add a route to your client.