OpenVPN Tunnel not working



NethServer Version: 7.3.1611
Module: openVPN tunnel

I have 2 sites I need to connect. I use openVPN tunnel on one side the Server, on the other side the Client.
should everyone on the server side also see everything on the client side or do I need to configure on both sides a openVPN tunnel Server and Client?

do I need to open anything on the firewall?

Thank you for your help

(Giacomo Sanchietti) #2

Yes, every client should be able to see any other client.
The firewall is automatically configured to allow the traffic.


well, then its not working :frowning:

on my local site I use network,remote is
on the local Nethserver:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface         UG    0      0        0 ens34   U     0      0        0 tunschwimu     U     1003   0        0 ens34     U     1006   0        0 br0   UG    0      0        0 tunschwimu   U     0      0        0 ens34   UG    0      0        0 tunrw UH    0      0        0 tunrw   U     0      0        0 br0

the Network is used for openVPN Roadwarrior
on the OpenVPN tunnel page under Server the State is green
I cant ping any host, not even the Nethserver on the remote site.

on the Remote Site:
# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface UG 0 0 0 eno1 U 0 0 0 tuncschwimu U 1002 0 0 eno1 U 1003 0 0 eno2 U 0 0 0 eno1 U 0 0 0 eno2 UG 0 0 0 tunrw UH 0 0 0 tunrw UG 0 0 0 tuncschwimu

When I connect to the Remote Site with roadwarrior then I cann “see” the hosts on my local net.

EDIT: I can see only from the Nethserver everything on my local net, with my Laptop connected via Roadwarrior I can’t.


has anyone an idea what could be wrong?

(Filippo Carletti) #5

Look in /etc/openvpn/ccd/<vpn_name>. If you find route <lan> <netmask> change route to iroute (add an i at the beginning).
Then restart the vpn and let us know if it fixes.


I found route and changed it to iroute.

did’nt change anything :frowning:

after a reboot it works.
Thank you for your great help

(Filippo Carletti) #7

Thank you for the feedback.
Please, could you post your vpn configuration?
Either a screenshot of the web UI or the output of the command db vpn show (erase your psk).


still not working as expected
from my laptop I cannot accsess the other net. as soon as I’m at the other location I’ll try the other way.

(Thomas Spalovsky) #9

I’m new here (sorry about my English). I have the same problem. Anyone with a solution?

(Giacomo Sanchietti) #10

I just released a testing rpm, see:

Try to install the update:

yum --enablerepo=nethserver-testing update nethserver-openvpn

Then access the web interface and try to make a change, then click the submit button.

@Thomas_Spalovsky @pnemenz could you check if the update works?


did not change anything for me.
now I have a red exclamation on the openVPN tunnels page :frowning:

btw. I did the update on both nethserver installations.

in wich log could I see whats wrong?


(Giacomo Sanchietti) #12

Please check the content of /etc/openvpn/ccd/ files.

Logs are available here:


in /etc/openvpn/ccd/ there is a tunnel file with content iroute and then the correct network and mask

I find in the logs of the client:

TLS: Initial packet from [AF_INET] (via [AF_INET], sid=a8e4cdf9 4f0db9d7
VERIFY ERROR: depth=0, error=certificate revoked: C=–, ST=SomeState, L=XXX, O=xxxx, OU=xxxx, CN=xxxx, emailAddress=xx@xxx.xx.xx
OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
BIO read tls_read_plaintext error
XXX.XXX.XXX.XXX:58482 TLS Error: TLS object -> incoming plaintext read error
TLS handshake failed
XXX.XXX.XXX.XXX:58482 SIGUSR1[soft,tls-error] received, client-instance restarting

I don’t see anything on the server side.

(Giacomo Sanchietti) #14

You’re client is using a revoked certificate.
It could happen if the other end point is a NethServer and you changed the certificate values.
In this case, download again the certificate and copy it to the client.


I already did this.twice :smiley:


after I deleted the tunnel and made a new one,opend the port on the router it seems like the tunnel is now working from one net to the other.

what NOT is working right now:
If I am connected to either of the nethserver via roadworrier, I see only the net behind the nethserver I’m connected to. What do I have to do to see the other net?


(Giacomo Sanchietti) #17

If you want to reach another VPN network behind your firewall, you need to manually add a route to your client.