VPN Connections

Hello!

I am trying to set up the VPN so each client has access only to a /24, but I am not sure how to do it, for example:

Client1 → 10.0.0.0/24
Client2 → 10.0.1.0/24
etc…

I have tried to set it up with Remote Network, but from what I understood it is the network for the client, not for what he can access (the client gets access to all networks except the remote network defined).

I don’t really understand if it is possible to do with nethserver.
Thanks in advance for anyone that helps!

Each client => Roadwarrior VPN (not site to site)?

Client would have one IP like 172.16.0.1 and can access only its defined subnet (10.0.0.0/24 for client1 example).

I would like to only have to give a .ovpn file to the client (or whatever other format that allows me to do this).

My problem is routing, the default roadwarrior VPN creates routes for all network interfaces in nethserver (if I’m not in error). What I would like is to change the routes that each client has access to.

IMVHO you should use “per VPN IP” firewall rules.

1 Like

Thanks that worked!

Don’t know if I should create a separated question, but what should I do to delete old vpn users from appearing as an option?

Sorry, would you please add more info on what you’re asking?
I’m not sure i can correctly understand…

You have “too many VPN users”?

For example when creating the rules in firewall there appears options like vpn-rw-client1 that I have deleted from the VPN accounts, and if I create a new client1 the name appears as vpn-rw-client1vpn-rw-client1.
I think it will become worse after, since I will regularly be deleting the vpn files and creating new ones.

You can selectively delete the firewall rules that you don’t need.
Then delete the unnecessary objects used from the rules.

Why create and delete regularly the VPN users?

Thanks! I had missed the objects in the firewall section.

It’s a service that my company will have, where users get access for x time to a subnet that has cloned VMs, and managing with client1, client2, etc. would be easier instead of names (maybe saying regularly wasn’t the best word).

Just so I know I’m not missing anything, it isn’t possible to regenerate keys for a user, making the first ovpn file unusable, without deleting the vpn account, right?

IDK. If you’re using a configuration file with included user-certificate… IMVHO no.

Moreover, the case scenario in mind of NethServer is for employees or well known “guests” (accountancy studios, legal firms, subcontractors, whatever), so long-lasting setups/certificates are seen as less time-loss for managing access.

If you want you can disable the access always via Firewall rules. Sincerely, IDR if there’s any “until that time at that day” for time conditions, but you can still disable the rule if you want. Until re-enabling, the user can connect but should not access anywhere.

Maybe in the future an “expire date” setting/prop will be user accessible. But for that, a feature request is… due.

Thanks for all the help. I was able to accomplish what I intended to do.
From what I see, it won’t be so frequent that I will need to substitute nethserver.

Would you please share what is your “solution” for your need? :wink:

Since my problem was roadwarrior clients having access to all subnets, as pike suggested, I simply created a per VPN IP/CIDR rule for each client VPN.
I’ll simply delete and regenerate all VPN files when the client is no longer allowed access, since I won’t have a big number of clients at the same time.
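The per-client policy the thread settles on (one roadwarrior VPN address, one reachable /24, everything else dropped) is easy to get wrong in ordering or by forgetting the default deny. The following is an added example, not code from the thread or from NethServer: it models that policy in Python, checks a packet's source/destination against it, and renders the same policy as illustrative iptables-style lines. The client addresses and subnets are constructed, and the chain name and the `tunrw` interface name are assumptions rather than NethServer's own objects. It also assumes each roadwarrior account has a fixed (reserved) VPN address, which is what makes a per-IP rule meaningful.

```python
"""Added example (not from the NethServer thread): model a per-client
policy where each roadwarrior VPN IP may reach exactly one /24 and
nothing else, and render it as illustrative iptables-style rules."""
import ipaddress

# Constructed mapping: reserved VPN address of each roadwarrior account ->
# the only destination network that account may reach.
CLIENT_SUBNETS = {
    "172.16.0.10": "10.0.0.0/24",   # client1 (constructed)
    "172.16.0.11": "10.0.1.0/24",   # client2 (constructed)
}


def is_allowed(src_ip: str, dst_ip: str, policy=CLIENT_SUBNETS) -> bool:
    """Default deny: traffic passes only if the source is a known VPN client
    address and the destination falls inside that client's assigned /24.
    An unknown source, or a known source reaching another client's subnet,
    is rejected."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for client_ip, subnet in policy.items():
        if src == ipaddress.ip_address(client_ip):
            return dst in ipaddress.ip_network(subnet)
    return False


def render_rules(policy=CLIENT_SUBNETS, chain="FORWARD", vpn_if="tunrw"):
    """Render the policy as iptables-style lines: one ACCEPT per client,
    then a DROP for anything else entering from the VPN interface.
    Order matters: the DROP must come last. Chain and interface names are
    assumptions for illustration, not NethServer's configuration."""
    lines = []
    for client_ip, subnet in policy.items():
        lines.append(
            f"-A {chain} -i {vpn_if} -s {client_ip}/32 -d {subnet} -j ACCEPT"
        )
    lines.append(f"-A {chain} -i {vpn_if} -j DROP")
    return lines


def check_flows(flows, policy=CLIENT_SUBNETS):
    """Evaluate a list of (src, dst) pairs; returns the subset that would be
    dropped, which is a quick way to audit a policy before deploying it."""
    return [(s, d) for s, d in flows if not is_allowed(s, d, policy)]


if __name__ == "__main__":
    for line in render_rules():
        print(line)
    sample = [("172.16.0.10", "10.0.0.5"),    # client1 -> own subnet: allowed
              ("172.16.0.10", "10.0.1.5"),    # client1 -> client2's subnet: dropped
              ("172.16.0.99", "10.0.0.5")]    # unknown VPN address: dropped
    print("dropped:", check_flows(sample))
```

The point of the trailing DROP is that a deleted account's old address, or any address not in the mapping, gets no access by default; if the accept rules were the only ones, a new client reusing an old reserved address would silently inherit the previous client's reach.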