Nexapp - Custom OpenVPN Tunnel

Custom OpenVPN Tunnel

This guide explains how to configure an OpenVPN client on NexappOS using a .ovpn configuration file (example: myvpn.ovpn) provided by a third-party VPN service. The tunnel is created via CLI and will start automatically at boot.


Prerequisites

  • A valid OpenVPN configuration file from your VPN provider (e.g., myvpn.ovpn)
  • SSH access to the NexappOS terminal
  • Familiarity with UCI (NexappOS configuration system)

Important Notes (CLI-only Tunnel)

  • This procedure does not validate the configuration you enter. It is intended for advanced users.
  • Tunnels created this way do not appear in the NexappOS UI. They can be managed only from CLI.
  • Avoid naming conflicts: Do not use the same tunnel name in CLI and UI. There are no safeguards, and conflicts may break configuration.

Configure the VPN

1) Copy the .ovpn file into /etc/openvpn/

From your workstation:

scp myvpn.ovpn root@<NEXAPPOS_IP>:/etc/openvpn/

Then, on NexappOS, fix ownership and permissions:

chmod 644 /etc/openvpn/myvpn.ovpn
chown root:root /etc/openvpn/myvpn.ovpn

2) Create the OpenVPN client section in UCI

Add a new OpenVPN client called myvpn, link the file, and enable it:

uci add openvpn openvpn
uci rename openvpn.@openvpn[-1]='myvpn'
uci set openvpn.myvpn.enabled='1'
uci set openvpn.myvpn.config='/etc/openvpn/myvpn.ovpn'
uci commit openvpn

3) Start the VPN immediately

/etc/init.d/openvpn restart

This restarts all OpenVPN instances and brings up myvpn.


4) Verify the VPN is running

Check process list:

ps -ef | grep myvpn

Expected output should include something like:

/usr/sbin/openvpn ... --config myvpn.ovpn ...

Confirm --config myvpn.ovpn matches your file.

Follow logs to ensure connection succeeds:

tail -f /var/log/messages | grep openvpn

You should see entries indicating a successful TLS handshake and tunnel up.

Note: The configuration name myvpn, the UCI section name myvpn, and the file name myvpn.ovpn must stay consistent. If you rename one, update all references.
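The guide notes that the UCI procedure performs no validation of the profile it registers. The script below is an added example, not part of the Nexapp guide, that puts a pre-flight check in front of steps 1 to 4: it refuses a profile with no client or remote directive, refuses an auth-user-pass file that is missing or readable by group/others, registers the tunnel with the same uci commands as above, and then compares the --config value in the process list with the expected file name. It assumes BusyBox /bin/sh on NexappOS; the function names, the SAMPLE_PS line and the assumption that relative paths in the profile resolve against the profile's own directory are mine, not the page's.

```shell
#!/bin/sh
# Added example, not part of the Nexapp guide: pre-flight checks for a
# CLI-only OpenVPN tunnel before it is registered in UCI. Assumes BusyBox
# /bin/sh on NexappOS; everything else is plain POSIX sh.

# ovpn_preflight FILE
# The UCI procedure accepts any file, so catch the common mistakes first:
# missing file, no client/remote directive, or an auth-user-pass file that
# is absent or readable by group/others. Returns 0 if usable, 1 otherwise.
ovpn_preflight() {
    f=$1
    [ -f "$f" ] || { echo "preflight: missing $f" >&2; return 1; }
    grep -Eq '^[[:space:]]*(client|tls-client)([[:space:]]|$)' "$f" \
        || { echo "preflight: no 'client' directive in $f" >&2; return 1; }
    grep -Eq '^[[:space:]]*remote[[:space:]]+[^[:space:]]+' "$f" \
        || { echo "preflight: no 'remote' directive in $f" >&2; return 1; }

    # First argument of auth-user-pass, if the directive carries one.
    auth=$(sed -n 's/^[[:space:]]*auth-user-pass[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f" | head -n 1)
    if [ -n "$auth" ]; then
        # Assumption: a relative path is taken relative to the profile's
        # directory (the expected "--config myvpn.ovpn" ps line suggests
        # openvpn runs with its working directory there).
        case $auth in /*) ;; *) auth="$(dirname "$f")/$auth" ;; esac
        [ -f "$auth" ] || { echo "preflight: auth file $auth missing" >&2; return 1; }
        # Columns 5-10 of 'ls -l' are the group and other permission bits;
        # the guide requires mode 600, i.e. all six must be '-'.
        [ "$(ls -ld "$auth" | cut -c5-10)" = "------" ] \
            || { echo "preflight: $auth must be mode 600" >&2; return 1; }
    fi
    return 0
}

# vpn_config_from_ps
# Reads ps output on stdin and prints the value following --config on the
# first openvpn line, so a check can compare it with the expected file name.
vpn_config_from_ps() {
    grep '/usr/sbin/openvpn' | sed -n 's/.*--config[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' | head -n 1
}

# register_tunnel NAME FILE
# The UCI steps from the guide, run only after the pre-flight check passes.
register_tunnel() {
    name=$1; f=$2
    ovpn_preflight "$f" || return 1
    chmod 644 "$f" && chown root:root "$f"
    uci add openvpn openvpn
    uci rename "openvpn.@openvpn[-1]=$name"
    uci set "openvpn.$name.enabled=1"
    uci set "openvpn.$name.config=$f"
    uci commit openvpn
    /etc/init.d/openvpn restart
    # Confirm the instance came up with the expected profile.
    [ "$(ps -ef | vpn_config_from_ps)" = "$(basename "$f")" ]
}

# Constructed sample of a ps line (not real output) for trying vpn_config_from_ps.
SAMPLE_PS='root  1234  1  0 10:00 ?  00:00:00 /usr/sbin/openvpn --syslog openvpn(myvpn) --status /var/run/openvpn.myvpn.status --cd /etc/openvpn --config myvpn.ovpn'

# Usage on the device: register_tunnel myvpn /etc/openvpn/myvpn.ovpn
```

register_tunnel returns non-zero if the pre-flight check fails, so nothing is written to UCI for a profile that cannot work; the permission check uses ls rather than stat because its output columns are the same on BusyBox and GNU coreutils.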


Optional: Configure Username/Password Authentication

If the provider requires credentials, create an auth file:

vi /etc/openvpn/myvpn.auth

Insert:

<username>
<password>

Secure it:

chmod 600 /etc/openvpn/myvpn.auth
chown root:root /etc/openvpn/myvpn.auth

Reference it in the .ovpn file:

echo "auth-user-pass /etc/openvpn/myvpn.auth" >> /etc/openvpn/myvpn.ovpn

Note: Always keep auth files at permission 600 to protect secrets.


Allow Traffic Through the VPN (Firewall Setup)

To route or permit traffic through this tunnel, the recommended approach is:

  1. Fix the tunnel interface name
  2. Create a dedicated firewall zone
  3. Attach the tunnel device to the zone

1) Fix the VPN device name

Edit the OpenVPN config:

vi /etc/openvpn/myvpn.ovpn

Change:

dev tun

to:

dev tunmyvpn
dev-type tun

Warning: Interface names must not exceed 13 characters.


2) Create a firewall zone in the UI

In NexappOS:

  • Go to Firewall → Zones & Policies
  • Add zone named: myzone
  • Configure allowed forwards/access as required

3) Attach the tunnel device to the zone (CLI)

The zone is addressed by its UCI section name (ns_myzone for the zone named myzone above):

uci add_list firewall.ns_myzone.device='tunmyvpn'
uci commit firewall
/etc/init.d/firewall restart

Now the VPN interface is consistently named and enforced by that zone.
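The three firewall steps above are manual edits that are easy to get wrong (a device name over the stated 13-character limit, a second dev-type line after re-editing, the same device appended to the zone list twice). The script below is an added example, not the Nexapp guide's own code, that performs them: it validates the interface name against the page's limit, rewrites the dev line in the profile while keeping exactly one dev-type line, and attaches the device to the zone only if it is not already listed. It assumes BusyBox /bin/sh, awk and uci on NexappOS; the function names and the conservative [A-Za-z0-9_] character set for interface names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the Nexapp guide: pin the tunnel's interface name
# in the .ovpn profile and attach it to a firewall zone. Assumes BusyBox
# /bin/sh, awk and uci on NexappOS; the 13-character limit is the one the
# guide states. ZONE_SECTION is the zone's UCI section (ns_myzone in the guide).

# valid_tun_name NAME: non-empty, at most 13 characters, [A-Za-z0-9_] only
# (the character set is a deliberately conservative assumption).
valid_tun_name() {
    n=$1
    [ -n "$n" ] && [ ${#n} -le 13 ] || return 1
    case $n in *[!A-Za-z0-9_]*) return 1 ;; esac
    return 0
}

# pin_dev_name FILE NAME
# Rewrites the first 'dev ...' line as 'dev NAME' followed by 'dev-type X'.
# X comes from an existing dev-type line if there is one, otherwise from the
# original device value (tap* -> tap, anything else -> tun). Every existing
# dev-type line is dropped so the result holds exactly one, which makes the
# function safe to run more than once.
pin_dev_name() {
    f=$1; name=$2
    valid_tun_name "$name" || { echo "pin_dev_name: bad interface name '$name'" >&2; return 1; }
    [ -f "$f" ] || { echo "pin_dev_name: missing $f" >&2; return 1; }
    existing=$(sed -n 's/^[[:space:]]*dev-type[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f" | head -n 1)
    out="$f.tmp.$$"
    awk -v n="$name" -v dt="$existing" '
        $1 == "dev-type" { next }             # re-emitted once, right after dev
        $1 == "dev" && !done {
            if (dt == "") dt = ($2 ~ /^tap/) ? "tap" : "tun"
            print "dev " n; print "dev-type " dt; done = 1; next
        }
        { print }
        END { if (!done) { print "dev " n; print "dev-type " (dt == "" ? "tun" : dt) } }
    ' "$f" > "$out" && mv "$out" "$f"
}

# attach_to_zone ZONE_SECTION DEV
# The uci steps from the guide, skipped when DEV is already in the zone's
# device list so repeated runs do not grow the list.
attach_to_zone() {
    zone=$1; dev=$2
    valid_tun_name "$dev" || return 1
    case " $(uci -q get "firewall.$zone.device") " in
        *" $dev "*) ;;
        *) uci add_list "firewall.$zone.device=$dev" && uci commit firewall ;;
    esac
    /etc/init.d/firewall restart
}

# Usage on the device:
#   pin_dev_name /etc/openvpn/myvpn.ovpn tunmyvpn && attach_to_zone ns_myzone tunmyvpn
#   /etc/init.d/openvpn restart   # the new device name takes effect on restart
```

pin_dev_name writes to a temporary file and renames it over the profile, so a failed awk run leaves the original untouched; after pinning, restart openvpn as in step 3 of the configuration section so the tunnel comes up with the new device name before the zone rule is relied on.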


Disable the Tunnel

If you want to stop auto-startup:

uci set openvpn.myvpn.enabled='0'
uci commit openvpn
/etc/init.d/openvpn restart

Only tunnels with enabled='1' will come back up after the restart.
