Nexapp - OpenVPN Road Warrior
OpenVPN Road Warrior
Road Warrior is a mode of OpenVPN designed for remote users. It allows laptops, phones, and home PCs to securely access a private network from anywhere on the Internet. Connections are encrypted end-to-end, keeping traffic private even over untrusted networks.
OpenVPN is widely supported with free clients available for Windows, macOS, Linux, Android, and iOS.
Note: Before configuring Road Warrior, make sure you have already set up and understood the User Database (local or remote), because OpenVPN accounts are bound to it.
Server Configuration
NexappOS runs an OpenVPN server that waits for remote clients to connect.
The service must be reachable from the Internet on its listening port (default: 1194/UDP).
Multiple clients can connect at the same time. Each authenticated client receives an IP address from a dedicated VPN network, and uses that address to communicate with internal resources.
Create a new OpenVPN Road Warrior server
- Go to VPN → OpenVPN Road Warrior
- Click Create server
- Fill in the fields:
Server name
Friendly name for the OpenVPN Road Warrior server.
User database
Select the authentication source (local users, LDAP, Active Directory, etc.). This association cannot be changed after the server is created.
Create an account for each user
One-time option (shown only during server setup). If enabled, NexappOS automatically creates a VPN account for every user in the selected database. Certificates are valid for 3650 days.
Mode
- Routed (default / recommended): clients join a virtual VPN network and can route to internal networks.
- Bridged: clients behave as if they are on the same LAN. Use only when you specifically need L2 bridging.
Authentication mode
- Username and password
- Certificate (recommended)
- Username, password and certificate
- Username, certificate and OTP (requires client OTP support/configuration)
VPN network
The virtual subnet assigned to VPN clients. NexappOS suggests an uncommon pool to reduce overlap risk.
Dynamic range IP start / end
Defines the DHCP-like pool for clients. Reserved IPs must be outside this range.
Public IP / hostname of this unit
Auto-filled from WAN interfaces. These addresses are embedded into client profiles. Order matters: clients try the first address, then fail over to the next.
- Click Create to finalize.
Advanced Settings
You can optionally tune:
- Protocol: UDP (default) or TCP
- Port: 1194 (default)
- Route all client traffic through VPN: if enabled, all user traffic (including Internet traffic) goes through the tunnel. Useful for full-tunnel monitoring, but adds latency and bandwidth use.
- Push network routes: networks that clients must reach through the tunnel. LAN networks are auto-added.
- Allow client-to-client traffic: lets VPN clients talk to each other. Usually left disabled, since it lets any VPN client reach every other connected client.
- Compression: not recommended; can create security/performance issues. If changed, clients must re-download their configuration.
- Digest: SHA-256 (default)
- Cipher: AES-256-GCM (default)
- Minimum TLS version: enforce lower-bound TLS compatibility
- Custom DHCP options: push DNS/WINS/NTP/etc. to clients
Supported DHCP Options
- DNS [addr] – push one or more DNS servers
- WINS [addr] – push WINS servers
- NBDD [addr] – NetBIOS datagram distribution servers
- NTP [addr] – push NTP servers
- NBT [type] – NetBIOS node type (1/2/4/8)
- NBS [scope-id] – NetBIOS scope
- DISABLE-NBT [1] – disable NetBIOS over TCP/IP
Repeat options to send multiple values.
VPN Accounts
After the server exists, create user accounts:
- Click Add VPN account
- Fill in:
User
Select one user from the chosen database.
Reserved IP (optional)
Static client IP within the VPN network but outside the dynamic range. Useful for firewall rules and predictable access. Leave empty for dynamic assignment from the pool.
Certificate expiration (days)
Default is 3650.
- Save the account.
Export client configuration
For each account:
- Open the account menu
- Click Download configuration
This produces a ready-to-import OpenVPN profile containing:
- server address list
- ports/protocol
- certificates and keys
If server settings change (mode, auth, compression, etc.), users must download the configuration again.
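Before handing a downloaded profile to a user, it is worth confirming that it still carries the defaults described under Advanced Settings (AES-256-GCM, SHA-256, a minimum TLS version, no compression) and the ordered server address list. The script below is an added example, not part of the NexappOS documentation or code base: it parses the standard OpenVPN client-config format (one directive per line plus inline `<ca>`/`<cert>`/`<key>` blocks) and reports deviations. The sample profile inside it is constructed; the exact directives a real NexappOS export contains are an assumption.

```python
"""Check an exported OpenVPN client profile against the defaults described above.

Added example, not part of the NexappOS documentation or code base. It parses
the standard OpenVPN client-config format (one directive per line plus inline
<ca>/<cert>/<key> blocks) and reports deviations from the defaults this page
describes: AES-256-GCM cipher, SHA-256 digest, an enforced minimum TLS
version, no compression, an ordered 'remote' list and embedded credentials.
The sample profile below is constructed and is not a real NexappOS export.
"""
import re

# Constructed sample: OpenVPN directive syntax, fake addresses, fake PEM bodies.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
remote 198.51.100.10 1194
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...constructed...
-----END PRIVATE KEY-----
</key>
"""

INLINE_OPEN = re.compile(r"^<([a-z][a-z0-9-]*)>$")


def parse_profile(text):
    """Return (directives, blocks).

    directives is a list of (name, args) in file order, so repeated
    directives such as 'remote' keep the fail-over order the server wrote;
    blocks maps an inline tag (ca, cert, key, ...) to its body text.
    """
    directives, blocks = [], {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                 # inside an inline block
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        m = INLINE_OPEN.match(line)
        if m:
            current = m.group(1)
            continue
        name, *args = line.split()
        directives.append((name, args))
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks


def first_arg(by_name, name):
    """First argument of the first occurrence of a directive, or None."""
    occurrences = by_name.get(name)
    if not occurrences or not occurrences[0]:
        return None
    return occurrences[0][0]


def check_profile(text):
    """Return a list of findings; an empty list means the profile matches
    the defaults described on this page."""
    directives, blocks = parse_profile(text)
    by_name = {}
    for name, args in directives:
        by_name.setdefault(name, []).append(args)

    findings = []
    if "remote" not in by_name:
        findings.append("no remote: profile has no server endpoint")
    if first_arg(by_name, "cipher") != "AES-256-GCM":
        findings.append("cipher is not AES-256-GCM")
    if first_arg(by_name, "auth") != "SHA256":
        findings.append("digest is not SHA-256")
    if "tls-version-min" not in by_name:
        findings.append("no tls-version-min: TLS lower bound not enforced")
    # 'comp-lzo' always enables compression; 'compress <algo>' does too,
    # except the 'stub' variants, which only keep the framing byte.
    compress_algo = first_arg(by_name, "compress")
    if "comp-lzo" in by_name or compress_algo not in (None, "stub", "stub-v2"):
        findings.append("compression enabled")
    if "ca" not in blocks:
        findings.append("missing inline <ca>: server certificate cannot be verified")
    has_cert = "cert" in blocks and "key" in blocks
    if not has_cert and "auth-user-pass" not in by_name:
        findings.append("no client certificate and no auth-user-pass")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PROFILE
    problems = check_profile(text)
    print("\n".join(problems) if problems else "profile matches the documented defaults")
```

Run it as `python3 check_profile.py client.ovpn`; with no argument it checks the embedded sample. Because the profile embeds the user's private key, keep the downloaded file on the admin workstation only as long as the check takes, or run the script on the machine the user will import it on.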
Other account actions
- Disable – blocks the user and disconnects active sessions immediately
- Regenerate certificate – revokes old cert and creates a new one
- Delete – permanently removes the account and certificate
Client Behavior
- Connected clients belong to the rwopenvpn zone, which is treated as trusted. By default, they can access LAN resources and the WAN.
- MultiWAN failover: clients try the WAN endpoints in order.
- Single session per account: one account can be connected by only one device at a time. A second login kicks the first session.
Client Software
Supported by all major platforms:
- Windows: Official OpenVPN client
- macOS: TunnelBlick or official OpenVPN client
- Linux: OpenVPN packages available in most distros
- Android: OpenVPN Connect
- iOS: OpenVPN Connect
MTU Issue and Packet Fragmentation
VPN traffic adds encapsulation and encryption overhead. If the encapsulated packets exceed the path MTU, users may experience packet drops or slow connections.
Fix this by lowering the MTU on the server TUN interface (and the TCP MSS clamp with it):
uci set openvpn.ns_roadwarrior1.tun_mtu='1300'
uci set openvpn.ns_roadwarrior1.mssfix='1250'
uci commit openvpn.ns_roadwarrior1
/etc/init.d/openvpn restart ns_roadwarrior1
Adjust values if your environment needs slightly higher/lower MTU.
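To pick the value rather than guess it, measure the largest packet that reaches the unit unfragmented from the affected network. The script below is an added example, not NexappOS code: it drives the system `ping` with the Linux iputils don't-fragment flags (`-M do`, `-s`) and binary searches the payload size. The probe function is injectable, so the search logic can be exercised without network access; the `ns_roadwarrior1` instance name in the output hint is the one used on this page, and the default target address is a placeholder.

```python
"""Measure the path MTU toward a host with don't-fragment ICMP probes.

Added example, not NexappOS code. It drives the system 'ping' binary using
the Linux iputils flags (-M do sets DF, -s sets the ICMP payload) and binary
searches the largest size that is answered. The probe function is injectable
so the search can be tested without network access.
"""
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload):
    """Send one ICMP echo of `payload` bytes with DF set; True if answered.
    Assumes Linux iputils ping: a size above the path MTU is either rejected
    locally ('message too long') or unanswered, and ping exits non-zero."""
    result = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def find_path_mtu(host, lo=576, hi=1500, probe=ping_df):
    """Largest MTU in [lo, hi] whose DF probe succeeds, or None if even
    `lo` fails. Each probe sends (mtu - IP_ICMP_OVERHEAD) bytes of payload."""
    if not probe(host, lo - IP_ICMP_OVERHEAD):
        return None
    best = lo
    lo += 1
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(host, mid - IP_ICMP_OVERHEAD):
            best, lo = mid, mid + 1      # fits: search upward
        else:
            hi = mid - 1                 # too big: search downward
    return best


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder
    mtu = find_path_mtu(target)
    if mtu is None:
        print(f"no DF probe to {target} was answered, even at 576 bytes")
    else:
        print(f"path MTU toward {target}: {mtu} bytes")
        print("set tun_mtu below this value minus the tunnel's own encapsulation "
              "overhead, e.g. uci set openvpn.ns_roadwarrior1.tun_mtu='...'")
```

Run it from a client on the problematic network against the unit's public address. The tunnel's own headers (UDP, OpenVPN framing, cipher tag) consume part of the measured path MTU, so the 1300/1250 pair above is a conservative starting point; raise it only if the measured value leaves room.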
Connection History
Each connect/disconnect event is logged to a RAM-based SQLite database.
- View it in the Connection history tab.
- Filter by date/time/account.
- Export with Download server history (CSV).
History is lost after reboot unless the unit is connected to a Controller, in which case history is forwarded and visible in Historical Monitoring.
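The exported history is also a useful input for detection. Because each account holds a single session and a second login kicks the first, a credential shared between two devices (or copied to one the user does not own) shows up as two addresses repeatedly displacing each other. The script below is an added example, not NexappOS code, that replays such an export and flags those accounts. The CSV column names it expects (`timestamp`, `account`, `event`, `remote_address`) are assumed, since this page does not document the export layout, and the rows are constructed.

```python
"""Find accounts whose single session keeps being taken over.

Added example, not NexappOS code. This page states that each account can hold
one session, that a second login kicks the first, and that the history can be
exported as CSV. The column names below (timestamp, account, event,
remote_address) are assumed; the real export may differ. The rows are
constructed.
"""
import csv
import io

# Constructed sample export: ISO timestamps, one row per connect/disconnect.
SAMPLE_CSV = """\
timestamp,account,event,remote_address
2024-05-02T08:00:12Z,alice,connect,198.51.100.20
2024-05-02T08:03:40Z,alice,connect,203.0.113.77
2024-05-02T08:03:41Z,alice,disconnect,198.51.100.20
2024-05-02T08:05:02Z,alice,connect,198.51.100.20
2024-05-02T08:05:03Z,alice,disconnect,203.0.113.77
2024-05-02T09:10:00Z,bob,connect,192.0.2.9
2024-05-02T11:30:00Z,bob,disconnect,192.0.2.9
2024-05-02T12:00:00Z,alice,disconnect,198.51.100.20
"""


def parse_history(text):
    """Rows as dicts, sorted by timestamp (ISO 8601 sorts lexically)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return sorted(rows, key=lambda r: r["timestamp"])


def find_takeovers(rows):
    """Replay the events and return (account, time, old_addr, new_addr) for
    every connect that displaced a still-open session from another address.
    A disconnect for an address that no longer holds the slot is the kicked
    session closing and is ignored."""
    open_session = {}  # account -> remote address currently holding the slot
    takeovers = []
    for r in rows:
        acct, addr = r["account"], r["remote_address"]
        if r["event"] == "connect":
            prev = open_session.get(acct)
            if prev is not None and prev != addr:
                takeovers.append((acct, r["timestamp"], prev, addr))
            open_session[acct] = addr
        elif r["event"] == "disconnect":
            if open_session.get(acct) == addr:
                del open_session[acct]
    return takeovers


def flag_accounts(rows, threshold=2):
    """Accounts with at least `threshold` takeovers, with their counts."""
    counts = {}
    for acct, _ts, _old, _new in find_takeovers(rows):
        counts[acct] = counts.get(acct, 0) + 1
    return {a: n for a, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = parse_history(SAMPLE_CSV)
    for acct, ts, old, new in find_takeovers(rows):
        print(f"{ts} {acct}: session from {old} displaced by {new}")
    print("flagged:", flag_accounts(rows))
```

A flagged account is a prompt to talk to the user and, if the second device is not theirs, to use Regenerate certificate or Disable on the account as described above. Since the on-box history does not survive a reboot, run this against the Controller's forwarded history or schedule the CSV export.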