How to choose, use and configure a VPN in NethServer (Tutorial)

Choosing the Right VPN Solution for NethServer

NethServer is an RPM-based, CentOS-derived distribution tailored to small offices and home offices. It uses yum (or dnf on version 8) for package management, and is typically managed through its Cockpit-powered web interface rather than a traditional desktop environment. Server administrators working with NethServer expect a modular approach: you install “modules” for mail, DNS, web proxy and indeed VPN. With that in mind, the best VPN solutions for NethServer are those that can be deployed as modules or easily integrated via the command line, leverage EPEL when necessary, and play nicely with systemd and Cockpit.

The usual audience for NethServer tends to be sysadmins who prefer minimal GUI dependencies (no GNOME or KDE by default) and rely heavily on SSH, Cockpit, and the config engine (NethServer’s in-house wrapper around nethserver-install and yum). Any VPN you choose should respect this ecosystem, integrate with the existing firewall template engine, and be easy to back up via NethServer’s built-in backup tool.

Top VPN Solutions for NethServer

  • OpenVPN (NethServer Module)
    – Official module, tightly integrated with Cockpit, automatic firewall rules, certificate management via web UI.
  • StrongSwan (IPsec)
    – Industrial-grade IPsec, available via EPEL, systemd unit integration, site-to-site and road-warrior support.
  • WireGuard
    – Lightweight, kernel-level performance, packaged in EPEL for CentOS 8 (Rocky 8), requires manual config for CentOS 7 but fully functional on NethServer 8.
  • SoftEther VPN
    – Multi-protocol support (SSL-VPN, L2TP, OpenVPN cloning), but no official NethServer module so requires manual RPM or tarball installation.

Comparative Overview

Solution       | Integration           | Protocol                                | Management                  | Kernel Support
OpenVPN Module | Cockpit & Web UI      | OpenVPN (UDP/TCP)                       | Web certificate manager     | Userland, requires no extra kernel module
StrongSwan     | CLI & systemd         | IPsec (IKEv2)                           | ipsec.conf & ipsec.secrets  | Built into kernel
WireGuard      | CLI & manual          | WireGuard UDP                           | wg-quick & wg               | Requires kernel ≥5.6 (available in EPEL for NS8)
SoftEther VPN  | CLI & web-based admin | SSL-VPN, L2TP/IPsec, OpenVPN, MS-Secure | vpncmd or SoftEther Manager | Userland daemon

Deep Dive: Installation & Configuration

1. OpenVPN (NethServer Module)

The built-in module is by far the quickest way to get road-warriors connected. It handles certificates, firewall, and routing automatically.

  1. Enable the VPN module:

    yum install nethserver-openvpn
    config set vpn.OpenVPNEnabled true
    signal-event nethserver-openvpn-update
          
  2. Generate server certificates via Cockpit’s VPN section and create user profiles. The module will drop .ovpn files into /etc/e-smith/openvpn.
  3. Distribute the .ovpn files to clients; they connect with any OpenVPN client:

    sudo openvpn --config client-profile.ovpn
          

2. StrongSwan (IPsec)

For sites requiring IPsec tunnels or IKEv2 road-warriors, StrongSwan is rock solid.

  1. Install from EPEL and enable the service:

    yum install epel-release
    yum install strongswan
    systemctl enable --now strongswan
          
  2. Edit /etc/strongswan/ipsec.conf:

    config setup
      uniqueids=never
    
    conn roadwarrior
      keyexchange=ikev2
      left=%any
      leftcert=serverCert.pem
      leftsendcert=always
      leftsubnet=0.0.0.0/0
      right=%any
      rightauth=eap-mschapv2
      rightsourceip=10.10.10.0/24
      rightsendcert=never
      eap_identity=%identity
          
  3. Add credentials in /etc/strongswan/ipsec.secrets:

    : RSA serverKey.pem
    user1 : EAP password123
          
  4. Reload configuration:

    systemctl reload strongswan
          

3. WireGuard

On NethServer 8 (Rocky 8 base), WireGuard is available in EPEL. It gives you super-efficient tunnels.

  1. Enable EPEL and install:

    yum install epel-release
    yum install kmod-wireguard wireguard-tools
          
  2. Generate server keys:

    umask 077    # new key files are created readable by root only
    wg genkey | tee /etc/wireguard/server.private | wg pubkey > /etc/wireguard/server.public
          
  3. Create /etc/wireguard/wg0.conf:

    [Interface]
    Address = 10.200.200.1/24
    ListenPort = 51820
    PrivateKey = <contents of /etc/wireguard/server.private>
    
    [Peer]
    PublicKey = <client's public key>
    AllowedIPs = 10.200.200.2/32
          
  4. Bring up the interface:

    systemctl enable --now wg-quick@wg0
          

Each of these solutions taps into NethServer’s robust RPM-based OS, integrates with systemd, and can be backed up using the native backup-data tool. OpenVPN is unbeatable for a quick, user-friendly setup; StrongSwan excels in enterprise-grade IPsec; and WireGuard offers low-latency, kernel-driven performance when running on NethServer 8. Choose the one that best fits your network topology and client compatibility requirements.
