
Accessing Proxmox via OpenVPN with Network Conflict Resolution on Arch Linux

If you’re trying to access your Proxmox server through OpenVPN and encountering network conflicts, particularly when both your local and remote networks use the 192.168.0.x subnet, this guide will help you resolve these issues. We’ll cover everything from initial setup to certificate management.

This guide uses NetworkManager rather than a system service. I decided to go this way to be able to switch the VPN off and on.

Prerequisites

  • Arch Linux (though principles apply to other distributions)
  • NetworkManager
  • OpenVPN configuration file (.ovpn)
  • Root access to your system

Initial Setup

1. Install Required Packages

pacman -S networkmanager-openvpn
systemctl status NetworkManager

2. Import OpenVPN Configuration

Using NetworkManager GUI:

  • Click NetworkManager applet
  • Navigate to VPN Connections -> Configure VPN
  • Select Add -> Import VPN connection
  • Choose your .ovpn file

Fixing Network Conflicts

1. Identify Current Routes

ip route
# Look for conflicting 192.168.0.0/24 routes

2. Correct Routing

# Remove conflicting route
sudo ip route del 192.168.0.0/24 via <default-gateway>
# Add specific route for Proxmox
sudo ip route add 192.168.0.0/24 via <vpn-gateway> dev tun0

Connection Verification

1. Basic Connectivity Tests

# Check VPN interface
ip a show tun0
# Test basic connectivity
ping 192.168.0.<proxmox-ip>
# Interface-specific ping
ping -I tun0 192.168.0.<proxmox-ip>
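When both networks use 192.168.0.x, a ping reply does not show whether the Proxmox host or a local machine with the same address answered. The added example below (not part of the original guide) parses `ip route get` output to confirm that the kernel sends traffic for the Proxmox address through tun0; the function names, the address 192.168.0.10 and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm which interface the kernel uses for a destination.

# egress_dev: read `ip route get <addr>` output on stdin and print the
# interface named after the first "dev" keyword.
egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# check_via_vpn <route-get-output> <vpn-interface>
# Succeeds only when the egress interface is the VPN interface.
check_via_vpn() {
    cvv_dev=$(printf '%s\n' "$1" | egress_dev)
    [ -n "$cvv_dev" ] && [ "$cvv_dev" = "$2" ]
}

# Constructed samples of `ip route get 192.168.0.10`:
# before the route fix (traffic stays on the local Wi-Fi network) ...
BEFORE='192.168.0.10 dev wlp2s0 src 192.168.0.23 uid 1000'
# ... and after it (traffic goes to the VPN gateway over tun0).
AFTER='192.168.0.10 via 10.0.8.1 dev tun0 src 10.0.8.6 uid 1000'

for sample in "$BEFORE" "$AFTER"; do
    dev=$(printf '%s\n' "$sample" | egress_dev)
    if check_via_vpn "$sample" tun0; then
        echo "OK: traffic leaves via $dev"
    else
        echo "WRONG PATH: traffic leaves via $dev, not tun0"
    fi
done

# Live use, before opening the web interface or sending credentials:
#   check_via_vpn "$(ip route get 192.168.0.10)" tun0 || echo "not routed via VPN"
```
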

2. HTTPS Testing

# Standard HTTPS test (will fail with self-signed cert)
curl https://192.168.0.<proxmox-ip>:8006
# Bypass SSL verification (for testing)
curl -k https://192.168.0.<proxmox-ip>:8006
# With proper CA file (on your local machine, use the path of your copy of pve-root-ca.pem)
curl --cacert /etc/pve/pve-root-ca.pem https://192.168.0.<proxmox-ip>:8006

Certificate Management

System-Wide Certificate Trust

On macOS:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain proxmox-cert.pem

On Linux (Arch):

sudo cp proxmox-cert.pem /etc/ca-certificates/trust-source/anchors/
sudo update-ca-trust

Firefox Certificate Setup

  1. Clean existing certificates (this removes all certificates and trust settings stored in the profile):
rm -rf ~/.mozilla/firefox/*.default-release/cert*.db
  2. Import certificate:
  • Open Firefox Settings
  • Navigate to Privacy & Security -> View Certificates
  • Import proxmox-cert.pem
  • Trust for website identification
  3. Disable CSP temporarily if needed:
  • Enter about:config in URL bar
  • Set security.csp.enable to false

Obtaining Proxmox Certificate

# From Proxmox server
cp /etc/pve/pve-root-ca.pem proxmox-cert.pem
# Transfer to local machine

Accessing Proxmox

After completing the setup, access your Proxmox interface:

https://192.168.0.<proxmox-ip>:8006

Troubleshooting

Common Issues and Solutions

  1. Connection Drops
  • Recheck routing table
  • Verify VPN connection status
  • Ensure no route conflicts
  2. Certificate Errors
  • Verify certificate installation
  • Check browser certificate store
  • Confirm proper trust settings
  3. Network Connectivity
# Check routes
ip route | grep "192.168.0"
# Test connectivity
ping -c 3 192.168.0.<proxmox-ip>

Important Notes

  • Route changes are temporary and reset after reboot
  • Consider adding permanent routes via NetworkManager
  • Be cautious with self-signed certificates in production
  • Always backup network settings before making changes
  • Different operating systems have different certificate trust stores
  • Firefox maintains its own certificate store

Security Considerations

  • Using -k with curl bypasses SSL verification (unsafe for production)
  • Self-signed certificates require explicit trust configuration
  • Always verify certificate fingerprints before trusting
  • Consider using proper CA-signed certificates for production environments
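
One way to carry out the fingerprint check before trusting the certificate, as an added example that is not part of the original guide. It assumes `openssl` is installed and that the expected SHA-256 fingerprint was read on the Proxmox console itself (by running the same `openssl x509` command on /etc/pve/pve-root-ca.pem); the function names and sample fingerprints are constructed.

```shell
#!/bin/sh
# Added example: install proxmox-cert.pem as a trust anchor only when its
# SHA-256 fingerprint matches a value obtained out of band.

# normalize_fp: drop any "sha256 Fingerprint=" prefix, colons and spaces,
# and uppercase the hex digits so two notations can be compared.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# cert_fp <pem-file>: SHA-256 fingerprint line as printed by openssl.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# fp_matches <fp-a> <fp-b>: succeed only for two equal 64-digit fingerprints.
fp_matches() {
    fpm_a=$(normalize_fp "$1")
    fpm_b=$(normalize_fp "$2")
    [ "${#fpm_a}" -eq 64 ] && [ "$fpm_a" = "$fpm_b" ]
}

# trust_if_verified <pem-file> <expected-fingerprint>
# Refuses to touch the trust store when the fingerprints differ.
trust_if_verified() {
    if ! fp_matches "$(cert_fp "$1")" "$2"; then
        echo "fingerprint mismatch: not trusting $1" >&2
        return 1
    fi
    sudo cp "$1" /etc/ca-certificates/trust-source/anchors/ &&
        sudo update-ca-trust
}

# Constructed sample values (not real certificate fingerprints).
SAMPLE_OPENSSL='sha256 Fingerprint=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'
SAMPLE_SAME='0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
SAMPLE_OTHER='0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdee'

# Usage: trust_if_verified proxmox-cert.pem "<fingerprint read on the server>"
```
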

To persist routing between reboots:

  1. Create the dispatcher script:

sudo nano /etc/NetworkManager/dispatcher.d/02-vpn-routes

  2. Add this content:

#!/bin/bash
IF=$1
STATUS=$2

if [ "$IF" = "tun0" ] && [ "$STATUS" = "up" ]; then
    # Wait a few seconds for the interface to be fully up
    sleep 2
    # Delete the conflicting route
    /usr/bin/ip route del 192.168.0.0/24 dev wlp2s0
    # Add the route through VPN
    /usr/bin/ip route add 192.168.0.0/24 via 10.0.8.1 dev tun0
    # Log the change
    logger "VPN routes updated for tun0"
fi

  3. Make it executable:

sudo chmod +x /etc/NetworkManager/dispatcher.d/02-vpn-routes

This should be enough to handle the routing automatically whenever the VPN connects. No service needed!

This guide should help you successfully set up and access your Proxmox server through OpenVPN, even when dealing with conflicting network configurations. Remember to adjust IP addresses and paths according to your specific setup.

Final thoughts.

I spent two days trying to open the connection to the Proxmox server via OpenVPN. I’d say it’s very sad that my beloved Arch Linux has such weak integration with OpenVPN, which is quite popular.

It might be my lack of knowledge though.

It’s easier to set it up at system service level, but I didn’t test it. Just ask any chat 🙂
