This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the OpenVPN 2.4 man page and the OpenVPN documentation. OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT. Additionally it has support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.
OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. It supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.
OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of IPSec but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).
- 1 Installation
- 2 Kernel configuration
- 3 Connect to a VPN provided by a third party
- 4 Create a Public Key Infrastructure (PKI) from scratch
- 5 A basic L3 IP routing configuration
- 5.1 Example configuration
- 5.2 The server configuration file
- 5.3 The client config profile
- 5.4 Converting certificates to encrypted .p12 format
- 5.5 Testing the OpenVPN configuration
- 5.6 Configure the MTU with Fragment and MSS
- 5.7 IPv6
- 6 Starting OpenVPN
- 7 Routing client traffic through the server
- 8 L3 IPv4 routing
- 9 DNS
- 10 L2 Ethernet bridging
- 11 Config generators
- 12 Troubleshooting
- 13 See also
Install the package, which provides both server and client mode.
- NetworkManager OpenVPN — NetworkManager VPN plugin for OpenVPN.
- QOpenVPN — Simple OpenVPN GUI written in PyQt for systemd based distributions.
OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the
Kernel config file
Device Drivers --> Network device support [M] Universal TUN/TAP device driver support
Read Kernel modules for more information.
Connect to a VPN provided by a third party
To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with #The client config profile and skip ahead to #Starting OpenVPN after that. One should use the provider certificates and instructions, see Category:VPN providers for examples that can be adapted to other providers. OpenVPN client in Linux Containers also has general applicable instructions, while it goes a step further by isolating an OpenVPN client process into a container.
Create a Public Key Infrastructure (PKI) from scratch
When setting up an OpenVPN server, users need to create a Public Key Infrastructure (PKI) which is detailed in the Easy-RSA article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in
/etc/openvpn/server at this point:
ca.crt dh.pem servername.crt servername.key ta.key
Alternatively, as of OpenVPN 2.4, one can use Easy-RSA to generate certificates and keys using elliptic curves. See the OpenVPN documentation for details.
A basic L3 IP routing configuration
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both servers and clients.
With the release of v2.4, server configurations are stored in
/etc/openvpn/server and client configurations are stored in
/etc/openvpn/client and each mode has its own respective systemd unit, namely,
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:
- Uses Public Key Infrastructure (PKI) for authentication.
- Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
- Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number).
- Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
For more advanced configurations, please see the OpenVPN documentation.man page and the
The server configuration file
Copy the example server configuration file
Edit the file making a minimum of the following changes:
ca ca.crt cert servername.crt key servername.key dh dh.pem . tls-crypt ta.key . user nobody group nobody
Hardening the server
If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers.
Add the following to
. cipher AES-256-CBC auth SHA512 tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA .
- The .ovpn client profile must contain a matching cipher and auth line to work properly (at least with the iOS and Android client).
tls-cipherincorrectly may cause difficulty with debugging connections and may not be necessary. See OpenVPN’s community wiki for more information.
Enabling compression is not recommended by upstream; doing so opens to the server the so-called VORACLE attack vector. See this article.
Deviating from the standard port and/or protocol
Some networks may disallow OpenVPN connections on the default port and/or protocol. One strategy to circumvent this is to mimic HTTPS traffic which is very likely unobstructed.
To do so, configure
/etc/openvpn/server/server.conf as such:
. port 443 proto tcp .
Running multiple instances of OpenVPN on different ports on the physical machine
One can have multiple, concurrent instances of OpenVPN running on the same box. Each server needs to be defined in
/etc/openvpn/server/ as a separate .conf file. At a minimum, the parallel servers need to be running on different ports. A simple setup directs traffic connecting in to a separate IP pool. More advanced setups are beyond the scope of this guide.
Consider this example, running 2 concurrent servers, one port 443/udp and another on port 80/tcp.
/etc/openvpn/server/server.conf created as so:
. port 443 proto udp server 10.8.0.0 255.255.255.0 .
Now copy it and modify the copy to run on 80/tcp:
. port 80 proto tcp server 10.8.1.0 255.255.255.0 .
Be sure to setup the corresponding entries in the firewall, see the relevant sections in #Firewall configuration.
The client config profile
Copy the example client configuration file
Edit the following:
remotedirective to reflect either the server's Fully Qualified Domain Name, hostname (as known to the client), or its IP address.
- Uncomment the
groupdirectives to drop privileges.
keyparameters to reflect the path and names of the keys and certificates.
- Enable the TLS HMAC handshake protection (
client remote elmer.acmecorp.org 1194 . user nobody group nobody ca ca.crt cert client.crt key client.key . tls-crypt ta.key # Replaces tls-auth ta.key 1
Run as unprivileged user
Using the options
user nobody and
group nobody in the configuration file makes OpenVPN drop its
root privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.
As it could seem to require manual action to manage the routes, the options
user nobody and
group nobody might seem undesirable. Depending on setup, however, there are different ways to handle these situations:
- For errors of the unit, a simple way is to edit it and add a
[Service]section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly.
- The package contains the
/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so, which can be used to let openvpn fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges (see also its README).
The OpenVPN HowTo's linked below go further by creating a dedicated non-privileged user/group, instead of the already existing
nobody. The advantage is that this avoids potential risks when sharing a user among daemons:
- The OpenVPN HowTo explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.
- It is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see this OpenVPN wiki (howto). The howto assumes the presence of System V init, rather than Systemd and does not cover the handling of
--downscripts - those should be handled the same way as the ip command, with additional attention to access rights.
Converting certificates to encrypted .p12 format
Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:
# openssl pkcs12 -export -inkey keys/bugs.key -in keys/bugs.crt -certfile keys/ca.crt -out keys/bugs.p12
Testing the OpenVPN configuration
# openvpn /etc/openvpn/server/server.conf on the server, and
# openvpn /etc/openvpn/client/client.conf on the client. Example output should be similar to the following:
# openvpn /etc/openvpn/server/server.conf
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011 Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key . . Wed Dec 28 14:41:54 2011 bugs/126.96.36.199:48904 MULTI: primary virtual IP for bugs/188.8.131.52:48904: 10.8.0.6 Wed Dec 28 14:41:57 2011 bugs/184.108.40.206:48904 PUSH: Received control message: 'PUSH_REQUEST' Wed Dec 28 14:41:57 2011 bugs/220.127.116.11:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
# openvpn /etc/openvpn/client/client.conf
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011 Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables . . Wed Dec 28 14:41:57 2011 GID set to nobody Wed Dec 28 14:41:57 2011 UID set to nobody Wed Dec 28 14:41:57 2011 Initialization Sequence Completed
Configure the MTU with Fragment and MSS
The following message may indicate the MTU value should be adjusted:
read UDPv4 [EMSGSIZE Path-MTU=1407]: Message too long (code=90)
In order to get the maximum segment size (MSS), the client needs to discover the smallest MTU along the path to the server. In order to do this ping the server and disable fragmentation, then specify the maximum packet size :
# ping -M do -s 1500 -c 1 example.com
Decrease the 1500 value by 10 each time, until the ping succeeds.
mtu-testas alternative solution.
Update the client configuration to use the succeeded MTU value, e.g.:
remote example.com 1194 ... tun-mtu 1400 mssfix 1360
OpenVPN may be instructed to test the MTU every time on client connect. Be patient, since the client may not inform about the test being run and the connection may appear as nonfunctional until finished. The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless a client will be connecting over many different networks and the bottle neck is not on the server side:
remote example.com 1194 ... mtu-test ...
Connect to the server via IPv6
In order to enable Dual Stack for OpenVPN, change
proto udp to
proto udp6 in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.
Provide IPv6 inside the tunnel
In order to provide IPv6 inside the tunnel, have an IPv6 prefix routed to the OpenVPN server. Either set up a static route on the gateway (if a static block is assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see IPv6 Prefix delegation for details). Also consider using a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:
- Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so change the server.conf every time the prefix is changed (Maybe can be automated with a script).
- ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. This means one cannot route the entire traffic over the tunnel. Those wanting to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, may want to use the ULA addresses for ease.
After having received a prefix (a /64 is recommended), append the following to the server.conf:
This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.
Those wanting to push a route to a home network (192.168.1.0/24 equivalent), need to also append:
push "route-ipv6 2001:db8:0:abc::/64"
OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The OpenVPN Wiki provides some other configuration options.
To troubleshoot a VPN connection, start the client's daemon manually with
openvpn /etc/openvpn/client/client.conf as root. The server can be started the same way using its own configuration file (e.g.,
systemd service configuration
To start the OpenVPN server automatically at system boot, enable
openvpn-server@<configuration>.service on the applicable machine. For a client, enable
openvpn-client@<configuration>.service instead. (Leave
.conf out of the
For example, if the client configuration file is
/etc/openvpn/client/client.conf, the service name is
email@example.com. Or, if the server configuration file is
/etc/openvpn/server/server.conf, the service name is
Letting NetworkManager start a connection
One might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to
/etc/NetworkManager/dispatcher.d/. In the following example "Provider" is the name of the NetworkManager connection:
#!/bin/bash case "$2" in up) if [ "$CONNECTION_ID" == "Provider" ]; then systemctl start openvpn-client@<configuration> fi ;; down) systemctl stop openvpn-client@<configuration> ;; esac
See NetworkManager#Network services with NetworkManager dispatcher for more details.
To connect to an OpenVPN server through Gnome's built-in network configuration do the following. First, install #The client config profile. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied (e.g. via
journalctl -b -u NetworkManager).
Routing client traffic through the server
By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic (including web traffic) pass through the VPN, append
push "redirect-gateway def1 bypass-dhcp" to the configuration file (i.e.
/etc/openvpn/server/server.conf)  of the server. Note this is not a requirement and may even give performance issue:
push "redirect-gateway def1 bypass-dhcp"
push "route <address pool> <subnet>" option to allow clients reaching other subnets/devices behind the server:
push "route 192.168.1.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0"
Optionally, push local DNS settings to clients (e.g. the DNS-server of the router and domain prefix .internal):
push "dhcp-option DNS 192.168.1.1" push "dhcp-option DOMAIN internal"
After setting up the configuration file, enable packet forwarding on the server. Additionally, the server's firewall needs to be adjusted to allow VPN traffic, which is described below for both ufw and iptables.
/etc/ufw/before.rules, and append the following code after the header and before the "*filter" line:
- Change the IP/subnet mask to match the
serverset in the OpenVPN server configuration.
- Change the network interface to the connection used by OpenVPN server.
# NAT (Network Address Translation) table rules *nat :POSTROUTING ACCEPT [0:0] # Allow traffic from clients to the interface -A POSTROUTING -s 10.8.0.0/24 -o interface -j MASQUERADE # Optionally duplicate this line for each subnet if your setup requires it -A POSTROUTING -s 10.8.1.0/24 -o interface -j MASQUERADE # do not delete the "COMMIT" line or the NAT table rules above will not be processed COMMIT # Don't delete these required lines, otherwise there will be errors *filter ..
Make sure to open the chosen OpenVPN port (default 1194/udp):
# ufw allow 1194/udp
# ufw reload
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
If running multiple servers on different IP pools, add a corresponding line for each one, for example:
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
If the server cannot be pinged through the VPN, one may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following :
iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A INPUT -i tap+ -j ACCEPT iptables -A FORWARD -i tap+ -j ACCEPT
Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface.
When satisfied, make the changes permanent as shown in iptables#Configuration and usage.
Those with multiple
tap interfaces, or more than one VPN configuration can "pin" the name of the interface by specifying it in the OpenVPN config file, e.g.
tun22 instead of
tun. This is advantageous if different firewall rules for different interfaces or OpenVPN configurations are wanted.
Prevent leaks if VPN goes down
This prevents all traffic through the default interface (enp3s0 for example) and only allows traffic through tun0. If the OpenVPN connection drops, the system will lose its internet access thereby preventing connections through the default network interface.
One may want to set up a script to restart OpenVPN if it goes down.
# Default policies ufw default deny incoming ufw default deny outgoing # Openvpn interface (adjust interface accordingly to your configuration) ufw allow in on tun0 ufw allow out on tun0 # Local Network (adjust ip accordingly to your configuration) ufw allow in on enp3s0 from 192.168.1.0/24 ufw allow out on enp3s0 to 192.168.1.0/24 # Openvpn (adjust port accordingly to your configuration) ufw allow in on enp3s0 from any port 1194 ufw allow out on enp3s0 to any port 1194
Alternatively, one can allow DNS leaks. Be sure to trust your DNS server!
# DNS ufw allow in from any to any port 53 ufw allow out from any to any port 53
Alternatively, the vpnfailsafe ( AUR) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of update-resolv-conf, so the two do not need to be combined.
L3 IPv4 routing
This section describes how to connect client/server LANs to each other using L3 IPv4 routing.
Prerequisites for routing a LAN
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See Internet sharing#Enable packet forwarding for configuration details.
By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.
- Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.
- Add a static route on each host on the LAN that needs to send IP packets back to the VPN.
- Use iptables' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.
Connect the server LAN to a client
The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:
push "route 10.66.0.0 255.255.255.0"
Connect the client LAN to a server
- Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
- Each client's certificate has a unique Common Name, in this case bugs.
- The server may not use the duplicate-cn directive in its config file.
- The CCD folder must be accessible via user and group defined in the server config file (typically nobody:nobody)
Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.
# mkdir -p /etc/openvpn/ccd
Create a file in the client configuration directory called bugs, containing the
iroute 192.168.4.0 255.255.255.0 directive. It tells the server what subnet should be routed to the client:
iroute 192.168.4.0 255.255.255.0
Add the client-config-dir and the
route 192.168.4.0 255.255.255.0 directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:
client-config-dir ccd route 192.168.4.0 255.255.255.0
Connect both the client and server LANs
Combine the two previous sections:
push "route 10.66.0.0 255.255.255.0" . . client-config-dir ccd route 192.168.4.0 255.255.255.0
iroute 192.168.4.0 255.255.255.0
Connect clients and client LANs
By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:
In order for another client or client LAN to see a specific client LAN, add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):
client-to-client push "route 192.168.4.0 255.255.255.0" push "route 192.168.5.0 255.255.255.0" ..
The DNS servers used by the system are defined in
/etc/resolv.conf. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file to be able to resolve names on the remote side. To achieve this in a sensible way, install openresolv, which makes it possible for more than one program to modify
resolv.conf without stepping on each-other's toes.
Before continuing, test openresolv by restarting the network connection and ensuring that
resolv.conf states that it was generated by resolvconf, and that DNS resolution still works as before. No reconfiguration of openresolv should be required; it should be automatically detected and used by the network system.
For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with the
client.down scripts packaged in
/usr/share/openvpn/contrib/pull-resolv-conf/. See their comments on how to install them to
/etc/openvpn/client/. The following is an excerpt of a resulting client configuration using the scripts in conjunction with resolvconf and options to #Run as unprivileged user:
user nobody group nobody # Optional, choose a suitable path to chroot into chroot /srv script-security 2 up /etc/openvpn/client/client.up plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client/client.down tun0"
Update resolv-conf script
Once the script is installed add lines like the following into the OpenVPN client configuration file:
script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf
Now, when launching the OpenVPN connection,
resolv.conf should be updated accordingly, and also should get returned to normal when the connection is closed.
openresolvwith the -p or -x options in a script (as both the included
update-resolv-confscripts currently do), a DNS resolver like or is required for
openresolvto correctly update
/etc/resolv.conf. In contrast, when using the default DNS resolution from
libcthe -p and -x options must be removed in order for
/etc/resolv.confto be correctly updated by
openresolv. For example, if the script contains a command like
resolvconf -p -aand the default DNS resolver from
libcis being used, change the command in the script to be
Update systemd-resolved script
Since systemd 229, systemd-networkd has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as may not work reliably when
/etc/resolv.conf is managed by
systemd-resolved, and will not work at all if using
resolve instead of
/etc/nsswitch.conf. The update-systemd-resolved script is another alternative and links OpenVPN with
systemd-resolved via DBus to update the DNS records.
client remote example.com 1194 udp .. script-security 2 setenv PATH /usr/bin up /etc/openvpn/scripts/update-systemd-resolved down /etc/openvpn/scripts/update-systemd-resolved down-pre
Override DNS servers using NetworkManager
/etc/resolv.conf. This may result in DNS instability (leakage).
The NetworkManager GUI does not provide any way to change this behavior, but it is possible to completely override DNS using connection configuration file.
If the override is applied, queries for non-public DNS records are sent to the external resolver, see .
To use DNS settings provided by the VPN connection add
dns-priority=-1 (ipv4 section) to the file located at
your_vpn_name is the name of your VPN connection.
Making changes to the VPN connection with the NetworkManager GUI will remove the setting above.
To verify that the correct DNS server(s) are configured, see
resolvectl status if systemd-resolved is in use, for other resolvers see Domain name resolution.
L2 Ethernet bridging
For now see: OpenVPN Bridge
TheAUR package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the OpenVPN Connect app for Android and iOS.
Simply invoke the script with 5 tokens:
- Server Fully Qualified Domain Name of the OpenVPN server (or IP address).
- Full path to the CA cert.
- Full path to the client cert.
- Full path to the client private key.
- Full path to the server TLS shared secret key.
- Optionally a port number.
- Optionally a protocol (udp or tcp).
# ovpngen example.org /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/server/ta.key > foo.ovpn
If the server is configured to use tls-crypt, as is suggested in #The server configuration file, manually edit the resulting
foo.ovpn can be edited if desired as the script does insert some commented lines.
The client expects this file to be located in
/etc/openvpn/client/foo.conf. Note the change in file extension from 'ovpn' to 'conf' in this case.
It automates the actions required for the OpenVPN howto by adapting it to systemd, and also working around the bug for persistent tun devices mentioned in the note.
Client daemon not reconnecting after suspend
AUR, available on the AUR, solves this problem by sending a SIGHUP to openvpn after waking up from suspend.
Alternatively, restart OpenVPN after suspend by creating the following systemd service:
[Unit] Description=Restart OpenVPN after suspend [Service] ExecStart=/usr/bin/pkill --signal SIGHUP --exact openvpn [Install] WantedBy=sleep.target
Enable this service for it to take effect.
Connection drops out after some time of inactivity
If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a
keepalivedirective to the server's configuration:
. . keepalive 10 120 . .
In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up. If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.
A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on the connection, also try lower intervals than 10 seconds.
PID files not present
The default systemd service file for openvpn-client does not have the --writepid flag enabled, despite creating /var/run/openvpn-client. If this breaks a config (such as an i3bar VPN indicator), simply change
openvpn-client@.service using a drop-in snippet:
[Service] ExecStart= ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf --writepid /var/run/openvpn-client/%i.pid
Route configuration fails with systemd-networkd
When using systemd-networkd to manage network connections and attempting to tunnel all outgoing traffic through the VPN, OpenVPN may fail to add routes. This is a result of systemd-networkd attempting to manage the tun interface before OpenVPN finishes configuring the routes. When this happens, the following message will appear in the OpenVPN log.
openvpn: RTNETLINK answers: Network is unreachable openvpn: ERROR: Linux route add command failed: external program exited with error status: 2
From systemd-233, systemd-networkd can be configured to ignore the tun connections and allow OpenVPN to manage them. To do this, create the following file:
[Match] Name=tun* [Link] Unmanaged=true
systemd-networkd.service to apply the changes. To verify that the changes took effect, start the previously problematic OpenVPN connection and run
networkctl. The output should have a line similar to the following:
7 tun0 none routable unmanaged
tls-crypt unwrap error: packet too short
This error shows up in the server log when a client that does not support tls-crypt, or a client that is misconfigured to use tls-auth while the server is configured to use tls-crypt, attempts to connect.
To support clients that do not support tls-crypt, replace
tls-crypt ta.key with
tls-auth ta.key 0 (the default) in
server.conf. Also replace
tls-crypt ta.key with
tls-auth ta.key 1 (the default) in