OpenVPN deployment not routing to wider Internet

So I’m trying to run an OpenVPN server at home so I can make use of my home connection when I’m abroad.

I followed a few guides and I have a server and client configs running. I’m able to ping and ssh to the internal IP that OpenVPN sets up (on the 10.8.0.X subnet), but traffic in general isn’t routing through OpenVPN. Any public internet traffic just hangs.

I suspect the routes are mangled, but I can post whatever would help suss out the issue.


Server OpenVPN info:

sudo openvpn --version                             
OpenVPN 2.6.14 [git:makepkg/f588592ee6c6323b+] aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Apr  3 2025
library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: 

Server OpenVPN config:

port 2688

proto udp

dev tun

ca /etc/openvpn/server/pki/ca.crt
cert /etc/openvpn/server/pki/issued/strickland.crt
key /etc/openvpn/server/pki/private/strickland.key  # This file should be kept secret

dh /etc/openvpn/server/dh.pem

tls-crypt /etc/openvpn/server/ta.key

topology subnet

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

;client-to-client

;duplicate-cn

keepalive 10 120

cipher AES-256-CBC
data-ciphers-fallback AES-256-CBC

;compress lz4-v2
;push "compress lz4-v2"

;comp-lzo

;max-clients 100

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

;log         openvpn.log
;log-append  openvpn.log

verb 4 # debug

;mute 20

explicit-exit-notify 1

Server routing table (in case it matters) before launching OpenVPN server:

$ sudo ip route
[sudo] password for boomhauer: 
default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.153 metric 1004 
192.168.1.0/24 dev br0 proto dhcp scope link src 192.168.1.153 metric 1004 

Server routing table after launching OpenVPN server:

$ sudo ip route
[sudo] password for boomhauer: 
default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.153 metric 1004 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
192.168.1.0/24 dev br0 proto dhcp scope link src 192.168.1.153 metric 1004 

Client OpenVPN info:

$ openvpn --version
OpenVPN 2.6.14 [git:makepkg/f588592ee6c6323b+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Apr  2 2025
library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: 

Client OpenVPN config:

client
proto udp
remote arlen.doesnotexist3.com
port 2688
dev tun

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>

nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody
redirect-gateway def1 bypass-dhcp

Client routing table before launching OpenVPN (for comparison):

$ sudo ip route
default via 192.168.192.246 dev wlan0 proto dhcp src 192.168.192.193 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-9238d926a4f9 proto kernel scope link src 172.18.0.1 linkdown 
192.168.192.0/24 dev wlan0 proto kernel scope link src 192.168.192.193 metric 600 

Routing table after:

$ sudo ip route
0.0.0.0/1 via 10.8.0.1 dev tun0 
default via 192.168.192.246 dev wlan0 proto dhcp src 192.168.192.193 metric 600 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2 
128.0.0.0/1 via 10.8.0.1 dev tun0 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-9238d926a4f9 proto kernel scope link src 172.18.0.1 linkdown 
174.172.88.163 via 192.168.192.246 dev wlan0 
192.168.192.0/24 dev wlan0 proto kernel scope link src 192.168.192.193 metric 600 

Here are the logs from running OpenVPN on the client (I can supply the server logs too, but they’re sorta long):

$ sudo openvpn new_arlen_tun_openvpn.conf 
[sudo] password for boomhauer: 
Sorry, try again.
[sudo] password for boomhauer: 
2025-07-30 14:56:48 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2025-07-30 14:56:48 OpenVPN 2.6.14 [git:makepkg/f588592ee6c6323b+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Apr  2 2025
2025-07-30 14:56:48 library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
2025-07-30 14:56:48 DCO version: N/A
2025-07-30 14:56:48 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2025-07-30 14:56:48 TCP/UDP: Preserving recently used remote address: [AF_INET]174.172.88.163:2688
2025-07-30 14:56:48 UDPv4 link local: (not bound)
2025-07-30 14:56:48 UDPv4 link remote: [AF_INET]174.172.88.163:2688
2025-07-30 14:56:48 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2025-07-30 14:56:49 [strickland] Peer Connection Initiated with [AF_INET]174.172.88.163:2688
2025-07-30 14:56:50 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2025-07-30 14:56:50 TUN/TAP device tun0 opened
2025-07-30 14:56:50 net_iface_mtu_set: mtu 1500 for tun0
2025-07-30 14:56:50 net_iface_up: set tun0 up
2025-07-30 14:56:50 net_addr_v4_add: 10.8.0.2/24 dev tun0
2025-07-30 14:56:50 UID set to nobody
2025-07-30 14:56:50 GID set to nobody
2025-07-30 14:56:50 Capabilities retained: CAP_NET_ADMIN
2025-07-30 14:56:50 Initialization Sequence Completed

Anything particularly stark jump out at anyone? I would really appreciate any pointers, thanks!
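
An added example, not part of the original post: a Python check that runs a longest-prefix lookup over the client routing table quoted above to confirm that `redirect-gateway def1` took effect and that the server's public address still leaves via the physical interface. The function names and the two probe addresses are assumptions chosen for illustration.

```python
import ipaddress

# Client routing table with the tunnel up, copied from the post above.
ROUTES_AFTER = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.192.246 dev wlan0 proto dhcp src 192.168.192.193 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-9238d926a4f9 proto kernel scope link src 172.18.0.1 linkdown
174.172.88.163 via 192.168.192.246 dev wlan0
192.168.192.0/24 dev wlan0 proto kernel scope link src 192.168.192.193 metric 600
"""

def parse_routes(text):
    """Return [(network, gateway_or_None, device_or_None)] for unicast routes."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        except ValueError:
            continue  # e.g. "unreachable ..." or "blackhole ..." entries
        after = lambda key: f[f.index(key) + 1] if key in f[:-1] else None
        routes.append((net, after("via"), after("dev")))
    return routes

def egress(routes, ip):
    """Longest-prefix match (metrics ignored): (gateway, device) or None."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    best = max(hits, key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def check_redirect(routes, tun_dev, server_ip, probes=("1.1.1.1", "203.0.113.9")):
    """probes: one assumed sample address in each /1 half that def1 installs."""
    via = [egress(routes, ip) for ip in probes]
    server = egress(routes, server_ip)
    return {
        "internet_via_tunnel": all(v and v[1] == tun_dev for v in via),
        # The encrypted UDP packets themselves must stay off the tunnel.
        "server_bypasses_tunnel": bool(server) and server[1] != tun_dev,
    }

if __name__ == "__main__":
    print(check_redirect(parse_routes(ROUTES_AFTER), "tun0", "174.172.88.163"))
```

This inspects only the client's table; it says nothing about whether the server forwards or translates traffic arriving from 10.8.0.0/24.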