FAQs
OpenVPN Open Source Frequently Asked Questions
Issue: If you're looking for comprehensive OpenVPN guides and resources, here are some recommended books that cover various topics, from troubleshooting to advanced configurations.
Solution:
OpenVPN Cookbook - 2nd Edition
Author: Jan Just Keijser
Publisher: Packt Publishing
Release Date: February 2017
ISBN-13: 9781786466662
Description: This cookbook offers practical solutions to common OpenVPN configuration and troubleshooting tasks.
Purchase: Here
Troubleshooting OpenVPN
Author: Eric F Crist
Publisher: Packt Publishing
Release Date: March 2017
ISBN-13: 9781786466938
Description: A detailed guide focused on solving OpenVPN connection issues and improving troubleshooting skills.
Purchase: Here
Mastering OpenVPN
Author: Eric F. Crist and Jan Just Keijser
Publisher: Packt Publishing
Release Date: August 2015
ISBN-13: 9781783553143
Description: This book provides an in-depth look at setting up and managing OpenVPN in various scenarios, ideal for administrators and advanced users.
Purchase: Here
OpenVPN 2 Cookbook
Author: Jan Just Keijser
Publisher: Packt Publishing
Release Date: March 2011
ISBN-13: 9781849510110
Description: A comprehensive cookbook for OpenVPN 2.x, covering installation, configuration, and advanced setup.
Purchase: Here
Issue: This issue is typically caused by a firewall blocking the TUN/TAP interface on either the server or the client. Firewalls often block incoming connections to new interfaces by default.
Solution: To resolve this, you need to allow traffic through the TUN/TAP interface explicitly:
On Linux: Use the following iptables commands to allow TUN/TAP connections:
# Allow TUN interface connections to OpenVPN server iptables -A INPUT -i tun+ -j ACCEPT # Allow TUN interface connections to be forwarded through other interfaces iptables -A FORWARD -i tun+ -j ACCEPT # Allow TAP interface connections to OpenVPN server iptables -A INPUT -i tap+ -j ACCEPT # Allow TAP interface connections to be forwarded through other interfaces iptables -A FORWARD -i tap+ -j ACCEPT
On Windows: Navigate to Control Panel > Security Center > Windows Firewall > Advanced. In the Network Connections Settings control, uncheck the box for the TAP-Win32 adapter.
Additional Considerations:
If you want OpenVPN clients to access other machines on the LAN, disable firewalling on the TUN/TAP adapter, enable IP forwarding, and set up a return route from the LAN gateway to the OpenVPN server.
Remember, firewalling the TUN/TAP interface is separate from firewalling the internet-facing interface. For example, SMTP connections will need firewall rules for both the public-facing interface (TCP/UDP port 1194) and the TUN/TAP interface.
Issue: OpenVPN allocates a /30 subnet per client to maintain compatibility with Windows clients. This behavior is due to limitations in the TAP-Win32 driver's TUN emulation mode, which does not support true Point-to-Point (PtP) links.
Solution: In OpenVPN 2.0, a single TUN interface can support multiple clients. Allocating a /30 subnet ensures that each client receives its own virtual IP address within a point-to-point-like structure, even if the operating system (OS) doesn’t support true PtP links over the TUN interface.
Here's how it works:
The server uses one IP address for the PtP link between the server OS and OpenVPN.
OpenVPN assigns a /30 subnet to each client, with one of the IP addresses used as a virtual address within the OpenVPN server.
For example:
The first PtP link is between the server OS and OpenVPN (e.g., 192.168.1.1 <-> 192.168.1.2).
The first available /30 subnet (after the server's link) is assigned to the client:
192.168.1.4/30:
192.168.1.4 — Network address
192.168.1.5 — Virtual IP within OpenVPN
192.168.1.6 — Assigned to the client
192.168.1.7 — Broadcast address
To reach the rest of the network behind the OpenVPN server, a route is pushed to the client to route traffic through the virtual IP address (192.168.1.5).
Why this happens:
Windows does not support true PtP links over TUN interfaces, so OpenVPN uses a /30 subnet to simulate this.
192.168.1.5 is only a virtual IP used for routing and doesn't respond to pings. The real server IP (e.g., 192.168.1.1) will reply to pings.
Additional Notes:
If only non-Windows clients will connect, you can avoid this behavior by using the
ifconfig-pool-lineardirective.The TAP-Win32 driver’s built-in DHCP server assigns the 192.168.1.6 address to the client, which is why 192.168.1.5 appears as the DHCP server address.
Issue: These errors occur when OpenVPN doesn’t have an internal route to the client's network (e.g., 192.168.100.249). As a result, OpenVPN doesn't know how to route the packet to this address, leading to it being dropped.
Solution: To resolve this, use the client-config-dir option and create a ccd (client configuration directory) file for the client. In this file, include the iroute directive to inform OpenVPN that the network (e.g., 192.168.100.0/24) is reachable through this client.
For example, create a ccd file with the following content:
iroute 192.168.100.0 255.255.255.0
This tells OpenVPN that the 192.168.100.0/24 network is behind this client, and it can route packets accordingly.
Issue: This error occurs because the iOS Keychain does not provide the Certificate Authority (CA) list from the PKCS#12 file to OpenVPN. If your profile lacks a ca directive, OpenVPN will not know which CA to use, resulting in the error.
Solution: To fix this, extract the CA list from the PKCS#12 file and add it to your OpenVPN profile using the ca directive. Details are in the OpenVPN Connect documentation, Certificates & Tokens.
Yes, OpenVPN Connect on Android 1.1.14 and newer supports CRLs.
To use a CRL, you must add it to the .ovpn profile, such as:
<crl-verify> -----BEGIN X509 CRL----- MIHxMFwwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKT3BlblZQTiBDQRcNMTQw NDIyMDQzOTI3WhcNMjQwNDE5MDQzOTI3WjAWMBQCAQEYDzIwMTQwNDIyMDQzOTI3 WjANBgkqhkiG9w0BAQQFAAOBgQBQXzbNjXkx8+/TeG8qbFQD5wd6wOTe8HnypQTt eELsI7eyNtiRRhJD3qKfawPVUabSijnwhAPHfhoIOLKe67RLfzOwAsFKPNJAVdmq rYw1t2eucHvGjH8PnTh0aJPJaI67jmNbSI4CnHNcRgZ+1ow1GS+RAK7kotS+dZz9 0tc7Qw== -----END X509 CRL----- </crl-verify>
You can concatenate multiple CRLs together within the crl-verify block.
If you are importing a .ovpn file that references an external CRL file such as crl-verify crl.pem, ensure you drop the file crl.pem into the same place as the .ovpn file during import so the profile parser can access it.
Issue: Yes, an OpenVPN server can be set up on a machine with a single Network Interface Card (NIC).
Solution: To successfully set up OpenVPN on a machine with a single NIC, ensure the following:
Port Forwarding: The NAT gateway on the server’s network must have a port forwarding rule for TCP/UDP port 1194 that points to the internal address of the OpenVPN server machine.
Routing (for full LAN access): If you are using routing instead of ethernet bridging mode, and want connecting clients to access the entire LAN (not just the OpenVPN server machine), add an internal LAN route to the LAN gateway. This route should direct traffic for the private OpenVPN subnet (defined by
server,ifconfig, orifconfig-pooldirectives) to the internal address of the OpenVPN server.
Yes, An OpenVPN server can push HTTP and HTTPS proxy settings to an iOS client to be used by Safari (or other iOS browsers) for the duration of the VPN session. For example, if you want iOS clients to use an HTTP/HTTPS proxy when connected to your OpenVPN server, you can configure the proxy connection.
Suppose you have a proxy at 10.144.4.14 on port 3128. To push the proxy settings to clients, you add the following directives to the OpenVPN server-side configuration:
push "dhcp-option PROXY_HTTP 10.144.5.14 3128" push "dhcp-option PROXY_HTTPS 10.144.5.14 3128"
If you want several web domains to connect directly and go through the proxy, run a command such as this:
push "dhcp-option PROXY_BYPASS example1.tld example2.tld example3.tld"
If your site uses a Proxy Autoconfiguration URL, specify the URL as follows:
push "dhcp-option PROXY_AUTO_CONFIG_URL http://example.tld/proxy.pac"
If you don't want to (or can't) modify the OpenVPN server configuration, you can add proxy directives directly to the client .ovpn profile. Remove the enclosing push "..." from the directive:
dhcp-option PROXY_HTTP 10.144.5.14 3128 dhcp-option PROXY_HTTPS 10.144.5.14 3128
Important
When you push proxy options, it may also be necessary to push a DNS server address:
Note
This feature controls application proxy use over the VPN tunnel and is not related to the connection proxy capability of OpenVPN to connect to a server through an HTTP proxy. The connection proxy capability is under the proxies menu.
Issue: Yes, you can have multiple profiles in OpenVPN Connect.
Solution: To import multiple profiles, use the Import menu and tap the profile field to select a new one. Remember that OpenVPN will assign a name to each profile based on the server it connects to.
If you import a profile with the same name as an existing one, the new profile will replace the old one. To prevent this, rename the old profile before importing the new one.
Issue: Yes, you can have multiple proxies in OpenVPN Connect.
Solution: To add multiple proxies, use the main menu to add as many proxies as needed. After adding them, a proxy selection field will appear on the main page. You can tap this field to select a proxy, or choose "None" at the end of the list to connect directly.
Yes, you can create OpenVPN profiles using the iPhone Configuration Utility (iPCU) and export them to a .mobileconfig file. Refer to Using Mobileconfig Profiles.
Yes, you can push an IPv6 DNS by using the same format used for IPv4 ones:
push "dhcp-option DNS 2001:abde::1"
Issue: Yes, you can run multiple OpenVPN tunnels on a single machine.
Solution: To run two or more OpenVPN instances on the same machine, you need to ensure the following:
Each instance requires a separate virtual TUN/TAP adapter.
Use a different port for each instance by specifying the
portdirective.Using the
server,server-bridge, orifconfigdirectives, ensure that each TUN/TAP adapter has a unique, non-overlapping subnet.
Yes. VPN-On-Demand (VoD) is a new technology introduced by Apple in iOS 6 that allows a VPN profile to specify the conditions under which it automatically connects. In addition, you can connect and disconnect a VoD profile on iOS 7 using the iOS Settings App under the VPN tab (although note that on iOS 8 and higher, ordinary OpenVPN profiles can be connected using the Settings App, as long as they don't require credential entry). OpenVPN on iOS fully supports VoD with the following features:
You can create an OpenVPN VoD profile with iPCU by entering OpenVPN configuration file parameters as key/value pairs.
OpenVPN Connect supports connect and disconnect actions triggered by the iOS VoD subsystem.
OpenVPN Connect recognizes VoD profiles, shows them in the UI, and allows them to be monitored and controlled like other OpenVPN profiles (with the exception that VoD profiles cannot be manually connected from the app UI, they can only be disconnected — this is because a VoD profile is designed to be connected automatically by iOS).
As noted, you can create OpenVPN VoD profiles using iPCU. Unfortunately, it’s not a simple process because you must manually enter the directives of the OpenVPN profile as key/value pairs into iPCU.
To create a VoD profile with iPCU:
Open iPCU (these directions were tested with version 3.5 on a Mac tethered to an iPad running iOS 6.0.1).
Tap the File menu.
Select New Configuration Profile.
Edit the newly created configuration profile:
Tap General in the left pane.
Fill out the fields such as Name, Identifier, Organization, etc.
Tap VPN in the left pane.
A "Configure VPN" dialog box should appear in the main window.
Tap Configure.
Fill out the VPN settings as described:
Connection Name | Set this to a name that identifies the profile on the device. |
Connection Type | Set to Custom SSL. |
Identifier | Set to net.openvpn.connect.app. (On older versions, this used to be net.openvpn.OpenVPN-Connect.vpnplugin.) |
Server | Set to a hostname or DEFAULT to use the hostname(s) from the OpenVPN configuration. |
User Authentication | Set to Certificate, and attach the client certificate+key as a PKCS#12 file. |
VPN On Demand | Set to enabled and then define for iOS the conditions under which the VPN profile should automatically connect. |
In addition, you can define the key-value pairs in the Custom Data section rather than give these parameters in the OpenVPN client configuration file:
VoD requires an OpenVPN autologin profile, i.e., that authenticates using only a client certificate and key without requiring a connection password.
Define each OpenVPN directive as a key, with arguments specified as the value. As in the OpenVPN configuration file, arguments are space-delimited and may be quoted.
At a minimum, you must define key/value pairs for ca and remote. (Note that OpenVPN cannot get the CA list from the VoD profile; therefore, you must provide it using a ca key/value pair).
If the server requires them, define the key-value pairs for tls-auth, key-direction, comp-lzo, cipher, ns-cert-type, and remote-cert-tls.
Use "NOARGS" as the value for OpenVPN directives with no arguments.
If multiple instances of the same directive are present when entering the directive as a key, number the directives in the order they should be given to OpenVPN by appending .n to the directive, where n is an integer, such as remote.1 or remote.2.
For multi-line directives such as ca and tls-auth, where the argument is a multi-line file, we provide an escaping model to allow you to specify the file content as a single-line value. You must convert the multi-line data to a single line by replacing line breaks with "\n" (without the quotes). Note that because of this escaping model, you must use "\\" to pass the backslash itself.
For OpenVPN Access Server meta-directives such as "OVPN_ACCESS_SERVER_USERNAME", remove the OVPN_ACCESS_SERVER_ prefix, giving USERNAME as the directive.
Once you’ve defined the VoD profile, you have two options for exporting it to an iOS device:
If your device is currently tethered, click on your device name in the left pane. Then in the main window, click on the Configuration Profiles tab. You should see the name of your Configuration Profile and a button to install it on the device.
You can also save the Configuration Profile as a .mobileconfig file and make it available to iOS clients via email or the web. To do this, select your Configuration Profile, go to the File menu, and select "Export...". An Export Configuration Profile dialog box will appear. Select a Security option — "Sign configuration profile" is a reasonable choice. Press the Export button and save the profile.
When an iOS device receives a VoD profile (via Mail attachment, Safari download, or pushed by iPCU), it raises a dialog box to facilitate the profile import. After import, the profile is visible in the Settings App under General / Profiles. It is also visible as a profile in OpenVPN Connect. Note that the profile must be the currently enabled VPN profile for the VoD functionality to work.
Issue: Yes, OpenVPN can handle situations where both ends of the connection have dynamic IP addresses.
Solution: To achieve this, you must use a dynamic DNS service (such as dyndns.org) to map a domain name to your dynamic IP address. Alternatively, you can manage your own DNS server if it points to a static IP address.
The key to this setup lies in the ping and ping-restart options in the configuration file. If OpenVPN does not receive a ping from its peer within a certain period (e.g., 300 seconds), it will restart, resolve the domain name again (e.g., myremote.mydomain.com), and obtain the new IP address.
Here's how you can configure it:
Client-side config:
remote myremote.mydomain.com dev tun ifconfig 10.1.0.2 10.1.0.1 up ./up-script # optional # Crypto config replay-persist replay-persist-file # optional # TLS config (or omit TLS security with pre-shared key) tls-client ca key/my-ca.crt cert key/my-cert.crt key key/my-key.key tls-auth key/my-tls-password # optional # Timeouts ping 15 ping-restart 300 # 5 minutes resolv-retry 300 # 5 minutes persist-tun persist-key # Compression (optional) comp-lzo # UID (optional) user nobody group nobody # Verbosity (optional) verb 4
Server-side config:
Duplicate the client config but swap the
remoteaddress andifconfigsettings.Change
tls-clienttotls-serverif using TLS security.Ensure the appropriate local certificate and key are specified, and add the
dhfile for Diffie-Hellman.
Dynamic DNS update:
Use a tool like
ddclientto update your dynamic DNS record automatically when your IP address changes.Example of calling
ddclient:/usr/sbin/ddclient -daemon=0 -syslog -use=ip -ip=$1
Sample
ddclient.conf:login=mylogin password=mypassword custom=yes \ server=members.dyndns.org, \ protocol=dyndns2 \ myremote.mydomain.com
By using this setup, OpenVPN will "follow" the dynamic DNS address as it changes, ensuring a stable connection even with dynamic IP addresses.
Yes, you can connect from Android Settings with an autologin connection profile.
Issue: I edited my OpenVPN static key by changing some of the hex bytes, but the tunnel still connects using the original key. Is this a bug?
Solution: No, this is not a bug. The OpenVPN 2048-bit static key is designed to be large enough to extract multiple smaller keys from it, specifically for encryption and HMAC authentication. However, the default OpenVPN configuration only uses a small portion of the available key material.
By default, OpenVPN uses:
128 bits for the cipher key (e.g., Blowfish).
160 bits for the HMAC-SHA1 key.
This means OpenVPN only uses 288 bits out of the 2048-bit static key, leaving the rest unused. Therefore, you can modify many bytes in the key without affecting the operation of the connection as long as the parts used for encryption and HMAC remain intact.
To verify which parts of the key are used, you can run OpenVPN with the following command:
openvpn --dev null --verb 7 --secret key | grep 'crypt:'
This will show you the exact bits OpenVPN uses for the encryption and HMAC keys.
If you want OpenVPN to use more key material, you can configure it to use two separate sets of encryption/HMAC keys (one for each direction of communication) by using the key-direction option.
Example command to use separate keys for each direction:
openvpn --dev null --verb 7 --secret key 0 | grep 'crypt:' # Peer 1 openvpn --dev null --verb 7 --secret key 1 | grep 'crypt:' # Peer 2
Why the key is large:The 2048-bit static key is large to accommodate future cryptographic algorithms and key sizes. This design ensures compatibility with future cipher suites, which may require larger keys. The large key size allows OpenVPN to derive two separate sets of keys for encryption and HMAC, each with 512 bits of key material, one for each direction of the tunnel.
Yes, OpenVPN Connect includes support the the tls-crypt option in recent versions.
Issue: If you can’t ping across the tunnel even though everything seems to be configured correctly, it could be due to mismatched options, firewall issues, or network configuration problems.
Solution:
Check for mismatched options by ensuring that the following options are exactly matched on both sides of the connection:
--cipher--auth--keysize--dev tun|tap(unit number doesn't need to match)--link-mtu--udp-mtu--tun-mtu--no-replay--no-iv--comp-lzo--fragment--tun-ipv6--tls-auth--secret--key-method--tls-client(should match--tls-serveron the other side)--tls-server(should match--tls-clienton the other side)--ifconfig x y(should match--ifconfig y xon the other side)--proto udp(or--proto tcp-client/--proto tcp-server, which should match on both ends)
Test if the crypto setup works independently of the networking code by running:
openvpn --genkey --secret key openvpn --test-crypto --secret key
Firewall settings can cause many connectivity problems. If the OpenVPN daemon is tunneling data over a TUN or TAP interface, ensure the firewall allows incoming traffic on that interface. For example, on a Linux system using
iptables, you can enable incoming packets on the TUN interface with:iptables -A INPUT -i tun+ -j ACCEPT
Or, for the TAP interface:
iptables -A INPUT -i tap+ -j ACCEPT
Use tcpdump or wireshark to troubleshoot and analyze network traffic.
You can't mix
--dev tunand--dev tapon different ends of the connection. Ensure both sides use the same type.If you're connecting different OpenVPN versions, check the compatibility page to ensure there are no known issues between them.