Linux Networking

Set up OpenVPN client on Linux

Practical Linux guide: set up OpenVPN client on Linux without the usual guesswork.

14 min read Intermediate Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Import an OpenVPN profile on Linux using NetworkManager or openvpn CLI — typical for corporate VPNs and self-hosted Access Server.

1) Install client

# Debian/Ubuntu
sudo apt install openvpn network-manager-openvpn-gnome
# Fedora
sudo dnf install openvpn NetworkManager-openvpn

2) NetworkManager import

sudo nmcli connection import type openvpn file client.ovpn
nmcli connection up client

3) systemd service (headless)

sudo cp client.ovpn /etc/openvpn/client/work.conf
sudo systemctl enable --now openvpn-client@work

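If the profile requires username/password, store the credentials in /etc/openvpn/client/work.auth (username on the first line, password on the second) with mode 600, and reference the file from the profile with auth-user-pass /etc/openvpn/client/work.auth.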

4) Routes and DNS

ip route
resolvectl status

Split-tunnel vs full-tunnel is defined in the .ovpn file (redirect-gateway). Corporate VPNs often push internal DNS — verify with dig internal.host.

Verify

ip a show tun0
curl -4 ifconfig.me

5) TLS crypt and modern ciphers

Ensure OpenVPN 2.5+ on both ends. Corporate profiles may include tls-crypt-v2 — older clients fail with cipher negotiation errors visible in journalctl -u NetworkManager.

6) Kill switch (fail closed)

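# block-outside-dns is a Windows-only option (Windows Filtering Platform);
# a Linux client treats it as an unknown option, so it is not a kill switch here.
# On Linux, fail closed with firewall rules allowing only tun0 + LAN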
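
One way to build the firewall-based kill switch from step 6, as an added example that is not part of the original guide: it reads the profile's remote lines and prints an nftables ruleset that drops all outbound traffic except loopback, the tunnel, the LAN and the VPN server itself. The table name vpn_killswitch, the function names, the 192.168.1.0/24 LAN and the sample profile are assumptions made for illustration.

```shell
# Added example, not from the guide. Assumes nftables, device tun0, IPv4 remotes.

# Print "ip port proto" for each usable `remote` line of an OpenVPN profile.
vpn_endpoints() {
    awk '
        $1 == "proto"  { proto = $2 }
        $1 == "port"   { port = $2 }
        $1 == "remote" { host[++n] = $2; rport[n] = $3; rproto[n] = $4 }
        END {
            for (i = 1; i <= n; i++) {
                p = (rproto[i] != "") ? rproto[i] : ((proto != "") ? proto : "udp")
                p = (p ~ /^tcp/) ? "tcp" : "udp"
                q = (rport[i] != "") ? rport[i] : ((port != "") ? port : "1194")
                # Only IPv4 literals with a numeric port are emitted; pin hostnames first.
                if (host[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && q ~ /^[0-9]+$/)
                    print host[i], q, p
                else
                    print "skipped remote: " host[i] | "cat 1>&2"
            }
        }' "$1"
}

# usage: killswitch_rules PROFILE LAN_CIDR [TUN_DEV]  -> ruleset on stdout
killswitch_rules() {
    profile=$1; lan=$2; dev=${3:-tun0}
    case $lan in ''|*[!0-9./]*) echo "bad LAN CIDR" >&2; return 1 ;; esac
    endpoints=$(vpn_endpoints "$profile")
    [ -n "$endpoints" ] || { echo "no usable remote" >&2; return 1; }
    echo "table inet vpn_killswitch {"
    echo "  chain output {"
    echo "    type filter hook output priority 0; policy drop;"
    echo "    oifname \"lo\" accept"
    echo "    oifname \"$dev\" accept"
    echo "    ip daddr $lan accept"
    # The encrypted tunnel itself still has to leave via the physical NIC.
    echo "$endpoints" | while read -r ip port proto; do
        echo "    ip daddr $ip $proto dport $port accept"
    done
    printf '  }\n}\n'
}

# Constructed sample profile (documentation addresses), not a real server.
sample_profile() {
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote 203.0.113.10 1194' \
        'remote 198.51.100.7 443 tcp' 'remote vpn.example.com' 'redirect-gateway def1'
}

sample_profile | killswitch_rules - 192.168.1.0/24
```

Check the generated ruleset with nft -c -f - before loading it with sudo nft -f -, and remove it with sudo nft delete table inet vpn_killswitch. The LAN rule also permits DNS to a resolver on the LAN, so narrow it if lookups must only go through the tunnel.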

7) Reconnect on sleep

nmcli connection modify client connection.autoconnect yes
nmcli connection modify client ipv4.never-default false

Troubleshooting

  • TLS handshake fail — clock skew; run timedatectl status.
  • Connected but no DNS — accept pushed DNS in NM or add script-security 2 and up /etc/openvpn/update-resolv-conf.
  • Routes missing — check ip route for pushed subnets; may need pull-filter ignore redirect-gateway on split-tunnel setups.

8) Two-factor and certificates

Some enterprises issue per-user certs plus TOTP. NetworkManager may need the PKCS#12 bundle imported: extract the cert/key first, then run nmcli connection import type openvpn file user.ovpn.

Prerequisites

An .ovpn profile or PKCS#12 bundle from IT; the openvpn package; root/sudo for systemd units; clock sync (NTP). If the profile uses user/pass, a credential file secured with mode 600.

Multiple VPN profiles

nmcli connection import type openvpn file work.ovpn
nmcli connection import type openvpn file homelab.ovpn

Only one full-tunnel VPN should be active — conflicting default routes break connectivity.

Layer 3 routing table

ip rule list
ip route show table all

Policy routing from VPN may need manual cleanup after disconnect on complex setups.

Corporate split tunnel policy

IT may push routes only for 10.0.0.0/8 while leaving the default route on the local ISP; run ip route get 8.8.8.8 to verify which interface handles internet traffic. A misconfigured split tunnel leaks DNS: use resolvectl domain to see whether corp domains use internal resolvers. Reconnect scripts in NetworkManager dispatcher.d can restart services when the VPN goes up.
