- Do you want to install OpenVPN on Linux as a client and route specific routes through the VPN or the normal route?
- Prerequisites
- OpenVPN installation
- Basic setup (manual execution)
- Default route control: default server behavior
- Method 1 — Send only some IPs through VPN (Split tunnel)
- Method 2 — All traffic through VPN, but a few specific IPs go through the normal route (Bypass)
- Method 3 — Policy-based Routing
- Connecting with systemd (autostart)
- DNS and name resolution problems
- Complete client.ovpn example (sample)
- Security and operational tips
- Fix common errors
- Comparison of applications and tips for different types of users
- Summary and Conclusion
Do you want to install OpenVPN on Linux as a client and route specific routes through the VPN or the normal route?
In this practical step-by-step guide we walk through configuring OpenVPN as a client on the popular Linux distributions: sample configuration files, up/down scripts for managing routes, split-tunnel and IP-bypass methods, and tips for username/password authentication.
Prerequisites
Before you begin, make sure you have the following:
- Linux system (Ubuntu/Debian/CentOS/Fedora/Alma)
- The openvpn package installed
- A client configuration file (.ovpn) from your VPN provider or from your own server
- A username and password, if the server combines user/pass with certificate authentication
OpenVPN installation
Installation commands for common distributions:
# Debian / Ubuntu
sudo apt update && sudo apt install openvpn
# Fedora / CentOS / AlmaLinux (on CentOS and Alma the package comes from EPEL)
sudo dnf install openvpn
Basic setup (manual execution)
If you already have a client.ovpn file, run it directly:
sudo openvpn --config client.ovpn
If the server uses username/password authentication and you do not want to type it on every connection, create a credentials file (username on the first line, password on the second; the >/dev/null keeps tee from echoing the password to your terminal):
sudo tee /etc/openvpn/credentials >/dev/null <<'EOF'
myuser
mypassword
EOF
sudo chmod 600 /etc/openvpn/credentials
The .ovpn file must then contain the following line (add it if it is missing):
auth-user-pass /etc/openvpn/credentials
Security tip: add auth-nocache so that OpenVPN does not keep the password cached in memory between renegotiations; when the credentials come from a file, OpenVPN simply reads the file again when it needs them:
auth-nocache
Keep the credentials file owned by root with mode 600, and prefer certificate-based client authentication together with tls-crypt (or tls-auth) on top of the username/password.
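Before the first connection it is worth checking the credentials file and the .ovpn directives mechanically rather than by eye. The script below is an added example, not part of the original guide or of OpenVPN itself; the file paths and the expected-owner argument are placeholders for your own files.

```shell
#!/bin/bash
# Preflight checks for an OpenVPN client config and its credentials file.
# Added example; paths passed as arguments are placeholders for your own files.
set -u

# Print one problem per line for the credentials file; empty output means OK.
# $1 = path, $2 = user that should own it (root when OpenVPN runs as root).
check_credentials_file() {
    file=$1; owner=$2
    if [ ! -f "$file" ]; then
        echo "missing: $file"; return
    fi
    mode=$(stat -c %a "$file")
    [ "$mode" = "600" ] || echo "mode: $file is $mode, expected 600"
    fowner=$(stat -c %U "$file")
    [ "$fowner" = "$owner" ] || echo "owner: $file is owned by $fowner, expected $owner"
    lines=$(wc -l < "$file")
    [ "$lines" -ge 2 ] || echo "format: $file needs username on line 1 and password on line 2"
}

# True when the directive ($2, a regex) starts a line in the config ($1).
# Inline <ca>/<cert>/<key> blocks never start with a directive, so they are ignored.
has_directive() { grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"; }

# Print a warning per weak or missing directive; empty output means OK.
check_ovpn() {
    cfg=$1
    has_directive "$cfg" "remote-cert-tls server" \
        || echo "warn: no 'remote-cert-tls server'; any client certificate could impersonate the server"
    if has_directive "$cfg" "auth-user-pass"; then
        has_directive "$cfg" "auth-nocache" \
            || echo "warn: auth-user-pass without auth-nocache; the password stays cached in memory"
    fi
    has_directive "$cfg" "tls-crypt(-v2)?" || has_directive "$cfg" "tls-auth" \
        || echo "warn: neither tls-crypt nor tls-auth; the control channel accepts unauthenticated packets"
    if has_directive "$cfg" "cipher" && ! has_directive "$cfg" "data-ciphers"; then
        echo "warn: 'cipher' without 'data-ciphers'; use data-ciphers (OpenVPN 2.5+) with an AEAD cipher"
    fi
    if has_directive "$cfg" "script-security 3"; then
        echo "warn: script-security 3 passes passwords to scripts via the environment; 2 is enough for up/down"
    fi
    if grep -Eq "^[[:space:]]*(up|down|route-up)[[:space:]]" "$cfg"; then
        has_directive "$cfg" "script-security [23]" \
            || echo "warn: up/down scripts configured but script-security is below 2; they will not run"
    fi
}

# Usage: ./ovpn-preflight.sh client.ovpn [/etc/openvpn/credentials]
if [ $# -ge 1 ]; then
    problems=$(check_ovpn "$1"; [ $# -ge 2 ] && check_credentials_file "$2" root)
    if [ -n "$problems" ]; then printf '%s\n' "$problems"; else echo "preflight OK"; fi
fi
```

Run it as root (so the owner check is meaningful) before every config change; a non-empty report is a reason not to connect yet.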
Default route control: default server behavior
Whether your default route ends up inside the tunnel is usually decided by the server:
- If the server pushes redirect-gateway def1, all of your traffic goes through the VPN (full tunnel). The def1 flag implements this by adding 0.0.0.0/1 and 128.0.0.0/1 through the tunnel: those two routes beat the original default route, but lose to any more specific route you add yourself.
- To stop the client from accepting the pushed default route (and, in fact, every pushed route and DNS option), use route-nopull and add the routes you need manually. If you only want to reject the default route and keep the other pushed options, pull-filter ignore "redirect-gateway" (OpenVPN 2.4 and later) is the narrower tool.
Method 1 — Send only some IPs through VPN (Split tunnel)
If you want only specific destinations to go through the VPN, put route-nopull in client.ovpn and add the routes you want:
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
route-nopull
route 203.0.113.45 255.255.255.255
route 198.51.100.0 255.255.255.0
Explanation: with route-nopull no routes are accepted from the server; only the route lines you add send those destinations through the tunnel, and everything else keeps using your normal default route. A route line without an explicit gateway uses the tunnel's remote endpoint (vpn_gateway), which is what you want here.
Method 2 — All traffic through VPN, but a few specific IPs go through the normal route (Bypass)
When the server pushes redirect-gateway def1 and you still want a few destinations to use the normal (Internet) route, save the original gateway before the tunnel comes up and add more specific routes for those destinations through it.
A) Save the original gateway before connecting
Sample commands to capture the current default gateway and interface (the exit makes awk stop at the first default route if the host has several):
GW=$(ip route show default | awk '/default/ {print $3; exit}')
DEV=$(ip route show default | awk '/default/ {print $5; exit}')
After tun0 is up, re-add the destinations you want to bypass via that gateway. Because these /24 and /32 routes are more specific than the 0.0.0.0/1 and 128.0.0.0/1 routes that redirect-gateway def1 installs, they win regardless of the order in which they were added:
sudo ip route add 203.0.113.0/24 via $GW dev $DEV
sudo ip route add 8.8.8.8/32 via $GW dev $DEV
B) Automate with up/down scripts
Add the following lines to client.ovpn so that OpenVPN runs the scripts (script-security 2 permits external scripts; level 3 would also hand passwords to them through the environment, which you do not need here):
script-security 2
up /etc/openvpn/client-up.sh
down /etc/openvpn/client-down.sh
Example /etc/openvpn/client-up.sh (OpenVPN runs the up script before it installs the pushed routes, so the original default route is still in place when it reads it):
#!/bin/bash
# Save "gateway device" of the first default route, then pin the bypass
# destinations to it.  Host routes beat the 0.0.0.0/1 and 128.0.0.0/1 routes
# that redirect-gateway def1 adds afterwards.
ip route show default | awk '/default/ {print $3, $5; exit}' > /var/run/openvpn.origgw
GW=$(awk '{print $1}' /var/run/openvpn.origgw)
DEV=$(awk '{print $2}' /var/run/openvpn.origgw)
ip route add 8.8.8.8/32 via $GW dev $DEV
ip route add 203.0.113.45/32 via $GW dev $DEV
exit 0
Example /etc/openvpn/client-down.sh:
#!/bin/bash
# Remove the bypass routes using the gateway saved at connect time, then drop the state file.
[ -f /var/run/openvpn.origgw ] || exit 0
GW=$(awk '{print $1}' /var/run/openvpn.origgw)
DEV=$(awk '{print $2}' /var/run/openvpn.origgw)
ip route del 8.8.8.8/32 via $GW dev $DEV || true
ip route del 203.0.113.45/32 via $GW dev $DEV || true
rm -f /var/run/openvpn.origgw
exit 0
Make the scripts executable:
sudo chmod +x /etc/openvpn/client-up.sh /etc/openvpn/client-down.sh
Note: if your configuration drops privileges with user/group, the down script runs as that unprivileged user and cannot delete routes; either keep OpenVPN running as root (as the configs in this guide do) or load the openvpn-plugin-down-root.so plugin that ships with OpenVPN.
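The two scripts above can be collapsed into one script that OpenVPN calls for both up and down (it exports script_type as "up" or "down"), that copes with hosts that have more than one default route by choosing the lowest metric, and that reads the bypass list from a file instead of hard-coding addresses. This is an added example, not part of the original guide or of the OpenVPN project; the paths /etc/openvpn/bypass.list and /run/openvpn-bypass.state and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/bash
# vpn-bypass.sh: keep selected destinations on the original gateway while the
# VPN pushes a default route.  Added example, not from the original guide.
# Wire it into client.ovpn as both "up /etc/openvpn/vpn-bypass.sh" and
# "down /etc/openvpn/vpn-bypass.sh" with script-security 2.
set -u

BYPASS_LIST=${BYPASS_LIST:-/etc/openvpn/bypass.list}   # one CIDR per line, '#' comments (assumed path)
STATE_FILE=${STATE_FILE:-/run/openvpn-bypass.state}    # "gw dev" saved at up, read at down (assumed path)

# Print the command instead of running it when DRY_RUN is set (for testing).
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Read `ip route show default` on stdin and print "gateway device" for the
# lowest-metric default route.  Routes without a metric count as metric 0.
pick_default_route() {
    awk '
        $1 == "default" {
            gw = ""; dev = ""; m = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "via")         gw  = $(i + 1)
                else if ($i == "dev")    dev = $(i + 1)
                else if ($i == "metric") m   = $(i + 1) + 0
            }
            if (gw != "" && (best == "" || m < bestm)) { best = gw " " dev; bestm = m }
        }
        END { if (best != "") print best }'
}

# Print the CIDRs from the bypass list, skipping blank lines and '#' comments.
read_bypass_list() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# $1 = gateway, $2 = device, remaining args = CIDRs to pin to the original route.
# "replace" is idempotent, so a reconnect does not fail on an existing route.
add_bypass_routes() {
    gw=$1; dev=$2; shift 2
    for net in "$@"; do run ip route replace "$net" via "$gw" dev "$dev"; done
}
del_bypass_routes() {
    gw=$1; dev=$2; shift 2
    for net in "$@"; do run ip route del "$net" via "$gw" dev "$dev" || true; done
}

on_up() {
    [ -f "$BYPASS_LIST" ] || { echo "vpn-bypass: $BYPASS_LIST missing, nothing to bypass" >&2; return 0; }
    route=$(ip route show default | pick_default_route)
    [ -n "$route" ] || { echo "vpn-bypass: no default route found" >&2; return 1; }
    printf '%s\n' "$route" > "$STATE_FILE"
    # word splitting of $route ("gw dev") and of the list is intended
    add_bypass_routes $route $(read_bypass_list "$BYPASS_LIST")
}
on_down() {
    [ -f "$STATE_FILE" ] && [ -f "$BYPASS_LIST" ] || return 0
    del_bypass_routes $(cat "$STATE_FILE") $(read_bypass_list "$BYPASS_LIST")
    rm -f "$STATE_FILE"
}

# OpenVPN sets script_type to "up" or "down" before calling the script.
case "${script_type:-}" in
    up)   on_up ;;
    down) on_down ;;
    *)    echo "vpn-bypass: expected to be run by OpenVPN as an up/down script" >&2 ;;
esac
```

With DRY_RUN=1 the route commands are printed instead of executed, which is the easiest way to see what the script would do against a given bypass list before trusting it on a live connection.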
Method 3 — Policy-based Routing
Policy-based routing selects a route by packet attributes other than the destination, here the source address: traffic from one address is looked up in a dedicated table whose default route is the tunnel, while everything else keeps using the main table.
echo "200 vpnroute" | sudo tee -a /etc/iproute2/rt_tables
sudo ip rule add from 10.0.0.5/32 lookup vpnroute
sudo ip route add default dev tun0 table vpnroute
Run the tee line only once: it appends a new entry every time. If 10.0.0.5 is a host behind this machine rather than one of its own addresses, you also need IP forwarding and source NAT onto the tunnel address, because most servers drop packets whose source is not the address they assigned. To see the tun0 address and the virtual gateway:
ip -4 addr show dev tun0
ip route show dev tun0
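The three commands above are not idempotent (the rt_tables entry and the ip rule are duplicated on every run) and they give no way to confirm which path a given source actually takes. The script below is an added example, not from the original guide; the table id 200 and name vpnroute, the rule priority and the DRY_RUN switch are assumptions. It uses the numeric table id in every ip command, so the rt_tables entry is purely cosmetic.

```shell
#!/bin/bash
# vpn-pbr.sh: route traffic from one source address through the tunnel with a
# dedicated routing table, idempotently, and verify which path the kernel picks.
# Added example, not from the original guide; table id/name, priority and the
# DRY_RUN switch are assumptions.
set -u

TABLE_ID=200
TABLE_NAME=vpnroute
RULE_PRIO=1000
RT_TABLES=/etc/iproute2/rt_tables

# Print the command instead of running it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Register the table name once; a plain `tee -a` appends a new line every run.
ensure_table_name() {
    grep -Eqs "^[[:space:]]*$TABLE_ID[[:space:]]+$TABLE_NAME([[:space:]]|$)" "$RT_TABLES" \
        || run sh -c "echo '$TABLE_ID $TABLE_NAME' >> $RT_TABLES"
}

# $1 = source address or prefix, $2 = tunnel device (e.g. tun0)
pbr_apply() {
    src=$1; tun=$2
    ensure_table_name
    # "replace" is idempotent; "add" fails once the route exists.
    run ip route replace default dev "$tun" table "$TABLE_ID"
    # `ip rule add` happily inserts duplicates, so check first (skipped in dry run;
    # `ip rule show` prints a /32 source without the prefix length).
    src_ip=${src%/32}
    if [ -n "${DRY_RUN:-}" ] || ! ip rule show | grep -Eq "from $src_ip lookup ($TABLE_NAME|$TABLE_ID)"; then
        run ip rule add from "$src" lookup "$TABLE_ID" priority "$RULE_PRIO"
    fi
    # Replies arrive on the tunnel although the main table would route the peer
    # out another interface; loose reverse-path filtering on the tunnel avoids drops.
    run sysctl -q -w "net.ipv4.conf.$tun.rp_filter=2"
}

pbr_teardown() {
    src=$1; tun=$2
    run ip rule del from "$src" lookup "$TABLE_ID" priority "$RULE_PRIO" || true
    run ip route flush table "$TABLE_ID" || true
}

# Extract the interface following "dev" from `ip route get` output on stdin.
route_get_dev() { awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'; }

# Ask the kernel which interface it would use for a probe destination from $src;
# succeeds only when the answer is the tunnel.
pbr_verify() {
    src=$1; tun=$2; probe=${3:-1.1.1.1}
    got=$(ip route get "$probe" from "${src%/*}" 2>/dev/null | route_get_dev)
    echo "$probe from $src -> ${got:-no route}"
    [ "$got" = "$tun" ]
}

case "${1:-}" in
    apply)    pbr_apply "$2" "$3" ;;
    teardown) pbr_teardown "$2" "$3" ;;
    verify)   pbr_verify "$2" "$3" ;;
    *)        echo "usage: $0 apply|teardown|verify <source> <tun-dev>" >&2 ;;
esac
```

Typical use is `sudo ./vpn-pbr.sh apply 10.0.0.5/32 tun0` once the tunnel is up, followed by `./vpn-pbr.sh verify 10.0.0.5/32 tun0`, which should report tun0; a second verify with a source that has no rule should report your LAN interface, proving the rule is scoped to that source only.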
Connecting with systemd (autostart)
The openvpn-client@ unit expects the configuration as /etc/openvpn/client/<name>.conf, so copy client.ovpn to /etc/openvpn/client/client.conf; the unit's working directory is /etc/openvpn/client, which is where relative paths in the file resolve. Then:
sudo systemctl start openvpn-client@client
sudo systemctl enable openvpn-client@client
sudo journalctl -u openvpn-client@client -f
DNS and name resolution problems
If the server pushes DNS servers (dhcp-option DNS), OpenVPN itself does not touch the resolver; a script has to. On distributions whose openvpn package ships update-resolv-conf (Debian/Ubuntu, at /etc/openvpn/update-resolv-conf, which relies on resolvconf), enable it with:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
On systems running systemd-resolved that script rewrites /etc/resolv.conf behind resolved's back; use a resolvectl-based script instead (the openvpn-systemd-resolved package on Debian/Ubuntu provides /etc/openvpn/update-systemd-resolved). Also keep in mind that route-nopull discards pushed dhcp-option DNS settings along with the routes, so in a split-tunnel setup you configure DNS yourself, and you should decide whether all queries or only the VPN's own domains should go to the VPN resolver.
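On a systemd-resolved host the per-link resolvectl interface is the right tool, and the decision about which queries the tunnel resolver may answer is a split-tunnel decision. The script below is an added example, not from the original guide or the OpenVPN project, of an up/down script that reads the DNS servers OpenVPN passes in its foreign_option_N environment variables and hands them to systemd-resolved for the tunnel interface only; the VPN_DNS_DOMAINS setting is an assumption for illustration.

```shell
#!/bin/bash
# vpn-resolved.sh: hand the DNS servers pushed by the OpenVPN server to
# systemd-resolved for the tunnel link only, and revert them on disconnect.
# Added example, not from the original guide.  Enable in client.ovpn with:
#   script-security 2
#   up /etc/openvpn/vpn-resolved.sh
#   down /etc/openvpn/vpn-resolved.sh
set -u

# Which queries the pushed resolvers should answer (assumed setting):
#   "~."            every query (full tunnel)
#   "~corp.example" only that zone, so ordinary lookups do not leak to the
#                   VPN resolver (split tunnel)
VPN_DNS_DOMAINS=${VPN_DNS_DOMAINS:-"~."}

# OpenVPN exports each pushed option as foreign_option_1, foreign_option_2, ...
# e.g. foreign_option_1="dhcp-option DNS 10.8.0.1".  Print the values of the
# given dhcp-option kind (DNS or DOMAIN), space separated, in push order.
pushed_option() {
    kind=$1; i=1; vals=""
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option $kind "*) vals="$vals ${opt#"dhcp-option $kind "}" ;;
        esac
        i=$((i + 1))
    done
    echo "${vals# }"
}

on_up() {
    tun=${dev:-${1:-}}          # OpenVPN sets $dev and also passes it as $1
    set -- $(pushed_option DNS)
    if [ $# -eq 0 ]; then
        echo "vpn-resolved: server pushed no DNS, resolver left untouched" >&2
        return 0
    fi
    resolvectl dns "$tun" "$@"
    # Pushed search domains plus our routing domains ("~" prefix = routing only).
    set -- $(pushed_option DOMAIN) $VPN_DNS_DOMAINS
    resolvectl domain "$tun" "$@"
    if [ "$VPN_DNS_DOMAINS" = "~." ]; then
        resolvectl default-route "$tun" yes   # tunnel resolvers take every query
    else
        resolvectl default-route "$tun" no    # only the listed zones go there
    fi
}

on_down() {
    tun=${dev:-${1:-}}
    if [ -n "$tun" ]; then resolvectl revert "$tun"; fi
}

case "${script_type:-}" in
    up)   on_up "$@" ;;
    down) on_down "$@" ;;
    *)    echo "vpn-resolved: meant to be run by OpenVPN as an up/down script" >&2 ;;
esac
```

After connecting, `resolvectl status tun0` shows the servers and domains attached to the tunnel link, and `resolvectl query` against a name in one of the listed zones confirms it is answered there rather than by your LAN resolver.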
Complete client.ovpn example (sample)
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# CA that signed the server certificate: a file (placeholder name below) or the
# inline <ca>...</ca> block your provider ships; without one the client refuses to start
ca ca.crt
# tls-crypt ta.key   # add if your provider supplies a tls-crypt (or tls-auth) key
remote-cert-tls server
# OpenVPN 2.5+: negotiate an AEAD cipher; "cipher AES-256-CBC" is the deprecated form
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
auth-user-pass /etc/openvpn/credentials
auth-nocache
# Split tunnel: ignore pushed routes and send only these destinations through the VPN
route-nopull
route 203.0.113.45 255.255.255.255
route 198.51.100.0 255.255.255.0
# The bypass scripts from Method 2 are only needed when the server's default
# route is accepted; with route-nopull above they are harmless but unnecessary
script-security 2
up /etc/openvpn/client-up.sh
down /etc/openvpn/client-down.sh
Security and operational tips
- Protect the credentials file with chmod 600 and root ownership.
- Use client certificates together with tls-crypt (or tls-auth): packets without the shared key are dropped before the TLS handshake, which blunts simple DoS and stops port scanners from fingerprinting the service. Keep remote-cert-tls server so that a stolen client certificate cannot be used to impersonate the server.
- Use auth-nocache so that the password is not kept cached in memory.
- Keep OpenVPN up to date and use modern AEAD ciphers (AES-256-GCM or CHACHA20-POLY1305) through data-ciphers rather than the legacy cipher directive.
- Monitor the logs. Under systemd they go to the journal (journalctl -u openvpn-client@client), which handles rotation itself; logrotate is only needed if you log to a file with log or log-append.
For latency-sensitive use (traders, gamers), pick a nearby server or use split tunnelling so that only the services that need the VPN go through it; everything else keeps its normal ping and stability.
Fix common errors
- Connection not established: check the port and protocol (UDP/TCP) on the firewall (ufw/iptables/cloud security group) and that the remote line matches what the server listens on.
- DNS not working: use update-resolv-conf (or a resolvectl-based script on systemd-resolved hosts) or set /etc/resolv.conf manually; remember that route-nopull also discards pushed DNS settings.
- Routes not added: make sure script-security 2 is set, the scripts are executable and referenced by absolute path, and read the journal for the scripts' error output.
- Internet drops after connecting: the server probably pushed a default route; use the bypass or route-nopull methods.
Comparison of applications and tips for different types of users
- Traders: need low ping and stability; use nearby servers and, if possible, split tunnel only the connection to the trading server.
- Gamers: game traffic should usually take the shortest route; a full tunnel can raise ping, so route only the game server through the VPN or use a nearby server.
- Site administrators/DevOps: run the OpenVPN client on servers under systemd and use policy-based routing for specific services.
- AI/rendering: for large data transfers, a full tunnel through a high-bandwidth server is the better fit.
Summary and Conclusion
To run the OpenVPN client on Linux you normally need only the .ovpn file, an auth-user-pass line if the server asks for credentials and, for a split tunnel, route-nopull plus explicit route lines. To bypass a few destinations during a full tunnel, save the original gateway before connecting and add more specific routes for them through it. For anything more involved, use policy-based routing.