OpenVPN stops working after network restart

Encountering the following problem – OpenVPN works perfectly when started or restarted, but when the network connection of the computer restarts or for example, the WIFI device resets (or loses the wifi network and connects again when it becomes available) the VPN never recovers. All networks routed via the VPN never seem to work again and they become dead ends to the computer despite the Internet connectivity is OK.
The logs show only attempts to connect again to the servers, but apparently with no success:

Oct 13 02:22:55 www openvpn[7744]: Attempting to establish TCP connection with [AF_INET] [nonblock]
Oct 13 02:24:55 www openvpn[7744]: TCP: connect to [AF_INET] failed: Connection timed out
Oct 13 02:22:55 www openvpn[7744]: Attempting to establish TCP connection with [AF_INET] [nonblock]
Oct 13 02:24:55 www openvpn[7744]: TCP: connect to [AF_INET] failed: Connection timed out

The server is unreachable and it stays unreachable even the network connectivity recovered and the Internet of the computer is OK.
In this case, the OpenVPN server is part of a route network push to the client, and the OpenVPN IP is part of the pushed network to be routed via the VPN. And when the client’s network connection resets, the additional server’s IP route to the gateway disappears, but the pushed route does not, and now the OpenVPN server’s IP is part of a VPN route, which is dead because the VPN channel is dead. A restart of all OpenVPN routes is required (remove the special VPN device tun device with its routes and then add the device and routes again after successful reconnection to the OpenVPN server), but when an OpenVPN client option persist-tun is in the configuration, the restart won’t happen in the mentioned way. Only a restart of the service will remove the tun and its routes and then add them after a successful reconnection to the OpenVPN server.

Removing the persist-tun from the client’s configuration will trigger a full restart of the VPN channel – remove the special tun device and all OpenVPN routes and then reconnect and initialize the special tun device and then add the pushed routes.

Here is the example:

  • The OpenVPN server’s IP is
  • The OpenVPN server pushes several networks to the client. Networks, which must be routed via the VPN. One of them happened to be, which includes the OpenVPN server’s IP.
  • The OpenVPN server adds a route for its IP to be routed via the default client’s gateway, which is This is how the VPN channel works despite it pushed the whole network via the VPN.

The problem appears when the network resets and the client’s OpenVPN process removes the route for the OpenVPN IP via the gateway because the gateway is not valid anymore! With persist-tun the pushed OpenVPN routes won’t be removed only reconnect attempts will be tried. But the OpenVPN IP now routes via the pushed server’s route via the dead VPN channel.
Keep on reading!

How to configure openvpn client with an ovpn single configuration file

One file for configuration is always a good thing. We can pack everything needed for a openvpn client configuration in one single file, when using certificate authorization. If you use password authorization it is not possible, because the username and password must be in another file, but with certificate we can inline everything in one configuration file. Below is the template of such file:

dev tun
proto tcp
verb 3
remote [IP] [PORT]
resolv-retry infinite



#uncomment to route these IP/Networks requested by the client
#route [IP1] [MASK1]
#route [IP2] [MASK2]

To get it working you should change the

  • Remote IP and port – replace [IP] [PORT] with your IP and PORT of the openvpn server you use.
  • copy everything between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” from the certificate authority (CA) file and replace with [CA_CERTIFICATE]
  • copy everything between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” from the certificate file and replace with [CLIENT_CERTIFICATE]
  • copy everything between “—–BEGIN PRIVATE KEY—–” and “—–END PRIVATE KEY—-” from the certificate file and replace with [CLIENT_KEY]

You can also uncomment the route lines to enable specific routes through the VPN, such routes are probably not included in the server configuration, but the user could add them, too.
Save the above file (best with extension .ovpn) and then import it in any openvpn client under Linux, Windows and Android. The file contains everything the openvpn client needs to establish a vpn connection