Is there a way to check the VPN server is actually running correctly? Ive set it up and followed the GLiNet guide, but my phone OpenVPN client cannot connect to it. The Flint 2 is connected directly to my fibre modem so it is operating as a normal router and shouldnt need any port forwards….
Ive got a custom DDNS setup through Namecheap, and when checking they do know my correct IP address, so that is fully working. Ive tried changing from UDP to TCP, and 1194 to a random other port, but in all cases my phone doesnt show any response from the server at all (‘Server poll timeout, trying next remote entry’ in the logs). It does resolve the DDNS to the correct IP address, but otherwise nothing else. Meanwhile the VPN server logs on the Flint 2 show no activity at all.
Is there a good debug tool/process to work out what is broken? E.g. things that would stop the OpenVPN server from being visible on the internet, or whether my phone is not allowing access for some reason?
If do, try using some online open port checkers to see whether your ISP has opened ports for you.
Also try some high, non-standard ports, such as 21194 and 51194.
Thank you, yes I have a public IP address, and I have tried picking a different (high) port.
The logs in Windows show this (phone OpenVPN were totally blank), which I will start to dig into, but I dont quite know if this is “always the case” with OpenVPN connections or if Ive done something wrong given I think I followed the steps.
Wed Jan 28 09:22:46 2026 TCP_CLIENT link local: (not bound)
Wed Jan 28 09:22:46 2026 TCP_CLIENT link remote: [AF_INET]1xxx8:1xxx4
Wed Jan 28 09:22:46 2026 MANAGEMENT: >STATE:1769592166,WAIT,,,,,,
Wed Jan 28 09:23:46 2026 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan 28 09:23:46 2026 NOTE: --mute triggered...
Wed Jan 28 09:23:46 2026 1 variation(s) on previous 5 message(s) suppressed by --mute
Wed Jan 28 09:23:46 2026 Fatal TLS error (check_tls_errors_co), restarting
Wed Jan 28 09:23:46 2026 Closing DCO interface
Wed Jan 28 09:23:46 2026 SIGUSR1[soft,tls-error] received, process restarting
Wed Jan 28 09:23:46 2026 MANAGEMENT: >STATE:1769592226,RECONNECTING,tls-error,,,,,
Wed Jan 28 09:23:46 2026 Restart pause, 1 second(s)
Wed Jan 28 09:23:47 2026 WARNING: No server certificate verification method has been enabled. See 2x HOW TO for more info.
Wed Jan 28 09:23:47 2026 MANAGEMENT: >STATE:1769592227,RESOLVE,,,,,,
Wed Jan 28 09:23:47 2026 TCP/UDP: Preserving recently used remote address: [AF_INET]1xxx8:1xxx4
Wed Jan 28 09:23:47 2026 ovpn-dco device [OpenVPN Data Channel Offload] opened
Wed Jan 28 09:23:47 2026 TCP_CLIENT link local: (not bound)
Wed Jan 28 09:23:47 2026 TCP_CLIENT link remote: [AF_INET]1xxx8:1xxx4
Wed Jan 28 09:23:47 2026 MANAGEMENT: >STATE:1769592227,WAIT,,,,,,
Apologies for wasting your time, but Ive recently switched ISP connection and they now use CGNAT, hence the WAN IP address that I get is partially shared and hence ports are not opening correctly.
I assume I will have the same problem with Wireguard? If so Tailscale is probably my only option… How annoying!!
Yes, setting up an OpenVPN or WireGuard server both requires your home network to have a public IP address.
If you don’t have one, then Tailscale or ZeroTier would be the remaining options.
