OpenVPN client listening on 0.0.0.0

I am testing and calibrating OpenVPN in Linux, using free VPNs initially.

According to all sources I have seen, the OpenVPN proxy should be listening on localhost:1194. In fact it consistently listens on 0.0.0.0, the origin, and a browser will only connect to OpenVPN with proxy set to this address at the usual port.

0.0.0.0 is unmentioned in man openvpn. One mention online shows this address in a server implementation, but I am running a client using a client.ovpn with no indication of 0.0.0.0. Online advice generally warns of applications listening on the origin, but more importantly, all documentation I have seen assumes OpenVPN listens on localhost:1194 and browsers should be set to this proxy.

Why is OpenVPN listening on the wrong address, and how can I fix it?

Edit:

Looking again at man openvpn I see the 0.0.0.0 mentioned as ‘default gateway’ and localhost given as management IP.

All mention I recall seeing of using commercial VPNs with OpenVPN and of using browsers with OpenVPN suggested or implied using localhost:1194. This is implied too in that most proxies listen on localhost (Tor, Privoxy, etc.). Despite the below comment, OpenVPN and VPN clients in general are indeed discussed widelyas if they are proxies – avaiable listening services, like socks or http tunnels, to which an application ports net activity.

None I saw mentioned having to enter 0.0.0.0:1194 as the working proxy, and indeed, Firefox would not work with OpenVPN unless the address:port are explicitly given.

The only tutorials I have for iptables with OpenVPN only suggest specifying dport, but never address, suggesting the port is on localhost.

All mention is in stored documents from the web for which I lack the URL, and have no time to search online right now.

Discussions of the 0.0.0.0 IP suggest that a service listening here is doing so on all interfaces, which I immediately view as problematic. I would rather restrict a listener to a specific interface, ie. localhost. For example, the following appears elsewhere on Superuser:

When a service is listening on 0.0.0.0 this means the service is
listening on all the configured network interfaces, when listening on
127.0.0.1 the service is only bound to the loopback interface (only available on the local machine)

The IP address 0.0.0.0 can have very different meanings, depending on
where it’s used.

It’s not a valid address to be given to an actual network interface,
along with any other address in the 0.0.0.0/8 subnet (i.e. any address
starting with 0.). It can’t be used as the source address on any IP
packet, unless this happens when a computer still doesn’t know its own
IP address and it’s trying to acquire one (classic example: DHCP). If
used in a routing table, it identifies the default gateway; a route to
0.0.0.0 is the default one, i.e. the one used when there is not any more specific route available to a destination address. Lastly, when
seen in the output of the netstat command (which is what you asked
for), it means that a given socket is listening on all the available
IP addresses the computer has; when a computer has more than one IP
address, a socket can be bound only to a specific address and port
pair, or to a port and all addresses; if you see an IP address there,
it means that socket is listening only on that port and that specific
address; if you see 0.0.0.0, it means it’s listening on that port on
all addresses of the machine, including the loopback one (127.0.0.1).

Similar is suggested on Lifewire with ominous tone; this is the worse for the fact that OpenVPN runs as root during its initialization phase before falling back to an unprivileged user, and no mitigation for this exists for Debian AFAIK.

https://www.lifewire.com/four-zero-ip-address-818384

As a footnote, can OpenVPN with any given server be set to listen on localhost instead?