based on this from your config: "redirect-gateway def1 bypass-dns"
https://community.openvpn.net/openvpn/w ... n24ManPage
--redirect-gateway flags...
Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. This is a client-side option.
def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
bypass-dns -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
Ignoring the part saying whether or not the bypass-dns command is available for non-Windows users, I can see it may cause an issue if trying to resolve a remote domain name (the check site) in order to report your public IP back to you. In a terminal, running this command:
ip route show
may explain what the routing looks like (or make it more confusing), and there are ways to modify routes, but for these intents and purposes I do not believe it will be effective or useful in resolving the issue, easily anyways... I would try: delete bypass-dns from your config and test; if that does not work, then try deleting the entire line redirect-gateway def1 bypass-dns, as the issue may also be the def1 flag confusing things for the applet/indicator. Otherwise, using NM to set DNS to public/open DNS servers in both your VPN (TUN adapter) and internet adapter (wired and/or wireless) may help.
(Popular public DNS are Cloudflare 1.1.1.1/1.0.0.1, Google 8.8.8.8/8.8.4.4, Quad9 9.9.9.9, etc.) Even better would be (imho) to use dnscrypt-proxy, which is a local resolver and cache and can be set up fairly easily to use DNS over HTTPS (DoH; hard to find support, but Cloudflare and Google DNS do support it; I prefer Cloudflare due to mistrust in Google practices and policies), which is really the only way to encrypt DNS queries and keep the "everwatchfuleyes" from ever learning what sites you go to... until you get there, but through the VPN, and only the VPN provider would know, if they cared.
If this doesn't change applet and indicator behavior then I'm but still on task thinking of what else we could do to sort this seemingly simple task of notifying you when VPN up/down.
Edit to add: another option is to delete from the ovpn config the entire redirect-gateway def1 bypass-dns line, as redirect-gateway is useless without the flags def1 and bypass-dns, in this case.
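Added example, not part of the original post: a longest-prefix route lookup over `ip route show` output, showing how the two def1 /1 routes win over the untouched default route and which addresses still leave outside the tunnel. The routing table, the device names (tun0, eth0) and all addresses are constructed sample values, and the helper names are hypothetical.

```python
import ipaddress

# Constructed `ip route show` output (not from the thread): a client with
# redirect-gateway def1 bypass-dns, tun0 as the VPN device, 198.51.100.20 as the
# VPN server and 9.9.9.9 as a non-local DNS server given a direct route.
SAMPLE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
9.9.9.9 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
198.51.100.20 via 192.168.1.1 dev eth0
"""

def parse_routes(text):
    """Turn `ip route show` lines into dicts with net, via, dev and metric."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        except ValueError:
            continue  # skip typed entries such as "unreachable ..." or "blackhole ..."
        def after(key):
            return tok[tok.index(key) + 1] if key in tok[:-1] else None
        routes.append({"net": net, "via": after("via"), "dev": after("dev"),
                       "metric": int(after("metric") or 0)})
    return routes

def lookup(routes, addr):
    """Pick the route the kernel would use: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r["net"]]
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]), default=None)

def outside_tunnel(routes, addrs, tun="tun0"):
    """Return the addresses whose selected route does not use the tunnel device."""
    return [a for a in addrs
            if (r := lookup(routes, a)) is None or r["dev"] != tun]

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for dns in ("1.1.1.1", "8.8.8.8", "9.9.9.9"):
        print(dns, "->", lookup(table, dns)["dev"])
    print("outside tunnel:", outside_tunnel(table, ["1.1.1.1", "8.8.8.8", "9.9.9.9"]))
```

Feeding it the real output of `ip route show` and the resolvers configured in NM shows at a glance whether DNS queries follow the tunnel or the original gateway.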