17.01 OpenVPN setup

Hi!
I've been trying to set up a basic OpenVPN server. I tried many times, but I still can't get it to work. My setup:
Internet - ISP (modem and router combo - gateway: 192.168.0.1) - Archer C5v1.2 (LEDE 17.01, WAN IP: 192.168.0.2, serves as gateway (for all other devices) 192.168.1.1). I also have a DDNS acquired and port 1194 opened (tcp+udp) on both routers. In the last attempt I followed the script-based setup on the OpenWrt site but didn't succeed. My OVPN file is

client
dev tun
proto tcp
fast-io
remote jazz.ddns.net 1194
remote-cert-tls server
nobind
persist-key
persist-tun
comp-lzo on
verb 7
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
ca
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
the_key.....
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
..
-----END OpenVPN Static key V1-----
</tls-auth>

Log file:

Mon Jun 25 14:56:40 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
 
Mon Jun 25 14:56:40 2018 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
 
Mon Jun 25 14:56:40 2018 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
 
Mon Jun 25 14:56:40 2018 TUN/TAP device ovpns0 opened
Mon Jun 25 14:56:40 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
 
Mon Jun 25 14:56:40 2018 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
 
Mon Jun 25 14:56:40 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
 
Mon Jun 25 14:56:40 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
 
Mon Jun 25 14:56:40 2018 UDPv4 link remote: [AF_UNSPEC]
 
Mon Jun 25 14:56:40 2018 Initialization Sequence Completed

Since I found another tutorial I ran that but couldn't get that ICA creation to work. I issued the commands:

openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_vpn_server -nodes

Which got me the error

Error Loading extension section v3_vpn_server

Now I am totally confused and my firewall is just a mess. How to properly do this and which tutorial to follow, since there are at least 3 of them? How to clean it without deleting additional entries and keeping the system on USB?

Hello Sannyi,

Welcome to the community and hopefully we can get you up and running. I understand the confusion of there being +/- three tutorials on this and how to set it all up. As you originally posted on my post, you may have noticed @JW0914 mentioning:

The OpenVPN (Server Setup) wiki is intended to be a no-frills, get up and running as quick as possible, without having to have the user understand all of what's being done or have prior experience with OpenVPN

This explained a lot because there were some errors in "TLS handshakes" when I tried to blindly run the script and connect to the vpn server. I am currently following the other tutorials from scratch, OpenVPN Server (Comprehensive) and OpenSSL Certificates, to get a better understanding and more control on the setup and configuration of the server, each step of the way.

While I am trying to get my vpn running using another "in depth" tutorial, I would like to do my part and help as much as I can in your scenario. Plus, I would like to keep tabs and collect data from the result of your post (the results of this forum may help me in my endeavor).

Note: FFR, after you are able to get your vpnserver up and running, you may want to revisit the default port 1194 and consider using a different port number. Preferably a port number that is above 1194.

With that being said, I have a few questions and requests:

  1. Your post of your log output looks to show the server starting up fine. Did you have any logs of when you tried to connect to the vpn?

  2. Would you be so kind to provide the server config file? Usually this file is located here /etc/config/openvpn i.e.

cat /etc/config/openvpn

  3. Based on your client file, it looks like it has all the certs. Would you post the names and locations of where all your certs are, for verification purposes?

  4. Would you be so kind to provide your /etc/config/firewall in combination with the contents of /etc/firewall.user by running:

cat /etc/config/firewall

&

cat /etc/firewall.user

  5. You mentioned:

I have read other responses from @JW0914 where they stated the tutorials should be standalone; I would not try to run other scripts outside the main tutorial you are following, especially when dealing with certs, unless you know what you are doing, otherwise this will add confusion and complications when troubleshooting.

Besides the point, it looks like it is dealing with the results of the openssl.cnf file. Try having a look at the aforementioned OpenSSL Certificates wiki and this posting, VPN Config Assistance [Solved], and their discussion of CA and ICAs and verify the changes referenced in the openssl.cnf.

Thanks for your contributions! Hope we can help.

Sincerely,

A humbly committed student

Hi!
Thank you for the quick response.
Before I sought the help of this forum, I read the OG thread.
A few days earlier I tried out the script-based method you posted in the first link and went through all the troubleshooting steps mentioned there.
Client log (Android Oreo 8.0.0 app):

15:13:47.732 -- ----- OpenVPN Start -----

15:13:47.733 -- EVENT: CORE_THREAD_ACTIVE

15:13:47.736 -- Frame=512/2048/512 mssfix-ctrl=1250

15:13:47.740 -- UNUSED OPTIONS
3 [fast-io] 
6 [nobind] 
7 [persist-key] 
8 [persist-tun] 
10 [verb] [3] 


15:13:47.741 -- EVENT: RESOLVE

15:13:57.752 -- Server poll timeout, trying next remote entry...

15:13:57.753 -- EVENT: RECONNECTING

15:13:57.759 -- EVENT: RESOLVE

15:13:58.445 -- Contacting 256.256.256.256:1194 via UDP

15:13:58.447 -- EVENT: WAIT

15:13:58.452 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:14:07.760 -- Server poll timeout, trying next remote entry...

15:14:07.762 -- EVENT: RECONNECTING

15:14:07.767 -- EVENT: RESOLVE

15:14:07.777 -- Contacting 256.256.256.256:1194 via UDP

15:14:07.779 -- EVENT: WAIT

15:14:07.789 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:14:17.764 -- Server poll timeout, trying next remote entry...

15:14:17.766 -- EVENT: RECONNECTING

15:14:17.772 -- EVENT: RESOLVE

15:14:17.778 -- Contacting 256.256.256.256:1194 via UDP

15:14:17.780 -- EVENT: WAIT

15:14:17.783 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:14:27.760 -- Server poll timeout, trying next remote entry...

15:14:27.762 -- EVENT: RECONNECTING

15:14:27.766 -- EVENT: RESOLVE

15:14:27.779 -- Contacting 256.256.256.256:1194 via UDP

15:14:27.781 -- EVENT: WAIT

15:14:27.784 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:14:37.766 -- Server poll timeout, trying next remote entry...

15:14:37.767 -- EVENT: RECONNECTING

15:14:37.775 -- EVENT: RESOLVE

15:14:37.785 -- Contacting 256.256.256.256:1194 via UDP

15:14:37.787 -- EVENT: WAIT

15:14:37.793 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:14:47.741 -- EVENT: CONNECTION_TIMEOUT

15:14:47.746 -- EVENT: DISCONNECTED

15:14:47.760 -- EVENT: CORE_THREAD_INACTIVE

15:14:47.761 -- Tunnel bytes per CPU second: 0

15:14:47.762 -- ----- OpenVPN Stop -----

15:14:51.370 -- ----- OpenVPN Start -----

15:14:51.371 -- EVENT: CORE_THREAD_ACTIVE

15:14:51.375 -- Frame=512/2048/512 mssfix-ctrl=1250

15:14:51.391 -- UNUSED OPTIONS
3 [fast-io] 
6 [nobind] 
7 [persist-key] 
8 [persist-tun] 
10 [verb] [3] 


15:14:51.392 -- EVENT: RESOLVE

15:14:51.470 -- Contacting 256.256.256.256:1194 via UDP

15:14:51.470 -- EVENT: WAIT

15:14:51.475 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:15:01.191 -- EVENT: DISCONNECTED

15:15:01.195 -- EVENT: CORE_THREAD_INACTIVE

15:15:01.196 -- Tunnel bytes per CPU second: 0

15:15:01.197 -- ----- OpenVPN Stop -----

15:15:03.267 -- ----- OpenVPN Start -----

15:15:03.268 -- EVENT: CORE_THREAD_ACTIVE

15:15:03.284 -- Frame=512/2048/512 mssfix-ctrl=1250

15:15:03.305 -- UNUSED OPTIONS
3 [fast-io] 
6 [nobind] 
7 [persist-key] 
8 [persist-tun] 
10 [verb] [3] 


15:15:03.306 -- EVENT: RESOLVE

15:15:03.310 -- Contacting 256.256.256.256:1194 via UDP

15:15:03.311 -- EVENT: WAIT

15:15:03.314 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:15:13.308 -- Server poll timeout, trying next remote entry...

15:15:13.310 -- EVENT: RECONNECTING

15:15:13.315 -- EVENT: RESOLVE

15:15:13.326 -- Contacting 256.256.256.256:1194 via UDP

15:15:13.329 -- EVENT: WAIT

15:15:13.334 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:15:23.309 -- Server poll timeout, trying next remote entry...

15:15:23.310 -- EVENT: RECONNECTING

15:15:23.315 -- EVENT: RESOLVE

15:15:23.320 -- Contacting 256.256.256.256:1194 via UDP

15:15:23.322 -- EVENT: WAIT

15:15:23.328 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:15:33.320 -- Server poll timeout, trying next remote entry...

15:15:33.321 -- EVENT: RECONNECTING

15:15:33.328 -- EVENT: RESOLVE

15:15:33.333 -- Contacting 256.256.256.256:1194 via UDP

15:15:33.335 -- EVENT: WAIT

15:15:33.340 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:15:43.315 -- Server poll timeout, trying next remote entry...

15:15:43.317 -- EVENT: RECONNECTING

15:15:43.326 -- EVENT: RESOLVE

15:15:43.340 -- Contacting 256.256.256.256:1194 via UDP

15:15:43.341 -- EVENT: WAIT

15:15:43.345 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:15:53.321 -- Server poll timeout, trying next remote entry...

15:15:53.323 -- EVENT: RECONNECTING

15:15:53.328 -- EVENT: RESOLVE

15:15:53.604 -- Contacting 256.256.256.256:1194 via UDP

15:15:53.606 -- EVENT: WAIT

15:15:53.616 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:16:03.312 -- EVENT: CONNECTION_TIMEOUT

15:16:03.317 -- EVENT: DISCONNECTED

15:16:03.321 -- EVENT: CORE_THREAD_INACTIVE

15:16:03.322 -- Tunnel bytes per CPU second: 0

15:16:03.323 -- ----- OpenVPN Stop -----

15:18:14.301 -- ----- OpenVPN Start -----

15:18:14.302 -- EVENT: CORE_THREAD_ACTIVE

15:18:14.309 -- Frame=512/2048/512 mssfix-ctrl=1250

15:18:14.331 -- UNUSED OPTIONS
3 [fast-io] 
6 [nobind] 
7 [persist-key] 
8 [persist-tun] 
10 [verb] [3] 


15:18:14.332 -- EVENT: RESOLVE

15:18:19.466 -- Contacting 256.256.256.256:1194 via UDP

15:18:19.468 -- EVENT: WAIT

15:18:19.474 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:18:21.658 -- EVENT: DISCONNECTED

15:18:21.661 -- EVENT: CORE_THREAD_INACTIVE

15:18:21.662 -- Tunnel bytes per CPU second: 0

15:18:21.663 -- ----- OpenVPN Stop -----

15:18:23.926 -- ----- OpenVPN Start -----

15:18:23.927 -- EVENT: CORE_THREAD_ACTIVE

15:18:23.940 -- Frame=512/2048/512 mssfix-ctrl=1250

15:18:23.957 -- UNUSED OPTIONS
3 [fast-io] 
6 [nobind] 
7 [persist-key] 
8 [persist-tun] 
10 [verb] [3] 


15:18:23.959 -- EVENT: RESOLVE

15:18:23.962 -- Contacting 256.256.256.256:1194 via UDP

15:18:23.963 -- EVENT: WAIT

15:18:23.966 -- Connecting to [256.256.256.256.ddns.net]:1194 (256.256.256.256) via UDPv4

15:18:25.488 -- EVENT: DISCONNECTED

15:18:25.491 -- EVENT: CORE_THREAD_INACTIVE

15:18:25.492 -- Tunnel bytes per CPU second: 0

15:18:25.492 -- ----- OpenVPN Stop -----

15:23:39.737 -- ----- OpenVPN Start -----

15:23:39.739 -- EVENT: CORE_THREAD_ACTIVE

15:23:39.751 -- Frame=512/2048/512 mssfix-ctrl=1250

15:23:39.765 -- UNUSED OPTIONS
3 [fast-io] 
6 [nobind] 
7 [persist-key] 
8 [persist-tun] 
10 [verb] [7] 


15:23:39.765 -- EVENT: RESOLVE

15:23:39.833 -- Contacting 256.256.256.256:1194 via TCP

15:23:39.833 -- EVENT: WAIT

15:23:49.775 -- Server poll timeout, trying next remote entry...

15:23:49.776 -- EVENT: RECONNECTING

15:23:49.781 -- EVENT: RESOLVE

15:23:49.794 -- Contacting 256.256.256.256:1194 via TCP

15:23:49.796 -- EVENT: WAIT

15:23:59.790 -- Server poll timeout, trying next remote entry...

15:23:59.793 -- EVENT: RECONNECTING

15:23:59.803 -- EVENT: RESOLVE

15:23:59.810 -- Contacting 256.256.256.256:1194 via TCP

15:23:59.811 -- EVENT: WAIT

15:24:09.805 -- Server poll timeout, trying next remote entry...

15:24:09.810 -- EVENT: RECONNECTING

15:24:09.818 -- EVENT: RESOLVE

15:24:09.822 -- Contacting 256.256.256.256:1194 via TCP

15:24:09.823 -- EVENT: WAIT

15:24:19.812 -- Server poll timeout, trying next remote entry...

15:24:19.814 -- EVENT: RECONNECTING

15:24:19.818 -- EVENT: RESOLVE

15:24:19.822 -- Contacting 256.256.256.256:1194 via TCP

15:24:19.824 -- EVENT: WAIT

15:24:29.819 -- Server poll timeout, trying next remote entry...

15:24:29.821 -- EVENT: RECONNECTING

15:24:29.827 -- EVENT: RESOLVE

15:24:29.837 -- Contacting 256.256.256.256:1194 via TCP

15:24:29.840 -- EVENT: WAIT

15:24:39.777 -- EVENT: CONNECTION_TIMEOUT

15:24:39.782 -- EVENT: DISCONNECTED

15:24:39.789 -- EVENT: CORE_THREAD_INACTIVE

15:24:39.791 -- Tunnel bytes per CPU second: 0

15:24:39.792 -- ----- OpenVPN Stop -----

//256 - my (hidden - replace) ip. My real IP is valid. Same goes for mydomain.ddns.net

Server config:

config openvpn 'custom_config'
        option enabled '0'
        option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
        option enabled '0'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh1024.pem'
        option server '10.8.0.0 255.255.255.0'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option compress 'lzo'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-status.log'
        option verb '5'

config openvpn 'sample_client'
        option enabled '0'
        option client '1'
        option dev 'tun'
        option proto 'tcp'
        list remote 'my_server_1 1194'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/client.crt'
        option key '/etc/openvpn/client.key'
        option compress 'lzo'
        option verb '3'

config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option proto 'udp'
        option port '1194'
        option topology 'subnet'
        option tls_server '1'
        option mode 'server'
        option server '192.168.200.0 255.255.255.0'
        option route_gateway 'dhcp'
        option comp_lzo 'yes'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option client_to_client '1'
        option log '/tmp/openvpn.log'
        list push 'topology subnet'
        list push 'redirect-gateway def1'
        list push 'route-gateway dhcp'
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
  3. All locations are OK (also chmod 777 (!!!!) because I use root (plan to remove ASAP) and learn the chmod commands).
  4. The FW has the VPN already removed

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '443'
        option name 'https'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '19127'
        option dest_ip '192.168.1.100'
        option dest_port '3389'
        option name 'Laptop'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '1912'
        option name 'ssh'
        option proto 'tcp'

Please start from scratch and either use the OpenVPN (Server Setup) wiki or the OpenVPN Server (Comprehensive) wiki

4.2 Firewall user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
  5. The other tutorial where I got the custom openssl.cnf, and my first take on VPN. I also converted the CRLF endings to Linux/Unix LF.
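
The client profile, the `vpnserver` section and the firewall posted above can be cross-checked mechanically before debugging further. This is an added example, not code from any poster or from the OpenWrt wikis: `parse_uci`, `parse_ovpn` and `audit` are hypothetical helper names, and the sample strings are abridged from the configs in this thread. It assumes the OpenVPN defaults (udp, port 1194) and the fw3 default rule protocol (`tcp udp`) when an option is absent.

```python
import shlex

# Added example (hypothetical helper names). Sample input abridged from this thread.
CLIENT_OVPN = """proto tcp
remote jazz.ddns.net 1194
key-direction 1
<tls-auth>
(static key omitted)
</tls-auth>"""
SERVER_UCI = """config openvpn 'vpnserver'
    option proto 'udp'
    option port '1194'
    option tls_auth '/etc/openvpn/tls-auth.key 0'"""
FIREWALL_UCI = """config rule
    option target 'ACCEPT'
    option src 'wan'
    option dest_port '1912'
    option proto 'tcp'"""

def parse_uci(text):
    """Return UCI sections as dicts: type, name, opts (each value a list)."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"]:
            sections.append({"type": tok[1], "name": "".join(tok[2:3]), "opts": {}})
        elif tok[:1] in (["option"], ["list"]) and sections:
            sections[-1]["opts"].setdefault(tok[1], []).append(tok[2])
    return sections

def parse_ovpn(text):
    """Return client directives; inline <ca>/<key>/<tls-auth> bodies are skipped."""
    directives, inline = {}, None
    for line in map(str.strip, text.splitlines()):
        if inline:
            inline = None if line == f"</{inline}>" else inline
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            directives[inline] = []
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives[name] = args
    return directives

def audit(client_text, server_text, firewall_text, section="vpnserver"):
    """List mismatches between a client profile, a server section and the firewall."""
    client = parse_ovpn(client_text)
    server = next(s for s in parse_uci(server_text) if s["name"] == section)
    s = {k: v[0] for k, v in server["opts"].items()}
    findings = []
    c_proto, s_proto = client.get("proto", ["udp"])[0][:3], s.get("proto", "udp")[:3]
    if c_proto != s_proto:
        findings.append(f"proto mismatch: client {c_proto}, server {s_proto}")
    remote = client.get("remote", [])
    c_port, s_port = (remote[1] if len(remote) > 1 else "1194"), s.get("port", "1194")
    if c_port != s_port:
        findings.append(f"port mismatch: client {c_port}, server {s_port}")
    # tls-auth directions must be complementary: 0 on one side, 1 on the other.
    dirs = s.get("tls_auth", "").split()[1:2] + client.get("key-direction", [])[:1]
    if dirs and sorted(dirs) != ["0", "1"]:
        findings.append(f"tls-auth directions not complementary: {dirs}")
    # The port must be accepted as router input from wan (rule without 'dest').
    def opens(o):
        return (o.get("src") == ["wan"] and o.get("target") == ["ACCEPT"]
                and "dest" not in o and s_port in o.get("dest_port", [])
                and s_proto in o.get("proto", ["tcp udp"])[0].split())
    if not any(x["type"] == "rule" and opens(x["opts"]) for x in parse_uci(firewall_text)):
        findings.append(f"no wan input rule accepts {s_proto}/{s_port}")
    return findings
```

Calling `audit(CLIENT_OVPN, SERVER_UCI, FIREWALL_UCI)` on the abridged samples reports the tcp/udp mismatch and the missing wan rule for the server port; the tls-auth directions (0 on the server, 1 on the client) pass.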

Hello Sannyi,

You made the same mistake I did. Follow @JW0914's instructions and follow either one or the other of the URL instructions they posted. Another tip I have learned from them was to not follow any instructions that have a URL pointing to "wiki.openwrt.org" as they have been deprecated and are only to be used for reading purposes. Follow instructions posted on the new "openwrt.org" URLs.

This is what I am currently doing. Let us work together to get this project off the ground.

Thank you all for your continuing support, patience, and prompt responses.

Hi!
About which tutorial on the new page are we talking exactly? About this? OpenVPN (Server Setup) If so, I already mentioned that using this script I screwed it all up. By the way I have exam till next Tuesday, so I won't be much around here. In the meanwhile I am going to set up an OpenVPN server on my Ubuntu VPS which is directly connected to the internet (public IPv4 address, not double NAT, like I have at home). @unitelife What is your network setup (NAT scheme, etc.)?

Please read carefully what others are writing.

Hi!
I've gone through both tutorials and read everything. As of now I probably have a messed up system, which probably needs to be reset. I'll do this when I have the time to back up all important configuration files, because I don't want to end up destroying all the other things I managed to set up. Both tutorials do not give me the expected result - create a simple OpenVPN server.

Which script (there's four)?

If you cannot get a working VPN server by starting from scratch and following the two previously mentioned wikis, OpenVPN (Server Setup) or OpenVPN Server (Comprehensive), then you're deviating from the wiki and not following what's written.

  • Both of those wikis have been repeatedly tested to ensure they work, and both work flawlessly, provided one does not deviate or disregard steps.

As I mentioned previously, please start from scratch, choosing one of the two aforementioned wikis to follow [I'd recommend OpenVPN (Server Setup)].

The only files you'd need to back up are /etc/config/dhcp, /etc/config/firewall, & /etc/config/network, as these are the only config files modified in either wiki (minus /etc/config/openvpn)