Access to LAN PC through internet by OpenVPN

Hi, I'm trying to configure OpenVPN Server on OpenWrt 19.07.0 (Xiaomi Mi Router 3).
At the moment I am able to establish a connection to the router, for example from a mobile phone.

However, it is not possible to connect to a PC within the network via RDP protocol.

Inside the router network, the connection to a PC is no problem.

Goal: Get access to a local PC through the internet. VPN clients do not need internet access through the router.

OPENVPN

config openvpn 'myvpn'
	option enabled '1'
	option verb '4'
	option log '/etc/openvpn/openvpn.log'
	option log_append '/etc/openvpn/openvpn.log'									  			  
	option port '1194'		   
	option proto 'udp'
	option dev 'tun'
	option server '192.168.201.0 255.255.255.0'			  
	option keepalive '10 120'				
	option ca '/etc/openvpn/lan/ca.crt'
	option cert '/etc/openvpn/lan/lanvpnserver.crt'
	option key '/etc/openvpn/lan/lanvpnserver.key'
	option dh '/etc/openvpn/lan/dh.pem'
	option tls_crypt '/etc/openvpn/lan/tc.pem'
	# Keep the tun device and the loaded key material across soft restarts (SIGUSR1 / ping-restart).
	option persist_tun '1'
	option persist_key '1'
	# Client-to-client traffic is routed inside the OpenVPN process itself, so the
	# router's firewall zones and rules are not applied to it.
	option client_to_client '1'
	# NOTE(review): compression inside a VPN tunnel is exposed to compression-oracle
	# attacks (VORACLE), and upstream OpenVPN advises against enabling it. The Android
	# client log in this thread reports 'compress: COMP_STUB', so also confirm that both
	# ends agree on the compression setting.
	option compress 'lzo'
	option mute 10
	# Pushed to every client: a route to the LAN subnet through the tunnel, and the
	# LAN address of the router as DNS server.
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'


NETWORK


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd53:f809:57a5::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option stp '1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option delegate '0'
	option macaddr 'F0:B4:29:59:C7:3F'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'


FIREWALL


# Global firewall defaults; the per-zone policies below take precedence for
# interfaces that are assigned to a zone.
config defaults
	option syn_flood '1'
	# Fallback policies: packets addressed to the router are accepted, forwarded packets are dropped.
	# NOTE(review): an interface that is up but assigned to no zone would fall under this
	# input 'ACCEPT' - confirm every interface (including tun0) is covered by a zone.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option drop_invalid '1'
	option forward 'DROP'
	# NOTE(review): flow offloading puts established flows on a fast path; consider
	# switching both options off while debugging forwarding between tun0 and the LAN -
	# TODO confirm whether it affects this setup.
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Firewall zone for the OpenVPN tunnel (network 'vpn0', i.e. tun0).
config zone 'vpn'
	option name 'vpn'
	option network 'vpn0'
	# input 'ACCEPT' lets authenticated VPN clients reach services running on the router itself.
	# NOTE(review): if clients only need the LAN PC, input could be tightened to the
	# services they actually use - confirm what is required.
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	# masq applies to traffic leaving through tun0 (LAN -> VPN), not to VPN -> LAN traffic.
	# LAN hosts therefore see the clients' 192.168.201.x addresses, and a host firewall
	# on the PC has to allow that subnet.
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'zerotier'
	option type 'script'
	option path '/etc/zerotier.start'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Accept incoming OpenVPN connections (UDP 1194) on the router itself; no 'dest' is
# set, so this is an input rule.
config rule 'Allow_OpenVPN_Inbound'
	option target 'ACCEPT'
	# src '*' matches every zone. Only the WAN side needs this port opened, so 'wan'
	# is the narrower choice.
	option src '*'
	option proto 'udp'
	option dest_port '1194'

# Lets VPN clients open connections to LAN hosts; this is the forwarding the stated
# goal (RDP to a LAN PC) depends on.
config forwarding 'vpn_forwarding_lan_in'
	option src 'vpn'
	option dest 'lan'

# Lets LAN hosts open connections to VPN clients.
# NOTE(review): replies to client-initiated connections are already allowed by
# connection tracking, so this direction is only needed if LAN hosts must initiate
# connections to VPN clients - confirm and drop it otherwise.
config forwarding 'vpn_forwarding_lan_out'
	option src 'lan'
	option dest 'vpn'

# DNAT for RDP: packets arriving from the vpn zone with destination port 3389 are
# rewritten to 192.168.1.156:3389 in the lan zone.
# No src_dip is set, so the match does not depend on the address the client dialled.
# NOTE(review): clients are pushed a route to 192.168.1.0/24 and vpn -> lan forwarding
# is allowed, so they can address the PC directly and this redirect looks unnecessary.
config redirect
	option dest_port '3389'
	option src 'vpn'
	option src_dport '3389'
	option target 'DNAT'
	option dest_ip '192.168.1.156'
	option dest 'lan'
	option proto 'tcp udp'

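Remove masquerading from the vpn zone and delete the 3389 redirect: VPN clients already have a route to 192.168.1.0/24 and the vpn-to-lan forwarding, so they can reach the PC at its own address.
In the "Allow_OpenVPN_Inbound" rule, narrow src down to wan only, so the OpenVPN port is opened on the WAN side rather than on every zone.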

same result

modified firewall

config zone 'vpn'
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'

config rule 'Allow_OpenVPN_Inbound'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'

# Leftover of the RDP redirect with only the src and port options removed.
# NOTE(review): the stanza no longer names a source zone or a port to match; a later
# reply in this thread recommends deleting it entirely rather than trimming it.
config redirect
	option target 'DNAT'
	option dest_ip '192.168.1.156'
	option dest 'lan'
	option proto 'tcp udp'
**OpenVPN.log**
Sun Mar 22 20:29:58 2020 us=234963 OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Mar 22 20:29:58 2020 us=235263 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Sun Mar 22 20:29:58 2020 us=240383 Diffie-Hellman initialized with 2048 bit key
Sun Mar 22 20:29:58 2020 us=247633 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Mar 22 20:29:58 2020 us=248117 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Mar 22 20:29:58 2020 us=248514 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Mar 22 20:29:58 2020 us=248858 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Mar 22 20:29:58 2020 us=249115 TLS-Auth MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Sun Mar 22 20:29:58 2020 us=253233 TUN/TAP device tun0 opened
Sun Mar 22 20:29:58 2020 us=255025 TUN/TAP TX queue length set to 100
Sun Mar 22 20:29:58 2020 us=255604 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Mar 22 20:29:58 2020 us=256194 /sbin/ifconfig tun0 192.168.201.1 pointopoint 192.168.201.2 mtu 1500
Sun Mar 22 20:29:58 2020 us=272564 /sbin/route add -net 192.168.201.0 netmask 255.255.255.0 gw 192.168.201.2
Sun Mar 22 20:29:58 2020 us=280351 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Mar 22 20:29:58 2020 us=280737 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Mar 22 20:29:58 2020 us=281023 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Mar 22 20:29:58 2020 us=281326 UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Mar 22 20:29:58 2020 us=281603 UDPv4 link remote: [AF_UNSPEC]
Sun Mar 22 20:29:58 2020 us=281846 MULTI: multi_init called, r=256 v=256
Sun Mar 22 20:29:58 2020 us=282237 IFCONFIG POOL: base=192.168.201.4 size=62, ipv6=0
Sun Mar 22 20:29:58 2020 us=282855 Initialization Sequence Completed
Sun Mar 22 20:30:04 2020 us=820876 MULTI: multi_create_instance called
Sun Mar 22 20:30:04 2020 us=821512 217.xxx.xxx.xxx:xxxxx Re-using SSL/TLS context
Sun Mar 22 20:30:04 2020 us=821741 217.xxx.xxx.xxx:xxxxx LZO compression initializing
Sun Mar 22 20:30:04 2020 us=822611 217.xxx.xxx.xxx:xxxxx Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Sun Mar 22 20:30:04 2020 us=822850 217.xxx.xxx.xxx:xxxxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Mar 22 20:30:04 2020 us=823293 217.xxx.xxx.xxx:xxxxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Mar 22 20:30:04 2020 us=823473 217.xxx.xxx.xxx:xxxxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Mar 22 20:30:04 2020 us=823809 217.xxx.xxx.xxx:xxxxx TLS: Initial packet from [AF_INET]217.xxx.xxx.xxx:xxxxx, sid=5e76d1b6 838e38fa
Sun Mar 22 20:30:05 2020 us=941639 217.xxx.xxx.xxx:xxxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #2 / time = (1584898205) Sun Mar 22 20:30:05 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Mar 22 20:30:05 2020 us=941867 217.xxx.xxx.xxx:xxxxx tls-crypt unwrap error: packet replay
Sun Mar 22 20:30:05 2020 us=942089 217.xxx.xxx.xxx:xxxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]217.xxx.xxx.xxx:xxxxx
Sun Mar 22 20:30:11 2020 us=12493 217.xxx.xxx.xxx:xxxxx VERIFY OK: depth=1, C=UK, ST=Yorkshire, O=OG.Infraverse
Sun Mar 22 20:30:11 2020 us=24426 217.xxx.xxx.xxx:xxxxx VERIFY OK: depth=0, CN=lanvpnclient
Sun Mar 22 20:30:11 2020 us=148149 217.xxx.xxx.xxx:xxxxx peer info: IV_GUI_VER=OC30Android
Sun Mar 22 20:30:11 2020 us=148679 217.xxx.xxx.xxx:xxxxx peer info: IV_VER=3.git::728733ae:Release
Sun Mar 22 20:30:11 2020 us=148886 217.xxx.xxx.xxx:xxxxx peer info: IV_PLAT=android
Sun Mar 22 20:30:11 2020 us=149069 217.xxx.xxx.xxx:xxxxx peer info: IV_NCP=2
Sun Mar 22 20:30:11 2020 us=149254 217.xxx.xxx.xxx:xxxxx peer info: IV_TCPNL=1
Sun Mar 22 20:30:11 2020 us=149503 217.xxx.xxx.xxx:xxxxx peer info: IV_PROTO=2
Sun Mar 22 20:30:11 2020 us=149700 217.xxx.xxx.xxx:xxxxx peer info: IV_LZO_STUB=1
Sun Mar 22 20:30:11 2020 us=149891 217.xxx.xxx.xxx:xxxxx peer info: IV_COMP_STUB=1
Sun Mar 22 20:30:11 2020 us=150081 217.xxx.xxx.xxx:xxxxx peer info: IV_COMP_STUBv2=1
Sun Mar 22 20:30:11 2020 us=150268 217.xxx.xxx.xxx:xxxxx peer info: IV_AUTO_SESS=1
Sun Mar 22 20:30:11 2020 us=150455 217.xxx.xxx.xxx:xxxxx peer info: IV_BS64DL=1
Sun Mar 22 20:30:11 2020 us=242152 217.xxx.xxx.xxx:xxxxx Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Mar 22 20:30:11 2020 us=242701 217.xxx.xxx.xxx:xxxxx [lanvpnclient] Peer Connection Initiated with [AF_INET]217.xxx.xxx.xxx:xxxxx
Sun Mar 22 20:30:11 2020 us=243042 lanvpnclient/217.xxx.xxx.xxx:xxxxx MULTI_sva: pool returned IPv4=192.168.201.6, IPv6=(Not enabled)
Sun Mar 22 20:30:11 2020 us=243682 lanvpnclient/217.xxx.xxx.xxx:xxxxx MULTI: Learn: 192.168.201.6 -> lanvpnclient/217.xxx.xxx.xxx:xxxxx
Sun Mar 22 20:30:11 2020 us=243898 lanvpnclient/217.xxx.xxx.xxx:xxxxx MULTI: primary virtual IP for lanvpnclient/217.xxx.xxx.xxx:xxxxx: 192.168.201.6
Sun Mar 22 20:30:11 2020 us=244369 lanvpnclient/217.xxx.xxx.xxx:xxxxx PUSH: Received control message: 'PUSH_REQUEST'
Sun Mar 22 20:30:11 2020 us=244880 lanvpnclient/217.xxx.xxx.xxx:xxxxx SENT CONTROL [lanvpnclient]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route 192.168.201.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.201.6 192.168.201.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Mar 22 20:30:11 2020 us=245075 lanvpnclient/217.xxx.xxx.xxx:xxxxx Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Mar 22 20:30:11 2020 us=245330 lanvpnclient/217.xxx.xxx.xxx:xxxxx Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Sun Mar 22 20:30:11 2020 us=246255 lanvpnclient/217.xxx.xxx.xxx:xxxxx Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Mar 22 20:30:11 2020 us=246481 lanvpnclient/217.xxx.xxx.xxx:xxxxx Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Mar 22 20:30:12 2020 us=280661 lanvpnclient/217.xxx.xxx.xxx:xxxxx PUSH: Received control message: 'PUSH_REQUEST'

Is the firewall on the PC configured to accept connections from an external IP address?

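If you want VPN clients to have full access to the LAN, you could include vpn0 directly in the lan firewall zone. Note that this gives every VPN client the same trust as a local LAN host, including access to the router's own services. Then check on the client machine that the route was pushed properly, so that traffic for the remote LAN IPs is sent into the VPN tunnel.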

Yep. Before moving to OpenWrt I used a PPTP connection on another firmware. Unfortunately iOS does not support PPTP, which is why I am trying to use OpenVPN.

Sorry, but can you show example of config?

Instead of having a vpn firewall zone, add vpn0 to the lan zone using an additional list network line.

Run /etc/init.d/firewall restart and read the output for errors. Errors relating to network assignment are usually first and may scroll off the screen.


Remove this redirect altogether, not just the port options.

config redirect
	option target 'DNAT'
	option dest_ip '192.168.1.156'
	option dest 'lan'
	option proto 'tcp udp'

Can you ping the 192.168.1.156 from the Iphone when connected?

Run a tcpdump on the router and verify that packets come from the vpn interface and exit on the lan.
tcpdump -i any -vn port 3389

Can you ping the 192.168.1.156 from the Iphone when connected?

No, ping not reach IP

Result of tcpdump
image

Seems that the OpenVPN on Iphone is not receiving the route you are pushing from the server properly. But that is just an idea, you need to verify that. Not sure how though, I've read that you cannot just view the routing table in Iphone. Maybe you need an app.

Logs from phone OpenVPN client
22:26:35.482 -- ----- OpenVPN Start -----

22:26:35.482 -- EVENT: CORE_THREAD_ACTIVE

22:26:35.487 -- OpenVPN core 3.git::728733ae:Release android arm64 64-bit PT_PROXY built on Aug 14 2019 14:13:26

22:26:35.489 -- Frame=512/2048/512 mssfix-ctrl=1250

22:26:35.502 -- UNUSED OPTIONS
0 [verb] [3] 
1 [nobind] 
5 [fast-io] 
7 [auth-nocache] 

22:26:35.502 -- EVENT: RESOLVE

22:26:35.504 -- Contacting XXX.XXX.XXX.XXX:XXXX via UDP

22:26:35.505 -- EVENT: WAIT

22:26:35.506 -- Connecting to [XXX.XXX.XXX.XXX]:XXXX (XXX.XXX.XXX.XXX) via UDPv4

22:26:35.629 -- EVENT: CONNECTING

22:26:35.632 -- Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

22:26:35.632 -- Creds: UsernameEmpty/PasswordEmpty

22:26:35.632 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.git::728733ae:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
IV_BS64DL=1


22:26:40.638 -- VERIFY OK : depth=1
cert. version     : 3
serial number     : ---
issuer name       : ---
subject name      : ---
issued  on        : 2020-02-01 13:55:36
expires on        : 2030-01-29 13:55:36
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true


22:26:40.640 -- VERIFY OK : depth=0
cert. version     : 3
serial number     : ---
issuer name       : ---
subject name      : CN=lanvpnserver
issued  on        : 2020-02-01 14:00:00
expires on        : 2030-01-29 14:00:00
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


22:26:41.072 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

22:26:41.074 -- Session is ACTIVE

22:26:41.074 -- EVENT: GET_CONFIG

22:26:41.078 -- Sending PUSH_REQUEST to server...

22:26:41.183 -- OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0] 
1 [dhcp-option] [DNS] [192.168.1.1] 
2 [route] [192.168.201.0] [255.255.255.0] 
3 [topology] [net30] 
4 [ping] [10] 
5 [ping-restart] [120] 
6 [ifconfig] [192.168.201.6] [192.168.201.5] 
7 [peer-id] [3] 
8 [cipher] [AES-256-GCM] 


22:26:41.186 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: COMP_STUB
  peer ID: 3

22:26:41.188 -- EVENT: ASSIGN_IP

22:26:41.235 -- Connected via tun

22:26:41.236 -- LZO-ASYM init swap=0 asym=1

22:26:41.236 -- Comp-stub init swap=1

22:26:41.237 -- EVENT: CONNECTED info='XXX.XXX.XXX.XXX:XXXX (XXX.XXX.XXX.XXX) via /UDPv4 on tun/192.168.201.6/ gw=[192.168.201.5/]'

It seems the route is pushed twice, but I don't know why or how to fix it :frowning:

22:26:41.183 -- OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [dhcp-option] [DNS] [192.168.1.1]
2 [route] [192.168.201.0] [255.255.255.0]

192.168.201.0/24 is the tunnel subnet itself, so that second route is not a duplicate of the LAN route.

Can you ping from the iPhone through the VPN to 192.168.1.1-- assuming that is the VPN server / main router on the LAN? If that works but other server-side LAN machines are not reachable that is likely a firewall issue.

Also, if you're using a Wi-Fi network as the iPhone's WAN, its network can't be 192.168.1.0/24 as well, because the overlapping subnet would conflict with the pushed route.

Unfortunately, no. The phone's WAN is a 4G mobile connection, not a Wi-Fi network.

Also, when the VPN is connected on the phone, the phone's internet access stops working.

Can you ping the gateway?

No(

Is there anything in the logs?
For the server check: logread -e openvpn

I tried this recommendation,

# lan zone with the VPN interface added: vpn0 (tun0) now shares the lan zone's ACCEPT
# policies for input, output and forward, so VPN clients are treated like LAN hosts.
# NOTE(review): the firewall restart output in this thread still lists a separate
# 'vpn' zone and the vpn <-> lan forwardings, which suggests the old vpn zone stanza
# is still present - confirm vpn0 is not assigned to two zones at once.
config zone
	option name 'lan'
	list network 'lan'
	list network 'vpn0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

result below

console output

root@MiR3G_491C:~# /etc/init.d/firewall restart

  • Flushing IPv4 filter table
  • Flushing IPv4 nat table
  • Flushing IPv4 mangle table
  • Flushing IPv6 filter table
  • Flushing IPv6 mangle table
  • Flushing conntrack table ...
  • Populating IPv4 filter table
    • Rule 'Allow-DHCP-Renew'
    • Rule 'Allow-Ping'
    • Rule 'Allow-IGMP'
    • Rule 'Allow-IPSec-ESP'
    • Rule 'Allow-ISAKMP'
    • Rule #9
    • Forward 'lan' -> 'wan'
    • Forward 'vpn' -> 'lan'
    • Forward 'lan' -> 'vpn'
    • Zone 'lan'
    • Zone 'vpn'
    • Zone 'wan'
  • Populating IPv4 nat table
    • Zone 'lan'
    • Zone 'vpn'
    • Zone 'wan'
  • Populating IPv4 mangle table
    • Zone 'lan'
    • Zone 'vpn'
    • Zone 'wan'
  • Populating IPv6 filter table
    • Rule 'Allow-DHCPv6'
    • Rule 'Allow-MLD'
    • Rule 'Allow-ICMPv6-Input'
    • Rule 'Allow-ICMPv6-Forward'
    • Rule 'Allow-IPSec-ESP'
    • Rule 'Allow-ISAKMP'
    • Rule #9
    • Forward 'lan' -> 'wan'
    • Forward 'vpn' -> 'lan'
    • Forward 'lan' -> 'vpn'
    • Zone 'lan'
    • Zone 'vpn'
    • Zone 'wan'
  • Populating IPv6 mangle table
    • Zone 'lan'
    • Zone 'vpn'
    • Zone 'wan'
  • Set tcp_ecn to off
  • Set tcp_syncookies to on
  • Set tcp_window_scaling to on
  • Running script '/etc/firewall.user'
  • Running script '/etc/zerotier.start'
    uci: Entry not found
    zt interface is started!
    sh: 1: unknown operand

In log nothing new, see below

log OpenVPN
Tue Mar 24 23:05:09 2020 us=711755 OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Mar 24 23:05:09 2020 us=712218 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Tue Mar 24 23:05:09 2020 us=718927 Diffie-Hellman initialized with 2048 bit key
Tue Mar 24 23:05:09 2020 us=726991 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Mar 24 23:05:09 2020 us=727566 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Mar 24 23:05:09 2020 us=727874 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Mar 24 23:05:09 2020 us=728186 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Mar 24 23:05:09 2020 us=728440 TLS-Auth MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Tue Mar 24 23:05:09 2020 us=733031 TUN/TAP device tun0 opened
Tue Mar 24 23:05:09 2020 us=734743 TUN/TAP TX queue length set to 100
Tue Mar 24 23:05:09 2020 us=735295 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Mar 24 23:05:09 2020 us=735769 /sbin/ifconfig tun0 192.168.201.1 pointopoint 192.168.201.2 mtu 1500
Tue Mar 24 23:05:09 2020 us=753702 /sbin/route add -net 192.168.201.0 netmask 255.255.255.0 gw 192.168.201.2
Tue Mar 24 23:05:09 2020 us=760761 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:05:09 2020 us=761264 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Mar 24 23:05:09 2020 us=761641 Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Mar 24 23:05:09 2020 us=761979 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Mar 24 23:05:09 2020 us=762300 UDPv4 link remote: [AF_UNSPEC]
Tue Mar 24 23:05:09 2020 us=762723 MULTI: multi_init called, r=256 v=256
Tue Mar 24 23:05:09 2020 us=763659 IFCONFIG POOL: base=192.168.201.4 size=62, ipv6=0
Tue Mar 24 23:05:09 2020 us=764492 Initialization Sequence Completed
Tue Mar 24 23:05:12 2020 us=432914 MULTI: multi_create_instance called
Tue Mar 24 23:05:12 2020 us=433636 xxx.xxx.xxx.xxx:xxxx Re-using SSL/TLS context
Tue Mar 24 23:05:12 2020 us=433899 xxx.xxx.xxx.xxx:xxxx LZO compression initializing
Tue Mar 24 23:05:12 2020 us=434845 xxx.xxx.xxx.xxx:xxxx Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Tue Mar 24 23:05:12 2020 us=435102 xxx.xxx.xxx.xxx:xxxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:05:12 2020 us=435546 xxx.xxx.xxx.xxx:xxxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 24 23:05:12 2020 us=435730 xxx.xxx.xxx.xxx:xxxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 24 23:05:12 2020 us=436090 xxx.xxx.xxx.xxx:xxxx TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:xxxx, sid=061c62d1 2271c9c9
Tue Mar 24 23:05:13 2020 us=644046 xxx.xxx.xxx.xxx:xxxx VERIFY OK: depth=1, C=UK, ST=Yorkshire, O=OG.Infraverse
Tue Mar 24 23:05:13 2020 us=659486 xxx.xxx.xxx.xxx:xxxx VERIFY OK: depth=0, CN=lanvpnclient
Tue Mar 24 23:05:13 2020 us=771556 xxx.xxx.xxx.xxx:xxxx peer info: IV_GUI_VER=OC30Android
Tue Mar 24 23:05:13 2020 us=772009 xxx.xxx.xxx.xxx:xxxx peer info: IV_VER=3.git::728733ae:Release
Tue Mar 24 23:05:13 2020 us=772196 xxx.xxx.xxx.xxx:xxxx peer info: IV_PLAT=android
Tue Mar 24 23:05:13 2020 us=772379 xxx.xxx.xxx.xxx:xxxx peer info: IV_NCP=2
Tue Mar 24 23:05:13 2020 us=772564 xxx.xxx.xxx.xxx:xxxx peer info: IV_TCPNL=1
Tue Mar 24 23:05:13 2020 us=772749 xxx.xxx.xxx.xxx:xxxx peer info: IV_PROTO=2
Tue Mar 24 23:05:13 2020 us=772936 xxx.xxx.xxx.xxx:xxxx peer info: IV_LZO_STUB=1
Tue Mar 24 23:05:13 2020 us=773123 xxx.xxx.xxx.xxx:xxxx peer info: IV_COMP_STUB=1
Tue Mar 24 23:05:13 2020 us=773311 xxx.xxx.xxx.xxx:xxxx peer info: IV_COMP_STUBv2=1
Tue Mar 24 23:05:13 2020 us=773584 xxx.xxx.xxx.xxx:xxxx peer info: IV_AUTO_SESS=1
Tue Mar 24 23:05:13 2020 us=773943 xxx.xxx.xxx.xxx:xxxx peer info: IV_BS64DL=1
Tue Mar 24 23:05:13 2020 us=852767 xxx.xxx.xxx.xxx:xxxx Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Mar 24 23:05:13 2020 us=853311 xxx.xxx.xxx.xxx:xxxx [lanvpnclient] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:05:13 2020 us=853640 xxx.xxx.xxx.xxx:xxxx PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar 24 23:05:13 2020 us=853920 lanvpnclient/xxx.xxx.xxx.xxx:xxxx MULTI_sva: pool returned IPv4=192.168.201.6, IPv6=(Not enabled)
Tue Mar 24 23:05:13 2020 us=854757 lanvpnclient/xxx.xxx.xxx.xxx:xxxx MULTI: Learn: 192.168.201.6 -> lanvpnclient/xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:05:13 2020 us=855033 lanvpnclient/xxx.xxx.xxx.xxx:xxxx MULTI: primary virtual IP for lanvpnclient/xxx.xxx.xxx.xxx:xxxx: 192.168.201.6
Tue Mar 24 23:05:14 2020 us=896320 lanvpnclient/xxx.xxx.xxx.xxx:xxxx PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar 24 23:05:14 2020 us=897188 lanvpnclient/xxx.xxx.xxx.xxx:xxxx SENT CONTROL [lanvpnclient]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route 192.168.201.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.201.6 192.168.201.5,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Mar 24 23:05:14 2020 us=897425 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Mar 24 23:05:14 2020 us=897683 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:05:14 2020 us=898661 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Mar 24 23:05:14 2020 us=898968 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Mar 24 23:09:15 2020 us=454174 lanvpnclient/xxx.xxx.xxx.xxx:xxxx [lanvpnclient] Inactivity timeout (--ping-restart), restarting
Tue Mar 24 23:09:15 2020 us=454876 lanvpnclient/xxx.xxx.xxx.xxx:xxxx SIGUSR1[soft,ping-restart] received, client-instance restarting
Tue Mar 24 23:44:42 2020 us=296028 MULTI: multi_create_instance called
Tue Mar 24 23:44:42 2020 us=296707 xxx.xxx.xxx.xxx:xxxx Re-using SSL/TLS context
Tue Mar 24 23:44:42 2020 us=296901 xxx.xxx.xxx.xxx:xxxx LZO compression initializing
Tue Mar 24 23:44:42 2020 us=297536 xxx.xxx.xxx.xxx:xxxx Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Tue Mar 24 23:44:42 2020 us=297820 xxx.xxx.xxx.xxx:xxxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:44:42 2020 us=298272 xxx.xxx.xxx.xxx:xxxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 24 23:44:42 2020 us=298455 xxx.xxx.xxx.xxx:xxxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 24 23:44:42 2020 us=298789 xxx.xxx.xxx.xxx:xxxx TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:xxxx, sid=55ddd73b d424534d
Tue Mar 24 23:44:43 2020 us=438031 xxx.xxx.xxx.xxx:xxxx VERIFY OK: depth=1, C=UK, ST=Yorkshire, O=OG.Infraverse
Tue Mar 24 23:44:43 2020 us=449972 xxx.xxx.xxx.xxx:xxxx VERIFY OK: depth=0, CN=lanvpnclient
Tue Mar 24 23:44:44 2020 us=294280 xxx.xxx.xxx.xxx:xxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #7 / time = (1585082682) Tue Mar 24 23:44:42 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Mar 24 23:44:44 2020 us=294514 xxx.xxx.xxx.xxx:xxxx tls-crypt unwrap error: packet replay
Tue Mar 24 23:44:44 2020 us=294735 xxx.xxx.xxx.xxx:xxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:44:45 2020 us=295141 xxx.xxx.xxx.xxx:xxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #7 / time = (1585082682) Tue Mar 24 23:44:42 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Mar 24 23:44:45 2020 us=295379 xxx.xxx.xxx.xxx:xxxx tls-crypt unwrap error: packet replay
Tue Mar 24 23:44:45 2020 us=295647 xxx.xxx.xxx.xxx:xxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:44:45 2020 us=369884 xxx.xxx.xxx.xxx:xxxx peer info: IV_GUI_VER=OC30Android
Tue Mar 24 23:44:45 2020 us=370309 xxx.xxx.xxx.xxx:xxxx peer info: IV_VER=3.git::728733ae:Release
Tue Mar 24 23:44:45 2020 us=370494 xxx.xxx.xxx.xxx:xxxx peer info: IV_PLAT=android
Tue Mar 24 23:44:45 2020 us=370677 xxx.xxx.xxx.xxx:xxxx peer info: IV_NCP=2
Tue Mar 24 23:44:45 2020 us=370861 xxx.xxx.xxx.xxx:xxxx peer info: IV_TCPNL=1
Tue Mar 24 23:44:45 2020 us=371044 xxx.xxx.xxx.xxx:xxxx peer info: IV_PROTO=2
Tue Mar 24 23:44:45 2020 us=371230 xxx.xxx.xxx.xxx:xxxx peer info: IV_LZO_STUB=1
Tue Mar 24 23:44:45 2020 us=371416 xxx.xxx.xxx.xxx:xxxx peer info: IV_COMP_STUB=1
Tue Mar 24 23:44:45 2020 us=371770 xxx.xxx.xxx.xxx:xxxx peer info: IV_COMP_STUBv2=1
Tue Mar 24 23:44:45 2020 us=371968 xxx.xxx.xxx.xxx:xxxx peer info: IV_AUTO_SESS=1
Tue Mar 24 23:44:45 2020 us=372154 xxx.xxx.xxx.xxx:xxxx peer info: IV_BS64DL=1
Tue Mar 24 23:44:45 2020 us=445459 xxx.xxx.xxx.xxx:xxxx Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Mar 24 23:44:45 2020 us=445988 xxx.xxx.xxx.xxx:xxxx [lanvpnclient] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:44:45 2020 us=446328 lanvpnclient/xxx.xxx.xxx.xxx:xxxx MULTI_sva: pool returned IPv4=192.168.201.6, IPv6=(Not enabled)
Tue Mar 24 23:44:45 2020 us=446969 lanvpnclient/xxx.xxx.xxx.xxx:xxxx MULTI: Learn: 192.168.201.6 -> lanvpnclient/xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:44:45 2020 us=447180 lanvpnclient/xxx.xxx.xxx.xxx:xxxx MULTI: primary virtual IP for lanvpnclient/xxx.xxx.xxx.xxx:xxxx: 192.168.201.6
Tue Mar 24 23:45:27 2020 us=522770 MULTI: multi_create_instance called
Tue Mar 24 23:45:27 2020 us=523411 xxx.xxx.xxx.xxx:xxxx Re-using SSL/TLS context
Tue Mar 24 23:45:27 2020 us=523702 xxx.xxx.xxx.xxx:xxxx LZO compression initializing
Tue Mar 24 23:45:27 2020 us=524330 xxx.xxx.xxx.xxx:xxxx Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Tue Mar 24 23:45:27 2020 us=524622 xxx.xxx.xxx.xxx:xxxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:45:27 2020 us=525078 xxx.xxx.xxx.xxx:xxxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 24 23:45:27 2020 us=525260 xxx.xxx.xxx.xxx:xxxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 24 23:45:27 2020 us=525593 xxx.xxx.xxx.xxx:xxxx TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:xxxx, sid=15215704 da37c3e2
Tue Mar 24 23:45:28 2020 us=732794 xxx.xxx.xxx.xxx:xxxx VERIFY OK: depth=1, C=UK, ST=Yorkshire, O=OG.Infraverse
Tue Mar 24 23:45:28 2020 us=744873 xxx.xxx.xxx.xxx:xxxx VERIFY OK: depth=0, CN=lanvpnclient
Tue Mar 24 23:45:28 2020 us=863897 xxx.xxx.xxx.xxx:xxxx peer info: IV_GUI_VER=OC30Android
Tue Mar 24 23:45:28 2020 us=864393 xxx.xxx.xxx.xxx:xxxx peer info: IV_VER=3.git::728733ae:Release
Tue Mar 24 23:45:28 2020 us=864603 xxx.xxx.xxx.xxx:xxxx peer info: IV_PLAT=android
Tue Mar 24 23:45:28 2020 us=864794 xxx.xxx.xxx.xxx:xxxx peer info: IV_NCP=2
Tue Mar 24 23:45:28 2020 us=864995 xxx.xxx.xxx.xxx:xxxx peer info: IV_TCPNL=1
Tue Mar 24 23:45:28 2020 us=865185 xxx.xxx.xxx.xxx:xxxx peer info: IV_PROTO=2
Tue Mar 24 23:45:28 2020 us=865371 xxx.xxx.xxx.xxx:xxxx peer info: IV_LZO_STUB=1
Tue Mar 24 23:45:28 2020 us=865557 xxx.xxx.xxx.xxx:xxxx peer info: IV_COMP_STUB=1
Tue Mar 24 23:45:28 2020 us=865745 xxx.xxx.xxx.xxx:xxxx peer info: IV_COMP_STUBv2=1
Tue Mar 24 23:45:28 2020 us=865932 xxx.xxx.xxx.xxx:xxxx peer info: IV_AUTO_SESS=1
Tue Mar 24 23:45:28 2020 us=866117 xxx.xxx.xxx.xxx:xxxx peer info: IV_BS64DL=1
Tue Mar 24 23:45:28 2020 us=942909 xxx.xxx.xxx.xxx:xxxx Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Mar 24 23:45:28 2020 us=943433 xxx.xxx.xxx.xxx:xxxx [lanvpnclient] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:45:28 2020 us=943862 xxx.xxx.xxx.xxx:xxxx PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar 24 23:45:28 2020 us=944863 MULTI: new connection by client 'lanvpnclient' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Tue Mar 24 23:45:28 2020 us=945123 MULTI_sva: pool returned IPv4=192.168.201.6, IPv6=(Not enabled)
Tue Mar 24 23:45:28 2020 us=945764 MULTI: Learn: 192.168.201.6 -> lanvpnclient/xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:45:28 2020 us=945978 MULTI: primary virtual IP for lanvpnclient/xxx.xxx.xxx.xxx:xxxx: 192.168.201.6
Tue Mar 24 23:45:29 2020 us=941800 lanvpnclient/xxx.xxx.xxx.xxx:xxxx PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar 24 23:45:29 2020 us=942579 lanvpnclient/xxx.xxx.xxx.xxx:xxxx SENT CONTROL [lanvpnclient]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route 192.168.201.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.201.6 192.168.201.5,peer-id 1,cipher AES-256-GCM' (status=1)
Tue Mar 24 23:45:29 2020 us=942780 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Mar 24 23:45:29 2020 us=943036 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:45:29 2020 us=944189 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Mar 24 23:45:29 2020 us=944514 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Mar 24 23:45:31 2020 us=541951 MULTI: multi_create_instance called
Tue Mar 24 23:45:31 2020 us=542611 xxx.xxx.xxx.xxx:xxxx Re-using SSL/TLS context
Tue Mar 24 23:45:31 2020 us=542803 xxx.xxx.xxx.xxx:xxxx LZO compression initializing
Tue Mar 24 23:45:31 2020 us=543440 xxx.xxx.xxx.xxx:xxxx Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Tue Mar 24 23:45:31 2020 us=543948 xxx.xxx.xxx.xxx:xxxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:45:31 2020 us=544456 xxx.xxx.xxx.xxx:xxxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 24 23:45:31 2020 us=544672 xxx.xxx.xxx.xxx:xxxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 24 23:45:31 2020 us=545026 xxx.xxx.xxx.xxx:xxxx TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:xxxx, sid=66690c5f 979f3abd
Tue Mar 24 23:45:32 2020 us=653079 xxx.xxx.xxx.xxx:xxxx VERIFY OK: depth=1, C=UK, ST=Yorkshire, O=OG.Infraverse
Tue Mar 24 23:45:32 2020 us=665993 xxx.xxx.xxx.xxx:xxxx VERIFY OK: depth=0, CN=lanvpnclient
Tue Mar 24 23:45:32 2020 us=763292 xxx.xxx.xxx.xxx:xxxx peer info: IV_GUI_VER=OC30Android
Tue Mar 24 23:45:32 2020 us=764186 xxx.xxx.xxx.xxx:xxxx peer info: IV_VER=3.git::728733ae:Release
Tue Mar 24 23:45:32 2020 us=764987 xxx.xxx.xxx.xxx:xxxx peer info: IV_PLAT=android
Tue Mar 24 23:45:32 2020 us=765204 xxx.xxx.xxx.xxx:xxxx peer info: IV_NCP=2
Tue Mar 24 23:45:32 2020 us=765388 xxx.xxx.xxx.xxx:xxxx peer info: IV_TCPNL=1
Tue Mar 24 23:45:32 2020 us=765573 xxx.xxx.xxx.xxx:xxxx peer info: IV_PROTO=2
Tue Mar 24 23:45:32 2020 us=765764 xxx.xxx.xxx.xxx:xxxx peer info: IV_LZO_STUB=1
Tue Mar 24 23:45:32 2020 us=765999 xxx.xxx.xxx.xxx:xxxx peer info: IV_COMP_STUB=1
Tue Mar 24 23:45:32 2020 us=766233 xxx.xxx.xxx.xxx:xxxx peer info: IV_COMP_STUBv2=1
Tue Mar 24 23:45:32 2020 us=766475 xxx.xxx.xxx.xxx:xxxx peer info: IV_AUTO_SESS=1
Tue Mar 24 23:45:32 2020 us=766682 xxx.xxx.xxx.xxx:xxxx peer info: IV_BS64DL=1
Tue Mar 24 23:45:32 2020 us=842072 xxx.xxx.xxx.xxx:xxxx Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Mar 24 23:45:32 2020 us=842607 xxx.xxx.xxx.xxx:xxxx [lanvpnclient] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:45:32 2020 us=843913 MULTI: new connection by client 'lanvpnclient' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Tue Mar 24 23:45:32 2020 us=844305 MULTI_sva: pool returned IPv4=192.168.201.6, IPv6=(Not enabled)
Tue Mar 24 23:45:32 2020 us=845024 MULTI: Learn: 192.168.201.6 -> lanvpnclient/xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:45:32 2020 us=845302 MULTI: primary virtual IP for lanvpnclient/xxx.xxx.xxx.xxx:xxxx: 192.168.201.6
Tue Mar 24 23:45:32 2020 us=861155 lanvpnclient/xxx.xxx.xxx.xxx:xxxx PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar 24 23:45:32 2020 us=861871 lanvpnclient/xxx.xxx.xxx.xxx:xxxx SENT CONTROL [lanvpnclient]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route 192.168.201.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.201.6 192.168.201.5,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Mar 24 23:45:32 2020 us=862068 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Mar 24 23:45:32 2020 us=862380 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:45:32 2020 us=863358 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Mar 24 23:45:32 2020 us=863729 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Mar 24 23:49:33 2020 us=853590 lanvpnclient/xxx.xxx.xxx.xxx:xxxx [lanvpnclient] Inactivity timeout (--ping-restart), restarting
Tue Mar 24 23:49:33 2020 us=854071 lanvpnclient/xxx.xxx.xxx.xxx:xxxx SIGUSR1[soft,ping-restart] received, client-instance restarting
Tue Mar 24 23:51:39 2020 us=740511 MULTI: multi_create_instance called
Tue Mar 24 23:51:39 2020 us=741193 xxx.xxx.xxx.xxx:xxxx Re-using SSL/TLS context
Tue Mar 24 23:51:39 2020 us=741387 xxx.xxx.xxx.xxx:xxxx LZO compression initializing
Tue Mar 24 23:51:39 2020 us=742015 xxx.xxx.xxx.xxx:xxxx Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Tue Mar 24 23:51:39 2020 us=742306 xxx.xxx.xxx.xxx:xxxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:51:39 2020 us=743101 xxx.xxx.xxx.xxx:xxxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 24 23:51:39 2020 us=743638 xxx.xxx.xxx.xxx:xxxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 24 23:51:39 2020 us=744034 xxx.xxx.xxx.xxx:xxxx TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:xxxx, sid=179421d1 3f6e029e
Tue Mar 24 23:51:40 2020 us=699941 xxx.xxx.xxx.xxx:xxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1585083100) Tue Mar 24 23:51:40 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Mar 24 23:52:24 2020 us=922099 xxx.xxx.xxx.xxx:xxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:52:27 2020 us=834619 MULTI: multi_create_instance called
Tue Mar 24 23:52:27 2020 us=835364 xxx.xxx.xxx.xxx:xxxx Re-using SSL/TLS context
Tue Mar 24 23:52:27 2020 us=835666 xxx.xxx.xxx.xxx:xxxx LZO compression initializing
Tue Mar 24 23:52:27 2020 us=836312 xxx.xxx.xxx.xxx:xxxx Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Tue Mar 24 23:52:27 2020 us=836624 xxx.xxx.xxx.xxx:xxxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:52:27 2020 us=837082 xxx.xxx.xxx.xxx:xxxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 24 23:52:27 2020 us=837265 xxx.xxx.xxx.xxx:xxxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 24 23:52:27 2020 us=837599 xxx.xxx.xxx.xxx:xxxx TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:xxxx, sid=d6f7e88c b62e8d8f
Tue Mar 24 23:52:28 2020 us=952692 xxx.xxx.xxx.xxx:xxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #2 / time = (1585083148) Tue Mar 24 23:52:28 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Mar 24 23:52:28 2020 us=952987 xxx.xxx.xxx.xxx:xxxx tls-crypt unwrap error: packet replay
Tue Mar 24 23:52:28 2020 us=953302 xxx.xxx.xxx.xxx:xxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:52:29 2020 us=184205 xxx.xxx.xxx.xxx:xxxx VERIFY OK: depth=1, C=UK, ST=Yorkshire, O=OG.Infraverse
Tue Mar 24 23:52:29 2020 us=196316 xxx.xxx.xxx.xxx:xxxx VERIFY OK: depth=0, CN=lanvpnclient
Tue Mar 24 23:52:29 2020 us=312763 xxx.xxx.xxx.xxx:xxxx peer info: IV_GUI_VER=OC30Android
Tue Mar 24 23:52:29 2020 us=313211 xxx.xxx.xxx.xxx:xxxx peer info: IV_VER=3.git::728733ae:Release
Tue Mar 24 23:52:29 2020 us=313398 xxx.xxx.xxx.xxx:xxxx peer info: IV_PLAT=android
Tue Mar 24 23:52:29 2020 us=313821 xxx.xxx.xxx.xxx:xxxx peer info: IV_NCP=2
Tue Mar 24 23:52:29 2020 us=314027 xxx.xxx.xxx.xxx:xxxx peer info: IV_TCPNL=1
Tue Mar 24 23:52:29 2020 us=314212 xxx.xxx.xxx.xxx:xxxx peer info: IV_PROTO=2
Tue Mar 24 23:52:29 2020 us=314397 xxx.xxx.xxx.xxx:xxxx peer info: IV_LZO_STUB=1
Tue Mar 24 23:52:29 2020 us=314584 xxx.xxx.xxx.xxx:xxxx peer info: IV_COMP_STUB=1
Tue Mar 24 23:52:29 2020 us=314807 xxx.xxx.xxx.xxx:xxxx peer info: IV_COMP_STUBv2=1
Tue Mar 24 23:52:29 2020 us=315017 xxx.xxx.xxx.xxx:xxxx peer info: IV_AUTO_SESS=1
Tue Mar 24 23:52:29 2020 us=315263 xxx.xxx.xxx.xxx:xxxx peer info: IV_BS64DL=1
Tue Mar 24 23:52:29 2020 us=394839 xxx.xxx.xxx.xxx:xxxx Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Mar 24 23:52:29 2020 us=395406 xxx.xxx.xxx.xxx:xxxx [lanvpnclient] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:52:29 2020 us=395757 lanvpnclient/xxx.xxx.xxx.xxx:xxxx MULTI_sva: pool returned IPv4=192.168.201.6, IPv6=(Not enabled)
Tue Mar 24 23:52:29 2020 us=396398 lanvpnclient/xxx.xxx.xxx.xxx:xxxx MULTI: Learn: 192.168.201.6 -> lanvpnclient/xxx.xxx.xxx.xxx:xxxx
Tue Mar 24 23:52:29 2020 us=396613 lanvpnclient/xxx.xxx.xxx.xxx:xxxx MULTI: primary virtual IP for lanvpnclient/xxx.xxx.xxx.xxx:xxxx: 192.168.201.6
Tue Mar 24 23:52:29 2020 us=397126 lanvpnclient/xxx.xxx.xxx.xxx:xxxx PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar 24 23:52:29 2020 us=397726 lanvpnclient/xxx.xxx.xxx.xxx:xxxx SENT CONTROL [lanvpnclient]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route 192.168.201.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.201.6 192.168.201.5,peer-id 1,cipher AES-256-GCM' (status=1)
Tue Mar 24 23:52:29 2020 us=397954 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Mar 24 23:52:29 2020 us=398211 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Tue Mar 24 23:52:29 2020 us=399214 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Mar 24 23:52:29 2020 us=399466 lanvpnclient/xxx.xxx.xxx.xxx:xxxx Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Mar 24 23:52:39 2020 us=763561 xxx.xxx.xxx.xxx:xxxx TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 24 23:52:39 2020 us=764029 xxx.xxx.xxx.xxx:xxxx TLS Error: TLS handshake failed
Tue Mar 24 23:52:39 2020 us=764620 xxx.xxx.xxx.xxx:xxxx SIGUSR1[soft,tls-error] received, client-instance restarting