I have followed https://openwrt.org/docs/guide-user/services/vpn/openvpn/server precisely. On starting the server via CLI it appears to be running.
at Jun 26 21:16:13 2021 daemon.err openvpn(server)[22504]: event_wait : Interrupted system call (code=4)
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[22504]: net_addr_v4_del: 192.168.8.1 dev tun0
Sat Jun 26 21:16:13 2021 daemon.warn openvpn(server)[22504]: sitnl_send: rtnl: generic error (-1): Operation not permitted
Sat Jun 26 21:16:13 2021 daemon.warn openvpn(server)[22504]: Linux can't del IP from iface tun0
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[22504]: /usr/libexec/openvpn-hotplug down server tun0 1500 1621 192.168.8.1 255.255.255.0 init
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[22504]: SIGTERM[hard,] received, process exiting
Sat Jun 26 21:16:13 2021 daemon.warn openvpn(server)[23243]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: OpenVPN 2.5.2 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: library versions: OpenSSL 1.1.1k 25 Mar 2021
Sat Jun 26 21:16:13 2021 daemon.warn openvpn(server)[23243]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: TUN/TAP device tun0 opened
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: net_iface_mtu_set: mtu 1500 for tun0
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: net_iface_up: set tun0 up
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: net_addr_v4_add: 192.168.8.1/24 dev tun0
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: /usr/libexec/openvpn-hotplug up server tun0 1500 1621 192.168.8.1 255.255.255.0 init
Sat Jun 26 21:16:13 2021 daemon.warn openvpn(server)[23243]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: UDPv4 link remote: [AF_UNSPEC]
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: GID set to nogroup
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: UID set to nobody
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: Initialization Sequence Completed
udp 0 0 0.0.0.0:1194 0.0.0.0:* 23243/openvpn
When I try to connect to the server I get TLS Error: TLS key negotiation failed to occur within 60 seconds
uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd33:6941:36c1::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.proto='dhcp'
network.wan.ifname='eth1'
network.wan.peerdns='0'
network.wan.dns='1.1.1.1' '1.0.0.1'
network.@device[0]=device
network.@device[0].name='eth1'
network.@device[0].macaddr='mac..'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.ifname='eth1'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.wan6.dns='2606:4700:4700::1111' '2606:4700:4700::1001'
network.@device[1]=device
network.@device[1].name='wlan0'
network.@device[1].macaddr='mac...'
network.@device[2]=device
network.@device[2].name='eth0'
network.@device[2].macaddr='mac...'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun+'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
client.ovpn
dev tun
nobind
client
remote my.ddns.domain.com 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
server.conf
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>