Can't establish connection with the OpenVPN server

Hi, I've set up an OpenVPN server on my OpenWrt router, following the basic guide at https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic.

All went well.

The problem is when I try to connect to the OpenVPN from outside the network, it times out. The handshake doesn't finalize, apparently.

Here's the output generated by the client:

Thu Apr  2 12:08:16 2020 TLS Error: TLS handshake failed
Thu Apr  2 12:08:16 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Apr  2 12:08:16 2020 Restart pause, 5 second(s)
Thu Apr  2 12:07:01 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Apr  2 12:07:01 2020 TLS Error: TLS handshake failed
Thu Apr  2 12:07:01 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Apr  2 12:07:01 2020 Restart pause, 5 second(s)
Enter Private Key Password: ************
Thu Apr  2 12:07:16 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Apr  2 12:07:16 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Apr  2 12:07:16 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Apr  2 12:07:16 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Apr  2 12:07:16 2020 TCP/UDP: Preserving recently used remote address: [AF_INET] (public ip address of the vpn server)
Thu Apr  2 12:07:16 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]

Here's what the log on the server says:

Thu Apr  2 10:17:40 2020 daemon.notice openvpn(server)[4825]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Apr  2 10:17:40 2020 daemon.notice openvpn(server)[4825]: library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
Thu Apr  2 10:17:40 2020 daemon.notice openvpn(server)[4825]: Diffie-Hellman initialized with 2048 bit key
Thu Apr  2 10:17:40 2020 daemon.notice openvpn(server)[4825]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Apr  2 10:17:40 2020 daemon.notice openvpn(server)[4825]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Apr  2 10:17:40 2020 daemon.notice openvpn(server)[4825]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Apr  2 10:17:40 2020 daemon.notice openvpn(server)[4825]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Apr  2 10:17:40 2020 daemon.err openvpn(server)[4825]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
Thu Apr  2 10:17:40 2020 daemon.notice openvpn(server)[4825]: Exiting due to fatal error

resource busy
I tried reloading and stopping/restarting the OpenVPN server process but to no avail.

What's missing?

At the bottom of the page is the troubleshooting section.
Collect these and post them here. You can omit the ip -6 commands if you don't use IPv6.

logread -e openvpn; netstat -l -n -p | grep -e openvpn

Thu Apr  2 12:18:17 2020 daemon.err openvpn(server)[1418]: event_wait : Interrupted system call (code=4)
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[1418]: Closing TUN/TAP interface
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[1418]: /sbin/ifconfig tun0 0.0.0.0
Thu Apr  2 12:18:17 2020 daemon.warn openvpn(server)[1418]: Linux ip addr del failed: external program exited with error status: 1
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[1418]: SIGTERM[hard,] received, process exiting
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: Diffie-Hellman initialized with 2048 bit key
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: TUN/TAP device tun0 opened
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: TUN/TAP TX queue length set to 100
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Thu Apr  2 12:18:17 2020 daemon.warn openvpn(server)[2414]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: UDPv4 link remote: [AF_UNSPEC]
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: GID set to nogroup
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: UID set to nobody
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: MULTI: multi_init called, r=256 v=256
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: IFCONFIG POOL: base=192.168.8.2 size=252, ipv6=0
Thu Apr  2 12:18:17 2020 daemon.notice openvpn(server)[2414]: Initialization Sequence Completed
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           2414/openvpn

Now:
ip address show
ip route show
ip rule show
iptables-save

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 68:ff:7b:ab:9b:85 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6aff:7bff:feab:9b85/64 scope link 
       valid_lft forever preferred_lft forever
6: br-subnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 68:ff:7b:ab:9b:85 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.129/25 brd 192.168.0.255 scope global br-subnet2
       valid_lft forever preferred_lft forever
    inet6 fd28:4af7:12e6:10::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::6aff:7bff:feab:9b85/64 scope link 
       valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-subnet2 state UP qlen 1000
    link/ether 68:ff:7b:ab:9b:85 brd ff:ff:ff:ff:ff:ff
8: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 68:ff:7b:ab:9b:85 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/28 brd 192.168.1.15 scope global eth0.3
       valid_lft forever preferred_lft forever
    inet6 fe80::6aff:7bff:feab:9b85/64 scope link 
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 68:ff:7b:ab:9b:86 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6aff:7bff:feab:9b86/64 scope link 
       valid_lft forever preferred_lft forever
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    link/ppp 
    inet 188.212.158.52 peer 80.96.202.254/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 68:ff:7b:ab:9b:85 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/25 brd 192.168.0.127 scope global wlan1
       valid_lft forever preferred_lft forever
    inet6 fd28:4af7:12e6::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::6aff:7bff:feab:9b85/64 scope link 
       valid_lft forever preferred_lft forever
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-subnet2 state UP qlen 1000
    link/ether 68:ff:7b:ab:9b:84 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6aff:7bff:feab:9b84/64 scope link 
       valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534] 
    inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::fa71:83e3:404:969b/64 scope link 
       valid_lft forever preferred_lft forever
default via 80.96.202.254 dev pppoe-wan 
80.96.202.254 dev pppoe-wan scope link  src 188.212.158.52 
192.168.0.0/25 dev wlan1 scope link  src 192.168.0.1 
192.168.0.128/25 dev br-subnet2 scope link  src 192.168.0.129 
192.168.1.0/28 dev eth0.3 scope link  src 192.168.1.1 
192.168.8.0/24 dev tun0 scope link  src 192.168.8.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
# Generated by iptables-save v1.8.3 on Thu Apr  2 12:19:52 2020
*nat
:PREROUTING ACCEPT [1964:142256]
:INPUT ACCEPT [481:37568]
:OUTPUT ACCEPT [676:51455]
:POSTROUTING ACCEPT [7:1461]
:postrouting_rule - [0:0]
:postrouting_subnet1_rule - [0:0]
:postrouting_subnet2_rule - [0:0]
:postrouting_tenda_eth03_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_subnet1_rule - [0:0]
:prerouting_subnet2_rule - [0:0]
:prerouting_tenda_eth03_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_subnet1_postrouting - [0:0]
:zone_subnet1_prerouting - [0:0]
:zone_subnet2_postrouting - [0:0]
:zone_subnet2_prerouting - [0:0]
:zone_tenda_eth03_postrouting - [0:0]
:zone_tenda_eth03_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_subnet1_prerouting
-A PREROUTING -i wlan1 -m comment --comment "!fw3" -j zone_subnet1_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i br-subnet2 -m comment --comment "!fw3" -j zone_subnet2_prerouting
-A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_tenda_eth03_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_subnet1_postrouting
-A POSTROUTING -o wlan1 -m comment --comment "!fw3" -j zone_subnet1_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o br-subnet2 -m comment --comment "!fw3" -j zone_subnet2_postrouting
-A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_tenda_eth03_postrouting
-A zone_subnet1_postrouting -m comment --comment "!fw3: Custom subnet1 postrouting rule chain" -j postrouting_subnet1_rule
-A zone_subnet1_postrouting -s 192.168.0.0/25 -d 192.168.0.1/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_subnet1_postrouting -s 192.168.0.0/25 -d 192.168.0.1/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_subnet1_prerouting -m comment --comment "!fw3: Custom subnet1 prerouting rule chain" -j prerouting_subnet1_rule
-A zone_subnet1_prerouting -s 192.168.0.0/25 -d 188.212.158.52/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.0.1:1194
-A zone_subnet1_prerouting -s 192.168.0.0/25 -d 188.212.158.52/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.0.1:1194
-A zone_subnet2_postrouting -m comment --comment "!fw3: Custom subnet2 postrouting rule chain" -j postrouting_subnet2_rule
-A zone_subnet2_prerouting -m comment --comment "!fw3: Custom subnet2 prerouting rule chain" -j prerouting_subnet2_rule
-A zone_tenda_eth03_postrouting -m comment --comment "!fw3: Custom tenda_eth03 postrouting rule chain" -j postrouting_tenda_eth03_rule
-A zone_tenda_eth03_prerouting -m comment --comment "!fw3: Custom tenda_eth03 prerouting rule chain" -j prerouting_tenda_eth03_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j DNAT --to-destination 192.168.0.1:1194
-A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j DNAT --to-destination 192.168.0.1:1194
COMMIT
# Completed on Thu Apr  2 12:19:52 2020
# Generated by iptables-save v1.8.3 on Thu Apr  2 12:19:52 2020
*mangle
:PREROUTING ACCEPT [32126:11059066]
:INPUT ACCEPT [2138:183078]
:FORWARD ACCEPT [29781:10843170]
:OUTPUT ACCEPT [2117:196885]
:POSTROUTING ACCEPT [31656:11028849]
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Apr  2 12:19:52 2020
# Generated by iptables-save v1.8.3 on Thu Apr  2 12:19:52 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_rule - [0:0]
:forwarding_subnet1_rule - [0:0]
:forwarding_subnet2_rule - [0:0]
:forwarding_tenda_eth03_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_rule - [0:0]
:input_subnet1_rule - [0:0]
:input_subnet2_rule - [0:0]
:input_tenda_eth03_rule - [0:0]
:input_wan_rule - [0:0]
:output_rule - [0:0]
:output_subnet1_rule - [0:0]
:output_subnet2_rule - [0:0]
:output_tenda_eth03_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_subnet1_dest_ACCEPT - [0:0]
:zone_subnet1_forward - [0:0]
:zone_subnet1_input - [0:0]
:zone_subnet1_output - [0:0]
:zone_subnet1_src_ACCEPT - [0:0]
:zone_subnet2_dest_ACCEPT - [0:0]
:zone_subnet2_forward - [0:0]
:zone_subnet2_input - [0:0]
:zone_subnet2_output - [0:0]
:zone_subnet2_src_ACCEPT - [0:0]
:zone_tenda_eth03_dest_ACCEPT - [0:0]
:zone_tenda_eth03_dest_REJECT - [0:0]
:zone_tenda_eth03_forward - [0:0]
:zone_tenda_eth03_input - [0:0]
:zone_tenda_eth03_output - [0:0]
:zone_tenda_eth03_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_subnet1_input
-A INPUT -i wlan1 -m comment --comment "!fw3" -j zone_subnet1_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-subnet2 -m comment --comment "!fw3" -j zone_subnet2_input
-A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_tenda_eth03_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_subnet1_forward
-A FORWARD -i wlan1 -m comment --comment "!fw3" -j zone_subnet1_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-subnet2 -m comment --comment "!fw3" -j zone_subnet2_forward
-A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_tenda_eth03_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_subnet1_output
-A OUTPUT -o wlan1 -m comment --comment "!fw3" -j zone_subnet1_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-subnet2 -m comment --comment "!fw3" -j zone_subnet2_output
-A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_tenda_eth03_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_subnet1_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_subnet1_dest_ACCEPT -o wlan1 -m comment --comment "!fw3" -j ACCEPT
-A zone_subnet1_forward -m comment --comment "!fw3: Custom subnet1 forwarding rule chain" -j forwarding_subnet1_rule
-A zone_subnet1_forward -m comment --comment "!fw3: Zone subnet1 to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_subnet1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_subnet1_forward -m comment --comment "!fw3" -j zone_subnet1_dest_ACCEPT
-A zone_subnet1_input -m comment --comment "!fw3: Custom subnet1 input rule chain" -j input_subnet1_rule
-A zone_subnet1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_subnet1_input -m comment --comment "!fw3" -j zone_subnet1_src_ACCEPT
-A zone_subnet1_output -m comment --comment "!fw3: Custom subnet1 output rule chain" -j output_subnet1_rule
-A zone_subnet1_output -m comment --comment "!fw3" -j zone_subnet1_dest_ACCEPT
-A zone_subnet1_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_subnet1_src_ACCEPT -i wlan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_subnet2_dest_ACCEPT -o br-subnet2 -m comment --comment "!fw3" -j ACCEPT
-A zone_subnet2_forward -m comment --comment "!fw3: Custom subnet2 forwarding rule chain" -j forwarding_subnet2_rule
-A zone_subnet2_forward -m comment --comment "!fw3: Zone subnet2 to subnet1 forwarding policy" -j zone_subnet1_dest_ACCEPT
-A zone_subnet2_forward -m comment --comment "!fw3: Zone subnet2 to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_subnet2_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_subnet2_forward -m comment --comment "!fw3" -j zone_subnet2_dest_ACCEPT
-A zone_subnet2_input -m comment --comment "!fw3: Custom subnet2 input rule chain" -j input_subnet2_rule
-A zone_subnet2_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_subnet2_input -m comment --comment "!fw3" -j zone_subnet2_src_ACCEPT
-A zone_subnet2_output -m comment --comment "!fw3: Custom subnet2 output rule chain" -j output_subnet2_rule
-A zone_subnet2_output -m comment --comment "!fw3" -j zone_subnet2_dest_ACCEPT
-A zone_subnet2_src_ACCEPT -i br-subnet2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_tenda_eth03_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
-A zone_tenda_eth03_dest_REJECT -o eth0.3 -m comment --comment "!fw3" -j reject
-A zone_tenda_eth03_forward -m comment --comment "!fw3: Custom tenda_eth03 forwarding rule chain" -j forwarding_tenda_eth03_rule
-A zone_tenda_eth03_forward -m comment --comment "!fw3: Zone tenda_eth03 to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_tenda_eth03_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_tenda_eth03_forward -m comment --comment "!fw3" -j zone_tenda_eth03_dest_REJECT
-A zone_tenda_eth03_input -m comment --comment "!fw3: Custom tenda_eth03 input rule chain" -j input_tenda_eth03_rule
-A zone_tenda_eth03_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_tenda_eth03_input -m comment --comment "!fw3" -j zone_tenda_eth03_src_ACCEPT
-A zone_tenda_eth03_output -m comment --comment "!fw3: Custom tenda_eth03 output rule chain" -j output_tenda_eth03_rule
-A zone_tenda_eth03_output -m comment --comment "!fw3" -j zone_tenda_eth03_dest_ACCEPT
-A zone_tenda_eth03_src_ACCEPT -i eth0.3 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_subnet1_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_subnet1_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Zone wan to subnet1 forwarding policy" -j zone_subnet1_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Zone wan to subnet2 forwarding policy" -j zone_subnet2_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT

uci show network; uci show firewall; uci show openvpn

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd28:4af7:12e6::/48'
network.subnet1=interface
network.subnet1.proto='static'
network.subnet1.ip6assign='60'
network.subnet1.ipaddr='192.168.0.1'
network.subnet1.netmask='255.255.255.128'
network.subnet2=interface
network.subnet2.type='bridge'
network.subnet2.proto='static'
network.subnet2.ip6assign='60'
network.subnet2.ipaddr='192.168.0.129'
network.subnet2.netmask='255.255.255.128'
network.subnet2.ifname='eth0.1'

network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='pppoe'
#
#
network.wan.ipv6='auto'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='68:ff:7b:ab:9b:86'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='5 4 0t'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='3'
network.@switch_vlan[1].ports='2 0t'
network.@switch_vlan[1].vid='3'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='2'
network.@switch_vlan[2].ports='1 0t'
network.@switch_vlan[2].vid='2'
network.tenda_lan=interface
network.tenda_lan.proto='static'
network.tenda_lan.ipaddr='192.168.1.1'
network.tenda_lan.netmask='255.255.255.240'
network.tenda_lan.ifname='eth0.3'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun0'
firewall.lan.name='subnet1'
firewall.lan.network='subnet1'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].dest='subnet1'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].dest='subnet1'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].name='subnet2'
firewall.@zone[2].network='subnet2'
firewall.lan_wan=forwarding
firewall.lan_wan.dest='wan'
firewall.lan_wan.src='subnet1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='subnet1'
firewall.@forwarding[1].src='wan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='subnet1'
firewall.@forwarding[2].src='subnet2'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='wan'
firewall.@forwarding[3].src='subnet2'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='subnet2'
firewall.@forwarding[4].src='wan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='subnet2'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='14571'
firewall.@redirect[0].dest_ip='192.168.0.152'
firewall.@redirect[0].dest_port='14571'
firewall.@redirect[0].name='pyth'
firewall.@redirect[0].enabled='0'
firewall.@zone[3]=zone
firewall.@zone[3].network='tenda_lan'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].name='tenda_eth03'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].dest='wan'
firewall.@forwarding[5].src='tenda_eth03'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest_port='1194'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].name='openvpn'
firewall.@redirect[1].src_dport='1194'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest_ip='192.168.0.1'
firewall.@redirect[1].dest='subnet1'
firewall.@forwarding[6]=forwarding
firewall.@forwarding[6].dest='subnet1'
firewall.@forwarding[6].src='openvpn'
firewall.@forwarding[7]=forwarding
firewall.@forwarding[7].dest='wan'
firewall.@forwarding[7].src='openvpn'
firewall.@forwarding[8]=forwarding
firewall.@forwarding[8].dest='openvpn'
firewall.@forwarding[8].src='subnet1'
firewall.@forwarding[9]=forwarding
firewall.@forwarding[9].dest='openvpn'
firewall.@forwarding[9].src='wan'
openvpn.custom_config=openvpn
openvpn.custom_config.enabled='0'
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.enabled='0'
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.enabled='0'
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'
root@OpenWrt:~# head -n -0 /etc/openvpn/*.conf
verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
duplicate-cn
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"

<dh>

Server seems to have started normally now. Did you try to reconnect?

Can't for a few more hours, unfortunately. I'll get back to you on it as soon as I do.

just gave it another shot. Same thing as before

@desn92n I find this bit odd:

firewall.@redirect[1]=redirect
firewall.@redirect[1].dest_port='1194'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].name='openvpn'
firewall.@redirect[1].src_dport='1194'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest_ip='192.168.0.1'
firewall.@redirect[1].dest='subnet1'

If the server runs on the router, why do you need port forwarding? You just have to open the port on the wan side and you're good to go.

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option name 'router - openvpn'

It's no longer in the configuration, with the same result. I'd just forgotten to take it out when I posted that.

Something I noticed is
server 192.168.8.0 255.255.255.0 --> the openvpn server sets up a network of its own. Should it be this way, or should I change it to the address of a present network instead?


It is correct to have a dedicated network for the VPN, then you'll also need to configure the firewall accordingly: most likely, you want to allow outgoing connections from vpn to wan and quite possibly also incoming connections from vpn to lan.

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

(mind you: my config assumes a "vpn" zone containing only "vpn0" as openwrt interface and "tun0" as physical interface)

Are you absolutely sure it is the same? In the first log the server was not initializing, but in the second log it was initialized. So I would expect to see some log from the server regarding the connection too.
Post also the output of iptables-save -c | grep 1194

It's the same as before in that the connection times out and it ends with the 'tun0 resource busy' message.

iptables-save -c | grep 119

[0:0] -A zone_subnet1_postrouting -s 192.168.0.0/25 -d 192.168.0.1/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_subnet1_postrouting -s 192.168.0.0/25 -d 192.168.0.1/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_subnet1_prerouting -s 192.168.0.0/25 -d 89.34.127.48/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.0.1:1194
[0:0] -A zone_subnet1_prerouting -s 192.168.0.0/25 -d 89.34.127.48/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn (reflection)" -j DNAT --to-destination 192.168.0.1:1194
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j DNAT --to-destination 192.168.0.1:1194
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j DNAT --to-destination 192.168.0.1:1194
[63:3119] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT

client output:

Fri Apr  3 11:44:49 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr  3 11:44:49 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr  3 11:44:49 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr  3 11:44:49 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr  3 11:44:49 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]89.34.127.48:1194
Fri Apr  3 11:44:49 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr  3 11:44:49 2020 UDP link local: (not bound)
Fri Apr  3 11:44:49 2020 UDP link remote: [AF_INET]89.34.127.48:1194
Fri Apr  3 11:45:49 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Apr  3 11:45:49 2020 TLS Error: TLS handshake failed
Fri Apr  3 11:45:49 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr  3 11:45:49 2020 Restart pause, 5 second(s)

---> connection times out, just as before

server:
initialization completed, but tun0 is still identified as 'resource busy' and the connection doesn't go through


server: 
Fri Apr  3 09:46:26 2020 daemon.err openvpn(server)[15742]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
Fri Apr  3 09:46:26 2020 daemon.notice openvpn(server)[15742]: Exiting due to fatal error
Fri Apr  3 09:46:31 2020 daemon.notice openvpn(server)[15743]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Apr  3 09:46:31 2020 daemon.notice openvpn(server)[15743]: library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
Fri Apr  3 09:46:31 2020 daemon.notice openvpn(server)[15743]: Diffie-Hellman initialized with 2048 bit key
Fri Apr  3 09:46:31 2020 daemon.notice openvpn(server)[15743]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr  3 09:46:31 2020 daemon.notice openvpn(server)[15743]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr  3 09:46:31 2020 daemon.notice openvpn(server)[15743]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr  3 09:46:31 2020 daemon.notice openvpn(server)[15743]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr  3 09:46:31 2020 daemon.err openvpn(server)[15743]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
Fri Apr  3 09:46:31 2020 daemon.notice openvpn(server)[15743]: Exiting due to fatal error
Fri Apr  3 09:46:36 2020 daemon.notice openvpn(server)[15745]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Apr  3 09:46:36 2020 daemon.notice openvpn(server)[15745]: library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
Fri Apr  3 09:46:36 2020 daemon.notice openvpn(server)[15745]: Diffie-Hellman initialized with 2048 bit key
Fri Apr  3 09:46:36 2020 daemon.notice openvpn(server)[15745]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr  3 09:46:36 2020 daemon.notice openvpn(server)[15745]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr  3 09:46:36 2020 daemon.notice openvpn(server)[15745]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr  3 09:46:36 2020 daemon.notice openvpn(server)[15745]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr  3 09:46:36 2020 daemon.err openvpn(server)[15745]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
Fri Apr  3 09:46:36 2020 daemon.notice openvpn(server)[15745]: Exiting due to fatal error
Fri Apr  3 09:46:40 2020 authpriv.info dropbear[15746]: Child connection from 192.168.0.66:35416
Fri Apr  3 09:46:41 2020 daemon.notice openvpn(server)[15747]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Apr  3 09:46:41 2020 daemon.notice openvpn(server)[15747]: library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
Fri Apr  3 09:46:41 2020 daemon.notice openvpn(server)[15747]: Diffie-Hellman initialized with 2048 bit key
Fri Apr  3 09:46:41 2020 daemon.notice openvpn(server)[15747]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr  3 09:46:41 2020 daemon.notice openvpn(server)[15747]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr  3 09:46:41 2020 daemon.notice openvpn(server)[15747]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr  3 09:46:41 2020 daemon.notice openvpn(server)[15747]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr  3 09:46:41 2020 daemon.err openvpn(server)[15747]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)

Are you needing to definitely use OpenVPN or would Wireguard work just as well for your purposes? If so, it might be easier to set up and get working.

Is there a basic guide for getting wireguard working on openwrt?

Nothing has reached the server. Check if the remote address is correct on the client.

As for the server, it keeps restarting, so no, the initialization is not completed.

ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
openvpn(server)[15745]: Exiting due to fatal error

Stop and start the OpenVPN server manually
service openvpn stop; sleep 5; service openvpn start
Then make sure it is listening;
netstat -anp | grep 1194
Check the counters in iptables:
iptables-save -c | grep Allow-OpenVPN
Start connection from the client and measure the counters once again to verify that it is getting something from the client.


https://openwrt.org/docs/guide-user/services/vpn/wireguard/start


Stop and start the OpenVPN server manually

I did, a bunch of times. It doesn't change anything.

Nothing has reached the server. Check if the remote address is correct on the client.

It is correct. Every time I reboot the router, it gets a new IP from the ISP, so every time I check and modify the address accordingly. This is until I get it running, after I can figure something out with a cronjob or something.

Then make sure it is listening;

root@OpenWrt:~#  netstat -anp | grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           15569/openvpn

Start connection from the client and measure the counters once again to verify that it is getting something from the client.

It does seem to be getting something

[5:410] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
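
The two checks asked for in the posts above (the Allow-OpenVPN rule counters before and after a client attempt, and the TUNSETIFF restart loop in the server log), as an added example that is not part of the original thread. The function names are hypothetical and the sample lines are copied from the outputs posted here.

```shell
#!/bin/sh
# Added example, not from the thread. On the router the inputs would come from
#   iptables-save -c | rule_pkts Allow-OpenVPN     and     logread | tun_busy_pids

# Sum the packet counters of every rule tagged with the fw3 comment $1.
# Reads `iptables-save -c` output on stdin. The closing quote is part of the
# match so that "openvpn" does not also match "openvpn (reflection)".
rule_pkts() {
    awk -v c="fw3: $1\"" 'index($0, c) { split(substr($1, 2), a, ":"); n += a[1] }
                          END { print n + 0 }'
}

# Count distinct openvpn PIDs that exited on the TUNSETIFF error.
# Reads syslog lines on stdin; more than one PID means a respawn loop.
tun_busy_pids() {
    sed -n 's/.*openvpn([^)]*)\[\([0-9]*\)]: ERROR: Cannot ioctl TUNSETIFF.*/\1/p' |
        awk '!seen[$0]++ { n++ } END { print n + 0 }'
}

# Compare two counter snapshots ($1 before, $2 after a client attempt) for
# the rule named $3. Prints "reached" if the rule saw new packets, else "silent".
wan_verdict() {
    before=$(printf '%s\n' "$1" | rule_pkts "$3")
    after=$(printf '%s\n' "$2" | rule_pkts "$3")
    if [ "$after" -gt "$before" ]; then echo reached; else echo silent; fi
}

# Sample input: lines copied from the outputs posted in this thread.
BEFORE='[0:0] -A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j DNAT --to-destination 192.168.0.1:1194
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT'
AFTER='[5:410] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT'
LOG='Fri Apr  3 09:46:26 2020 daemon.err openvpn(server)[15742]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
Fri Apr  3 09:46:26 2020 daemon.notice openvpn(server)[15742]: Exiting due to fatal error
Fri Apr  3 09:46:31 2020 daemon.err openvpn(server)[15743]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
Fri Apr  3 09:46:36 2020 daemon.err openvpn(server)[15745]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)'

echo "WAN rule: $(wan_verdict "$BEFORE" "$AFTER" Allow-OpenVPN)"
echo "openvpn PIDs that died on tun0: $(printf '%s\n' "$LOG" | tun_busy_pids)"
```

A rising counter only shows that the client's UDP packets pass the WAN input rule; several distinct PIDs failing on tun0 show the daemon being respawned without ever bringing the tunnel device up.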

thanks, I'll have a look right away

  1. service openvpn stop
  2. Post the output of ps | grep openvpn

ps | grep openvpn doesn't return anything. The only process left is grep itself, after stopping the openvpn server

I've stopped trying with openvpn. I'll give wireguard a shot, see if I have any luck there