Configuring OpenVPN Server with LuCI

Hi, I don't know if this issue has been posted already, but I don't know what I'm doing wrong here.
I've installed the packages openvpn-openssl and luci-app-openvpn. I've also created all certs on my machine so I can save some space on the router, then deleted all example configs and created this one:

verb: 3
port: 8443
dev_tun: tun
server: 192.168.10.0 255.255.255.0
keepalive: 10 60
ca: /etc/openvpn/ca.crt (uploaded, using LuCI)
dh: /etc/openvpn/dh.pem (uploaded, using LuCI)
cert: /etc/openvpn/server.crt (uploaded, using LuCI)
key: /etc/openvpn/server.key (uploaded, using LuCI)
proto: tcp6-server

Then I've added the OPENVPN interface with tun0, protocol Unmanaged, in the firewall zone WAN.

One of my client configs is:

client
dev tun
proto tcp6-client
float
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote (my hostname) 8443
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

That seems wrong, mixing IPv4 and IPv6.

I have tried different protocols like tcp-server, udp6 and udp. None of them works.
Also, as far as I know, tcp6-server and udp6 cover IPv6 and IPv4; the thing is that when it's unable to establish communication on one stack it fails over to the other without much waiting time.
I tried it because my dynamic domain has A records and AAAA records, and when I used another firmware that only supported IPv4 on OpenVPN, my client first tried to establish the connection over IPv6 several times before it fell back to IPv4, so the client had to wait. What I want is that the server accepts connections on IPv6 and IPv4 so my clients don't have to wait for that fallback time, even if, once connected, it only assigns you an IPv4 address.

Test IPv4 and IPv6 connection separately on the client side.
It should work with the current IPs for a limited time interval.
Check connection attempts in the VPN server log.

Well, this web page says differently:
https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
" From the OpenVPN 2.4, OpenVPN will try both IPv6 and IPv4 when just using udp/tcp-client/tcp-server. To enforce only IPv4-only, you need to use udp4, tcp4-client or tcp4-server; and similar to enforce IPv6-only with udp6/tcp6-client/tcp6-server."

But as @vgaetera said, check the VPN logs to figure out where the connection fails, or whether it may not even be attempted (e.g. I assume you opened port 8443).

So I have tried changing both sides to "proto udp", and this is the log on the client side:

2021-07-06 22:36:06.686109 MANAGEMENT: CMD 'hold release'
2021-07-06 22:36:06.693805 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-07-06 22:36:06.705464 MANAGEMENT: >STATE:1625628966,RESOLVE,,,,,,
2021-07-06 22:36:06.892958 TCP/UDP: Preserving recently used remote address: [AF_INET6]<MY WAN IPv6>:8443
2021-07-06 22:36:06.893143 Socket Buffers: R=[786896->786896] S=[9216->9216]
2021-07-06 22:36:06.893179 setsockopt(IPV6_V6ONLY=0)
2021-07-06 22:36:06.893248 UDP link local (bound): [AF_INET6][undef]:1194
2021-07-06 22:36:06.893284 UDP link remote: [AF_INET6]<MY WAN IPv6>:8443
2021-07-06 22:36:06.893458 MANAGEMENT: >STATE:1625628966,WAIT,,,,,,
2021-07-06 22:37:06.596554 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-07-06 22:37:06.596714 TLS Error: TLS handshake failed
2021-07-06 22:37:06.597838 SIGUSR1[soft,tls-error] received, process restarting
2021-07-06 22:37:06.597991 MANAGEMENT: >STATE:1625629026,RECONNECTING,tls-error,,,,,
2021-07-06 22:37:06.629993 MANAGEMENT: CMD 'hold release'
2021-07-06 22:37:06.630056 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-07-06 22:37:06.630214 TCP/UDP: Preserving recently used remote address: [AF_INET]<MY WAN IPv4>:8443
2021-07-06 22:37:06.630284 Socket Buffers: R=[786896->786896] S=[9216->9216]
2021-07-06 22:37:06.630320 UDP link local (bound): [AF_INET][undef]:1194
2021-07-06 22:37:06.630334 UDP link remote: [AF_INET]<MY WAN IPv4>:8443
2021-07-06 22:37:06.630444 MANAGEMENT: >STATE:1625629026,WAIT,,,,,,
2021-07-06 22:37:06.630853 MANAGEMENT: CMD 'hold release'
2021-07-06 22:38:06.228294 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-07-06 22:38:06.228430 TLS Error: TLS handshake failed
2021-07-06 22:38:06.228674 SIGUSR1[soft,tls-error] received, process restarting
2021-07-06 22:38:06.228704 MANAGEMENT: >STATE:1625629086,RECONNECTING,tls-error,,,,,

Unfortunately, since I can't connect to the server side right now, I'm unable to post the server log; tomorrow, when I can physically reach the server, I'll post the logs.

Also, I forgot to add that, as said by @faser, when I read the docs on the OpenVPN site I got it somewhat backwards; you're totally right.

Did you change your firewall rules for that?

Surely the server logs would be interesting to see if the request arrives (which I doubt).
I am still confused why the client tries IPv6 initially.


Did you change your firewall rules for that?

The only firewall rule that I've got is the tun0 adapter on the OPENVPN interface, created as Unmanaged and added to the WAN zone.

I am still confused why the client tries IPv6 initially.

Both sides, client and server, have IPv6 enabled, and by default IPv6 is almost always preferred over IPv4 if it's able to resolve the DNS request through IPv6.

Well, normally on WAN you would not have any port open on OpenWrt. So unless you open UDP 8443, this will all be blocked by the Incoming Filter of the WAN side.
Also, not sure why you would add tun0 to the WAN zone?

The required firewall changes are in the chapter "3. Firewall", so you would just have the protocol/port be allowed on the WAN (in your case UDP 8443).


Well I made some changes to the config.

  1. Kept "proto udp" in both configs (server and client)
  2. Modified the interface "OPENVPN" with the adapter "tun0" as protocol "Unmanaged" and firewall zone "Unspecified"
  3. Added on firewall "Traffic Rules" the rule "Allow-OpenVPN" with protocol "UDP", source zone "WAN", destination zone "Device (input)", destination port 8443 and action "ACCEPT"
  4. For now, client side only enabled IPv4 access (so it won't try to connect on IPv6)

Still can't connect to the VPN.
Server log is:

Wed Jul  7 01:11:40 2021 daemon.notice openvpn(server)[30610]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Jul  7 01:11:40 2021 daemon.notice openvpn(server)[30610]: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: Diffie-Hellman initialized with 2048 bit key
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: TUN/TAP device tun0 opened
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: TUN/TAP TX queue length set to 100
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: /sbin/ifconfig tun0 192.168.10.1 pointopoint 192.168.10.2 mtu 1500
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.2
Wed Jul  7 01:11:41 2021 daemon.warn openvpn(server)[30610]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: UDPv4 link local (bound): [AF_INET][undef]:8443
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: UDPv4 link remote: [AF_UNSPEC]
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: MULTI: multi_init called, r=256 v=256
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: IFCONFIG POOL: base=192.168.10.4 size=62, ipv6=0
Wed Jul  7 01:11:41 2021 daemon.notice openvpn(server)[30610]: Initialization Sequence Completed

Client log is:

2021-07-07 08:44:08.034167 MANAGEMENT: CMD 'hold release'
2021-07-07 08:44:08.034440 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-07-07 08:44:08.037973 MANAGEMENT: >STATE:1625665448,RESOLVE,,,,,,
2021-07-07 08:44:08.101761 TCP/UDP: Preserving recently used remote address: [AF_INET]<MY WAN IPv4>:8443
2021-07-07 08:44:08.101899 Socket Buffers: R=[786896->786896] S=[9216->9216]
2021-07-07 08:44:08.101940 UDP link local (bound): [AF_INET][undef]:1194
2021-07-07 08:44:08.101986 UDP link remote: [AF_INET]<MY WAN IPv4>:8443
2021-07-07 08:44:08.102056 MANAGEMENT: >STATE:1625665448,WAIT,,,,,,
2021-07-07 08:45:09.173617 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-07-07 08:45:09.173811 TLS Error: TLS handshake failed
2021-07-07 08:45:09.174407 SIGUSR1[soft,tls-error] received, process restarting
2021-07-07 08:45:09.174516 MANAGEMENT: >STATE:1625665509,RECONNECTING,tls-error,,,,,

The server log doesn't show any connection attempts. Are you sure your firewall rules are correct?
Are you trying to connect from outside of your LAN?
I suggest running "tcpdump -i any udp and port 8443" on the router to check whether you receive incoming packets when trying to connect from the client.


Ok, nothing on tcpdump:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes

Also, with the -v option there isn't any output.

Which means you are not receiving any packets on UDP port 8443. So, do you have a public IP on your router? Try with the IP address directly instead of DNS.


What an a** I am, I forgot to mention that I have mwan3 installed!

Are you trying to connect the VPN tunnel from LAN side or WAN side of the firewall?

In practical terms, OpenVPN only works from the internet to the firewall; it should only work from the internet, because that is the whole point of the concept of a VPN.

You shouldn't have a separate interface for OpenVPN. The tun(X) should be a device in the interface (defined in the firewall) you want to connect to.

What actual client hardware/software do you have? iOS, for example, only supports udp.

What does the client log say? That is actually the only log that matters, because the client wants to talk and the server won't respond to an illegal connection attempt.

But based on the two log lines above, my first guess is still that you sit at home and try to connect through the LAN.

If you try to connect from the internet and the server won't respond,

then the log in the client will be very empty and a line similar to this is written:

connecting to "IP"…

And not much more, and after 60 sec it will fail.

On the server, if you try connecting with wrong credentials, the log will say something like:

connection attempt with wrong password

followed by a line that says it has blocked the attempt.

That depends on the log level, and the line "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" is the corresponding line when the server doesn't respond within 60 seconds, as you also indicate.

That's what I'm trying to do: connect from outside to my local network so I can work with my LAN-side resources and, why not, also use the internet service where I have the VPN server (a more secure internet connection, controlled by me).

I mistakenly thought that creating this interface and adding it to the WAN zone of the firewall would make it directly accessible from the internet without having to manipulate the firewall rules, so I could spare some CPU usage. But now I have created a firewall rule as said earlier and have unassigned the OPENVPN interface (with the adapter tun0) from the WAN zone.

The client is a macOS machine with the Tunnelblick software, and it does support TCP too; I had used it on an older setup (when my router was running another firmware; I changed to OpenWrt because it's OpenWrt!).

Nope, I have tried to connect from a different location and also by using my phone's shared 5G access.

I think that the mwan3 package (I have 2 ISPs) is messing up something here, since I can't find anything wrong with this setup. For now, what I have tried is to bring down the second internet access by pulling the cable off so it only stays on the first one (where I do want to receive the incoming VPN connections). After resolving this problem I will change this setup to "proto tcp" and then check how I proceed with having the two ISP accesses up. First and foremost I want to be able to access the VPN service!

PS: For anyone who wants to know, I want to use port 8443 on TCP because many paid WiFi spots, without having to log in, commonly fail to catch outside connections on this port, or on 8080, 443, 80, 53 on TCP, or also 53 on UDP! (But these 4 last options normally crash some other local services on the VPN server.)

Finally I was able to get some response from the OpenVPN server, but this led me to another problem.
I was really frustrated about why my connection attempts didn't get through. As I have the opportunity to use the same hardware (a 2nd router), I took the time to recreate the setup with the same versions of firmware and packages on the other one, but without the mwan3 package (thus no double WAN), to discard it or point to it as the reason for this problem. Conclusion: the same problem happened again, so I can say that this problem isn't caused by mwan3! Then suddenly, by my mistake when changing the protocols in the OpenVPN config and then changing the protocols in the firewall rule, I mistakenly left TCP and UDP marked for accepting connections on port 8443 while the OpenVPN config had UDP, and then... I got a response!
So this would be the firewall rule:

Network > Firewall > Traffic Rules
Rule "Allow-OpenVPN"
Protocol "TCP/UDP"
Source zone "WAN"
Destination zone "Device (input)"
Destination port "8443"
Action "ACCEPT"

Now this would be my second problem, the response.
Server log:

Tue Jul 13 11:22:09 2021 daemon.notice openvpn(server)[30610]: <CLIENT WAN IPv4>:47312 TLS: Initial packet from [AF_INET]<CLIENT WAN IPv4>:47312, sid=888fbbf8 54994b14
Tue Jul 13 11:22:09 2021 daemon.err openvpn(server)[30610]: <CLIENT WAN IPv4>:47312 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=server
Tue Jul 13 11:22:09 2021 daemon.err openvpn(server)[30610]: <CLIENT WAN IPv4>:47312 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Tue Jul 13 11:22:09 2021 daemon.err openvpn(server)[30610]: <CLIENT WAN IPv4>:47312 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jul 13 11:22:09 2021 daemon.err openvpn(server)[30610]: <CLIENT WAN IPv4>:47312 TLS Error: TLS object -> incoming plaintext read error
Tue Jul 13 11:22:09 2021 daemon.err openvpn(server)[30610]: <CLIENT WAN IPv4>:47312 TLS Error: TLS handshake failed
Tue Jul 13 11:22:09 2021 daemon.notice openvpn(server)[30610]: <CLIENT WAN IPv4>:47312 SIGUSR1[soft,tls-error] received, client-instance restarting

Client log:

2021-07-13 11:22:09.101425 MANAGEMENT: CMD 'hold release'
2021-07-13 11:22:09.101621 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-07-13 11:22:09.105472 MANAGEMENT: >STATE:1626193329,RESOLVE,,,,,,
2021-07-13 11:22:09.235860 TCP/UDP: Preserving recently used remote address: [AF_INET6]<SERVER WAN IPv6>:8443
2021-07-13 11:22:09.235975 Socket Buffers: R=[786896->786896] S=[9216->9216]
2021-07-13 11:22:09.236012 setsockopt(IPV6_V6ONLY=0)
2021-07-13 11:22:09.236052 UDP link local (bound): [AF_INET6][undef]:1194
2021-07-13 11:22:09.236074 UDP link remote: [AF_INET6]<SERVER WAN IPv6>:8443
2021-07-13 11:22:09.236104 MANAGEMENT: >STATE:1626193329,WAIT,,,,,,
2021-07-13 11:23:09.145092 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-07-13 11:23:09.145280 TLS Error: TLS handshake failed
2021-07-13 11:23:09.145764 SIGUSR1[soft,tls-error] received, process restarting
2021-07-13 11:23:09.145871 MANAGEMENT: >STATE:1626193389,RECONNECTING,tls-error,,,,,
2021-07-13 11:23:09.175486 MANAGEMENT: CMD 'hold release'
2021-07-13 11:23:09.175614 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-07-13 11:23:09.175868 TCP/UDP: Preserving recently used remote address: [AF_INET]<SERVER WAN IPv4>:8443
2021-07-13 11:23:09.175937 Socket Buffers: R=[786896->786896] S=[9216->9216]
2021-07-13 11:23:09.175978 UDP link local (bound): [AF_INET][undef]:1194
2021-07-13 11:23:09.175999 UDP link remote: [AF_INET]<SERVER WAN IPv4>:8443
2021-07-13 11:23:09.176025 MANAGEMENT: >STATE:1626193389,WAIT,,,,,,
2021-07-13 11:23:09.176324 MANAGEMENT: CMD 'hold release'
2021-07-13 11:23:09.190431 MANAGEMENT: >STATE:1626193389,AUTH,,,,,,
2021-07-13 11:23:09.190487 TLS: Initial packet from [AF_INET]<SERVER WAN IPv4>:8443, sid=95baa263 04a42986
2021-07-13 11:23:09.339712 VERIFY OK: depth=1, CN=server
2021-07-13 11:23:09.339976 VERIFY KU OK
2021-07-13 11:23:09.340001 Validating certificate extended key usage
2021-07-13 11:23:09.340018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-07-13 11:23:09.340029 VERIFY EKU OK
2021-07-13 11:23:09.340042 VERIFY OK: depth=0, CN=server
2021-07-13 11:24:09.609378 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-07-13 11:24:09.609534 TLS Error: TLS handshake failed
2021-07-13 11:24:09.610051 SIGUSR1[soft,tls-error] received, process restarting
2021-07-13 11:24:09.610236 MANAGEMENT: >STATE:1626193449,RECONNECTING,tls-error,,,,,

So from what I know, now it's a problem with the certificate...
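The two dead ends in this thread, a client handshake that times out while the server log stays empty (the firewall case above, where tcpdump showed nothing) and a server that answers but rejects the client's certificate chain (the VERIFY ERROR just posted), can be told apart mechanically from the two logs. The script below is an added example, not code from the thread, from OpenWrt or from OpenVPN; it runs on constructed log excerpts modelled on the ones posted above (placeholders in place of addresses, timestamps shortened) and uses only grep and sed, so it also runs under BusyBox on the router itself.

```shell
#!/bin/sh
# Added example (not from the thread): sort a failed OpenVPN connection attempt
# into the situations seen in this thread, from the client and server logs.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sample logs constructed for this example, modelled on the thread's excerpts.
# Case a: dual-stack hostname, the client tried IPv6 then IPv4, the server saw nothing.
cat > "$WORK/client-a.log" <<'EOF'
22:36:06 UDP link remote: [AF_INET6]<SERVER WAN IPv6>:8443
22:37:06 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
22:37:06 UDP link remote: [AF_INET]<SERVER WAN IPv4>:8443
22:38:06 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
EOF
: > "$WORK/server-a.log"   # the server never logged the attempt

# Case b: the packets arrive, but the server rejects the client's certificate chain.
cat > "$WORK/client-b.log" <<'EOF'
11:23:09 UDP link remote: [AF_INET]<SERVER WAN IPv4>:8443
11:23:09 TLS: Initial packet from [AF_INET]<SERVER WAN IPv4>:8443, sid=95baa263 04a42986
11:23:09 VERIFY OK: depth=0, CN=server
11:24:09 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
EOF
cat > "$WORK/server-b.log" <<'EOF'
openvpn(server)[30610]: <CLIENT WAN IPv4>:47312 TLS: Initial packet from [AF_INET]<CLIENT WAN IPv4>:47312, sid=888fbbf8 54994b14
openvpn(server)[30610]: <CLIENT WAN IPv4>:47312 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=server
openvpn(server)[30610]: <CLIENT WAN IPv4>:47312 TLS Error: TLS handshake failed
EOF

# Case c: the server was reached and logged nothing else yet.
head -n 1 "$WORK/server-b.log" > "$WORK/server-c.log"

# triage CLIENT_LOG SERVER_LOG -> one word saying where the attempt died.
# Order matters: a server-side verify error is more specific than "the server
# was reached", which is more specific than a bare client-side timeout.
triage() {
  if grep -q 'VERIFY ERROR: depth=1, error=self.signed certificate in certificate chain' "$2"; then
    echo cert-chain-mismatch   # the peer's cert chains to a CA that is not in the server's ca file
  elif grep -q 'TLS: Initial packet from' "$2"; then
    echo server-reached        # packets arrive; read the server lines after "Initial packet"
  elif grep -q 'TLS key negotiation failed to occur within 60 seconds' "$1"; then
    echo no-reply              # client gave up, server saw nothing: firewall, proto, NAT or wrong address
  else
    echo unknown
  fi
}

# families_tried CLIENT_LOG -> address families in the order the client tried them,
# e.g. "AF_INET6 AF_INET" when a dual-stack hostname made the client prefer IPv6.
families_tried() {
  sed -n 's/.*link remote: \[\(AF_INET6*\)\].*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# timeouts CLIENT_LOG -> number of 60-second handshake timeouts the client logged.
timeouts() {
  grep -c 'TLS key negotiation failed to occur within 60 seconds' "$1" || true
}

for c in a b; do
  printf 'case %s: %s (client tried: %s; timeouts: %s)\n' "$c" \
    "$(triage "$WORK/client-$c.log" "$WORK/server-$c.log")" \
    "$(families_tried "$WORK/client-$c.log")" "$(timeouts "$WORK/client-$c.log")"
done
```

On the router, point triage at the real files instead of the constructed ones, e.g. "logread | grep openvpn" saved to a file for the server side and the client's own log for the other; a "no-reply" result means the next step is tcpdump on the WAN side, while "cert-chain-mismatch" means the client profile and the server's ca file were not produced from the same CA.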

Got it finally fully running. To say things first: not all the options are available through LuCI, and regarding creating the "OPENVPN" interface I wasn't wrong, because to make it work you need to create a firewall zone using the interface created first and assigned to the tun0 adapter, so the clients may have access to LAN resources and/or internet access.

So this is my working config:

Server side:
In the /etc/config/openvpn file:

config openvpn 'server'
	option dev_type 'tun'
	option dev 'tun'
	option keepalive '10 60'
	option verb '3'
	option ca '/etc/openvpn/ca.crt'
	option enable '1'
	option proto 'tcp-server'
	option port '8443'
	option persist_key '1'
	option persist_tun '1'
	option topology 'subnet'
	option client_to_client '1'
	option server '192.168.10.0 255.255.255.0'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	list push 'redirect-gateway'
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.10.1'
	list push 'dhcp-option WINS 192.168.10.1'
  • Key and certs may be uploaded using LuCI (I've created them as explained in the next part)
  • The proto option can be 'udp' or 'tcp-server'
  • The client_to_client option lets clients connected to the VPN interact with each other.
  • For the server option you may choose whatever network range you like, but OpenVPN 2.4 doesn't like large ranges; I would suggest keeping it on a 254-host range (255.255.255.0)
  • list push 'redirect-gateway' makes all the clients connected to the server redirect all their traffic through the VPN
  • list push 'route' makes the client create a route to your internal network (mine is 192.168.1.0/24)
  • list push 'dhcp-option DNS' forces the client to use the specified DNS server IP
  • list push 'dhcp-option WINS' forces the client to use the specified WINS server IP (in my case I also have the samba36 package installed, sharing my attached USB device; this is optional)

Create the following firewall rule to accept incoming connections:

Network > Firewall > Traffic Rules
Rule "Allow-OpenVPN"
Protocol "TCP/UDP"
Source zone "WAN"
Destination zone "Device (input)"
Destination port "8443"
Action "ACCEPT"

Create the interface OPENVPN so you can assign it to a new firewall zone, like this:

Network > Interface
Name "OPENVPN"
Adapter "tun0"
Protocol "Unmanaged"

Create the firewall zone openvpn like this:

Network > Firewall
Name "openvpn"
Input "accept"
Output "accept"
Forward "accept"
Covered networks "OPENVPN"
Allow forward to destination zones "lan/wan"
  • If you select only lan in "Allow forward to destination zones", you only have access to your local LAN resources; if you want to give only internet access, select only wan.

Creating the certs:
I first tried using EasyRSA 3 but I ended up with cert problems when trying to connect. So, I went with EasyRSA 2.2.2.
If you have a macOS device as I do, you need to install brew and then install openssl by running the following commands:

xcode-select --install
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install vim
brew install openssl
  • If you have Xcode installed already, skip the first command

Untar the downloaded easyrsa-2.2.2.tar file, go with the terminal to the extracted directory, then edit the following lines in the vars file as you wish (I use vi for editing, so I run "vi vars", then press "i" and edit the lines; once you finish press the "ESC" key followed by ":wq" and then "Enter"):

export KEY_COUNTRY=
export KEY_PROVINCE=
export KEY_CITY=
export KEY_ORG=
export KEY_EMAIL=
export KEY_OU=

Next, run the following commands:

export PATH="/usr/local/opt/openssl/bin:$PATH"
cp openssl-1.0.0.cnf openssl.cnf
. ./vars
./clean-all
./build-ca

At "build-ca", EasyRSA will ask you for some parameters as specified in the vars file.

Next, create the server keys and follow the same parameters as specified above, only that for "Common name" and "Name" put "server":

./build-key-server server

Next, create the client keys; note that, as with the server, it will ask you for "Common name" and "Name": put the client name you want (with no spaces):

./build-key client1
./build-key client2
./build-key client3

After creating all client keys and certs, generate the Diffie-Hellman parameters with:

./build-dh

So the certs go like this on the server:

ca.crt > ca
server.crt > cert
server.key > key
dh2048.pem > dh

Creating the client config:
Create a .ovpn file (name it as you wish) with this inside:

client
dev tun
proto tcp-client
float

resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote (WAN IP or HOSTNAME to your OpenWrt device) 8443

<ca>
-----BEGIN CERTIFICATE-----
(content of the ca.crt file between these lines)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(content of the client#.crt file between these lines)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(content of the client#.key file between these lines)
-----END PRIVATE KEY-----
</key>

Congrats!! You're done, you may now connect your clients to the OpenVPN server!!
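As an added example (not part of the post above and not easy-rsa's own code), the script below uses the openssl CLI to build throwaway certificates and runs the three checks behind the errors seen earlier in the thread: whether a cert chains to the ca.crt the peer trusts (the server's "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain" appears when a client profile was built from a different CA than the one uploaded to the router), whether server.key really belongs to server.crt, and whether server.crt carries the serverAuth extended key usage that "remote-cert-tls server" in the client profile demands (the client log's "VERIFY EKU OK"). The CA and certificate names (ca-a, ca-b, server, client1, stray) are hypothetical and everything is generated in a temporary directory that is removed on exit.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway certificates plus the three
# checks that explain the certificate errors in this thread. Requires the
# openssl CLI (1.1.1 or newer for the -ext option).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA (hypothetical name, 1-day validity, disposable).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert NAME CA EKU: leaf cert for CN=NAME signed by CA, with the given
# extendedKeyUsage (serverAuth for the server, clientAuth for clients).
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# chains_to_ca LEAF TRUSTED_CA [SENT_CA]: does LEAF verify against the CA file
# the peer trusts? SENT_CA stands in for the issuer cert a peer may send along
# with its own cert during the handshake.
chains_to_ca() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$WORK/$2.crt" -untrusted "$WORK/$3.crt" "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

# chain_error LEAF TRUSTED_CA SENT_CA: the verify error text, e.g. the thread's
# "self signed certificate in certificate chain" (OpenSSL 3 spells it "self-signed").
chain_error() {
  openssl verify -CAfile "$WORK/$2.crt" -untrusted "$WORK/$3.crt" "$WORK/$1.crt" 2>&1 \
    | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p'
}

# key_matches_cert NAME: the key's public half equals the cert's public key.
key_matches_cert() {
  c="$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey | openssl md5)"
  k="$(openssl pkey -in "$WORK/$1.key" -pubout | openssl md5)"
  [ "$c" = "$k" ]
}

# has_server_eku NAME: carries the serverAuth EKU that a client configured with
# "remote-cert-tls server" requires before it will finish the handshake.
has_server_eku() {
  openssl x509 -in "$WORK/$1.crt" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Server Authentication'
}

# Scenario: ca-a is the CA whose ca.crt was uploaded to the router; ca-b stands
# in for a client profile built from a different easy-rsa run.
make_ca ca-a
make_ca ca-b
issue_cert server  ca-a serverAuth
issue_cert client1 ca-a clientAuth
issue_cert stray   ca-b clientAuth

yesno() { "$@" && echo yes || echo no; }
printf 'server chains to ca-a:    %s\n' "$(yesno chains_to_ca server ca-a)"
printf 'client1 chains to ca-a:   %s\n' "$(yesno chains_to_ca client1 ca-a)"
printf 'stray chains to ca-a:     %s (%s)\n' "$(yesno chains_to_ca stray ca-a ca-b)" "$(chain_error stray ca-a ca-b)"
printf 'server key matches cert:  %s\n' "$(yesno key_matches_cert server)"
printf 'server has serverAuth:    %s\n' "$(yesno has_server_eku server)"
printf 'client1 has serverAuth:   %s\n' "$(yesno has_server_eku client1)"
```

To run the same checks on real easy-rsa 2 output, replace the "$WORK/NAME.crt" paths with the files in the keys/ directory, for instance "openssl verify -CAfile keys/ca.crt keys/client1.crt" before pasting client1.crt into a profile, and "openssl x509 -in keys/server.crt -noout -ext extendedKeyUsage" to confirm the server cert was built with build-key-server rather than build-key.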