Connected to OpenVPN server but no traffic, not even a ping to the VPN server

Model TP-Link Archer C7 v5
Firmware Version OpenWrt 24.10.3 r28872-daca7c049b / LuCI openwrt-24.10 branch 25.250.61039~923f8d9
Kernel Version 6.6.104
openvpn-openssl 2.6.19-r1

I have set up the OpenWRT as a client. The intention is to connect the OpenWRT to my own OpenVPN server. Other devices also connect to this server. In that way I can reach devices which are not normally accessible.

I know I need routing and such, but that is a future problem. The problem now is that I cannot even ping the VPN server.

The OpenWRT is behind a firewall. On this same LAN I have another device which communicates to this same OpenVPN server without a problem. On another location I have a different OpenVPN client which also communicates to the OpenVPN server.

This is the IP address:

8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534] 
    inet 10.89.32.29 peer 10.89.32.30/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::91d8:3689:22c2:a7ec/64 scope link flags 800 
       valid_lft forever preferred_lft forever

This is the route:

root@OpenWrt:~# ip route
default via 192.168.0.1 dev eth0.2  src 192.168.0.86 
10.89.32.0/24 via 10.89.32.30 dev tun0 
10.89.32.30 dev tun0 scope link  src 10.89.32.29 
192.168.0.0/24 dev eth0.2 scope link  src 192.168.0.86 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 

The address of the OpenVPN server is 10.89.32.1. There is no ping reply.

root@OpenWrt:~# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
01:03:47.251144 IP 10.89.32.29 > 10.89.32.1: ICMP echo request, id 10251, seq 0, length 64
01:03:48.251360 IP 10.89.32.29 > 10.89.32.1: ICMP echo request, id 10251, seq 1, length 64
01:03:49.251775 IP 10.89.32.29 > 10.89.32.1: ICMP echo request, id 10251, seq 2, length 64
01:03:50.251993 IP 10.89.32.29 > 10.89.32.1: ICMP echo request, id 10251, seq 3, length 64

When I do a packet trace on eth0.2 (the WAN device) I see that the number of packets increase when I execute a ping. But I cannot see whether it is ICMP because the traffic is encrypted. I cannot see the contents of the traffic at all.

On the VPN server I do not see any packet arriving. Hence there is no reply coming back to the OpenWRT.

This is the log file showing a successful connection:

Thu Apr 16 01:03:45 2026 daemon.notice openvpn(sample_client)[9767]: Restart pause, 1 second(s)
Thu Apr 16 01:03:46 2026 daemon.warn openvpn(sample_client)[9767]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Apr 16 01:03:46 2026 daemon.warn openvpn(sample_client)[9767]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Apr 16 01:03:46 2026 daemon.notice openvpn(sample_client)[9767]: TCP/UDP: Preserving recently used remote address: [AF_INET]167.86.91.128:1194
Thu Apr 16 01:03:46 2026 daemon.notice openvpn(sample_client)[9767]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Thu Apr 16 01:03:46 2026 daemon.notice openvpn(sample_client)[9767]: Attempting to establish TCP connection with [AF_INET]167.86.91.128:1194
Thu Apr 16 01:03:46 2026 daemon.notice openvpn(sample_client)[9767]: TCP connection established with [AF_INET]167.86.91.128:1194
Thu Apr 16 01:03:46 2026 daemon.notice openvpn(sample_client)[9767]: TCPv4_CLIENT link local: (not bound)
Thu Apr 16 01:03:46 2026 daemon.notice openvpn(sample_client)[9767]: TCPv4_CLIENT link remote: [AF_INET]167.86.91.128:1194
Thu Apr 16 01:03:47 2026 daemon.notice openvpn(sample_client)[9767]: TLS: Initial packet from [AF_INET]167.86.91.128:1194, sid=e913349c fa007b78
Thu Apr 16 01:03:47 2026 daemon.notice openvpn(sample_client)[9767]: VERIFY OK: depth=1, CN=vpnserv
Thu Apr 16 01:03:47 2026 daemon.notice openvpn(sample_client)[9767]: VERIFY OK: depth=0, CN=vpnserv
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: [vpnserv] Peer Connection Initiated with [AF_INET]167.86.91.128:1194
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: PUSH: Received control message: 'PUSH_REPLY,route 10.89.32.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.89.32.29 10.89.32.30,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: OPTIONS IMPORT: route options modified
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: OPTIONS IMPORT: tun-mtu set to 1500
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: Preserving previous TUN/TAP instance: tun0
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: Initialization Sequence Completed
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'stub'
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: Timers: ping 10, ping-restart 120
Thu Apr 16 01:03:48 2026 daemon.notice openvpn(sample_client)[9767]: Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt

Firewall config:

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='vpn0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='vpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='wan'

Network config:

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fde1:3afc:3468::/48'
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0.1'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.@device[1]=device
network.@device[1].name='eth0.2'
network.@device[1].macaddr='84:d8:1b:7d:11:8f'
network.wan=interface
network.wan.device='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.vpn0=interface
network.vpn0.proto='none'
network.vpn0.device='tun0'

OpenVPN config: (Note the VPN server is disabled. I only use "sample_client")

openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh2048.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.enabled='1'
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.remote='vpnserv.example.com 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/bon-gateway-ap.crt'
openvpn.sample_client.key='/etc/openvpn/bon-gateway-ap.key'
openvpn.sample_client.data_ciphers='AES-256-GCM'
openvpn.sample_client.data_ciphers_fallback='AES-128-GCM'
openvpn.sample_client.verb='3'
openvpn.sample_client.comp_lzo='no'
openvpn.sample_client.proto='tcp-client'

I have re-initiated the OpenWRT various times to a clean slate condition. Also I have tried various scenarios for firewalling, like allowing all traffic everywhere, with or without masquerading, tun0 in the WAN zone and whatnot. However, I believe the current configuration is the correct one to connect a client.

For this time I only want to be able to ping my VPN server. That is the first step in testing connectivity which every VPN client should be able to do regardless of (almost) anything.

A few things...

This is old and should be updated. I'd recommend moving to 25.12 since 24.10 is now EOL, but at the very least upgrade to 24.10.6 to ensure that you're up to date with security patches.

Since you control both sides, have you considered using WireGuard instead? It's easier to configure and much more performant than OpenVPN.

Meanwhile, let's see your config in another form -- this is easier to read and spot issues.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Well, that is a bit weird. I installed the Archer a few weeks ago with the image which was available then. I had no idea new versions were released so frequently. I have flashed the device.

OpenWrt 25.12.2 r32802-f505120278 / LuCI (HEAD detached at 067535e) branch 26.082.75780~067535e

I had hopes this solved it, but no. Here is the information you requested;

{
        "kernel": "6.12.74",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.2",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32802-f505120278",
                "target": "ath79/generic",
                "description": "OpenWrt 25.12.2 r32802-f505120278",
                "builddate": "1774469393"
        }
}

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde1:1234:5678::/48'
        option packet_steering '1'
        option dhcp_default_duid '000<removed>'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '12:34:56:78:9a:bc'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'vpn0'
        option proto 'none'
        option device 'tun0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpn0'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

Thanks for the additional config info.

From where are you trying to ping? What is the source IP and the destination IP?

root@OpenWrt:~# ping 10.89.32.1
PING 10.89.32.1 (10.89.32.1): 56 data bytes

I am connected thru SSH with the OpenWRT.
Destination is 10.89.32.1 (the IP of the OpenVPN server)
Source address is unspecified, but I assume 10.89.32.29 is used since I am pinging on the 10.89.32.0/24 network.

This is the IP of the OpenWRT tun0:

7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534] 
    inet 10.89.32.29 peer 10.89.32.30/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::dd3f:b7d1:e8a8:27e9/64 scope link flags 800 
       valid_lft forever preferred_lft forever

And this is the IP of the OpenVPN server:

29: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.89.32.1 peer 10.89.32.2/32 scope global tun0
       valid_lft forever preferred_lft forever

I forgot to answer your question why not using Wireguard: I have some 20 Grandstream UCM 62xx PBX in the field which connect to the OpenVPN server. They only support OpenVPN, not Wireguard.

Does anything change if you enable masquerading on the vpn zone?

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpn0'
        option masq '1'

I tried that before, no effect.
Because I am running the new firmware now I re-tried. No effect.

And just to make sure- the server accepts pings from other OpenVPN clients? And there are no firewall restrictions on the vpn server itself, right?

That is correct. The VPN server replies to pings. Currently 2 instances used for testing:

• One Grandstream UCM 6204 on my LAN behind the same ISP router as the OpenWRT.
• One Raspi running Debian Bullseye in another location behind a different router.

I have one client to the LAN side of the OpenWRT. I can ping public addresses on the internet. It is not that somewhere ping is blocked on the OpenWRT or in the ISP router.

The OpenVPN server does not have a firewall installed.

In case you are wondering, the OpenWRT is not in production yet.

Have you compared the client configuration between openwrt and one of the working clients?

Yes.

I had to, because I took the settings for the OpenWRT from another client. To be sure.

Some obvious mismatches like compression and so result in a failure to establish the VPN. As a matter of fact, most client config errors result in the VPN connection failing.

According to the routing table, the tun peer address is 10.89.32.30 and network 10.89.32.0/24 (which includes 10.89.32.1) should be reachable via this address.

What is 10.89.32.30 and can you ping it?

The server seems to use net30 instead of topology subnet this is deprecated and might lead to problematic client-to-client routing.
But it is still possible to use it, switching to topology subnet might need to adapt the CCD-files if you use IP addresses instead of client names.
So if it works just keep it for now but consider updating your setup to current standards
(Compression is also deprecated)

It might help if you show us the OpnVPN log and routing table:

logread -e openvpn
ip route show
ip -6 route show

@pavelgl There used to be a good explanation of net30 topology and what each IP address meant but I cannot find it anymore. If the client is configured with 2 addresses 10.89.32.29 and 10.89.32.30, the latter is called the "peer". One expects that it is pingable, but it is not. I have checked my working clients and they don't ping that address either. Since net30 is phased out I won't break my head.

@egc I missed that. Still living in 2006 I guess, I didn't know net30 was obsoleted. It is worth trying to change to subnet topology. No problem to change the CCDs, I have only 3 clients and it is a test setup. I'll report back when I tried.

I don't have compression. I did catch it is deprecated.

This is the output of IP6 route:

root@OpenWrt:/etc/config# ip -6 route
fde1:3afc:3468::/64 dev br-lan  metric 1024 
unreachable fde1:3afc:3468::/48 dev lo  metric 2147483647 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev tun0  metric 256

The other 2 listings you asked for are in my original post.

OK, I changed the server directive and changed all the client configs.

The topology is working fine. Two other clients immediately connected and could ping the server.

The OpenWRT also connected. But no ping, no traffic.

On a side note, the config on the client does not need to include the topology option. Apparently it is pushed by the server.