The server starts and appears to be listening for connections fine.
This is the log from the openvpn startup sequence:
Fri Oct 22 17:14:29 2021 daemon.warn openvpn(server)[3757]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: OpenVPN 2.5.3 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
Fri Oct 22 17:14:29 2021 daemon.warn openvpn(server)[3757]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: TUN/TAP device tun0 opened
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: net_iface_mtu_set: mtu 1500 for tun0
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: net_iface_up: set tun0 up
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: net_addr_v4_add: 192.168.18.1/24 dev tun0
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: /usr/libexec/openvpn-hotplug up server tun0 1500 1621 192.168.18.1 255.255.255.0 init
Fri Oct 22 17:14:29 2021 daemon.warn openvpn(server)[3757]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: UDPv4 link local (bound): [AF_INET][undef]:1194
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: UDPv4 link remote: [AF_UNSPEC]
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: GID set to nogroup
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: UID set to nobody
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: Initialization Sequence Completed
When I try to connect using Viscosity, though, I get this error in the OpenWRT log:
Fri Oct 22 18:39:12 2021 daemon.err openvpn(server)[3757]: TLS Error: could not determine wrapping from [AF_INET]172.16.9.1:63983
The VPN client keeps trying and this error keeps coming back until I eventually stop the client from trying.
OpenWRT runs on a VM on top of Fusion and it receives an IP address on the LAN via DHCP. The address is 172.16.9.2
172.16.9.1 is the IP address of the VMware virtual network host machine.
This is the log from Viscosity client:
2021-10-22 15:50:37: State changed to Connecting
2021-10-22 15:50:37: Checking reachability status of connection...
2021-10-22 15:50:37: Connection is reachable. Starting connection attempt.
2021-10-22 15:50:37: OpenVPN 2.4.11 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Aug 26 2021
2021-10-22 15:50:37: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2021-10-22 15:50:37: Valid endpoint found: 172.16.9.2:1194:udp
2021-10-22 15:50:37: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-10-22 15:50:37: TCP/UDP: Preserving recently used remote address: [AF_INET]172.16.9.2:1194
2021-10-22 15:50:37: UDP link local: (not bound)
2021-10-22 15:50:37: UDP link remote: [AF_INET]172.16.9.2:1194
The attempt to connect ends on the last line of the log... it will stay there pretty much until killed.
This is not about certs, but about the TLS-crypt v2 key, which is only supported by OpenVPN 2.5.
The current page revision generates keys and configs with tls-crypt-v2.
But you need to regenerate the TLS crypt key and use tls-crypt for OpenVPN 2.4.
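As an added illustration of the compatibility point above (this is not part of the thread, and not an OpenWrt or OpenVPN tool): a small POSIX shell script that reads the control-channel wrapping directive from a server config and checks it against a client's OpenVPN version. The sample configs, the key file paths and the "00" key body are constructed placeholders; the version floors (tls-crypt-v2 from 2.5, tls-crypt from 2.4, tls-auth on any 2.x) are the ones that matter for the "could not determine wrapping" error in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: classify the control-channel key
# wrapping an OpenVPN server config declares, and check whether a client of
# a given version can use it. tls-crypt-v2 needs OpenVPN 2.5 on both ends;
# tls-crypt works from 2.4; tls-auth works on every 2.x release.

# Print the wrapping mode found in config file $1: tls-crypt-v2, tls-crypt,
# tls-auth or none. Both the file-reference form ("tls-crypt tc.key") and the
# inline form ("<tls-crypt>" ... "</tls-crypt>") are recognised; the -v2
# pattern is tested first because "tls-crypt" is a prefix of it.
wrapping_mode() {
    if grep -Eq '^[[:space:]]*(tls-crypt-v2[[:space:]]|<tls-crypt-v2>)' "$1"; then
        echo tls-crypt-v2
    elif grep -Eq '^[[:space:]]*(tls-crypt[[:space:]]|<tls-crypt>)' "$1"; then
        echo tls-crypt
    elif grep -Eq '^[[:space:]]*(tls-auth[[:space:]]|<tls-auth>)' "$1"; then
        echo tls-auth
    else
        echo none
    fi
}

# Lowest OpenVPN version (major.minor) whose client side understands $1.
min_version_for() {
    case "$1" in
        tls-crypt-v2) echo 2.5 ;;
        tls-crypt)    echo 2.4 ;;
        *)            echo 2.0 ;;   # tls-auth or no wrapping: any 2.x client
    esac
}

# Turn "2.4.11" into a comparable integer (major*100 + minor); the patch
# level never changes which wrapping modes are available.
version_key() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -d. -f2)
    echo $(( major * 100 + minor ))
}

# Report whether a client running OpenVPN version $2 can complete the
# handshake against server config $1. Prints the verdict; returns 0 if
# compatible, 1 if not. On a mismatch the server logs
# "TLS Error: could not determine wrapping from ..." for every attempt.
client_compatible() {
    mode=$(wrapping_mode "$1")
    needed=$(min_version_for "$mode")
    if [ "$(version_key "$2")" -ge "$(version_key "$needed")" ]; then
        echo "OK: client $2 supports $mode"
        return 0
    fi
    echo "MISMATCH: client $2 cannot use $mode (needs OpenVPN $needed or newer)"
    echo "  Remedy: generate a v1 key once and reference the same file on both ends:"
    echo "    openvpn --genkey secret tc.key   # 2.5 syntax; on 2.4: openvpn --genkey --secret tc.key"
    echo "    tls-crypt tc.key                 # replaces the tls-crypt-v2 line in server and client config"
    return 1
}

# Constructed sample configs; paths and key body are placeholders, not real keys.
work=$(mktemp -d)
cat > "$work/server-v2.conf" <<'EOF'
dev tun
port 1194
proto udp
server 192.168.18.0 255.255.255.0
tls-crypt-v2 /etc/openvpn/server-v2.key
EOF
cat > "$work/server-v1.conf" <<'EOF'
dev tun
port 1194
proto udp
server 192.168.18.0 255.255.255.0
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF

# The Viscosity build in the thread ships OpenVPN 2.4.11; the OpenWrt server is 2.5.3.
client_compatible "$work/server-v2.conf" 2.4.11 || true
client_compatible "$work/server-v1.conf" 2.4.11 || true
```

Run it against the real server config with the client's version string taken from the client log ("OpenVPN 2.4.11 ..."); the temp directory it creates holds only the constructed samples and can be deleted afterwards.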
I did regenerate the keys using tls-crypt, I assume (I followed the instructions you shared).
I suppose this line cleans all previous keys that were created with tls-crypt-v2:
easyrsa init-pki
This is the first time I've set up an OpenVPN server, so forgive my ignorance. I've been scouring through all the articles and blogs I can find to try to get this working.
Completely removed the section from the config file.
Restarted service.
Tried configuring the client using the ca, cert and private key from the server.
I got this in OpenWRT logs:
The client is more limited in what it supports configuring. Viscosity provides a visual interface with a few options. The only option that doesn't refer to TLS is called "static key" and expects a "secret file" to be linked to the config. Not sure if this is supported by OpenVPN on OpenWRT.
I have never seen something like this.
This is the server config:
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.18.0 255.255.255.0
topology subnet
keepalive 10 60
persist-tun
persist-key
# push "dhcp-option DNS 192.168.18.1"
# push "dhcp-option DOMAIN lan"
# push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
The server config looks normal, so the problem should be on the client side.
I import the generated VPN profile to NetworkManager and it works just fine.
Since you're starting from scratch, perhaps you shouldn't even bother with OpenVPN.
WireGuard is preferable for better performance and easier configuration.