Help with OpenVPN bridge to internal LAN DHCP

Hey Folks,

I can't get my OpenVPN bridge working on my WRT3200ACM router.

I need help here :)! Maybe someone knows where the problem is.

  • I want the OpenVPN bridge to bridge the clients directly into my LAN, so that they also get an IP from the DHCP on the LAN.

  • Also I want the client traffic to be routed totally over the VPN.

  • If you have hints for security and further improvements, I would be happy to hear them!

Here are the details about the Setup:

**router: 192.168.1.1/24 (lan)** (will change later to avoid IP range errors with client nets)

network config (relevant parts):

```
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'tap0'
	option bridge_empty '1'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	list dns '192.168.0.1'
	option delegate '0'

config device
	option name 'wan'
	option macaddr '26:f5:a2:c4:2a:f0'
	option ipv6 '0'
	option multicast '1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config device
	option name 'tap0'
	option ipv6 '0'
```


firewall config (relevant parts):

```
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '1194 1195'
	option family 'ipv4'
```


Do I need a rule for tap? To allow forward?

openvpn server config:

```
verb 3
port 1194
proto udp4
dev tap0
dev-type tap
mode server
tls-server
keepalive 10 60
topology subnet
server-bridge
push "route-gateway 192.168.1.1"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option WINS 192.168.1.1"
push "topology subnet"
push "route-delay 5"
push "redirect-gateway def1"
client-to-client
persist-key
persist-tun
<dh>
-----BEGIN DH PARAMETERS-----
BLABLA
-----END DH PARAMETERS-----
</dh>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
BLABLA
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----
BLABLA
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
BLABLA
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
BLABLA
-----END CERTIFICATE-----
</ca>
<crl-verify>
BLABLA
</crl-verify>
```

openvpn client conf:

```
dev tap
client
proto udp4
remote example.com 1194
resolv-retry infinite
persist-key
persist-tun
keepalive 10 120
auth-nocache
remote-cert-tls server
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
BLABLA
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----
BLABLA
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
BLABLA
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
BLABLA
-----END CERTIFICATE-----
</ca>
<crl-verify>
-----BEGIN X509 CRL-----
BLABLA
-----END X509 CRL-----
</crl-verify>
```

I think I'm just missing something. Here is the output from the server:

2023-05-13 10:25:20 **--cipher is not set.** Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

2023-05-13 10:25:20 OpenVPN 2.5.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]

2023-05-13 10:25:20 library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10

2023-05-13 10:25:20 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to

2023-05-13 10:25:20 net_route_v4_best_gw query: dst 0.0.0.0

2023-05-13 10:25:20 net_route_v4_best_gw result: via 192.168.0.1 dev wan

2023-05-13 10:25:20 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.

2023-05-13 10:25:20 Diffie-Hellman initialized with 2048 bit key

2023-05-13 10:25:20 CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----

BLABLA

-----END X509 CRL-----

2023-05-13 10:25:20 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:20 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:20 TUN/TAP device tap0 opened

2023-05-13 10:25:20 Socket Buffers: R=[180224->180224] S=[180224->180224]

2023-05-13 10:25:20 UDPv4 link local (bound): [AF_INET][undef]:1194

2023-05-13 10:25:20 UDPv4 link remote: [AF_UNSPEC]

2023-05-13 10:25:20 MULTI: multi_init called, r=256 v=256

2023-05-13 10:25:20 Initialization Sequence Completed

2023-05-13 10:25:28 Control Channel: using tls-crypt-v2 key

2023-05-13 10:25:28 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:28 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:28 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:28 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:28 Hidden:64241 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:28 Hidden:64241 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:28 Hidden:64241 TLS: Initial packet from [AF_INET]Hidden:64241, sid=a6b6c8b4 5f8e0862

2023-05-13 10:25:28 Hidden:64241 Control Channel: using tls-crypt-v2 key

2023-05-13 10:25:28 Hidden:64241 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:28 Hidden:64241 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:28 Hidden:64241 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:28 Hidden:64241 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:28 Hidden:64241 VERIFY OK: depth=1, C=DE, ST=Hidden, L=KTOWN, O=Hidden, OU=IT-Sec, CN=exploit.de.com, emailAddress=info@Hidden

2023-05-13 10:25:28 Hidden:64241 VERIFY OK: depth=0, C=DE, ST=Hidden, L=KTOWN, O=Hidden, OU=IT-Sec, CN=Hidden, emailAddress=info@Hidden

2023-05-13 10:25:29 Hidden:64241 peer info: IV_VER=2.6.4

2023-05-13 10:25:29 Hidden:64241 peer info: IV_PLAT=win

2023-05-13 10:25:29 Hidden:64241 peer info: IV_TCPNL=1

2023-05-13 10:25:29 Hidden:64241 peer info: IV_MTU=1600

2023-05-13 10:25:29 Hidden:64241 peer info: IV_NCP=2

2023-05-13 10:25:29 Hidden:64241 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM

2023-05-13 10:25:29 Hidden:64241 peer info: IV_PROTO=990

2023-05-13 10:25:29 Hidden:64241 peer info: IV_LZO_STUB=1

2023-05-13 10:25:29 Hidden:64241 peer info: IV_COMP_STUB=1

2023-05-13 10:25:29 Hidden:64241 peer info: IV_COMP_STUBv2=1

2023-05-13 10:25:29 Hidden:64241 peer info: IV_GUI_VER=OpenVPN_GUI_11

2023-05-13 10:25:29 Hidden:64241 peer info: IV_SSO=openurl,webauth,crtext

2023-05-13 10:25:29 Hidden:64241 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'

2023-05-13 10:25:29 Hidden:64241 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256

2023-05-13 10:25:29 Hidden:64241 [vpnuser] Peer Connection Initiated with [AF_INET]Hidden:64241

2023-05-13 10:25:29 vpnuser/Hidden:64241 MULTI: **no dynamic or static remote--ifconfig address is available for vpnuser/Hidden:64241**

2023-05-13 10:25:29 vpnuser/Hidden:64241 Data Channel: using negotiated cipher 'AES-256-GCM'

2023-05-13 10:25:29 vpnuser/Hidden:64241 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2023-05-13 10:25:29 vpnuser/Hidden:64241 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2023-05-13 10:25:29 vpnuser/Hidden:64241 SENT CONTROL [vpnuser]: 'PUSH_REPLY,route-gateway 192.168.1.1,dhcp-option DNS 192.168.1.1,dhcp-option WINS 192.168.1.1,topology subnet,route-delay 5,redirect-gateway def1,route-gateway dhcp,ping 10,ping-restart 60,peer-id 0,cipher AES-256-GCM' (status=1)

2023-05-13 10:25:29 vpnuser/Hidden:64241 MULTI: Learn: 00:ff:f9:a2:fb:8e@0 -> vpnuser/Hidden:64241

2023-05-13 10:25:30 Control Channel: using tls-crypt-v2 key

2023-05-13 10:25:30 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:30 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:30 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:30 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:30 Hidden:40023 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:30 Hidden:40023 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:30 Hidden:40023 TLS: Initial packet from [AF_INET]Hidden:40023, sid=f8832c1e 06a89c9d

2023-05-13 10:25:30 Hidden:40023 Control Channel: using tls-crypt-v2 key

2023-05-13 10:25:30 Hidden:40023 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:30 Hidden:40023 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:30 Hidden:40023 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:30 Hidden:40023 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:30 Hidden:40023 VERIFY OK: depth=1, C=DE, ST=Hidden, L=KTOWN, O=Hidden, OU=IT-Sec, CN=exploit.de.com, emailAddress=info@Hidden

2023-05-13 10:25:30 Hidden:40023 VERIFY OK: depth=0, C=DE, ST=Hidden, L=KTOWN, O=Hidden, OU=IT-Sec, CN=vpnuser, emailAddress=info@Hidden

2023-05-13 10:25:30 Hidden:40023 peer info: IV_VER=2.5.7

2023-05-13 10:25:30 Hidden:40023 peer info: IV_PLAT=linux

2023-05-13 10:25:30 Hidden:40023 peer info: IV_PROTO=6

2023-05-13 10:25:30 Hidden:40023 peer info: IV_NCP=2

2023-05-13 10:25:30 Hidden:40023 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM

2023-05-13 10:25:30 Hidden:40023 peer info: IV_LZ4=1

2023-05-13 10:25:30 Hidden:40023 peer info: IV_LZ4v2=1

2023-05-13 10:25:30 Hidden:40023 peer info: IV_LZO=1

2023-05-13 10:25:30 Hidden:40023 peer info: IV_COMP_STUB=1

2023-05-13 10:25:30 Hidden:40023 peer info: IV_COMP_STUBv2=1

2023-05-13 10:25:30 Hidden:40023 peer info: IV_TCPNL=1

2023-05-13 10:25:30 Hidden:40023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256

2023-05-13 10:25:30 Hidden:40023 [vpnuser] Peer Connection Initiated with [AF_INET]Hidden:40023

2023-05-13 10:25:30 MULTI: new connection by client 'vpnuser' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

2023-05-13 10:25:30 MULTI: **no dynamic or static remote--ifconfig address is available for vpnuser/Hidden:40023**

2023-05-13 10:25:30 Data Channel: using negotiated cipher 'AES-256-GCM'

2023-05-13 10:25:30 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2023-05-13 10:25:30 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2023-05-13 10:25:30 SENT CONTROL [vpnuser]: 'PUSH_REPLY,route-gateway 192.168.1.1,dhcp-option DNS 192.168.1.1,dhcp-option WINS 192.168.1.1,topology subnet,route-delay 5,redirect-gateway def1,route-gateway dhcp,ping 10,ping-restart 60,peer-id 1,cipher AES-256-GCM' (status=1)

2023-05-13 10:25:35 Control Channel: using tls-crypt-v2 key

2023-05-13 10:25:35 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:35 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:35 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:35 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:35 Hidden:33254 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:35 Hidden:33254 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:35 Hidden:33254 TLS: Initial packet from [AF_INET]Hidden:33254, sid=31a27b62 6f6ca1df

2023-05-13 10:25:35 Hidden:33254 Control Channel: using tls-crypt-v2 key

2023-05-13 10:25:35 Hidden:33254 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:35 Hidden:33254 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:35 Hidden:33254 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:35 Hidden:33254 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:35 Hidden:33254 VERIFY OK: depth=1, C=DE, ST=Hidden, L=KTOWN, O=Hidden, OU=IT-Sec, CN=exploit.de.com, emailAddress=info@Hidden

2023-05-13 10:25:35 Hidden:33254 VERIFY OK: depth=0, C=DE, ST=Hidden, L=KTOWN, O=Hidden, OU=IT-Sec, CN=vpnuser, emailAddress=info@Hidden

2023-05-13 10:25:35 Hidden:33254 peer info: IV_VER=2.5.7

2023-05-13 10:25:35 Hidden:33254 peer info: IV_PLAT=linux

2023-05-13 10:25:35 Hidden:33254 peer info: IV_PROTO=6

2023-05-13 10:25:35 Hidden:33254 peer info: IV_NCP=2

2023-05-13 10:25:35 Hidden:33254 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM

2023-05-13 10:25:35 Hidden:33254 peer info: IV_LZ4=1

2023-05-13 10:25:35 Hidden:33254 peer info: IV_LZ4v2=1

2023-05-13 10:25:35 Hidden:33254 peer info: IV_LZO=1

2023-05-13 10:25:35 Hidden:33254 peer info: IV_COMP_STUB=1

2023-05-13 10:25:35 Hidden:33254 peer info: IV_COMP_STUBv2=1

2023-05-13 10:25:35 Hidden:33254 peer info: IV_TCPNL=1

2023-05-13 10:25:35 Hidden:33254 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256

2023-05-13 10:25:35 Hidden:33254 [vpnuser] Peer Connection Initiated with [AF_INET]Hidden:33254

2023-05-13 10:25:35 MULTI: new connection by client 'vpnuser' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

2023-05-13 10:25:35 MULTI: no dynamic or static remote--ifconfig address is available for vpnuser/Hidden:33254

2023-05-13 10:25:35 Data Channel: using negotiated cipher 'AES-256-GCM'

2023-05-13 10:25:35 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2023-05-13 10:25:35 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2023-05-13 10:25:35 SENT CONTROL [vpnuser]: 'PUSH_REPLY,route-gateway 192.168.1.1,dhcp-option DNS 192.168.1.1,dhcp-option WINS 192.168.1.1,topology subnet,route-delay 5,redirect-gateway def1,route-gateway dhcp,ping 10,ping-restart 60,peer-id 0,cipher AES-256-GCM' (status=1)

2023-05-13 10:25:40 Control Channel: using tls-crypt-v2 key

2023-05-13 10:25:40 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:40 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:40 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:40 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:40 Hidden:42761 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:40 Hidden:42761 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:40 Hidden:42761 TLS: Initial packet from [AF_INET]Hidden:42761, sid=f3a67ec0 a665e7fb

2023-05-13 10:25:40 Hidden:42761 Control Channel: using tls-crypt-v2 key

2023-05-13 10:25:40 Hidden:42761 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:40 Hidden:42761 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:40 Hidden:42761 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

2023-05-13 10:25:40 Hidden:42761 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

2023-05-13 10:25:40 Hidden:42761 VERIFY OK: depth=1, C=DE, ST=, L=, O=, OU=, CN=, emailAddress=

2023-05-13 10:25:40 Hidden:42761 VERIFY OK: depth=0, C=DE, ST=, L=, O=, OU=, CN=, emailAddress=

2023-05-13 10:25:40 Hidden:42761 peer info: IV_VER=2.5.7

2023-05-13 10:25:40 Hidden:42761 peer info: IV_PLAT=linux

2023-05-13 10:25:40 Hidden:42761 peer info: IV_PROTO=6

2023-05-13 10:25:40 Hidden:42761 peer info: IV_NCP=2

2023-05-13 10:25:40 Hidden:42761 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM

2023-05-13 10:25:40 Hidden:42761 peer info: IV_LZ4=1

2023-05-13 10:25:40 Hidden:42761 peer info: IV_LZ4v2=1

2023-05-13 10:25:40 Hidden:42761 peer info: IV_LZO=1

2023-05-13 10:25:40 Hidden:42761 peer info: IV_COMP_STUB=1

2023-05-13 10:25:40 Hidden:42761 peer info: IV_COMP_STUBv2=1

2023-05-13 10:25:40 Hidden:42761 peer info: IV_TCPNL=1

2023-05-13 10:25:40 Hidden:42761 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256

2023-05-13 10:25:40 Hidden:42761 [vpnuser] Peer Connection Initiated with [AF_INET]Hidden:42761

2023-05-13 10:25:40 MULTI: new connection by client 'vpnuser' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

2023-05-13 10:25:40 MULTI: no dynamic or static remote--ifconfig address is available for vpnuser/Hidden:42761

2023-05-13 10:25:40 Data Channel: using negotiated cipher 'AES-256-GCM'

2023-05-13 10:25:40 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2023-05-13 10:25:40 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2023-05-13 10:25:40 SENT CONTROL [vpnuser]: 'PUSH_REPLY,route-gateway 192.168.1.1,dhcp-option DNS 192.168.1.1,dhcp-option WINS 192.168.1.1,topology subnet,route-delay 5,redirect-gateway def1,route-gateway dhcp,ping 10,ping-restart 60,peer-id 1,cipher AES-256-GCM' (status=1)

2023-05-13 10:25:42 event_wait : Interrupted system call (code=4)

2023-05-13 10:25:42 Closing TUN/TAP interface

2023-05-13 10:25:42 SIGINT[hard,] received, process exiting

**These are also present:**

**2023-05-13 10:24:54 SENT CONTROL [vpnuser]: 'PUSH_REPLY,route-gateway 192.168.1.1,dhcp-option DNS 192.168.1.1,dhcp-option WINS 192.168.1.1,topology subnet,route-delay 5,redirect-gateway def1,route-gateway dhcp,ping 10,ping-restart 60,peer-id 0,cipher AES-256-GCM' (status=1)**

**2023-05-13 10:24:55 AEAD Decrypt error: cipher final failed**

Output from the connecting client:


Sat May 13 12:35:24 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

Sat May 13 12:35:24 2023 OpenVPN 2.6.4 [git:v2.6.4/b4f749f14a8edc75] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on May 11 2023

Sat May 13 12:35:24 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable

Sat May 13 12:35:24 2023 library versions: OpenSSL 3.1.0 14 Mar 2023, LZO 2.10

Sat May 13 12:35:24 2023 DCO version: v0

Sat May 13 12:35:25 2023 CRL: loaded 1 CRLs from file -----BEGIN X509 CRL----

Sat May 13 12:35:25 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]Hidden:1194

Sat May 13 12:35:25 2023 UDPv4 link local: (not bound)

Sat May 13 12:35:25 2023 UDPv4 link remote: [AF_INET]Hidden:1194

Sat May 13 12:35:25 2023 [server_internal] Peer Connection Initiated with [AF_INET]Hidden:1194

Sat May 13 12:35:25 2023 open_tun

Sat May 13 12:35:25 2023 tap-windows6 device [LAN-Verbindung 2] opened

Sat May 13 12:35:25 2023 Successful ARP Flush on interface [6] {F9A2FB8E-EFBF-4264-B858-A7248853D756}

Sat May 13 12:35:30 2023 Initialization Sequence Completed

The server fails in a loop with:


2023-05-13 10:37:00 Hidden:57011 [Hidden] Peer Connection Initiated with [AF_INET]Hidden:57011

2023-05-13 10:37:00 MULTI: new connection by client 'Hidden' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

2023-05-13 10:37:00 MULTI: no dynamic or static remote--ifconfig address is available for Hidden/Hidden:57011

2023-05-13 10:37:00 Data Channel: using negotiated cipher 'AES-256-GCM'

2023-05-13 10:37:00 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2023-05-13 10:37:00 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2023-05-13 10:37:00 SENT CONTROL [Hidden]: 'PUSH_REPLY,route-gateway 192.168.1.1,dhcp-option DNS 192.168.1.1,dhcp-option WINS 192.168.1.1,topology subnet,route-delay 5,redirect-gateway def1,route-gateway dhcp,ping 10,ping-restart 60,peer-id 0,cipher AES-256-GCM' (status=1)

2023-05-13 10:37:00 AEAD Decrypt error: cipher final failed

Are my certs wrong?
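Reading several hundred log lines for the loop pattern is error-prone, so here is a small triage script, added here as an example and not part of the original post, that counts the events which matter in the server output above: sessions initiated, duplicate-CN drops, the "no dynamic or static remote--ifconfig address" notes, AEAD decrypt errors and tun-mtu mismatch warnings, plus sessions per certificate CN. The embedded log is a constructed sample modelled on the lines above (the thread's "Hidden" placeholders are kept), and the log path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): triage an OpenVPN server log by counting
# the events that matter when a TAP/server-bridge setup reconnects in a loop.
# Uses only grep/awk/sed/sort, so it also runs on an OpenWrt box with busybox:
#   sh ovpn-triage.sh /var/log/openvpn.log      (hypothetical path)

# write_sample_log FILE: constructed sample modelled on the server output in the
# thread ("Hidden" stands in for real addresses). Not a real capture.
write_sample_log() {
  cat > "$1" <<'EOF'
2023-05-13 10:25:20 Initialization Sequence Completed
2023-05-13 10:25:29 Hidden:64241 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
2023-05-13 10:25:29 Hidden:64241 [vpnuser] Peer Connection Initiated with [AF_INET]Hidden:64241
2023-05-13 10:25:29 vpnuser/Hidden:64241 MULTI: no dynamic or static remote--ifconfig address is available for vpnuser/Hidden:64241
2023-05-13 10:25:30 Hidden:40023 [vpnuser] Peer Connection Initiated with [AF_INET]Hidden:40023
2023-05-13 10:25:30 MULTI: new connection by client 'vpnuser' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
2023-05-13 10:25:30 MULTI: no dynamic or static remote--ifconfig address is available for vpnuser/Hidden:40023
2023-05-13 10:25:35 Hidden:33254 [vpnuser] Peer Connection Initiated with [AF_INET]Hidden:33254
2023-05-13 10:25:35 MULTI: new connection by client 'vpnuser' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
2023-05-13 10:25:35 MULTI: no dynamic or static remote--ifconfig address is available for vpnuser/Hidden:33254
2023-05-13 10:25:36 AEAD Decrypt error: cipher final failed
EOF
}

# count_fixed LOG STRING: number of lines containing STRING; prints 0 (not an error) on no match
count_fixed() {
  grep -cF -- "$2" "$1" || true
}

ovpn_peer_inits()         { count_fixed "$1" 'Peer Connection Initiated'; }
ovpn_duplicate_cn_drops() { count_fixed "$1" 'previous active sessions by this client to be dropped'; }
ovpn_no_ifconfig_addr()   { count_fixed "$1" 'no dynamic or static remote--ifconfig address'; }
ovpn_aead_errors()        { count_fixed "$1" 'AEAD Decrypt error'; }
ovpn_mtu_mismatches()     { count_fixed "$1" "'tun-mtu' is used inconsistently"; }

# ovpn_sessions_per_cn LOG: one "CN count" line per certificate common name,
# taken from the "[cn] Peer Connection Initiated with ..." lines (split on [ and ])
ovpn_sessions_per_cn() {
  awk -F'[][]' '/Peer Connection Initiated with/ { n[$2]++ }
                END { for (c in n) printf "%s %d\n", c, n[c] }' "$1" | sort
}

# ovpn_triage LOG: print the summary
ovpn_triage() {
  log=$1
  printf 'sessions initiated:        %s\n' "$(ovpn_peer_inits "$log")"
  printf 'duplicate-CN drops:        %s\n' "$(ovpn_duplicate_cn_drops "$log")"
  printf 'no server-assigned addr:   %s  (expected with a bare server-bridge, i.e. DHCP-proxy mode)\n' "$(ovpn_no_ifconfig_addr "$log")"
  printf 'AEAD decrypt errors:       %s\n' "$(ovpn_aead_errors "$log")"
  printf 'tun-mtu mismatch warnings: %s\n' "$(ovpn_mtu_mismatches "$log")"
  printf 'sessions per CN:\n'
  ovpn_sessions_per_cn "$log" | sed 's/^/  /'
}

# With no argument, run against the constructed sample; otherwise against the given log.
if [ $# -eq 0 ]; then
  sample=$(mktemp)
  write_sample_log "$sample"
  ovpn_triage "$sample"
  rm -f "$sample"
else
  ovpn_triage "$1"
fi
```

Two things the counts make visible. With `server-bridge` given without parameters OpenVPN runs in DHCP-proxy mode and pushes `route-gateway dhcp` (present in the PUSH_REPLY above), so the server assigns no address itself and the remote--ifconfig line is informational rather than an error; the client still has to run a DHCP client on its tap interface to pick an address up, which Windows does for the TAP adapter and a Linux client has to be told to do. And three sessions for one CN with two duplicate-CN drops is exactly the displacement loop shown above; issuing one certificate per client device, rather than adding `--duplicate-cn`, avoids that and keeps the CRL useful per device.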

Do you need any VPN, or precisely OpenVPN?

OpenVPN would be great!

Try without tls-crypt-v2.

Just remove it from client and server, just for testing whether this is the problem.

I'm on it and changed the encryption to

```
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
BLA
```

Will post when it's working.

Unless you have a peculiar reason to use OpenVPN, simple advice would be to consider WireGuard instead. It is much easier to configure/install and has better performance. Set up Wireguard on OpenWrt - Robin Bühler
If you still want to use OpenVPN, well, I'm awfully rusty with its config, and I'm afraid I can't help any more. :woozy_face:

Is there a reason you want to use a TAP interface as compared to a tunnel? Specifically, TAP has the tendency to be much less efficient because L2 broadcast traffic will flow over the VPN, which is usually not beneficial for a remote device.

Tunnels are typically the recommended method. Further, with a tunnel, you can use more efficient VPN options (such as the aforementioned WireGuard) which will improve your overall throughput significantly.

Yep, I know, and I would like to use tun, but I need these layers...

Ok.

Also worth mentioning... AFAIK, TAP is supported on Windows and Linux (including OpenWrt) and possibly Mac OS. But it is not supported on mobile OSes (iOS and Android). This means that mobile devices will not be able to connect properly to the VPN as client devices (the connection will presumably get established, but the networking will be broken), unless you have them behind something like an OpenWrt router which is running as the VPN client (in which case, you'll actually be back to a routed situation anyway).

I would run a different VPN type on another port for mobile and bridge it also to the net, easy peasy.
I know the pains, I need those layers.... Sad to say.
The problem comes from the certs, I think.

Is there no complete, up-to-date tutorial on how to create the PKI for the bridged version?!
I'm using a mix of old tutorials and snippets found in different questions in forums.

It would be nice to figure it out so we could share the info with people.
The cert settings and cipher settings are a thing I am unsure about.

I'll try to dig up the original sources for my setup later this week. I can't just copy my files as the setup now references some internal networks within my company, but I'll see if I can get you a "sanitized" example.

Note that I can only provide you an OpenVPN server example for OpenWRT, not client.

For the others here, as to why I use OpenVPN, in my case:

  • OpenVPN is the only option I've found for L2 (TAP) bridging with Windows clients.

  • Some of the software we use has some device discovery mechanisms that rely on L2 broadcast or multicast traffic (I have not really poked into detail as to which), so the solution needs to behave as close to being connected by a physical cable on that interface as possible.

As to why not use a physical cable - generally not advised for 20,000+ pounds moving at 6 MPH. The performance concerns raised here don't affect my use case as it's for connecting to an isolated (moving) network of embedded devices for diagnostic purposes, for which the OpenWRT device acts as the bridge/gateway. Side benefit is that I can perform diagnostics on devices under test in facilities other than my own. Saves a huge amount of my time to tell someone "throw a bridge on it" rather than "OK I'll come up to mainsite in an hour".

As a side note, if you're using OpenWRT as the OpenVPN server, there's a script (it can be found in these forums) that you REALLY need, to restart OpenVPN when the system changes NTP stratum if you're running on a device without an RTC.

Edit: I'm 90% certain for the server I manually haxed it. My script is based on https://github.com/jbagdon/openvpn/blob/master/make_config.sh (Or something that it was derived from as the other files don't look familiar to me), but with the following content:

```bash
#!/bin/bash
# Usage: make_config.sh <name>; writes ~/client-configs/files/<name>.ovpn with the
# base config followed by the CA cert, the named cert/key pair and the DH params inlined.

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/server.conf

# The <(echo ...) process substitutions supply the opening and closing inline tags
# between the PEM files, so a single cat produces the finished .ovpn.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<dh>') \
    ${KEY_DIR}/dh.pem \
    <(echo -e '</dh>') \
    > ${OUTPUT_DIR}/${1}.ovpn
```
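The script above assembles the inline blocks but will happily embed an empty or wrong file between the tags, and the resulting .ovpn, which carries a private key, gets whatever permissions the current umask allows. The following is an added example, not the poster's script, that does the same job with the checks a practitioner would want: each file must exist and contain the PEM markers its block expects, a failure leaves no half-written output behind, and the output is created mode 0600. All paths are hypothetical, and the placeholder key material the demo generates is constructed, not real keys.

```shell
#!/bin/sh
# Added example, not the poster's script: build an .ovpn with inline <ca>/<cert>/<key>/<dh>
# blocks, refusing to embed any file whose PEM markers don't match the block, and
# creating the output owner-readable only, since it carries a private key.
# Hypothetical usage: sh build-ovpn.sh base.conf keys/ vpnuser vpnuser.ovpn

# pem_has_markers FILE BEGIN END: succeed only if both marker lines are present
pem_has_markers() {
  grep -qxF -- "$2" "$1" && grep -qxF -- "$3" "$1"
}

# emit_inline TAG FILE BEGIN END: print <TAG>, the file, </TAG>; fail without printing otherwise
emit_inline() {
  [ -r "$2" ] || { echo "missing or unreadable: $2" >&2; return 1; }
  pem_has_markers "$2" "$3" "$4" || { echo "$2: expected $3 ... $4" >&2; return 1; }
  printf '<%s>\n' "$1"
  cat -- "$2"
  printf '</%s>\n' "$1"
}

# build_inline_config BASE KEY_DIR NAME OUT: assemble OUT; on any failure leave no OUT behind
build_inline_config() {
  base=$1; keydir=$2; name=$3; out=$4
  ( umask 077   # 0600 output; done in a subshell so the caller's umask is untouched
    {
      cat -- "$base" &&
      emit_inline ca   "$keydir/ca.crt"    '-----BEGIN CERTIFICATE-----'   '-----END CERTIFICATE-----' &&
      emit_inline cert "$keydir/$name.crt" '-----BEGIN CERTIFICATE-----'   '-----END CERTIFICATE-----' &&
      emit_inline key  "$keydir/$name.key" '-----BEGIN PRIVATE KEY-----'   '-----END PRIVATE KEY-----' &&
      emit_inline dh   "$keydir/dh.pem"    '-----BEGIN DH PARAMETERS-----' '-----END DH PARAMETERS-----'
    } > "$out.tmp"
  ) || { rm -f "$out.tmp"; return 1; }
  mv -- "$out.tmp" "$out"
}

# count_inline_blocks FILE: number of inline blocks opened in FILE (0 if none)
count_inline_blocks() {
  grep -cE -- '^<(ca|cert|key|dh|tls-crypt|tls-crypt-v2|crl-verify)>$' "$1" || true
}

# make_sample_pki DIR: constructed placeholder files with the right markers (NOT real keys),
# plus one deliberately malformed pair ("broken") whose key file has no PEM markers
make_sample_pki() {
  printf 'client\ndev tap\nremote vpn.example.invalid 1194\n' > "$1/base.conf"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA'   '-----END CERTIFICATE-----'   > "$1/ca.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT' '-----END CERTIFICATE-----'   > "$1/vpnuser.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY'  '-----END PRIVATE KEY-----'   > "$1/vpnuser.key"
  printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'PLACEHOLDER-DH' '-----END DH PARAMETERS-----' > "$1/dh.pem"
  cp "$1/vpnuser.crt" "$1/broken.crt"
  printf 'this is not a PEM file\n' > "$1/broken.key"
}

# Demo when run without arguments: build from the constructed sample in a temp dir.
if [ $# -eq 0 ]; then
  d=$(mktemp -d)
  make_sample_pki "$d"
  build_inline_config "$d/base.conf" "$d" vpnuser "$d/vpnuser.ovpn" && cat "$d/vpnuser.ovpn"
  build_inline_config "$d/base.conf" "$d" broken "$d/broken.ovpn" || echo "broken: refused, as intended"
  rm -rf "$d"
else
  build_inline_config "$1" "$2" "$3" "$4"
fi
```

The same `emit_inline` helper covers `<tls-crypt-v2>` or `<crl-verify>` blocks by passing their marker lines; the demo deliberately includes a key file without markers to show the refusal path, which is the case the original script silently gets wrong.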