Looking for help with OpenVPN

I have a Linksys WRT32X router flashed with OpenWRT 19.07.2
I use LuCI to manage it; it is running very stable and I have archived that setup.

Here is what I want to do:
Configure two routes (in this order of priority):
#1 for 192.168.200.224/27 to go from LAN to WAN
#2 for everyone to go from NORDVPNTUN to WAN (the first priority will strip off the bypass IPs, right?)

I installed the OpenVPN package and followed a NordVPN tutorial on adding a VPN Tunnel.
The VPN service does not start at boot, but I can start the service through clicking a button in LuCI. I'm sidestepping this issue for now (I assume I just need to add a line of code somewhere).
While the service is running, under Network -> Interfaces -> NORDVPNTUN, I get an error: Network device is not present. So there's no traffic going through it. I'm sidestepping this issue for now (I assume it's due to the order things boot?).

I have also installed stangri's Policy Based Routing packages as I want to have some devices (in the 192.168.200.224/27 address range) bypass the VPN. I have configured those devices with static IP addresses to lock them into that IP range.
Under VPN->VPN Policy Routing -> Policies, I added two:
VPN_Bypass (with the 192.168.200.224/27 local addresses and set Interface = WAN) and
VPN_Tunnel (with 192.168.200.1/24 and set Interface = NORDVPNTUN).

So, now I'm stuck... All of my internet traffic just bypasses the VPN and the Policy rules as if they aren't there. I could use help to figure out where to start... are there other posts that capture this issue that I should look at? What OpenWRT/OpenVPN information should I be looking at?

-Adam

Autostart hasn't worked since about May 2019. Try changing the extension of the OpenVPN configuration file to .conf instead of the default .ovpn. There is no need to specify it in /etc/config/openvpn.


Thank you for the suggestions ulmwind.

I did change the extension of the file from .ovpn to .conf per the tutorial:
https://nordvpn.com/tutorials/openwrt/openvpn/

If autostart doesn't work, do you know if there is something I could/should add to System -> Startup -> Initscripts or -> Local Startup?

-Adam

I don't know about LuCI, but from the command line you should just enable openvpn:
/etc/init.d/openvpn enable
After that restart router, and check log:
logread -e openvpn
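Before enabling the service, these are the checks I would run on the profile directory, as an added example that is not code from the thread or from the OpenVPN/NordVPN docs: it counts the .conf profiles the 19.07 init script will start (every *.conf in the directory), flags stray .ovpn files, and verifies the dev name and the auth-user-pass file. The profile, file names and credentials are constructed for the demo; the assumption that the init script runs openvpn with --cd on the profile directory (so a relative auth-user-pass path resolves there) is mine.

```shell
#!/bin/sh
# Added example, not from the thread or the NordVPN/OpenWrt docs: pre-flight
# checks on an OpenVPN client profile directory before enabling the service
# on OpenWrt 19.07. Assumptions: the init script starts every *.conf in the
# directory and runs openvpn with --cd <dir>, so a relative auth-user-pass
# path is resolved against the profile directory.

# ovpn_check DIR -> prints OK/WARN/FAIL lines; returns 1 if anything FAILed.
ovpn_check() {
    dir=$1; rc=0; conf_n=0; ovpn_n=0
    for f in "$dir"/*.conf; do [ -f "$f" ] && conf_n=$((conf_n + 1)); done
    for f in "$dir"/*.ovpn; do [ -f "$f" ] && ovpn_n=$((ovpn_n + 1)); done
    if [ "$conf_n" -eq 0 ]; then
        echo "FAIL: no .conf profile in $dir (a .ovpn is not picked up)"; rc=1
    elif [ "$conf_n" -gt 1 ]; then
        echo "WARN: $conf_n .conf profiles in $dir; every one of them starts at boot"
    else
        echo "OK: one .conf profile"
    fi
    [ "$ovpn_n" -gt 0 ] && echo "WARN: $ovpn_n stray .ovpn file(s) ignored by the init script"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # "dev tunN": the device name the netifd interface (option ifname) must reference
        dev=$(awk '$1 == "dev" { print $2; exit }' "$f")
        case "$dev" in
            tun*) echo "OK: $name uses dev $dev" ;;
            *)    echo "WARN: $name has dev '$dev'; the interface ifname must match it" ;;
        esac
        # "auth-user-pass FILE": two lines (username, password), not world-readable
        cred=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$f")
        if [ -z "$cred" ]; then
            echo "WARN: $name has no auth-user-pass file; openvpn would prompt at boot"
            continue
        fi
        case "$cred" in /*) ;; *) cred="$dir/$cred" ;; esac
        if [ ! -f "$cred" ]; then
            echo "FAIL: $name: credentials file $cred is missing"; rc=1
        elif [ "$(awk 'END { print NR }' "$cred")" -ne 2 ]; then
            echo "FAIL: $name: $cred must hold exactly two lines (username, password)"; rc=1
        else
            echo "OK: $name: credentials file present"
            if find "$cred" -perm -004 | grep -q .; then
                echo "WARN: $cred is world-readable; chmod 600 it"
            fi
        fi
    done
    return $rc
}

# make_demo_profile DIR: writes a constructed (non-working) profile for the demo.
make_demo_profile() {
    printf 'client\ndev tun0\nproto udp\nremote vpn.example.invalid 1194\nauth-user-pass auth.txt\n' > "$1/nordvpn.conf"
    printf 'client\ndev tun0\n' > "$1/leftover.ovpn"      # a stray second profile
    printf 'user@example.invalid\ncorrect-horse-battery\n' > "$1/auth.txt"
    chmod 600 "$1/auth.txt"
}

# Demo run on a temporary directory (removed afterwards).
demo=$(mktemp -d)
make_demo_profile "$demo"
ovpn_check "$demo"
rm -rf "$demo"
```

On the router this would be run as `ovpn_check /etc/openvpn` before `/etc/init.d/openvpn enable`; after the reboot, `logread -e openvpn` as above shows whether the client actually connected.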

"Tunnel interface does not exist" means that the OpenVPN client did not start or didn't connect to the server. Troubleshooting that is usually straightforward by looking at the system log.

Check this post.
This is a 5-step guide to set up an OpenVPN client with NordVPN in LuCI. It is partly based on the tutorial you refer to.
I own the WRT32X and the VPN service does start at boot after following this guide.
Regarding the error that says the network device is not present, check /etc/config/network. Find the config paragraph related to the VPN interface you created. option proto should come first. If it is not listed first, move it to the first line. I had the same issue as yours; it did the trick for me.
Alternatively, you can delete the VPN interface you created and re-create it with the following commands (as suggested in the NordVPN tutorial). Adapt them to your situation.

uci set network.nordvpntun=interface
uci set network.nordvpntun.proto='none'
uci set network.nordvpntun.ifname='tun0'
uci commit network

I use that same package with 2 policies similar to yours.
The difference is that my CIDR for the second policy is 192.168.1.0/24. Notice the "0" instead of the "1" before the forward slash. I don't know if it matters.
Otherwise, your policies are listed in the right order it seems.
For info, you don't necessarily have to allocate static IPs to the devices like you are doing in your first policy; you can single out devices by MAC address or even network interface. Check the readme for the package here and head to the section about src_addr.
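Darius's remark about 192.168.200.1/24 versus 192.168.200.0/24 is a network-address question and can be checked rather than guessed. As an added example (not from the thread or from the vpn-policy-routing package), the script below clears the host bits of a CIDR and tests whether the bypass range sits inside the tunnel range; it uses only busybox sh and awk arithmetic, so it runs on the router. The two ranges are the thread's; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the vpn-policy-routing package:
# normalise the CIDRs used in the two policies and check that the bypass
# range is a sub-range of the one sent through the tunnel. Pure awk
# arithmetic (no bit operators), so it also runs on busybox awk.

# cidr_network A.B.C.D/P -> prints the block with its host bits cleared
cidr_network() {
    echo "$1" | awk -F '[./]' '
    NF != 5 || $5 > 32 || $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 { print "invalid: " $0; exit 1 }
    {
        ip = (($1 * 256 + $2) * 256 + $3) * 256 + $4
        block = 2 ^ (32 - $5)                 # number of addresses in the prefix
        net = int(ip / block) * block         # clear the host bits
        printf "%d.%d.%d.%d/%d\n", int(net / 16777216) % 256, int(net / 65536) % 256,
               int(net / 256) % 256, net % 256, $5
    }'
}

# cidr_contains OUTER INNER -> exit 0 when every address of INNER is in OUTER
cidr_contains() {
    awk -v outer="$1" -v inner="$2" '
    function ip2int(a, o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function netof(ip, p, b) { b = 2 ^ (32 - p); return int(ip / b) * b }
    BEGIN {
        split(outer, ob, "/"); split(inner, ib, "/")
        if (ib[2] + 0 < ob[2] + 0) exit 1      # a shorter prefix cannot fit inside
        if (netof(ip2int(ib[1]), ob[2]) == netof(ip2int(ob[1]), ob[2])) exit 0
        exit 1
    }'
}

# policy_report BYPASS TUNNEL: what the two policies actually cover
policy_report() {
    b=$(cidr_network "$1"); t=$(cidr_network "$2")
    [ "$b" != "$1" ] && echo "note: $1 is not a network address; the block is $b"
    [ "$t" != "$2" ] && echo "note: $2 is not a network address; the block is $t"
    if cidr_contains "$t" "$b"; then
        echo "ok: bypass $b lies inside $t, so policy order decides which one wins"
    else
        echo "warn: bypass $b is not inside $t"
    fi
}

# Demo with the two ranges from the thread
policy_report 192.168.200.224/27 192.168.200.1/24
```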

Thank you everyone. I think I was fighting 3 issues all at once.

#1) I had scp'd in 2 different Nord .ovpn files. For whatever reason, OpenVPN was trying to access both. I renamed the one I didn't want and it flushed out.
#2) I had an incorrect user name in my .conf file... d'oh!
#3) I switched to the CIDR that Darius mentioned.

I think I'm in uncharted waters... after fighting dd-wrt on and off for the last 4 months, I ... think... everything is working the way I want. I still have some work to do to get the guest wifi up, but before I tackle that, I have a question about the syslog and kernel log.

I expected them to both be "quiet" once the errors were worked out. I think it has to do with an incomplete disable of IPv6.

Here is my kernel log:

[   18.125924] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   18.132383] br-lan: port 3(wlan0) entered blocking state
[   18.137723] br-lan: port 3(wlan0) entered forwarding state
[  117.389238] ieee80211 phy0: staid 1 deleted
[  599.309517] ieee80211 phy0: staid 1 deleted
[  923.956116] ieee80211 phy1: staid 6 deleted
[  965.549904] ieee80211 phy1: staid 3 deleted

The phy0 and phy1 staid x deleted will continue forever every 200-600 seconds.

My syslog is similar:

Thu Mar 19 14:37:58 2020 daemon.info hostapd: wlan0: STA 14:56:8e:5b:52:7e IEEE 802.11: associated (aid 2)
Thu Mar 19 14:37:58 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 14:56:8e:5b:52:7e
Thu Mar 19 14:37:58 2020 daemon.info hostapd: wlan0: STA 14:56:8e:5b:52:7e WPA: pairwise key handshake completed (RSN)
Thu Mar 19 14:37:58 2020 daemon.info dnsmasq-dhcp[3917]: DHCPDISCOVER(br-lan) 14:56:8e:5b:52:7e
Thu Mar 19 14:37:58 2020 daemon.info dnsmasq-dhcp[3917]: DHCPOFFER(br-lan) 192.168.2.132 14:56:8e:5b:52:7e
Thu Mar 19 14:37:59 2020 daemon.info dnsmasq-dhcp[3917]: DHCPDISCOVER(br-lan) 14:56:8e:5b:52:7e
Thu Mar 19 14:37:59 2020 daemon.info dnsmasq-dhcp[3917]: DHCPOFFER(br-lan) 192.168.2.132 14:56:8e:5b:52:7e
Thu Mar 19 14:38:01 2020 daemon.info dnsmasq-dhcp[3917]: DHCPDISCOVER(br-lan) 14:56:8e:5b:52:7e
Thu Mar 19 14:38:01 2020 daemon.info dnsmasq-dhcp[3917]: DHCPOFFER(br-lan) 192.168.2.132 14:56:8e:5b:52:7e
Thu Mar 19 14:38:02 2020 daemon.info hostapd: wlan0: STA 14:56:8e:5b:52:7e IEEE 802.11: authenticated
Thu Mar 19 14:38:05 2020 daemon.info dnsmasq-dhcp[3917]: DHCPDISCOVER(br-lan) 14:56:8e:5b:52:7e
Thu Mar 19 14:38:05 2020 daemon.info dnsmasq-dhcp[3917]: DHCPOFFER(br-lan) 192.168.2.132 14:56:8e:5b:52:7e
Thu Mar 19 14:38:05 2020 daemon.info dnsmasq-dhcp[3917]: DHCPREQUEST(br-lan) 192.168.2.132 14:56:8e:5b:52:7e
Thu Mar 19 14:38:05 2020 daemon.info dnsmasq-dhcp[3917]: DHCPACK(br-lan) 192.168.2.132 14:56:8e:5b:52:7e Galaxy-J3-Eclipse
Thu Mar 19 14:44:21 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 14:56:8e:5b:52:7e
Thu Mar 19 14:44:21 2020 daemon.info hostapd: wlan0: STA 14:56:8e:5b:52:7e IEEE 802.11: disassociated due to inactivity
Thu Mar 19 14:44:22 2020 daemon.info hostapd: wlan0: STA 14:56:8e:5b:52:7e IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Thu Mar 19 14:44:22 2020 kern.debug kernel: [ 8841.926809] ieee80211 phy0: staid 2 deleted

Is this normal?

-Adam

That's all normal. Those messages are all related to your Galaxy J3 periodically connecting and disconnecting from the wifi. You will see "deauthenticated due to inactivity" and "staid deleted" when a mobile wifi device moves out of range or puts its radio to sleep. If no network activity is happening they tend to sleep a lot.

mk24,
Thanks for confirming the logs are not errors. I did note that once enough wifi devices connected, the log did quiet down.

I am close to getting this router configured the way I want. I am currently hung up on a setting for the guest wifi network.

I followed these instructions:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

The wifi is running, and my phone can connect and get an IP assigned. But I get a notification on my phone "Connected without internet". I assume this has to do with the firewall not connecting to the WAN?

On the Network -> Firewall page, the guest (wlan1-1) Zone is configured the same as the lan Zone, which is consistent with the instructions.

I checked the Status -> Routes page and can see an ARP from my phone to the wlan1-1 Interface.

On the Active IPv4 Routes, the wlan1-1 shows up in three different tables with the same target and none have an IPv4 Gateway listed.

Do you have any thoughts on what I can look at?

-Adam

I'm going out on a limb to say that my DNSMasq configuration is the cause.

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option serversfile '/tmp/adb_list.overall'
	option noresolv '1'
	list server '127.0.0.1#5353'
	list server '/pool.ntp.org/8.8.8.8'

I think it's gathering the DNS queries for both lan and wlan1-1, but it's not returning the responses to the devices on the wlan1-1?

The other limb I would have climbed onto is that the wlan1-1 doesn't get access to the DNSMasq and therefore the DNS requests (on port 53) on wlan1-1 are rejected. Therefore there's no response to provide the devices on that network.

I just don't know how to correct for either condition.

-Adam


When I ping the DHCP server, 192.168.200.25 from my wireless device with an assigned IP address from the DHCP server, I get the following error:
From 192.168.200.25: icmp_seq=1 Destination Port Unreachable

While I didn't expect this to work, I also tested the internet (yahoo.com) from my wireless device with an assigned IP address from the DHCP server, I get the same error:
From OpenWrt.lan (192.168.200.25): icmp_seq=1 Destination Port Unreachable

I don't understand what could be failing.

-Adam

Sorry, so you couldn't ping the DHCP server itself?