Open VPN firewall configuration

Hello,
Open VPN packages installed on TP-Link Archer C20i.
Open VPN Instance successfully setup and running through CloudConnexa service.
Network Interface OpenVPN created and linked to device tun0
Firewall forwarding rules setup.
With this configuration the internet connection is working fine but not passing through the VPN tunnel.

When I try to channel all traffic through the VPN and remove forwarding from lan to wan, then:

  1. Ping from the OpenWrt Network Diagnostics works fine
  2. Ping from a computer connected through wireless does not work
     I also tried to set up manual DNS like the 8.8.8.8 Google DNS resolvers, same behavior.

What I want to achieve:
The main wifi modem/router is providing regular internet access, as of today
The OpenWRT router, attached by a LAN cable to the modem/router is providing a different wireless network, tunnelling all traffic through VPN.

Does anybody have experience with firewall rules and can recommend a solution?
Thanks

Disable lan->wan forwarding. In general PBR can help you split traffic between provider and VPN.

Hello brada4,
thanks for your recommendation, picture 1 is what I did following your input: WAN forwarding eliminated.
Unfortunately same result: pinging a website from the OpenWrt diagnostic tool works, however computers connected through wi-fi cannot reach the internet.

I also screenshotted the LAN forwarding config (pictures 2 and 3) and the OpenVPN forwarding config (pictures 4 and 5).

Any further guidance is very welcome.
Thanks, have a great weekend

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Please use the "Preformatted text </>" button for logs, scripts, configs and general console output (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
BusyBox v1.36.1 (2025-06-23 20:40:36 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.2, r28739-d9340319c6
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.93",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7620A ver:2 eco:6",
	"model": "TP-Link Archer C20i",
	"board_name": "tplink,archer-c20i",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.2",
		"revision": "r28739-d9340319c6",
		"target": "ramips/mt7620",
		"description": "OpenWrt 24.10.2 r28739-d9340319c6",
		"builddate": "1750711236"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde5:c53d:f623::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'c4:6e:1f:0c:a2:ef'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'OpenVPN'
	option proto 'none'
	option device 'tun0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/10180000.wmac'
	option band '2g'
	option channel '1'
	option htmode 'HT20'
	option disabled '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Firewall config?

Sorry, for some reason I did not copy-paste it.

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'
	list network 'lan'

config zone
	option name 'VPN_zone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'OpenVPN'
	list device 'tun0'

config forwarding
	option src 'lan'
	option dest 'VPN_zone'

Remove tun from the lan zone.

root@OpenWrt:~#  cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'VPN_zone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'OpenVPN'
	list device 'tun0'

config forwarding
	option src 'lan'
	option dest 'VPN_zone'

This is the new config after the update; unfortunately the wi-fi connected computer still does not reach the internet.

You removed the wan DHCP firewall rule; it's surprising anything works at all.
Why is tun0 added an extra time in the VPN zone too?

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'VPN_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'OpenVPN'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'VPN_zone'

config forwarding
	option src 'VPN_zone'
	option dest 'wan'

I'm not an expert… :frowning: sorry. Here is the new config I have.

As @brada4 already noted, you can also remove list device 'tun0'; you already listed the network OpenVPN, which has the tun0 device.

Without seeing your VPN config and log it is guesswork, so just a quick fix:
Add to the OpenVPN config:

redirect-gateway def1

Reboot and test again. If that does not help, then please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses as that is not needed:

ip route show
ip -6 route show
ip rule show
cat /etc/config/openvpn
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
logread | grep openvpn

Restore missing wan autoconfig rules from /rom/etc/config/firewall

What is VPN -> wan forwarding supposed to do?
Why don't you use PBR?

root@OpenWrt:~# ip route show
default via 192.168.1.1 dev eth0.2  src 192.168.1.8 
100.80.0.0/12 via 100.96.1.17 dev tun0 
100.96.0.0/11 via 100.96.1.17 dev tun0 
100.96.1.16/28 dev tun0 scope link  src 100.96.1.18 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.8 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1 
root@OpenWrt:~# ip -6 route show
default from 2a02:b025:12:406b::1 via fe80::b6b0:24ff:fe59:9824 dev eth0.2  metric 384 
default from 2a02:b025:12:406b::/64 via fe80::b6b0:24ff:fe59:9824 dev eth0.2  metric 384 
fd:0:0:4000::/50 dev tun0  metric 1024 
fd:0:0:8101::/64 dev tun0  metric 256 
fd:0:0:8000::/49 dev tun0  metric 1024 
2a02:b025:12:406b::/64 dev eth0.2  metric 256 
unreachable 2a02:b025:12:406b::/64 dev lo  metric 2147483647 
fd22:31:9d10::/64 dev br-lan  metric 1024 
unreachable fd22:31:9d10::/48 dev lo  metric 2147483647 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev tun0  metric 256 
anycast fd:0:0:8101:: dev tun0  metric 0 
anycast 2a02:b025:12:406b:: dev eth0.2  metric 0 
anycast fd22:31:9d10:: dev br-lan  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev eth0.2  metric 0 
anycast fe80:: dev tun0  metric 0 
multicast ff00::/8 dev eth0  metric 256 
multicast ff00::/8 dev br-lan  metric 256 
multicast ff00::/8 dev eth0.2  metric 256 
multicast ff00::/8 dev tun0  metric 256 
root@OpenWrt:~# ip rule show
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@OpenWrt:~# cat /etc/config/openvpn

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option verb '3'

config openvpn 'CHICAGO'
	option config '/etc/openvpn/CHICAGO.ovpn'
	option enabled '1'

root@OpenWrt:~# for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
/etc/openvpn/CHICAGO.ovpn
setenv USERNAME "squirry/connector/77e2c12a-04e8-4af9-b81c-f347c90cb599_f93048d6-b6ad-4279-85ab-d5af8d3cc258"
# OVPN_WEBAUTH_FRIENDLY_USERNAME=squirry/Teal Wolf/USA
# OVPN_FRIENDLY_PROFILE_NAME=Teal Wolf@squirry.openvpn.com [Chicago (IL)]
client
dev tun
remote us-ord.gw.openvpn.com 1194 udp
remote us-ord.gw.openvpn.com 1194 udp
remote us-ord.gw.openvpn.com 443 tcp
remote us-ord.gw.openvpn.com 1194 udp
remote us-ord.gw.openvpn.com 1194 udp
remote us-ord.gw.openvpn.com 1194 udp
remote us-ord.gw.openvpn.com 1194 udp
remote us-ord.gw.openvpn.com 1194 udp
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
persist-tun
nobind
verb 3
socket-flags TCP_NODELAY
push-peer-info

<ca>
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

root@OpenWrt:~# for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
ls: /tmp/etc/openvpn*.conf: No such file or directory
root@OpenWrt:~# logread | grep openvpn
Sat Nov 22 23:17:32 2025 daemon.warn openvpn(CHICAGO)[2105]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Sat Nov 22 23:17:33 2025 daemon.notice openvpn(CHICAGO)[2105]: Note: Kernel support for ovpn-dco missing, disabling data channel offload.
Sat Nov 22 23:17:33 2025 daemon.notice openvpn(CHICAGO)[2105]: OpenVPN 2.6.14 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Sat Nov 22 23:17:33 2025 daemon.notice openvpn(CHICAGO)[2105]: library versions: OpenSSL 3.0.18 30 Sep 2025, LZO 2.10
Sat Nov 22 23:17:33 2025 daemon.notice openvpn(CHICAGO)[2105]: DCO version: N/A
Sat Nov 22 23:17:33 2025 daemon.warn openvpn(CHICAGO)[2105]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Nov 22 23:17:40 2025 daemon.err openvpn(CHICAGO)[2105]: RESOLVE: Cannot resolve host address: us-ord.gw.openvpn.com:1194 (Try again)
Sat Nov 22 23:17:45 2025 daemon.err openvpn(CHICAGO)[2105]: RESOLVE: Cannot resolve host address: us-ord.gw.openvpn.com:1194 (Try again)
Sat Nov 22 23:17:45 2025 daemon.warn openvpn(CHICAGO)[2105]: Could not determine IPv4/IPv6 protocol
Sat Nov 22 23:17:45 2025 daemon.notice openvpn(CHICAGO)[2105]: SIGUSR1[soft,Could not determine IPv4/IPv6 protocol] received, process restarting
Sat Nov 22 23:17:45 2025 daemon.notice openvpn(CHICAGO)[2105]: Restart pause, 1 second(s)
Sat Nov 22 23:17:46 2025 daemon.warn openvpn(CHICAGO)[2105]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Nov 22 23:17:47 2025 daemon.notice openvpn(CHICAGO)[2105]: TCP/UDP: Preserving recently used remote address: [AF_INET]68.235.38.66:1194
Sat Nov 22 23:17:47 2025 daemon.notice openvpn(CHICAGO)[2105]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sat Nov 22 23:17:47 2025 daemon.warn openvpn(CHICAGO)[2105]: NOTE: setsockopt TCP_NODELAY=1 failed
Sat Nov 22 23:17:47 2025 daemon.notice openvpn(CHICAGO)[2105]: UDPv4 link local: (not bound)
Sat Nov 22 23:17:47 2025 daemon.notice openvpn(CHICAGO)[2105]: UDPv4 link remote: [AF_INET]68.235.38.66:1194
Sat Nov 22 23:17:47 2025 daemon.notice openvpn(CHICAGO)[2105]: TLS: Initial packet from [AF_INET]68.235.38.66:1194, sid=626ecf19 b6b8a0cf
Sat Nov 22 23:17:47 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_best_gw query: dst 0.0.0.0
Sat Nov 22 23:17:47 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_best_gw result: via 192.168.1.1 dev eth0.2
Sat Nov 22 23:17:47 2025 daemon.notice openvpn(CHICAGO)[2105]: VERIFY OK: depth=1, CN=CloudVPN Prod CA
Sat Nov 22 23:17:47 2025 daemon.notice openvpn(CHICAGO)[2105]: VERIFY KU OK
Sat Nov 22 23:17:48 2025 daemon.notice openvpn(CHICAGO)[2105]: Validating certificate extended key usage
Sat Nov 22 23:17:48 2025 daemon.notice openvpn(CHICAGO)[2105]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Nov 22 23:17:48 2025 daemon.notice openvpn(CHICAGO)[2105]: VERIFY EKU OK
Sat Nov 22 23:17:48 2025 daemon.notice openvpn(CHICAGO)[2105]: VERIFY OK: depth=0, CN=us-ord-dc1-b1.cloud.openvpn.net
Sat Nov 22 23:17:49 2025 daemon.notice openvpn(CHICAGO)[2105]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Sat Nov 22 23:17:49 2025 daemon.notice openvpn(CHICAGO)[2105]: [us-ord-dc1-b1.cloud.openvpn.net] Peer Connection Initiated with [AF_INET]68.235.38.66:1194
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: SENT CONTROL [us-ord-dc1-b1.cloud.openvpn.net]: 'PUSH_REQUEST' (status=1)
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 100.96.1.17,ifconfig 100.96.1.18 255.255.255.240,ifconfig-ipv6 fd:0:0:8101::2/64 fd:0:0:8101::1,client-ip 151.18.45.31,ping 8,ping-restart 40,reneg-sec 3600,cipher AES-256-GCM,compress stub-v2,peer-id 9268,protocol-flags tls-ekm dyn-tls-crypt cc-exit,block-outside-dns,topology subnet,explicit-exit-notify,remote-cache-lifetime 86400,route 100.96.0.0 255.224.0.0,route-ipv6 fd:0:0:8000::/49,route 100.80.0.0 255.240.0.0,route-ipv6 fd:0:0:4000::/50,dhcp-option DNS 100.96.1.17,auth-tokenSESS_ID,auth-token-user c3F1aXJyeS9jb25uZWN0b3IvNzdlMmMxMmEtMDRlOC00YWY5LWI4MWMtZjM0N2M5MGNiNTk5X2Y5MzA0OGQ2LWI2YWQtNDI3OS04NWFiLWQ1YWY4ZDNjYzI1OA=='
Sat Nov 22 23:17:53 2025 daemon.err openvpn(CHICAGO)[2105]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: client-ip (2.6.14)
Sat Nov 22 23:17:53 2025 daemon.err openvpn(CHICAGO)[2105]: Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
Sat Nov 22 23:17:53 2025 daemon.err openvpn(CHICAGO)[2105]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:12: block-outside-dns (2.6.14)
Sat Nov 22 23:17:53 2025 daemon.err openvpn(CHICAGO)[2105]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:15: remote-cache-lifetime (2.6.14)
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: OPTIONS IMPORT: route options modified
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: OPTIONS IMPORT: route-related options modified
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_best_gw query: dst 0.0.0.0
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_best_gw result: via 192.168.1.1 dev eth0.2
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: GDG6: remote_host_ipv6=n/a
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v6_best_gw query: dst ::
Sat Nov 22 23:17:53 2025 daemon.warn openvpn(CHICAGO)[2105]: sitnl_send: rtnl: generic error (-128): Network unreachable
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: TUN/TAP device tun0 opened
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: net_iface_mtu_set: mtu 1500 for tun0
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: net_iface_up: set tun0 up
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: net_addr_v4_add: 100.96.1.18/28 dev tun0
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: net_iface_mtu_set: mtu 1500 for tun0
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: net_iface_up: set tun0 up
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: net_addr_v6_add: fd:0:0:8101::2/64 dev tun0
Sat Nov 22 23:17:53 2025 daemon.notice openvpn(CHICAGO)[2105]: /usr/libexec/openvpn-hotplug up CHICAGO tun0 1500 0 100.96.1.18 255.255.255.240 init
Sat Nov 22 23:17:54 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_add: 68.235.38.66/32 via 192.168.1.1 dev [NULL] table 0 metric -1
Sat Nov 22 23:17:54 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_add: 0.0.0.0/1 via 100.96.1.17 dev [NULL] table 0 metric -1
Sat Nov 22 23:17:54 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_add: 128.0.0.0/1 via 100.96.1.17 dev [NULL] table 0 metric -1
Sat Nov 22 23:17:54 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_add: 100.96.0.0/11 via 100.96.1.17 dev [NULL] table 0 metric -1
Sat Nov 22 23:17:54 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_add: 100.80.0.0/12 via 100.96.1.17 dev [NULL] table 0 metric -1
Sat Nov 22 23:17:54 2025 daemon.notice openvpn(CHICAGO)[2105]: add_route_ipv6(fd:0:0:8000::/49 -> fd:0:0:8101::1 metric -1) dev tun0
Sat Nov 22 23:17:54 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v6_add: fd:0:0:8000::/49 via :: dev tun0 table 0 metric -1
Sat Nov 22 23:17:54 2025 daemon.notice openvpn(CHICAGO)[2105]: add_route_ipv6(fd:0:0:4000::/50 -> fd:0:0:8101::1 metric -1) dev tun0
Sat Nov 22 23:17:54 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v6_add: fd:0:0:4000::/50 via :: dev tun0 table 0 metric -1
Sat Nov 22 23:17:55 2025 daemon.notice openvpn(CHICAGO)[2105]: Initialization Sequence Completed
Sat Nov 22 23:17:55 2025 daemon.notice openvpn(CHICAGO)[2105]: Data Channel: cipher 'AES-256-GCM', peer-id: 9268, compression: 'stubv2'
Sat Nov 22 23:17:55 2025 daemon.notice openvpn(CHICAGO)[2105]: Timers: ping 8, ping-restart 40
Sat Nov 22 23:17:55 2025 daemon.notice openvpn(CHICAGO)[2105]: Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
Sat Nov 22 23:17:55 2025 daemon.notice openvpn(CHICAGO)[2105]: PUSH: Received control message: 'PUSH_REPLY,auth-tokenSESS_ID'
Sat Nov 22 23:23:26 2025 daemon.err openvpn(CHICAGO)[2105]: event_wait : Interrupted system call (fd=-1,code=4)
Sat Nov 22 23:23:26 2025 daemon.notice openvpn(CHICAGO)[2105]: SIGTERM received, sending exit notification to peer
Sat Nov 22 23:23:26 2025 daemon.notice openvpn(CHICAGO)[2105]: SENT CONTROL [us-ord-dc1-b1.cloud.openvpn.net]: 'EXIT' (status=1)
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: /usr/libexec/openvpn-hotplug route-pre-down CHICAGO tun0 1500 0 100.96.1.18 255.255.255.240 init
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_del: 100.96.0.0/11 via 100.96.1.17 dev [NULL] table 0 metric -1
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_del: 100.80.0.0/12 via 100.96.1.17 dev [NULL] table 0 metric -1
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_del: 68.235.38.66/32 via 192.168.1.1 dev [NULL] table 0 metric -1
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_del: 0.0.0.0/1 via 100.96.1.17 dev [NULL] table 0 metric -1
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v4_del: 128.0.0.0/1 via 100.96.1.17 dev [NULL] table 0 metric -1
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: delete_route_ipv6(fd:0:0:8000::/49)
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v6_del: fd:0:0:8000::/49 via :: dev tun0 table 0 metric -1
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: delete_route_ipv6(fd:0:0:4000::/50)
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: net_route_v6_del: fd:0:0:4000::/50 via :: dev tun0 table 0 metric -1
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: Closing TUN/TAP interface
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: net_addr_v4_del: 100.96.1.18 dev tun0
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: net_addr_v6_del: fd:0:0:8101::2/64 dev tun0
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: /usr/libexec/openvpn-hotplug down CHICAGO tun0 1500 0 100.96.1.18 255.255.255.240 init
Sat Nov 22 23:23:27 2025 daemon.notice openvpn(CHICAGO)[2105]: SIGTERM[soft,exit-with-notification] received, process exiting
Sat Nov 22 23:23:41 2025 daemon.warn openvpn(CHICAGO)[4348]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Sat Nov 22 23:23:42 2025 daemon.notice openvpn(CHICAGO)[4348]: Note: Kernel support for ovpn-dco missing, disabling data channel offload.
Sat Nov 22 23:23:42 2025 daemon.notice openvpn(CHICAGO)[4348]: OpenVPN 2.6.14 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Sat Nov 22 23:23:42 2025 daemon.notice openvpn(CHICAGO)[4348]: library versions: OpenSSL 3.0.18 30 Sep 2025, LZO 2.10
Sat Nov 22 23:23:42 2025 daemon.notice openvpn(CHICAGO)[4348]: DCO version: N/A
Sat Nov 22 23:23:42 2025 daemon.warn openvpn(CHICAGO)[4348]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: TCP/UDP: Preserving recently used remote address: [AF_INET6]2607:9000:0:30::5:1194
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sat Nov 22 23:23:43 2025 daemon.warn openvpn(CHICAGO)[4348]: NOTE: setsockopt TCP_NODELAY=1 failed
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: UDPv6 link local: (not bound)
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: UDPv6 link remote: [AF_INET6]2607:9000:0:30::5:1194
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: TLS: Initial packet from [AF_INET6]2607:9000:0:30::5:1194, sid=9f278c6a c686b627
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: net_route_v4_best_gw query: dst 0.0.0.0
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: net_route_v4_best_gw result: via 192.168.1.1 dev eth0.2
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: VERIFY OK: depth=1, CN=CloudVPN Prod CA
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: VERIFY KU OK
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: Validating certificate extended key usage
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: VERIFY EKU OK
Sat Nov 22 23:23:43 2025 daemon.notice openvpn(CHICAGO)[4348]: VERIFY OK: depth=0, CN=us-ord-dc1-b1.cloud.openvpn.net
Sat Nov 22 23:23:44 2025 daemon.notice openvpn(CHICAGO)[4348]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Sat Nov 22 23:23:44 2025 daemon.notice openvpn(CHICAGO)[4348]: [us-ord-dc1-b1.cloud.openvpn.net] Peer Connection Initiated with [AF_INET6]2607:9000:0:30::5:1194
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: SENT CONTROL [us-ord-dc1-b1.cloud.openvpn.net]: 'PUSH_REQUEST' (status=1)
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 100.96.1.17,ifconfig 100.96.1.18 255.255.255.240,ifconfig-ipv6 fd:0:0:8101::2/64 fd:0:0:8101::1,client-ip 2a02:b025:12:406b:c66e:1fff:fe0c:a2ef,ping 8,ping-restart 40,reneg-sec 3600,cipher AES-256-GCM,compress stub-v2,peer-id 9400,protocol-flags tls-ekm dyn-tls-crypt cc-exit,block-outside-dns,topology subnet,explicit-exit-notify,remote-cache-lifetime 86400,route 100.96.0.0 255.224.0.0,route-ipv6 fd:0:0:8000::/49,route 100.80.0.0 255.240.0.0,route-ipv6 fd:0:0:4000::/50,dhcp-option DNS 100.96.1.17,auth-tokenSESS_ID,auth-token-user c3F1aXJyeS9jb25uZWN0b3IvNzdlMmMxMmEtMDRlOC00YWY5LWI4MWMtZjM0N2M5MGNiNTk5X2Y5MzA0OGQ2LWI2YWQtNDI3OS04NWFiLWQ1YWY4ZDNjYzI1OA=='
Sat Nov 22 23:23:45 2025 daemon.err openvpn(CHICAGO)[4348]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: client-ip (2.6.14)
Sat Nov 22 23:23:45 2025 daemon.err openvpn(CHICAGO)[4348]: Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
Sat Nov 22 23:23:45 2025 daemon.err openvpn(CHICAGO)[4348]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:12: block-outside-dns (2.6.14)
Sat Nov 22 23:23:45 2025 daemon.err openvpn(CHICAGO)[4348]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:15: remote-cache-lifetime (2.6.14)
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: OPTIONS IMPORT: route options modified
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: OPTIONS IMPORT: route-related options modified
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: net_route_v4_best_gw query: dst 0.0.0.0
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: net_route_v4_best_gw result: via 192.168.1.1 dev eth0.2
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: GDG6: remote_host_ipv6=2607:9000:0:30::5
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: net_route_v6_best_gw query: dst 2607:9000:0:30::5
Sat Nov 22 23:23:45 2025 daemon.warn openvpn(CHICAGO)[4348]: sitnl_send: rtnl: generic error (-128): Network unreachable
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: TUN/TAP device tun0 opened
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: net_iface_mtu_set: mtu 1500 for tun0
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: net_iface_up: set tun0 up
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: net_addr_v4_add: 100.96.1.18/28 dev tun0
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: net_iface_mtu_set: mtu 1500 for tun0
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: net_iface_up: set tun0 up
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: net_addr_v6_add: fd:0:0:8101::2/64 dev tun0
Sat Nov 22 23:23:45 2025 daemon.notice openvpn(CHICAGO)[4348]: /usr/libexec/openvpn-hotplug up CHICAGO tun0 1500 0 100.96.1.18 255.255.255.240 init
Sat Nov 22 23:23:46 2025 daemon.notice openvpn(CHICAGO)[4348]: net_route_v4_add: 100.96.0.0/11 via 100.96.1.17 dev [NULL] table 0 metric -1
Sat Nov 22 23:23:46 2025 daemon.notice openvpn(CHICAGO)[4348]: net_route_v4_add: 100.80.0.0/12 via 100.96.1.17 dev [NULL] table 0 metric -1
Sat Nov 22 23:23:46 2025 daemon.notice openvpn(CHICAGO)[4348]: add_route_ipv6(fd:0:0:8000::/49 -> fd:0:0:8101::1 metric -1) dev tun0
Sat Nov 22 23:23:46 2025 daemon.notice openvpn(CHICAGO)[4348]: net_route_v6_add: fd:0:0:8000::/49 via :: dev tun0 table 0 metric -1
Sat Nov 22 23:23:46 2025 daemon.notice openvpn(CHICAGO)[4348]: add_route_ipv6(fd:0:0:4000::/50 -> fd:0:0:8101::1 metric -1) dev tun0
Sat Nov 22 23:23:46 2025 daemon.notice openvpn(CHICAGO)[4348]: net_route_v6_add: fd:0:0:4000::/50 via :: dev tun0 table 0 metric -1
Sat Nov 22 23:23:50 2025 daemon.notice openvpn(CHICAGO)[4348]: Initialization Sequence Completed
Sat Nov 22 23:23:50 2025 daemon.notice openvpn(CHICAGO)[4348]: Data Channel: cipher 'AES-256-GCM', peer-id: 9400, compression: 'stubv2'
Sat Nov 22 23:23:50 2025 daemon.notice openvpn(CHICAGO)[4348]: Timers: ping 8, ping-restart 40
Sat Nov 22 23:23:50 2025 daemon.notice openvpn(CHICAGO)[4348]: Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
Sat Nov 22 23:23:50 2025 daemon.notice openvpn(CHICAGO)[4348]: PUSH: Received control message: 'PUSH_REPLY,auth-tokenSESS_ID'
root@OpenWrt:~# 

Just to be sure, I flashed the router again and restarted from a clean config, recreated the VPN interface and clean firewall rules. Here is the log.

You have to regenerate private keys.

Will do. As soon as I can get a working configuration I will set router and wifi passwords and regenerate the keys. What I have now is just a sandbox that I'm studying and trying to set up properly.

Have you tried with adding
redirect-gateway def1 to the openvpn config

Hello, thanks for the feedback. I did some testing with different configurations, trying to spot where the issue is with my limited knowledge. Here below are the tests I did.


CONFIGURATION 1 (LAN forwards to VPN)

        config zone
        	option name 'OC'
        	option input 'DROP'
        	option output 'ACCEPT'
        	option forward 'DROP'
        	option masq '1'
        	list network 'CloudConnexa'
        
        config forwarding
        	option src 'lan'
        	option dest 'OC'

WIFI connected laptop does not reach the Internet through the web browser; the exception is the OpenVPN CloudConnexa control panel at https://squirry.openvpn.com, which is still reachable from the laptop. However, if I try to ping it, then ping: cannot resolve https://squirry.openvpn.com
LUCI Network diagnostics can successfully ping openwrt.org

CONFIGURATION 2 (LAN forwards to VPN + WAN)

        config forwarding
        	option src 'lan'
        	option dest 'OC'
        
        config forwarding
        	option src 'lan'
        	option dest 'wan'

WIFI connected laptop does reach Internet but does not tunnel through VPN
LUCI Network diagnostics can successfully ping openwrt.org

CONFIGURATION 3 (LAN forwards to VPN + WAN) and added redirect-gateway def 1 to /etc/openvpn/CHICAGO.ovpn

        WAS

        socket-flags TCP_NODELAY
        push-peer-info
        
        <ca>
        -----BEGIN CERTIFICATE-----
        MIIDRDCCAiygAw....
        
        NOW IS

        socket-flags TCP_NODELAY
        push-peer-info
        redirect-gateway def 1
        
        <ca>
        -----BEGIN CERTIFICATE-----
        MIIDRDCCAiygAw....

openvpn fails to start, log tells: daemon.err openvpn(CHICAGO)[18744]: Options error: unknown --redirect-gateway flag: def


My mistake, I made a typo: it is def1. I corrected my posting.

The main problem is not the firewall, it is the routing: you first need a default route via the VPN.
If everything works with redirect-gateway def1, you should see 0.0.0.0/1 and 128.0.0.0/1 routes via the VPN with
ip route show
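The two conditions raised in this thread (the def1 half-routes must point at the tunnel, and the lan zone must forward only into the masquerading VPN zone) can be checked offline against saved router output. The script below is an added example, not code from the thread or from OpenWrt; it assumes the zone name OC and the device tun0 used in the posts above, and all route and firewall text in it is constructed to match the configurations shown, not captured from a live device.

```shell
#!/bin/sh
# Added example, not part of the thread: offline sanity checks for the
# "send all LAN traffic through the VPN" setup discussed above. Each check
# takes text captured from the router, so saved output can be tested anywhere.

# Constructed `ip route show` output matching the poster's table: there are no
# 0.0.0.0/1 and 128.0.0.0/1 routes, so the tunnel is not the default route.
ROUTES_BEFORE='default via 192.168.1.1 dev eth0.2  src 192.168.1.9
100.96.1.16/28 dev tun0 scope link  src 100.96.1.18
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.9
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1'

# Constructed output of the same table after the client applied
# `redirect-gateway def1` (the two /1 routes override the WAN default).
ROUTES_AFTER='0.0.0.0/1 via 100.96.1.17 dev tun0
default via 192.168.1.1 dev eth0.2  src 192.168.1.9
100.96.1.16/28 dev tun0 scope link  src 100.96.1.18
128.0.0.0/1 via 100.96.1.17 dev tun0
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.9
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1'

# Constructed /etc/config/firewall fragments based on the thread's
# "configuration 1" (lan -> OC only) and "configuration 2" (lan -> OC + wan).
FW_VPN_ONLY="config zone
	option name 'OC'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	list network 'CloudConnexa'

config forwarding
	option src 'lan'
	option dest 'OC'"

FW_VPN_AND_WAN="$FW_VPN_ONLY

config forwarding
	option src 'lan'
	option dest 'wan'"

# vpn_default_route_ok ROUTE_TEXT VPN_DEV
# Returns 0 only when both def1 half-routes point at VPN_DEV. Without them the
# kernel keeps using the WAN default route even though the firewall allows
# forwarding into the VPN zone, which is the symptom described in the thread.
vpn_default_route_ok() {
    printf '%s\n' "$1" | grep -qE "^0\.0\.0\.0/1 .*dev $2( |\$)" || return 1
    printf '%s\n' "$1" | grep -qE "^128\.0\.0\.0/1 .*dev $2( |\$)" || return 1
}

# lan_forward_targets FIREWALL_TEXT
# Prints every zone the 'lan' zone may forward into, one per line.
lan_forward_targets() {
    printf '%s\n' "$1" | tr -d "'" | awk '
        $1 == "config" { inblk = ($2 == "forwarding"); src = ""; dst = ""; next }
        inblk && $1 == "option" && $2 == "src"  { src = $3 }
        inblk && $1 == "option" && $2 == "dest" { dst = $3 }
        inblk && src == "lan" && dst != ""      { print dst; src = ""; dst = "" }
    '
}

# zone_masq_enabled FIREWALL_TEXT ZONE
# Returns 0 when ZONE masquerades; the tunnel only carries the router's own
# address, so LAN sources must be NATed onto it or replies never come back.
zone_masq_enabled() {
    printf '%s\n' "$1" | tr -d "'" | awk -v z="$2" '
        $1 == "config" { inzone = ($2 == "zone"); name = ""; masq = "" }
        inzone && $1 == "option" && $2 == "name" { name = $3 }
        inzone && $1 == "option" && $2 == "masq" { masq = $3 }
        inzone && name == z && masq == "1"       { found = 1 }
        END { exit !(found) }
    '
}

# lan_vpn_only FIREWALL_TEXT VPN_ZONE
# Returns 0 when lan forwards into VPN_ZONE and nowhere else, and VPN_ZONE
# masquerades. A leftover lan -> wan forwarding is what lets traffic bypass
# the tunnel in "configuration 2".
lan_vpn_only() {
    targets=$(lan_forward_targets "$1")
    [ "$targets" = "$2" ] || return 1
    zone_masq_enabled "$1" "$2"
}

# Human-readable report over one route table and one firewall config.
report() {
    if vpn_default_route_ok "$1" tun0; then echo "routing: default via tun0"
    else echo "routing: default still via WAN (redirect-gateway def1 missing?)"; fi
    if lan_vpn_only "$2" OC; then echo "firewall: lan forwards to OC only, masq on"
    else echo "firewall: lan can forward around OC, or masq is off"; fi
}

report "$ROUTES_BEFORE" "$FW_VPN_AND_WAN"
report "$ROUTES_AFTER" "$FW_VPN_ONLY"
```

On a real router the same functions can be fed live data with `vpn_default_route_ok "$(ip route show)" tun0` and `lan_vpn_only "$(cat /etc/config/firewall)" OC`; the first failing check tells you whether to look at the OpenVPN client options or at the firewall forwardings.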

Hello,

thanks, I changed to def1 and now the OPEN VPN restarts correctly; the interface created on tun0 is also restarting properly. However, as soon as I remove the firewall rule that forwards to both WAN and VPN and I leave VPN only, then wifi connected computers are not reaching the internet anymore.

The output of route show is below.

root@OpenWrt:~# ip route show
default via 192.168.1.1 dev eth0.2  src 192.168.1.9 
100.96.1.16/28 dev tun0 scope link  src 100.96.1.18 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.9 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1