Hi,
I've followed the steps in the OpenVPN Client wiki guide to configure my OpenWrt router as an OpenVPN client. The OpenVPN service connects to the server successfully, but devices on the LAN aren't able to access the internet while it's running.
I'm assuming there is a misconfiguration in my firewall or routing, but I don't know how to fix it.
Here is the client log:
# logread -e openvpn
Sat Oct 27 15:40:34 2018 daemon.notice openvpn(vpnclient)[3269]: TCP_CLIENT WRITE [41] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=40
Sat Oct 27 15:40:34 2018 daemon.notice openvpn(vpnclient)[3269]: TCP_CLIENT READ [41] from [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=40
Sat Oct 27 15:40:35 2018 daemon.err openvpn(vpnclient)[3269]: event_wait : Interrupted system call (code=4)
Sat Oct 27 15:40:35 2018 daemon.notice openvpn(vpnclient)[3269]: TCP/UDP: Closing socket
Sat Oct 27 15:40:35 2018 daemon.notice openvpn(vpnclient)[3269]: Closing TUN/TAP interface
Sat Oct 27 15:40:35 2018 daemon.notice openvpn(vpnclient)[3269]: /sbin/ifconfig tun0 x.x.x.x
Sat Oct 27 15:40:35 2018 daemon.notice openvpn(vpnclient)[3269]: SIGTERM[hard,] received, process exiting
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: LZO compression initializing
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: calc_options_string_link_mtu: link-mtu 1624 -> 1572
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: calc_options_string_link_mtu: link-mtu 1624 -> 1572
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Attempting to establish TCP connection with [AF_INET]x.x.x.x:443 [nonblock]
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP connection established with [AF_INET]x.x.x.x:443
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT link local: (not bound)
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT link remote: [AF_INET]x.x.x.x:443
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [14] to [AF_INET]x.x.x.x:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [26] from [AF_INET]x.x.x.x:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TLS: Initial packet from [AF_INET]x.x.x.x:443, sid=24109957 9b7382fc
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [22] to [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 0 ]
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [108] to [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=94
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [1196] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1170
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [22] to [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 1 ]
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [1184] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1170
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [22] to [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 2 ]
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [1052] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=1038
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: VERIFY OK:
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: VERIFY X509NAME OK:
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: VERIFY OK:
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [368] to [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ 3 ] pid=2 DATA len=342
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [101] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ 2 ] pid=4 DATA len=75
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [479] to [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ 4 ] pid=3 DATA len=453
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [287] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ 3 ] pid=5 DATA len=261
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [22] to [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 5 ]
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: [example.com] Peer Connection Initiated with [AF_INET]x.x.x.x:443
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: SENT CONTROL [example.com]: 'PUSH_REQUEST' (status=1)
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [83] to [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=69
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [22] from [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 4 ]
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [323] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=309
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS x.x.x.x,dhcp-option DNS x.x.x.x,explicit-exit-notify 5,comp-lzo no,route-gateway x.x.x.x,topology subnet,ping 20,ping-restart 40,ifconfig x.x.x.x x.x.x.x,peer-id 0,cipher AES-256-GCM'
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: timers and/or timeouts modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: compression parms modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: route options modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: route-related options modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: peer-id set
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: adjusting link_mtu to 1627
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: data channel crypto options modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 48 bytes
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: Data Channel MTU parms [ L:1555 D:1450 EF:55 EB:406 ET:0 EL:3 ]
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TUN/TAP device tun0 opened
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TUN/TAP TX queue length set to 100
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: /sbin/ifconfig tun0 x.x.x.x netmask x.x.x.x mtu 1500 broadcast x.x.x.x
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: /sbin/route add -net x.x.x.x netmask x.x.x.x gw x.x.x.x
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: /sbin/route add -net x.x.x.x netmask x.x.x.x gw x.x.x.x
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: /sbin/route add -net x.x.x.x netmask x.x.x.x gw x.x.x.x
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: Initialization Sequence Completed
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [22] to [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 6 ]
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [101] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=100
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [101] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=100
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:40 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:40 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [101] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=100
Sat Oct 27 15:40:40 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:40 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:40 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:41 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:41 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [89] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=88
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [89] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=88
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [147] from [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=146
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [147] from [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=146
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [175] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=174
Sat Oct 27 15:40:43 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [93] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=92
Sat Oct 27 15:40:43 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:43 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [133] from [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=132
Sat Oct 27 15:40:45 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:46 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:51 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:53 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:53 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:54 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:54 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:56 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Here's the firewall config
# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'vpn'
option input 'REJECT'
option masq '1'
option network 'vpnclient'
config forwarding
option src 'lan'
option dest 'vpnclient'
Here's the OpenVPN config:
# cat /etc/config/openvpn
config openvpn 'vpnclient'
option enabled '1'
option config '/etc/openvpn/client.ovpn'
# cat /etc/openvpn/client.ovpn
client
dev tun0
proto tcp
remote example.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca client.crt
verify-x509-name example.com name
auth-user-pass client.auth
comp-lzo
verb 7
auth SHA256
cipher AES-256-CBC
tls-cipher TLS-...-SHA
auth-nocache