OpenVPN help network/netmask combination error

I followed this guide for setting up OpenVPN but it will not start. https://openwrt.org/docs/guide-user/services/vpn/openvpn/server
I'm receiving the following error: --server directive network/netmask combination is invalid

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/openvpn
root@HP-OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "HP-OpenWrt",
	"system": "AMD Phenom(tm) II X2 511 Processor",
	"model": "Hewlett-Packard s5730y",
	"board_name": "hewlett-packard-s5730y",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "x86/64",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

root@HP-OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb4:b5fa:497e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.120'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option hostname '*'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option verb '3'

config openvpn 'server'
	option enabled '1'
	option config '/etc/openvpn/server.conf'

Can you show us this file (since it turns out you've got the openvpn conf file elsewhere).

(The contents of the /etc/config/openvpn file are fine, but largely irrelevant)

I did not get the conf file elsewhere; it was created using the tutorial via the terminal, but it doesn't display the same way as one created using the LuCI app.

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.1.120 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.1.120"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
*
-----END DH PARAMETERS-----
</dh>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
*
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----
*
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----
</ca>

If I change the IP to 192.168.1.0 the service will start without the error but my IP is configured for 192.168.1.120 so it will not work.

Ok... so there are two issues:

  1. The subnet overlaps your lan (and in fact, it's specified with the same IP address, so it will absolutely conflict).
  2. The OpenVPN IP/subnet mask should be such that the subnet is specified, but not a host address. In this case, the .0 address for the /24 subnet size would be the subnet/network address, which is what should be used (.120 is a host address).

So it should be specified like:

192.168.9.0 255.255.255.0

This way, it doesn't overlap your LAN subnet, and it is specifying the entire 192.168.9.0/24 network. When the server starts up, it will use 192.168.9.1 as its address.

Correct, and expected. You must use a different, non-overlapping subnet.
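The two checks described above (network address versus host address, and overlap with the LAN subnet), as an added example that is not part of the original thread; the directive strings and the LAN prefix below are constructed from the values posted earlier, and the messages it returns are this script's own wording, not OpenVPN's:

```python
import ipaddress

# Constructed samples mirroring the thread: the failing directive, the one
# that starts but collides with the LAN, and the suggested fix.
SERVER_BAD = "server 192.168.1.120 255.255.255.0"
SERVER_OVERLAP = "server 192.168.1.0 255.255.255.0"
SERVER_GOOD = "server 192.168.9.0 255.255.255.0"
# ipaddr + netmask of the 'lan' interface from /etc/config/network
LAN_CIDR = "192.168.1.120/255.255.255.0"


def parse_server_directive(line):
    """Split an OpenVPN 'server <network> <netmask>' line into (network, netmask)."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "server":
        raise ValueError("not a server directive: %r" % line)
    return parts[1], parts[2]


def check_server_directive(line, lan_cidr):
    """Return a list of problems with the directive; an empty list means it is acceptable."""
    problems = []
    ip, mask = parse_server_directive(line)
    try:
        # strict=True rejects an address with host bits set, which is the
        # condition behind "--server directive network/netmask combination is invalid".
        vpn_net = ipaddress.ip_network(f"{ip}/{mask}", strict=True)
    except ValueError:
        vpn_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        problems.append(
            f"{ip} is a host address, not a network address; "
            f"use {vpn_net.network_address} for mask {mask}"
        )
    # The VPN pool must not share addresses with the router's own LAN.
    lan_net = ipaddress.ip_network(lan_cidr, strict=False)
    if vpn_net.overlaps(lan_net):
        problems.append(f"VPN subnet {vpn_net} overlaps LAN subnet {lan_net}")
    return problems


def vpn_server_address(line):
    """First usable address of the pool, which the server takes for itself in topology subnet."""
    ip, mask = parse_server_directive(line)
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.network_address + 1)


if __name__ == "__main__":
    for directive in (SERVER_BAD, SERVER_OVERLAP, SERVER_GOOD):
        print(directive, "->", check_server_directive(directive, LAN_CIDR) or "ok")
```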

OK, the service is up and running again, but my iPhone is not connecting to it. I imported the .ovpn file into the official app on the phone. I have DDNS properly configured and can ssh into the router remotely.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/openvpn/server.conf

And also please show us the logs from your phone.

I'm seeing "key negotiation failed" and "TLS handshake failed" in my OpenWrt system log. I'm not sure how to access the logs in the iPhone app.

I see where the iPhone app says "connection timeout error".

root@HP-OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

Look at the upper right hand corner of the app (just below your battery icon). You'll see an icon with < > on it... that's the log. Click into it and then click the "X" in the upper right hand corner. Finally, go back and attempt to connect. Once it times out, click back into the log and you can share it from there.

I found it after typing that and that is where I posted how the log just shows event connection timeout error.

Can we see the actual log output?

I don't really have anything set up on the phone yet to share it. Just got the phone today and don't really care for the phone OS. I was just using it to test, since it would be outside of the network with WiFi disabled. It resolves the URL to the proper IP and then just times out. As I said, the OpenWrt system log shows: 54038 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

I could boot up a virtual machine and import the .ovpn file, but I would already be on the same network.

Connect your phone to your router's wifi and then change the IP address to the router (192.168.1.120). See if it is able to complete the init sequence.

Meanwhile, is there a reason you are using OpenVPN? I'd recommend WireGuard, since it is easier to configure and much more performant.

Would I put it in the "server override (optional)" section? Where the server hostname is listed it says "(locked)", and there is no easy way to edit the .ovpn file on the iPhone. I had to connect it to the latest macOS just to get the file onto the phone.