OpenVPN installation - multiple howtos

Well, what is meant by dual_Stack?
Seems a complicated how-to; is there any way to extend https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic for multiple users? Thank you.

In that case, how / where can I provide the password on the client side for that pass-protected key and cert? I am so confused ;-/ Is there any working guide on how to set it up for multiple clients? Thank you.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#multi-client

It's pretty messed up now:
wget --no-check-certificate -O /tmp/create-certs.sh "...ode/docs/guide-user/services/vpn/openvpn/basic?codeblock=1"
sh -v -x /tmp/create-certs.sh

The script downloaded via wget is different from the script provided on the how-to page... which one is correct now? Execution of the script from wget ... produced multiple errors: /tmp/create-certs.sh: line 1: service: not found

But again, it's completely different from the one on the how-to website...

The one wget points to seems to me the same as create-configs.sh ... so I executed the one that is part of the how-to page.

server config:
wget --no-check-certificate -O /tmp/create-configs.sh ".... user/services/vpn/openvpn/basic?codeblock=3"

This one points in the wrong direction: 404

and the script says:

create-configs.sh: line 1: service: not found

Client section
wget --no-check-certificate -O /tmp/create-ovpn.sh "...services/vpn/openvpn/basic?codeblock=5
"
--2019-02-07 00:59:20-- h...uide-user/services/vpn/openvpn/basic?codeblock=5
Resolving openwrt.org... 139.59.209.225, 2a03:b0c0:3:d0::1af1:1
Connecting to openwrt.org|139.59.209.225|:443... connected.
WARNING: cannot verify openwrt.org's certificate, issued by 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US':
Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 404 Not Found
2019-02-07 00:59:20 ERROR 404: Not Found.

Do not use wget; just copy-paste the code. You can copy-paste several lines at once.

Copy-paste is a mess... it shifts everything by a tab or something... so it doesn't work properly then.

What OS and terminal are you using?

OK, fixed.

I changed the client config because the generated file has:
remote local_ip instead of hostname

I imported a config - now I get "Waiting on VPN server" and after a while -> timeout

on lede: netstat -alpn
udp 0 0 0.0.0.0:1194 0.0.0.0:* 21490/openvpn

It seems that the OpenVPN server is running.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/server#troubleshooting

I am on the same LAN and I tried remote as the IP of the router's WAN port and it's still timing out...
even the LEDE says

root@LEDE:/tmp# netstat  -tulpn|grep  1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           21490/openvpn

eth1      Link encap:Ethernet            inet addr:10.0.0.4   (WAN)
lan is 10.0.1.x

There must be some wrong FW rule?

Plus I found the "errors" in the log:

Thu Feb  7 01:40:07 2019 daemon.err openvpn(vpnserver)[21490]: tls-crypt unwrap error: packet too short
Thu Feb  7 01:40:07 2019 daemon.err openvpn(vpnserver)[21490]: TLS Error: tls-crypt unwrapping failed from [AF_INET]10.0.1.137:54052

where 10.0.1.137 acts as the client

This looks like a bug, specific to LEDE 17.01:
https://forums.openvpn.net/viewtopic.php?t=23181

I have OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152) and that link comes with no solution :( Does that mean no one is able to use OpenVPN on OpenWrt?

I've tested it on OpenWrt 18.06.1 and it works fine.
Show your OpenVPN client and server configs.

Weird, the configs are generated by the script provided on the how-to website. Will paste them shortly.
YES - my configs are exactly the same as you pasted... as they were generated by the scripts on the how-to website. I do not understand, then, where the issue is?

the client one:
verb 3
nobind
dev tun
client
remote 10.0.0.4 1194 udp
auth-nocache
remote-cert-tls server

and the server:
client-to-client
persist-key
persist-tun
ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/vpnserver.crt
compress lzo
dev tun0
dh /etc/easy-rsa/pki/dh.pem
group nogroup
keepalive 10 120
key /etc/easy-rsa/pki/private/vpnserver.key
port 1194
proto udp
push "redirect-gateway def1"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "compress lzo"
push "persist-tun"
push "persist-key"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "dhcp-option DOMAIN lan"
push "dhcp-option DNS 10.0.1.1"
push "persist-tun"
push "persist-key"
push "redirect-gateway def1"
push "dhcp-option DOMAIN lan"
push "dhcp-option DNS 10.0.1.1"
push "persist-tun"
push "persist-key"
push "redirect-gateway def1"
push "dhcp-option DOMAIN lan"
push "dhcp-option DNS 10.0.1.1"
push "persist-tun"
push "persist-key"
server 192.168.8.0 255.255.255.0
tls-crypt /etc/easy-rsa/pki/tc.pem
topology subnet
user nobody
verb 3

It should be like this:

# cat /etc/easy-rsa/pki/tc.pem 
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----

# cat /etc/openvpn/vpnclient.ovpn
verb 3
nobind
dev tun
client
remote SERVER_ADDRESS 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
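
One way to check a client profile against the server's `tls-crypt` key file, as an added example that is not from the thread or the OpenWrt wiki. The function names and the shortened sample key are constructed, and it assumes the key is inlined in a `<tls-crypt>` block as in the expected profile above.

```shell
#!/bin/sh
# Added example, not from the thread. Key material below is constructed.

# Print the body of an OpenVPN static key read from stdin, whitespace stripped.
static_key_body() {
    awk '/-----BEGIN OpenVPN Static key V1-----/ { on = 1; next }
         /-----END OpenVPN Static key V1-----/   { on = 0 }
         on { gsub(/[ \t\r]/, ""); if ($0 != "") print }'
}

# Print the lines inside the inline <tls-crypt> block of a client profile.
inline_tls_crypt() {
    awk '/^[ \t]*<tls-crypt>/   { on = 1; next }
         /^[ \t]*<\/tls-crypt>/ { on = 0 }
         on' "$1" 2>/dev/null
}

# check_tls_crypt SERVER_KEY_FILE CLIENT_OVPN
# Prints one of: match, mismatch, client-missing, server-missing
check_tls_crypt() {
    srv=$(cat "$1" 2>/dev/null | static_key_body)
    cli=$(inline_tls_crypt "$2" | static_key_body)
    if   [ -z "$srv" ];       then echo server-missing
    elif [ -z "$cli" ];       then echo client-missing
    elif [ "$srv" = "$cli" ]; then echo match
    else                           echo mismatch
    fi
}

# Constructed sample data (shortened key, not a real one).
demo=$(mktemp -d)
printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
    '-----BEGIN OpenVPN Static key V1-----' \
    '00112233445566778899aabbccddeeff' 'ffeeddccbbaa99887766554433221100' \
    '-----END OpenVPN Static key V1-----' > "$demo/tc.pem"
# Profile with the directives posted in the thread and no <tls-crypt> block.
printf '%s\n' 'verb 3' 'nobind' 'dev tun' 'client' 'remote 10.0.0.4 1194 udp' \
    'auth-nocache' 'remote-cert-tls server' > "$demo/posted.ovpn"
# Profile in the expected shape: the same key inlined.
{ cat "$demo/posted.ovpn"; echo '<tls-crypt>'; cat "$demo/tc.pem"; echo '</tls-crypt>'; } \
    > "$demo/expected.ovpn"

echo "posted:   $(check_tls_crypt "$demo/tc.pem" "$demo/posted.ovpn")"
echo "expected: $(check_tls_crypt "$demo/tc.pem" "$demo/expected.ovpn")"
```

On the router the call would be `check_tls_crypt /etc/easy-rsa/pki/tc.pem /etc/openvpn/vpnclient.ovpn`, using the two paths shown above.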

My config looks exactly the same!

Try to disable tls-crypt, at least temporarily.

To disable tls-crypt where? Client / server?