OpenVPN manual config, any changes since 18.x.x

I have not configured OpenVPN since release level 18.x.x.x. Is the common method for manual configuration of OpenVPN still to add this to the firewall config file to open the port 1194? The reason I ask is that, monitoring the log, I see where OpenVPN is properly initialized, but when I come from another ISP there is nothing logged showing that I am trying to get into the server. The configuration is exactly the same as in previous years' releases; the only difference is new hardware, a Xiaomi AX3200, and the latest supported release of OpenWrt, 22.03.2 r19803-9a599fee93. I checked with my ISP and the port 1194 is not blocked. All I can figure out is maybe there is now a different way to open the port other than adding this to /etc/config/firewall?

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '1194'

I changed my OpenVPN client profile to connect to the LAN side, hoping this would reveal whether it is the server that is failing rather than the directed ports, and when I point it at the router's LAN address on the local subnet it won't connect either, but I'm not sure it's supposed to work that way. I'm trying to figure out if I can use another router to test it.

You'll always have to open the firewall to allow incoming OpenVPN on the wan side. This is not something that the OpenVPN package controls. There may have been some "up" scripts distributed that include allowing input from WAN, but those would have used iptables which is now replaced by nftables, so it would be best to just open the port at the high level with UCI.

Later versions of OpenVPN may refuse to link to older versions since the encryption used is now considered not secure enough. This should appear in the log. OpenVPN places a lot of messages in the log usually making it straightforward to diagnose the reason it did not connect.

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'

The src should be the zone the traffic is coming from.
Are you using openvpn on UDP port 1194?

Yes, UDP port 1194 coming in.

Here is the way I have my server configured:
https://www.laroccx.com/posts/openvpn-openwrt/

Regarding option src '*': someone once told me that if you use an asterisk, the server can be accessed from the LAN or WAN side?

The default lan zone allows input to all ports. It is not necessary to add additional rules to allow a service on lan, they are all allowed.

Reaching your WAN IP from the LAN may not always work. Test a home VPN server at home using a separate Internet connection for the client such as a phone hotspot.

Could you provide the output of the following, please?

--Restart services
/etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10

--Log and status
logread -e openvpn; netstat -l -n -p | grep -e openvpn

--Runtime configuration

pgrep -f -a openvpn
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset

--Persistent configuration

uci show network; uci show firewall; uci show openvpn
head -v -n -0 /etc/openvpn/*.conf

They're from the wiki - https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

Thanks for taking the time to help


BusyBox v1.35.0 (2022-10-14 22:44:41 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.2, r19803-9a599fee93
 -----------------------------------------------------
root@OpenWrt:~# /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10

root@OpenWrt:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Wed Nov  2 02:26:00 2022 daemon.err openvpn(myvpn)[2308]: event_wait : Interrupted system call (code=4)
Wed Nov  2 02:26:00 2022 daemon.notice openvpn(myvpn)[2308]: net_route_v4_del: 10.8.0.0/24 via 10.8.0.2 dev [NULL] table 0 metric -1
Wed Nov  2 02:26:00 2022 daemon.notice openvpn(myvpn)[2308]: Closing TUN/TAP interface
Wed Nov  2 02:26:00 2022 daemon.notice openvpn(myvpn)[2308]: net_addr_ptp_v4_del: 10.8.0.1 dev tun0
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[2308]: /usr/libexec/openvpn-hotplug down myvpn tun0 1500 1621 10.8.0.1 10.8.0.2 init
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[2308]: SIGTERM[hard,] received, process exiting
Wed Nov  2 02:26:01 2022 daemon.warn openvpn(myvpn)[8092]: WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
Wed Nov  2 02:26:01 2022 daemon.warn openvpn(myvpn)[8092]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: OpenVPN 2.5.7 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: net_route_v4_best_gw query: dst 0.0.0.0
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: net_route_v4_best_gw result: via 192.168.100.1 dev wan
Wed Nov  2 02:26:01 2022 daemon.warn openvpn(myvpn)[8092]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: Diffie-Hellman initialized with 2048 bit key
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: net_route_v4_best_gw query: dst 0.0.0.0
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: net_route_v4_best_gw result: via 192.168.100.1 dev wan
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: TUN/TAP device tun0 opened
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: net_iface_mtu_set: mtu 1500 for tun0
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: net_iface_up: set tun0 up
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: net_addr_ptp_v4_add: 10.8.0.1 peer 10.8.0.2 dev tun0
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: /usr/libexec/openvpn-hotplug up myvpn tun0 1500 1621 10.8.0.1 10.8.0.2 init
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: net_route_v4_add: 10.8.0.0/24 via 10.8.0.2 dev [NULL] table 0 metric -1
Wed Nov  2 02:26:01 2022 daemon.warn openvpn(myvpn)[8092]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: UDPv4 link local (bound): [AF_INET][undef]:1149
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: UDPv4 link remote: [AF_UNSPEC]
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: MULTI: multi_init called, r=256 v=256
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: IFCONFIG POOL IPv4: base=10.8.0.4 size=62
Wed Nov  2 02:26:01 2022 daemon.notice openvpn(myvpn)[8092]: Initialization Sequence Completed
udp        0      0 0.0.0.0:1149            0.0.0.0:*                           8092/openvpn

root@OpenWrt:~# pgrep -f -a openvpn
8092 /usr/sbin/openvpn --syslog openvpn(myvpn) --status /var/run/openvpn.myvpn.status --cd /var/etc --config openvpn-myvpn.conf --up /usr/libexec/openvpn-hotplug up myvpn --down /usr/libexec/openvpn-hotplug down myvpn --script-security 2
root@OpenWrt:~# ip address show; ip route show table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc fq_codel state UP qlen 1000
    link/ether 5c:02:14:b0:96:b1 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5e02:14ff:feb0:96b1/64 scope link
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 5c:02:14:30:32:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.68/24 brd 192.168.100.255 scope global wan
       valid_lft forever preferred_lft forever
    inet6 2806:2f0:61e0:758:5e02:14ff:fe30:323b/64 scope global dynamic noprefixroute
       valid_lft 258972sec preferred_lft 172572sec
    inet6 2806:2f0:61e0:758::1/128 scope global dynamic noprefixroute
       valid_lft 242780sec preferred_lft 156380sec
    inet6 fe80::5e02:14ff:fe30:323b/64 scope link
       valid_lft forever preferred_lft forever
4: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 5c:02:14:b0:96:b1 brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 5c:02:14:b0:96:b1 brd ff:ff:ff:ff:ff:ff
6: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 5c:02:14:b0:96:b1 brd ff:ff:ff:ff:ff:ff
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 5c:02:14:b0:96:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.26.1/24 brd 192.168.26.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd24:902b:33c::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::5e02:14ff:feb0:96b1/64 scope link
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 5c:02:14:b0:96:b3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5e02:14ff:feb0:96b3/64 scope link
       valid_lft forever preferred_lft forever
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 5c:02:14:b0:96:b2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5e02:14ff:feb0:96b2/64 scope link
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534]
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8061:b8af:b3b3:4a59/64 scope link flags 800
       valid_lft forever preferred_lft forever
default via 192.168.100.1 dev wan  src 192.168.100.68
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 scope link  src 10.8.0.1
192.168.26.0/24 dev br-lan scope link  src 192.168.26.1
192.168.100.0/24 dev wan scope link  src 192.168.100.68
local 10.8.0.1 dev tun0 table local scope host  src 10.8.0.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.26.0 dev br-lan table local scope link  src 192.168.26.1
local 192.168.26.1 dev br-lan table local scope host  src 192.168.26.1
broadcast 192.168.26.255 dev br-lan table local scope link  src 192.168.26.1
broadcast 192.168.100.0 dev wan table local scope link  src 192.168.100.68
local 192.168.100.68 dev wan table local scope host  src 192.168.100.68
broadcast 192.168.100.255 dev wan table local scope link  src 192.168.100.68
default from 2806:2f0:61e0:758::1 via fe80::1 dev wan  metric 512
default from 2806:2f0:61e0:758::/64 via fe80::1 dev wan  metric 512
2806:2f0:61e0:758::/64 dev wan  metric 256
unreachable 2806:2f0:61e0:758::/64 dev lo  metric 2147483647
fd24:902b:33c::/64 dev br-lan  metric 1024
unreachable fd24:902b:33c::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan0  metric 256
fe80::/64 dev wan  metric 256
fe80::/64 dev wlan1  metric 256
fe80::/64 dev tun0  metric 256
local ::1 dev lo table local  metric 0
anycast 2806:2f0:61e0:758:: dev wan table local  metric 0
local 2806:2f0:61e0:758::1 dev wan table local  metric 0
local 2806:2f0:61e0:758:5e02:14ff:fe30:323b dev wan table local  metric 0
anycast fd24:902b:33c:: dev br-lan table local  metric 0
local fd24:902b:33c::1 dev br-lan table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
anycast fe80:: dev wan table local  metric 0
anycast fe80:: dev wlan1 table local  metric 0
anycast fe80:: dev tun0 table local  metric 0
local fe80::5e02:14ff:fe30:323b dev wan table local  metric 0
local fe80::5e02:14ff:feb0:96b1 dev br-lan table local  metric 0
local fe80::5e02:14ff:feb0:96b1 dev eth0 table local  metric 0
local fe80::5e02:14ff:feb0:96b2 dev wlan0 table local  metric 0
local fe80::5e02:14ff:feb0:96b3 dev wlan1 table local  metric 0
local fe80::8061:b8af:b3b3:4a59 dev tun0 table local  metric 0
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev wlan0 table local  metric 256
multicast ff00::/8 dev wan table local  metric 256
multicast ff00::/8 dev wlan1 table local  metric 256
multicast ff00::/8 dev tun0 table local  metric 256

root@OpenWrt:~# ip rule show; ip -6 rule show; nft list ruleset
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
0:      from all lookup local
32766:  from all lookup main
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                udp dport 1194 counter packets 0 bytes 0 accept comment "!fw4: Allow-OpenVPN-Inbound"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "tun0" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "tun0" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "tun0" jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "br-lan" counter packets 66 bytes 5098 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-lan" counter packets 19 bytes 1304 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 3 bytes 192 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                oifname "wan" counter packets 313 bytes 38801 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "wan" counter packets 16 bytes 2173 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_vpn {
                jump accept_from_vpn
        }

        chain output_vpn {
                jump accept_to_vpn
        }

        chain forward_vpn {
                jump accept_to_wan comment "!fw4: Accept vpn to wan forwarding"
                jump accept_to_lan comment "!fw4: Accept vpn to lan forwarding"
                jump accept_to_vpn
        }

        chain helper_vpn {
        }

        chain accept_from_vpn {
                iifname "tun0" counter packets 0 bytes 0 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
        }

        chain accept_to_vpn {
                oifname "tun0" counter packets 2 bytes 152 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                oifname "tun0" jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
                iifname "tun0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
                oifname "tun0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
        }

        chain srcnat_vpn {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
        }
}

root@OpenWrt:~# uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd24:902b:033c::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.26.1'
network.@device[1]=device
network.@device[1].name='wan'
network.@device[1].macaddr='5c:02:14:30:32:3b'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.vpn0=interface
network.vpn0.proto='none'
network.vpn0.auto='1'
network.vpn0.device='tun0'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='vpn0'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ICMPv6-Forward'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='*'
firewall.@rule[9].proto='icmp'
firewall.@rule[9].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[9].limit='1000/sec'
firewall.@rule[9].family='ipv6'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-IPSec-ESP'
firewall.@rule[10].src='wan'
firewall.@rule[10].dest='lan'
firewall.@rule[10].proto='esp'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-ISAKMP'
firewall.@rule[11].src='wan'
firewall.@rule[11].dest='lan'
firewall.@rule[11].dest_port='500'
firewall.@rule[11].proto='udp'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[12]=rule
firewall.@rule[12].name='Allow-OpenVPN-Inbound'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].src='*'
firewall.@rule[12].proto='udp'
firewall.@rule[12].dest_port='1194'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpn'
firewall.@forwarding[2].dest='lan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='vpn'
openvpn.myvpn=openvpn
openvpn.myvpn.enabled='1'
openvpn.myvpn.verb='3'
openvpn.myvpn.port='1149'
openvpn.myvpn.proto='udp'
openvpn.myvpn.dev='tun'
openvpn.myvpn.server='10.8.0.0 255.255.255.0'
openvpn.myvpn.ca='/etc/openvpn/ca.crt'
openvpn.myvpn.cert='/etc/openvpn/cert.crt'
openvpn.myvpn.key='/etc/openvpn/mykey.key'
openvpn.myvpn.dh='/etc/openvpn/dh2048.pem'
openvpn.myvpn.keepalive='10 120'
openvpn.myvpn.status='/var/log/openvpn-status.log'
openvpn.myvpn.push='route 192.168.26.0 255.255.255.0' 'redirect-gateway def1' 'dhcp-option DNS 192.168.26.1'

root@OpenWrt:~# head -v -n -0 /etc/openvpn/*.conf
head: /etc/openvpn/*.conf: No such file or directory

root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
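Added example, not part of any post in this thread: a shell check that compares the port each enabled OpenVPN instance is configured to listen on with the firewall rules that accept router input from the WAN zone, reading the `uci show` format printed above. The function names and the embedded sample (lines copied from the posted output) are constructed for illustration; `family`, `src_ip` and other match options are ignored.

```shell
#!/bin/sh
# Added example: does a firewall input rule open the port OpenVPN listens on?
# Input is the text printed by `uci show openvpn` and `uci show firewall`.

# Constructed sample: lines copied from the output posted in this thread.
SAMPLE_OPENVPN="openvpn.myvpn=openvpn
openvpn.myvpn.enabled='1'
openvpn.myvpn.port='1149'
openvpn.myvpn.proto='udp'"

SAMPLE_FIREWALL="firewall.@rule[0]=rule
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[12]=rule
firewall.@rule[12].name='Allow-OpenVPN-Inbound'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].src='*'
firewall.@rule[12].proto='udp'
firewall.@rule[12].dest_port='1194'"

# Print "instance proto port" for each enabled OpenVPN instance.
vpn_listeners() {
    printf '%s\n' "$1" | awk '
        {
            i = index($0, "="); if (i == 0) next
            n = split(substr($0, 1, i - 1), k, ".")
            v = substr($0, i + 1); gsub("\047", "", v)   # strip single quotes
            if (k[1] != "openvpn") next
            if (n == 2) order[++cnt] = k[2]
            if (n == 3) opt[k[2], k[3]] = v
        }
        END {
            for (j = 1; j <= cnt; j++) {
                s = order[j]
                if (opt[s, "enabled"] != "1") continue
                # OpenVPN defaults (udp, 1194) apply when the option is absent
                proto = ((s, "proto") in opt) ? substr(opt[s, "proto"], 1, 3) : "udp"
                port = ((s, "port") in opt) ? opt[s, "port"] : "1194"
                print s, proto, port
            }
        }'
}

# Exit 0 if an ACCEPT rule for router input from zone $4 (default wan) covers $2/$3.
fw_accepts() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" -v zone="${4:-wan}" '
        {
            i = index($0, "="); if (i == 0) next
            n = split(substr($0, 1, i - 1), k, ".")
            v = substr($0, i + 1); gsub("\047", "", v)
            if (k[1] != "firewall") next
            if (n == 2 && v == "rule") rules[k[2]] = 1
            if (n == 3) opt[k[2], k[3]] = v
        }
        END {
            for (r in rules) {
                if (opt[r, "target"] != "ACCEPT") continue
                if ((r, "dest") in opt) continue      # forwarded traffic, not router input
                if (opt[r, "src"] != "*" && opt[r, "src"] != zone) continue
                p = ((r, "proto") in opt) ? opt[r, "proto"] : "tcp udp"
                if (index(p, proto) == 0) continue
                if (!((r, "dest_port") in opt)) { found = 1; continue }   # any port
                m = split(opt[r, "dest_port"], part, " ")
                for (j = 1; j <= m; j++) {            # single ports and a-b / a:b ranges
                    c = split(part[j], b, "[-:]")
                    lo = b[1] + 0; hi = (c > 1 ? b[2] : b[1]) + 0
                    if (port + 0 >= lo && port + 0 <= hi) found = 1
                }
            }
            exit(found ? 0 : 1)
        }'
}

# Report every enabled instance; return 1 if any listen port is not opened.
check_vpn_firewall() {
    rc=0
    listeners=$(vpn_listeners "$1")
    [ -n "$listeners" ] || { echo "no enabled OpenVPN instance"; return 2; }
    while read -r name proto port; do
        if fw_accepts "$2" "$proto" "$port"; then
            echo "OK $name $proto/$port"
        else
            echo "MISMATCH $name listens on $proto/$port, no input rule opens it"
            rc=1
        fi
    done <<EOF
$listeners
EOF
    return $rc
}

# On the router: check_vpn_firewall "$(uci show openvpn)" "$(uci show firewall)"
check_vpn_firewall "$SAMPLE_OPENVPN" "$SAMPLE_FIREWALL" || true
```

On the sample it reports that `myvpn` listens on udp/1149 while the only matching rule opens udp/1194, which agrees with the `0.0.0.0:1149` netstat line and the zero packet counter on the `udp dport 1194` nft rule in the posted output.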

Are you connecting your openwrt router to an ISP provided device on the wan port?

It is connected to the LAN port of a fiberoptic modem/VoIP model HG8145V5 with DMZ pointed to its IP 192.168.100.68

Are you able to connect a computer to the same port and see if you can expose a service to the internet to see if the DMZ is working correctly?
As you have assigned the WAN IP by DHCP and you have replaced the old device with a new device, the DMZ assignment may have been by MAC address rather than physical port?

Can you post the contents of

/etc/config/firewall
/etc/config/network

I used the DHCP-Static-IP on the modem to assign the x.68 to this device MAC and then in the DMZ the selection was made per IP address. Maybe I can install FTP server on the router and try to connect. I hesitate to try my Windows machine because MS seems to constantly change how the firewall works and when you open a port sometimes it is not really open, plus if the Windows Defender firewall doesn't stop the traffic the antivirus software will block it. But let me try a simple FTP server on the DMZ router.

FIREWALL
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

# add by DJ

config zone
	option name  vpn
	option input ACCEPT
	option forward ACCEPT
	option output ACCEPT
  	option network 'vpn0'
	#option masq '1' # IMPORTANT!!!
	option masq '1'
	option mtu_fix '1'
	
# end of add by DJ



config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

# add by DJ

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '1194'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

# end of add by DJ

========================================
NETWORK

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd24:902b:033c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.26.1'

config device
	option name 'wan'
	option macaddr '5c:02:14:30:32:3b'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# add by DJ

config interface 'vpn0'
	option proto 'none'
	option auto '1'
	option device 'tun0'

# end of add by DJ