OpenVPN MULTI: bad source address from client

Hello,

I recently posted some questions about OpenVPN setup, resulting in a smoothly running VPN server/client connection. My goal is running a VPN server on my router for external clients. Clients should be protected from their local LAN (e.g. in hotels); also, confidential information exchange through WhatsApp is desired.

Clients are my mobile phone (wlan turned off) and my sister‘s mobile phone from outside. Both could connect without problem, however, recently my sister could no longer connect, while my phone still did.

The error message in the server‘s openvpn.log:
MULTI: bad source address from client [X.X.x.x], packet dropped

Some search revealed that the server does not know how to redirect the external IP to its local one, although this is defined in the settings (e.g. here).

In this thread dealing with a similar problem it was suggested to change the protocol from 'none' to 'static'. Is this always required when list push 'redirect-gateway def1' is set? Or the other way round, do I need to set list push 'redirect-gateway def1' to meet the a.m. goals?

I hope I was clear enough. I might have failed to provide essential information to resolve the issue; however, this is due to my still substantial lack of knowledge of the field.

My /etc/config/openvpn server configuration:

config openvpn 'VPNserver' 
       option enabled '1' 
       option dev 'tun0' 
       option proto 'udp' 
       option port '5000' 
       option server '192.168.7.0 255.255.255.0' 
       option route_gateway 'dhcp' 
       option ifconfig '192.168.7.1 255.255.255.0' 
       list push 'route 192.168.0.0 255.255.255.0' 
       list push 'dhcp-option    DNS 192.168.0.1' 
       list push 'dhcp-option    WINS 192.168.0.1' 
       list push 'dhcp-option    DNS 208.67.222.123' 
       list push 'dhcp-option    DNS 208.67.220.123' 
       list push 'dhcp-option    NTP 129.6.15.30' 
       list push 'route-gateway    dhcp' 
       list push 'redirect-gateway def1' 
       list push 'sndbuf 393216' 
       list push 'rcvbuf 393216' 
       option dh '/etc/openvpn/dh4096.pem' 
       option pkcs12 '/etc/openvpn/my-server.p12' 
       option cipher 'AES-256-CBC' 
       option auth 'SHA512' 
       option tls_auth '/etc/openvpn/tls-auth.key 0' 
       option tls_server '1' 
       option tls_version_min '1.2' 
       option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!LOW:!EXP:!SRP:!kRSA' 
       option log_append '/tmp/openvpn.log' 
       option status '/tmp/openvpn-status.log' 
       option verb '5' 
       option keepalive '10 120' 
       option comp_lzo 'yes' 
       option client_to_client '1' 
       option persist_key '1' 
       option persist_tun '1' 
       option sndbuf '393216' 
       option rcvbuf '393216' 
       option user 'nobody' 
       option group 'nogroup' 
       option tun_mtu '48000'

and my client.conf (how do I get rid of these ridiculously large and bold headings? They appeared only after pasting the text)

# specify client-side
client

# tun/tap device
dev tun0

# protocol, according to server
proto udp

# server address
remote my-ddns-address 5000

# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000

# connection
float
comp-lzo
nobind

# persistent device and keys
persist-key
persist-tun
resolv-retry infinite

remote-cert-eku "TLS Web Server Authentication"

# Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-256-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2

ca  /path/My-CA.crt.pem
cert /path/client-1.crt.pem
key  /path/client-1.key.pem

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xyzzyx
-----END OpenVPN Static key V1-----
</tls-auth>

# pull dns settings from the server
script-security 2

# logging
log /etc/openvpn/openvpn.log
verb 5

Thanks
Oscar

Did you enable masquerade on the OpenVPN interface?

No, I did not. I followed the OpenWrt VPN wiki, and I also read somewhere that this should not be done.

Please use "Preformatted text </>" for logs, scripts, configs and general console output.

The most common cause of this is when a client behind the router attempts to connect to the VPN server on the router (i.e. client is connected to LAN interface via ethernet or WiFi, and, while connected, attempts connection to the VPN server). The only way this can be done is if Gateway Redirect is utilized, which you, and most users, have no use case for.

  • Gateway Redirect is used to protect traffic behind the router from other non-WAN interfaces on the router.
    • This is not the same as a 3rd party VPN, as the encryption ends at the WAN interface.

Static IP is not required, but is what I always recommended, since it allows for more granular firewall rules, either via fw3 or iptables directly.

  • A static IP is required for CCD [Client Configuration Directory], which I always recommend users configure, as it adds an additional layer of security

Hello JW0914, glad you came across my post. I got this message (in the server log) when my sister tried to connect from outside, like she did several times before when it worked like a charm. So she was not behind the router. The same is true when I test the system with my mobile: I disconnect from the LAN first, using only the mobile phone line.

I actually had this turned on. My understanding is that when the client connects to the OpenVPN server, this is the way to protect oneself while you are in a public LAN like in hotels.

Right, so this was not the cause. So you recommend to delete "list push 'redirect-gateway def1" despite the fact that I want to access internet only through my router and not through the local (hotel etc) router?

As soon as I get this running again, will be implemented.
Question: I understand the principle of mutual identification with signed certificates. Now with CCD, I am not sure whether this is needed because otherwise it is the server only who identifies itself to the client but not vice versa, correct?

Please perform the steps under Troubleshooting for your next post (for clients, your sister's device)

As to redirect gateway, you have no use for it, so yes, it can be removed.

How is WAN connected on your router

  • Directly to the hotel's ethernet/wifi network?
    • If this instance, your VPN on your router isn't going to protect any information, as the encryption stops at your router's WAN connection.

OR

  • Through the hotel's network to your router at a remote location
    • If this instance, simply add a forwarding rule for tun0 to wan

CCD is in conjunction with a CA and signed certs, not in lieu of.

  • Signed certs also must authenticate with the server, CCD simply enforces CN [Common Name] verification
    • With CCD enabled, even if a cert issued by the VPN's CA tries to connect, unless its CN matches that which has been configured in the CCD, the connection will be refused.
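The source-address check behind the error in this thread, and the CCD behaviour described in the reply above, as an added example (not OpenVPN's own code and not posted by anyone in the thread): a small Python model of the table the server fills from its address pool, from client-config-dir (CCD) ifconfig-push/iroute entries and from "MULTI: Learn:" events, and of the lookup it performs on every packet arriving through the tunnel. A packet whose inner source address does not map back to the client instance that sent it is what produces "MULTI: bad source address from client [...], packet dropped". The CN sister, its CCD entry and the subnet 192.168.50.0/24 are assumptions for the demonstration; client1 and 192.168.7.0/24 come from the posted config and logs.

```python
"""Model of the check behind "MULTI: bad source address from client".

Added example, not OpenVPN source code.  It mimics the server-side table
OpenVPN builds from the address pool, from CCD ifconfig-push/iroute entries
and from "MULTI: Learn:" events, and the per-packet lookup against it.
Assumed for the demo: CN "sister", its CCD entry, subnet 192.168.50.0/24.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class VpnServer:
    pool: list                      # free virtual IPs (server 192.168.7.0/24 -> pool from .2)
    ccd: dict                       # CN -> {"ifconfig-push": ip, "iroute": [cidr, ...]}
    ccd_exclusive: bool = False     # --ccd-exclusive: refuse CNs that have no CCD file
    learned: dict = field(default_factory=dict)   # virtual IP -> CN  ("MULTI: Learn:")
    iroutes: dict = field(default_factory=dict)   # ip_network -> CN  ("iroute")
    log: list = field(default_factory=list)

    def connect(self, cn):
        """Client with certificate CN `cn` passed TLS; assign its virtual address."""
        entry = self.ccd.get(cn)
        if entry is None and self.ccd_exclusive:
            # Real OpenVPN logs a TLS auth error here; the wording below is modelled, not quoted.
            self.log.append(f"{cn}: refused, --ccd-exclusive is set and there is no CCD file")
            return None
        vip = (entry or {}).get("ifconfig-push") or self.pool.pop(0)
        self.learned[vip] = cn
        self.log.append(f"MULTI: Learn: {vip} -> {cn}")
        for cidr in (entry or {}).get("iroute", []):
            # iroute declares which networks *behind* this client may appear as source
            self.iroutes[ip_network(cidr)] = cn
        return vip

    def owner_of(self, src):
        """Which client instance owns source address `src`?  None if unknown."""
        cn = self.learned.get(src)
        if cn is None:
            addr = ip_address(src)
            cn = next((c for net, c in self.iroutes.items() if addr in net), None)
        return cn

    def receive(self, cn, src):
        """A decrypted packet from client `cn` carries inner source IP `src`.
        It is accepted only if the table maps `src` back to that same client."""
        if self.owner_of(src) == cn:
            return True
        self.log.append(f"{cn} MULTI: bad source address from client [{src}], packet dropped")
        return False


def demo():
    """Walk through the cases discussed in the thread; returns a dict of outcomes."""
    srv = VpnServer(
        pool=["192.168.7.2", "192.168.7.3"],
        ccd={"sister": {"ifconfig-push": "192.168.7.10", "iroute": ["192.168.50.0/24"]}},
    )
    out = {}
    vip = srv.connect("client1")                       # pool address, as in the posted log
    out["client1_vip"] = vip
    out["own_vip_accepted"] = srv.receive("client1", vip)
    # A client that is still on the router's LAN sends with its LAN address as inner source:
    out["lan_source_dropped"] = not srv.receive("client1", "192.168.0.50")
    out["sister_vip"] = srv.connect("sister")          # static address from the CCD file
    out["iroute_accepted"] = srv.receive("sister", "192.168.50.7")
    # client1 using sister's virtual IP maps to a different instance -> dropped
    out["spoof_dropped"] = not srv.receive("client1", "192.168.7.10")
    strict = VpnServer(pool=["192.168.7.2"], ccd={"sister": {}}, ccd_exclusive=True)
    out["no_ccd_refused"] = strict.connect("client1") is None   # valid cert, CN without CCD file
    out["log"] = srv.log + strict.log
    return out


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The model shows why a static address via CCD is useful beyond firewalling: the server only accepts packets whose source it can attribute to the connected instance, so a client that forwards traffic for a network behind it needs an iroute in its CCD file, and a client sitting on the router's own LAN (source 192.168.0.x) is dropped regardless of its certificate.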

Through the hotel's router to the internet to my router to the internet ... when using whatismyip.com the IP address of my sister is shown as the one of my router here. These are my Firewall rules:

# LAN to VPN #    
config forwarding
    option  dest            'vpn'
    option  src             'lan'
 
# LAN to WAN #
config forwarding
    option  dest            'wan'
    option  src             'lan'
 
# VPN to LAN #    
config forwarding
    option  dest            'lan'
    option  src             'vpn'

# VPN to WAN #
config forwarding
    option   dest	    'wan'
    option   src	    'vpn'

More or less, copy/paste from your openwrt wiki.

(if I only understood tmomas advice ....tried in several ways but am too stupid)

I forgot to mention that when this trouble arose, my LAN was no longer accessible, even though the OpenVPN connection was successful with my mobile phone (I don't understand why; my sister still can't). This means that I cannot access the router in a browser using its local LAN address.

You're not stupid, Thomas was stating to use the </> button on the toolbar above the reply box (select code/config/log output, then click that button). It's in between the quote button and the upload button.

You can also utilize three back ticks on a new line, code/config/log output on the next line(s), then three back ticks again on a new line (I personally prefer this method, as it syntax highlights)

  • The purpose of using either is code/configs/logs use a monospaced font (which is why these types should also not be enclosed in quote boxes)

For this, all you need then is the forwarding rule mentioned above

  • After some research, I now see why @stangri has Gateway Redirect being pushed in the OpenVPN (Server Setup) wiki, as on most BSD/Linux distros, this is required for VPN internet access, whereas with OpenWrt, this is not required due to fw3's implementation.

Unless you perform all the requested steps under Troubleshooting (#'s 1 - 3), neither I nor anyone else can help you.

If I understand right, you are asking for the server's/client's respective error logs.

(I am definitely too stupid to understand tmomas' and your advice regarding </>. Where is 'select code/config/log output'? I pasted everything, selected it, ticked </>, --> fail. Hope you don't mind.)

Client log

2018-03-24 21:18:27 F-Droid built and signed version 0.6.73 running on Motorola Moto G 2014 LTE (MSM8226), Android 7.1.2 (NZH54D) API 25, ABI armeabi-v7a, (motorola/thea_retgb/thea:6.0/MPB24.65-34/31:user/release-keys)
2018-03-24 21:18:27 New OpenVPN Status (USER_VPN_PASSWORD->LEVEL_WAITING_FOR_USER_INPUT): 
2018-03-24 21:18:29 Generating OpenVPN configuration…
2018-03-24 21:18:29 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2018-03-24 21:18:29 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2018-03-24 21:18:29 started Socket Thread
2018-03-24 21:18:29 Network status: CONNECTED HSDPA to MOBILE internet
2018-03-24 21:18:29 Debug state info: CONNECTED HSDPA to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2018-03-24 21:18:29 Debug state info: CONNECTED HSDPA to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2018-03-24 21:18:29 Current Parameter Settings:
2018-03-24 21:18:29   config = '/data/user/0/uk.blinkt.openvpn/cache/android.conf'
2018-03-24 21:18:29   mode = 0
2018-03-24 21:18:29   show_ciphers = DISABLED
2018-03-24 21:18:29   show_digests = DISABLED
2018-03-24 21:18:29   show_engines = DISABLED
2018-03-24 21:18:29   genkey = DISABLED
2018-03-24 21:18:29   key_pass_file = '[UNDEF]'
2018-03-24 21:18:29   show_tls_ciphers = DISABLED
2018-03-24 21:18:29   connect_retry_max = 0
2018-03-24 21:18:29 Connection profiles [0]:
2018-03-24 21:18:29   proto = tcp-client
2018-03-24 21:18:29   local = '[UNDEF]'
2018-03-24 21:18:29   local_port = '[UNDEF]'
2018-03-24 21:18:29 Waiting 0s seconds between connection attempts
2018-03-24 21:18:29   remote = 'my-ddns-address.de'
2018-03-24 21:18:29   remote_port = '5000'
2018-03-24 21:18:29   remote_float = ENABLED
2018-03-24 21:18:29   bind_defined = DISABLED
2018-03-24 21:18:29   bind_local = DISABLED
2018-03-24 21:18:29   bind_ipv6_only = DISABLED
2018-03-24 21:18:29   connect_retry_seconds = 2
2018-03-24 21:18:29   connect_timeout = 120
2018-03-24 21:18:29   socks_proxy_server = '[UNDEF]'
2018-03-24 21:18:29   socks_proxy_port = '[UNDEF]'
2018-03-24 21:18:29   tun_mtu = 1500
2018-03-24 21:18:29   tun_mtu_defined = ENABLED
2018-03-24 21:18:29   link_mtu = 1500
2018-03-24 21:18:29   link_mtu_defined = DISABLED
2018-03-24 21:18:29   tun_mtu_extra = 0
2018-03-24 21:18:29   tun_mtu_extra_defined = DISABLED
2018-03-24 21:18:29   mtu_discover_type = -1
2018-03-24 21:18:29   fragment = 0
2018-03-24 21:18:29   mssfix = 1450
2018-03-24 21:18:29   explicit_exit_notification = 0
2018-03-24 21:18:29 Connection profiles END
2018-03-24 21:18:29   remote_random = DISABLED
2018-03-24 21:18:29   ipchange = '[UNDEF]'
2018-03-24 21:18:29   dev = 'tun'
2018-03-24 21:18:29   dev_type = '[UNDEF]'
2018-03-24 21:18:29   dev_node = '[UNDEF]'
2018-03-24 21:18:29   lladdr = '[UNDEF]'
2018-03-24 21:18:29   topology = 1
2018-03-24 21:18:29   ifconfig_local = '[UNDEF]'
2018-03-24 21:18:29   ifconfig_remote_netmask = '[UNDEF]'
2018-03-24 21:18:29   ifconfig_noexec = DISABLED
2018-03-24 21:18:29   ifconfig_nowarn = ENABLED
2018-03-24 21:18:29   ifconfig_ipv6_local = '[UNDEF]'
2018-03-24 21:18:29   ifconfig_ipv6_netbits = 0
2018-03-24 21:18:29   ifconfig_ipv6_remote = '[UNDEF]'
2018-03-24 21:18:29   shaper = 0
2018-03-24 21:18:29   mtu_test = 0
2018-03-24 21:18:29   mlock = DISABLED
2018-03-24 21:18:29   keepalive_ping = 0
2018-03-24 21:18:29   keepalive_timeout = 0
2018-03-24 21:18:29   inactivity_timeout = 0
2018-03-24 21:18:29   ping_send_timeout = 0
2018-03-24 21:18:29   ping_rec_timeout = 0
2018-03-24 21:18:29   ping_rec_timeout_action = 0
2018-03-24 21:18:29   ping_timer_remote = DISABLED
2018-03-24 21:18:29   remap_sigusr1 = 0
2018-03-24 21:18:29   persist_tun = ENABLED
2018-03-24 21:18:29   persist_local_ip = DISABLED
2018-03-24 21:18:29   persist_remote_ip = DISABLED
2018-03-24 21:18:29   persist_key = DISABLED
2018-03-24 21:18:29   passtos = DISABLED
2018-03-24 21:18:29   resolve_retry_seconds = 1000000000
2018-03-24 21:18:29   resolve_in_advance = ENABLED
2018-03-24 21:18:29   username = '[UNDEF]'
2018-03-24 21:18:29   groupname = '[UNDEF]'
2018-03-24 21:18:29   chroot_dir = '[UNDEF]'
2018-03-24 21:18:29   cd_dir = '[UNDEF]'
2018-03-24 21:18:29   writepid = '[UNDEF]'
2018-03-24 21:18:29   up_script = '[UNDEF]'
2018-03-24 21:18:29   down_script = '[UNDEF]'
2018-03-24 21:18:29   down_pre = DISABLED
2018-03-24 21:18:29   up_restart = DISABLED
2018-03-24 21:18:29   up_delay = DISABLED
2018-03-24 21:18:29   daemon = DISABLED
2018-03-24 21:18:29   inetd = 0
2018-03-24 21:18:29   log = DISABLED
2018-03-24 21:18:29   suppress_timestamps = DISABLED
2018-03-24 21:18:29   machine_readable_output = ENABLED
2018-03-24 21:18:29   nice = 0
2018-03-24 21:18:29   verbosity = 4
2018-03-24 21:18:29   mute = 0
2018-03-24 21:18:29   gremlin = 0
2018-03-24 21:18:29   status_file = '[UNDEF]'
2018-03-24 21:18:29   status_file_version = 1
2018-03-24 21:18:29   status_file_update_freq = 60
2018-03-24 21:18:29   occ = ENABLED
2018-03-24 21:18:29   rcvbuf = 0
2018-03-24 21:18:29   sndbuf = 0
2018-03-24 21:18:29   sockflags = 0
2018-03-24 21:18:29   fast_io = DISABLED
2018-03-24 21:18:29   comp.alg = 2
2018-03-24 21:18:29   comp.flags = 1
2018-03-24 21:18:29   route_script = '[UNDEF]'
2018-03-24 21:18:29   route_default_gateway = '[UNDEF]'
2018-03-24 21:18:29   route_default_metric = 0
2018-03-24 21:18:29   route_noexec = DISABLED
2018-03-24 21:18:29   route_delay = 0
2018-03-24 21:18:29   route_delay_window = 30
2018-03-24 21:18:29   route_delay_defined = DISABLED
2018-03-24 21:18:29   route_nopull = DISABLED
2018-03-24 21:18:29   route_gateway_via_dhcp = DISABLED
2018-03-24 21:18:29   allow_pull_fqdn = DISABLED
2018-03-24 21:18:29   management_addr = '/data/user/0/uk.blinkt.openvpn/cache/mgmtsocket'
2018-03-24 21:18:29   management_port = 'unix'
2018-03-24 21:18:29   management_user_pass = '[UNDEF]'
2018-03-24 21:18:29   management_log_history_cache = 250
2018-03-24 21:18:29   management_echo_buffer_size = 100
2018-03-24 21:18:29   management_write_peer_info_file = '[UNDEF]'
2018-03-24 21:18:29   management_client_user = '[UNDEF]'
2018-03-24 21:18:29   management_client_group = '[UNDEF]'
2018-03-24 21:18:29   management_flags = 4390
2018-03-24 21:18:29   shared_secret_file = '[UNDEF]'
2018-03-24 21:18:29   key_direction = 1
2018-03-24 21:18:29   ciphername = 'AES-256-CBC'
2018-03-24 21:18:29   ncp_enabled = ENABLED
2018-03-24 21:18:29   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2018-03-24 21:18:29   authname = 'SHA512'
2018-03-24 21:18:29   prng_hash = 'SHA1'
2018-03-24 21:18:29   prng_nonce_secret_len = 16
2018-03-24 21:18:29   keysize = 0
2018-03-24 21:18:29   engine = DISABLED
2018-03-24 21:18:29   replay = ENABLED
2018-03-24 21:18:29   mute_replay_warnings = DISABLED
2018-03-24 21:18:29   replay_window = 64
2018-03-24 21:18:29   replay_time = 15
2018-03-24 21:18:29   packet_id_file = '[UNDEF]'
2018-03-24 21:18:29   test_crypto = DISABLED
2018-03-24 21:18:29   tls_server = DISABLED
2018-03-24 21:18:29   tls_client = ENABLED
2018-03-24 21:18:29   key_method = 2
2018-03-24 21:18:29   ca_file = '[UNDEF]'
2018-03-24 21:18:29   ca_path = '[UNDEF]'
2018-03-24 21:18:29   dh_file = '[UNDEF]'
2018-03-24 21:18:29   cert_file = '[UNDEF]'
2018-03-24 21:18:29   extra_certs_file = '[UNDEF]'
2018-03-24 21:18:29   priv_key_file = '[UNDEF]'
2018-03-24 21:18:29   pkcs12_file = '[[INLINE]]'
2018-03-24 21:18:29   cipher_list = '[UNDEF]'
2018-03-24 21:18:29   tls_verify = '[UNDEF]'
2018-03-24 21:18:29   tls_export_cert = '[UNDEF]'
2018-03-24 21:18:29   verify_x509_type = 0
2018-03-24 21:18:29   verify_x509_name = '[UNDEF]'
2018-03-24 21:18:29   crl_file = '[UNDEF]'
2018-03-24 21:18:29   ns_cert_type = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_ku[i] = 0
2018-03-24 21:18:29   remote_cert_eku = 'TLS Web Server Authentication'
2018-03-24 21:18:29   ssl_flags = 192
2018-03-24 21:18:29   tls_timeout = 2
2018-03-24 21:18:29   renegotiate_bytes = -1
2018-03-24 21:18:29   renegotiate_packets = 0
2018-03-24 21:18:29   renegotiate_seconds = 3600
2018-03-24 21:18:29   handshake_window = 60
2018-03-24 21:18:29   transition_window = 3600
2018-03-24 21:18:29   single_session = DISABLED
2018-03-24 21:18:29   push_peer_info = DISABLED
2018-03-24 21:18:29   tls_exit = DISABLED
2018-03-24 21:18:29   tls_auth_file = '[[INLINE]]'
2018-03-24 21:18:29   tls_crypt_file = '[UNDEF]'
2018-03-24 21:18:29   client = ENABLED
2018-03-24 21:18:29   pull = ENABLED
2018-03-24 21:18:29   auth_user_pass_file = '[UNDEF]'
2018-03-24 21:18:29 OpenVPN 2.5-icsopenvpn [git:HEAD-9fa0b9a7e1240170] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 18 2017
2018-03-24 21:18:29 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
2018-03-24 21:18:29 MANAGEMENT: Connected to management server at /data/user/0/uk.blinkt.openvpn/cache/mgmtsocket
2018-03-24 21:18:29 MANAGEMENT: CMD 'hold release'
2018-03-24 21:18:30 MANAGEMENT: CMD 'bytecount 2'
2018-03-24 21:18:30 MANAGEMENT: CMD 'state on'
2018-03-24 21:18:30 MANAGEMENT: CMD 'proxy NONE'
2018-03-24 21:18:31 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2018-03-24 21:18:31 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2018-03-24 21:18:31 LZO compression initializing
2018-03-24 21:18:31 Control Channel MTU parms [ L:1624 D:1138 EF:112 EB:0 ET:0 EL:3 ]
2018-03-24 21:18:31 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2018-03-24 21:18:31 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-03-24 21:18:31 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-03-24 21:18:31 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
2018-03-24 21:18:31 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
2018-03-24 21:18:31 TCP/UDP: Preserving recently used remote address: [AF_INET]98.98.98.98:5000
2018-03-24 21:18:31 Socket Buffers: R=[262144->262144] S=[16384->16384]
2018-03-24 21:18:31 Attempting to establish TCP connection with [AF_INET]98.98.98.98:5000 [nonblock]
2018-03-24 21:18:31 MANAGEMENT: >STATE:1521922711,TCP_CONNECT,,,,,,
2018-03-24 21:18:31 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2018-03-24 21:18:32 TCP connection established with [AF_INET]98.98.98.98:5000
2018-03-24 21:18:32 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2018-03-24 21:18:32 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-03-24 21:18:32 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-03-24 21:18:32 TCP_CLIENT link local: (not bound)
2018-03-24 21:18:32 TCP_CLIENT link remote: [AF_INET]98.98.98.98:5000
2018-03-24 21:18:32 MANAGEMENT: >STATE:1521922712,WAIT,,,,,,
2018-03-24 21:18:32 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2018-03-24 21:18:32 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2018-03-24 21:18:32 MANAGEMENT: >STATE:1521922712,AUTH,,,,,,
2018-03-24 21:18:32 TLS: Initial packet from [AF_INET]98.98.98.98:5000, sid=d9055916 064424d8
2018-03-24 21:18:34 VERIFY OK: depth=1, C=UK, ST=state, L=my-village, O=My Certificate Authority, CN=my-ca
2018-03-24 21:18:34 Validating certificate extended key usage
2018-03-24 21:18:34 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2018-03-24 21:18:34 VERIFY EKU OK
2018-03-24 21:18:34 VERIFY OK: depth=0, C=UK, ST=state, L=my-village, O=Server Inc., CN=vpn-server
2018-03-24 21:18:34 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1604', remote='link-mtu 48104'
2018-03-24 21:18:34 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 48000'
2018-03-24 21:18:34 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-03-24 21:18:34 [ralf-server] Peer Connection Initiated with [AF_INET]98.98.98.98:5000
2018-03-24 21:18:36 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2018-03-24 21:18:36 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2018-03-24 21:18:36 MANAGEMENT: >STATE:1521922716,GET_CONFIG,,,,,,
2018-03-24 21:18:36 SENT CONTROL [ralf-server]: 'PUSH_REQUEST' (status=1)
2018-03-24 21:18:36 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option    DNS 192.168.0.1,dhcp-option    WINS 192.168.0.1,dhcp-option    DNS 208.67.222.222,dhcp-option    DNS 208.67.220.220,dhcp-option    NTP 129.6.15.30,sndbuf 393216,rcvbuf 393216,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.7.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2018-03-24 21:18:36 OPTIONS IMPORT: timers and/or timeouts modified
2018-03-24 21:18:36 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,192.168.7.2,,,,
2018-03-24 21:18:36 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,192.168.7.2,,,,
2018-03-24 21:18:36 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2018-03-24 21:18:36 Socket Buffers: R=[262144->786432] S=[20160->786432]
2018-03-24 21:18:36 OPTIONS IMPORT: --ifconfig/up options modified
2018-03-24 21:18:36 OPTIONS IMPORT: route options modified
2018-03-24 21:18:36 OPTIONS IMPORT: route-related options modified
2018-03-24 21:18:36 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-03-24 21:18:36 OPTIONS IMPORT: peer-id set
2018-03-24 21:18:36 OPTIONS IMPORT: adjusting link_mtu to 1627
2018-03-24 21:18:36 OPTIONS IMPORT: data channel crypto options modified
2018-03-24 21:18:36 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2018-03-24 21:18:36 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2018-03-24 21:18:36 Data Channel: using negotiated cipher 'AES-256-GCM'
2018-03-24 21:18:36 Data Channel MTU parms [ L:1555 D:1450 EF:55 EB:406 ET:0 EL:3 ]
2018-03-24 21:18:36 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-03-24 21:18:36 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-03-24 21:18:36 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo HWADDR=00:00:00:00:00:00
2018-03-24 21:18:36 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-03-24 21:18:36 MANAGEMENT: >STATE:1521922716,ASSIGN_IP,,192.168.7.2,,,,
2018-03-24 21:18:36 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2018-03-24 21:18:36 MANAGEMENT: >STATE:1521922716,ADD_ROUTES,,,,,,
2018-03-24 21:18:36 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2018-03-24 21:18:36 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2018-03-24 21:18:36 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2018-03-24 21:18:36 Opening tun network interface:
2018-03-24 21:18:36 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2018-03-24 21:18:36 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2018-03-24 21:18:36 Local IPv4: 192.168.7.2/24 IPv6: null MTU: 1500
2018-03-24 21:18:36 DNS servers: 192.168.0.1, 208.67.222.222, 208.67.220.220, domain: null
2018-03-24 21:18:36 Routes: 192.168.0.0/24, 192.168.7.0/24 
2018-03-24 21:18:36 Excluded routes:  
2018-03-24 21:18:36 Installed VpnService routes: 192.168.0.0/24, 192.168.7.0/24 
2018-03-24 21:18:36 Apps not allowed to use the VPN: 
2018-03-24 21:18:36 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2018-03-24 21:18:36 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-03-24 21:18:36 Initialization Sequence Completed
2018-03-24 21:18:36 MANAGEMENT: >STATE:1521922716,CONNECTED,SUCCESS,192.168.7.2,98.98.98.98,5000,10.147.130.242,47001
2018-03-24 21:18:36 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.7.2,98.98.98.98,5000,10.147.130.242,47001
2018-03-24 21:18:36 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.7.2,98.98.98.98,5000,10.147.130.242,47001
2018-03-24 21:18:36 Network status: CONNECTED HSPA+ to MOBILE internet
2018-03-24 21:18:36 Debug state info: CONNECTED HSPA+ to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 

Server log from /tmp/openvpn.log

Sat Mar 24 21:14:22 2018 us=358599 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Mar 24 21:14:22 2018 us=358843 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sat Mar 24 21:14:22 2018 us=369581 Diffie-Hellman initialized with 4096 bit key
Sat Mar 24 21:14:22 2018 us=488299 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Mar 24 21:14:22 2018 us=488497 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Mar 24 21:14:22 2018 us=488634 TLS-Auth MTU parms [ L:48124 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Sat Mar 24 21:14:22 2018 us=500700 TUN/TAP device tun0 opened
Sat Mar 24 21:14:22 2018 us=500882 TUN/TAP TX queue length set to 100
Sat Mar 24 21:14:22 2018 us=501015 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Mar 24 21:14:22 2018 us=501195 /sbin/ifconfig tun0 192.168.7.1 netmask 255.255.255.0 mtu 48000 broadcast 192.168.7.255
Sat Mar 24 21:14:22 2018 us=524909 Data Channel MTU parms [ L:48124 D:48124 EF:124 EB:8156 ET:0 EL:3 ]
Sat Mar 24 21:14:22 2018 us=526454 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Mar 24 21:14:22 2018 us=526639 Socket Buffers: R=[87380->327680] S=[16384->327680]
Sat Mar 24 21:14:22 2018 us=526792 Listening for incoming TCP connection on [AF_INET][undef]:5000
Sat Mar 24 21:14:22 2018 us=526929 TCPv4_SERVER link local (bound): [AF_INET][undef]:5000
Sat Mar 24 21:14:22 2018 us=527030 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Mar 24 21:14:22 2018 us=527146 GID set to nogroup
Sat Mar 24 21:14:22 2018 us=527266 UID set to nobody
Sat Mar 24 21:14:22 2018 us=527384 MULTI: multi_init called, r=256 v=256
Sat Mar 24 21:14:22 2018 us=527586 IFCONFIG POOL: base=192.168.7.2 size=252, ipv6=0
Sat Mar 24 21:14:22 2018 us=527869 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Mar 24 21:14:22 2018 us=536010 Initialization Sequence Completed
Sat Mar 24 21:18:31 2018 us=882629 MULTI: multi_create_instance called
Sat Mar 24 21:18:31 2018 us=882961 Re-using SSL/TLS context
Sat Mar 24 21:18:31 2018 us=883087 LZO compression initializing
Sat Mar 24 21:18:31 2018 us=897807 Control Channel MTU parms [ L:48124 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Sat Mar 24 21:18:31 2018 us=902731 Data Channel MTU parms [ L:48124 D:48124 EF:124 EB:8156 ET:0 EL:3 ]
Sat Mar 24 21:18:31 2018 us=903063 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Sat Mar 24 21:18:31 2018 us=903175 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Sat Mar 24 21:18:31 2018 us=904485 TCP connection established with [AF_INET]333.333.333.333:44444
Sat Mar 24 21:18:31 2018 us=904616 TCPv4_SERVER link local: (not bound)
Sat Mar 24 21:18:31 2018 us=904728 TCPv4_SERVER link remote: [AF_INET]333.333.333.333:44444
RSat Mar 24 21:18:32 2018 us=683567 333.333.333.333:44444 TLS: Initial packet from [AF_INET]333.333.333.333:44444, sid=b16c9b97 e1d4cd70
WRRWWWWRRRRWRWRSat Mar 24 21:18:34 2018 us=817230 333.333.333.333:44444 VERIFY OK: depth=1, C=UK, ST=state, L=my-village, O=My Certificate Authority, CN=my-ca
Sat Mar 24 21:18:34 2018 us=826888 333.333.333.333:44444 VERIFY OK: depth=0, C=UK, ST=state, L=my-village, O=Client, CN=client1
WRWRSat Mar 24 21:18:34 2018 us=962937 333.333.333.333:44444 peer info: IV_VER=2.5_master
Sat Mar 24 21:18:34 2018 us=963098 333.333.333.333:44444 peer info: IV_PLAT=android
Sat Mar 24 21:18:34 2018 us=963203 333.333.333.333:44444 peer info: IV_PROTO=2
Sat Mar 24 21:18:34 2018 us=963304 333.333.333.333:44444 peer info: IV_NCP=2
Sat Mar 24 21:18:34 2018 us=963404 333.333.333.333:44444 peer info: IV_LZ4=1
Sat Mar 24 21:18:34 2018 us=963505 333.333.333.333:44444 peer info: IV_LZ4v2=1
Sat Mar 24 21:18:34 2018 us=963607 333.333.333.333:44444 peer info: IV_LZO=1
Sat Mar 24 21:18:34 2018 us=963710 333.333.333.333:44444 peer info: IV_COMP_STUB=1
Sat Mar 24 21:18:34 2018 us=963841 333.333.333.333:44444 peer info: IV_COMP_STUBv2=1
Sat Mar 24 21:18:34 2018 us=963954 333.333.333.333:44444 peer info: IV_TCPNL=1
Sat Mar 24 21:18:34 2018 us=964059 333.333.333.333:44444 peer info: IV_GUI_VER=uk.blinkt.openvpn_0.6.73
Sat Mar 24 21:18:34 2018 us=964260 333.333.333.333:44444 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 48104', remote='link-mtu 1604'
Sat Mar 24 21:18:34 2018 us=964407 333.333.333.333:44444 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 48000', remote='tun-mtu 1500'
WRSat Mar 24 21:18:35 2018 us=52176 333.333.333.333:44444 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Mar 24 21:18:35 2018 us=52406 333.333.333.333:44444 [client1] Peer Connection Initiated with [AF_INET]333.333.333.333:44444
Sat Mar 24 21:18:35 2018 us=52657 client1/333.333.333.333:44444 MULTI_sva: pool returned IPv4=192.168.7.2, IPv6=(Not enabled)
Sat Mar 24 21:18:35 2018 us=53051 client1/333.333.333.333:44444 MULTI: Learn: 192.168.7.2 -> client1/333.333.333.333:44444
Sat Mar 24 21:18:35 2018 us=53182 client1/333.333.333.333:44444 MULTI: primary virtual IP for client1/333.333.333.333:44444: 192.168.7.2
RSat Mar 24 21:18:36 2018 us=242454 client1/333.333.333.333:44444 PUSH: Received control message: 'PUSH_REQUEST'
Sat Mar 24 21:18:36 2018 us=242869 client1/333.333.333.333:44444 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option    DNS 192.168.0.1,dhcp-option    WINS 192.168.0.1,dhcp-option    DNS 208.67.222.222,dhcp-option    DNS 208.67.220.220,dhcp-option    NTP 129.6.15.30,sndbuf 393216,rcvbuf 393216,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.7.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Sat Mar 24 21:18:36 2018 us=243006 client1/333.333.333.333:44444 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Mar 24 21:18:36 2018 us=243153 client1/333.333.333.333:44444 Data Channel MTU parms [ L:48052 D:48052 EF:52 EB:8156 ET:0 EL:3 ]
Sat Mar 24 21:18:36 2018 us=244034 client1/333.333.333.333:44444 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Mar 24 21:18:36 2018 us=244191 client1/333.333.333.333:44444 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
WWRRwRwrWrWRwrWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWSat Mar 24 21:26:09 2018 us=316933 client1/333.333.333.333:44444 Connection reset, restarting [0]
Sat Mar 24 21:26:09 2018 us=317091 client1/333.333.333.333:44444 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sat Mar 24 21:26:09 2018 us=318765 TCP/UDP: Closing socket

This setting and the a.m. logs correspond to:

  1. external IP is from mobile phone provider (not from my router, as desired)
  2. through 192.168.0.1 I cannot reach the router Web GUI from my mobile phone.
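The server log above is the kind of thing worth parsing automatically when a client stops working. This added Python example (not from the thread) tolerates the verb 5 read/write indicator letters that get glued to the front of a line, collects per-client events and turns a "bad source address" drop or an MTU mismatch into a plain finding; the sample log is constructed and the 192.0.2.55 source address is a placeholder.

```python
import re

# Constructed sample modelled on the server log quoted in this thread (not the
# thread's own lines); the 192.0.2.55 source address is a placeholder. At verb 5
# OpenVPN prints one R/W/r/w per packet read or written, and those letters end
# up glued to the front of the next timestamped line, so the parser strips them.
SAMPLE_LOG = """\
Sat Mar 24 21:18:34 2018 us=964260 333.333.333.333:44444 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 48000', remote='tun-mtu 1500'
WRSat Mar 24 21:18:35 2018 us=52406 333.333.333.333:44444 [client1] Peer Connection Initiated with [AF_INET]333.333.333.333:44444
Sat Mar 24 21:18:35 2018 us=53051 client1/333.333.333.333:44444 MULTI: Learn: 192.168.7.2 -> client1/333.333.333.333:44444
Sat Mar 24 21:18:36 2018 us=243006 client1/333.333.333.333:44444 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Mar 24 21:19:02 2018 us=100000 client1/333.333.333.333:44444 MULTI: bad source address from client [192.0.2.55], packet dropped
WWRRwRwSat Mar 24 21:26:09 2018 us=316933 client1/333.333.333.333:44444 Connection reset, restarting [0]
"""

LINE_RE = re.compile(r"^(?P<rw>[RWrw]*)(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=\d+ (?P<msg>.*)$")
LEARN_RE = re.compile(r"^(?P<client>\S+) MULTI: Learn: (?P<vip>[\d.]+) ->")
BAD_SRC_RE = re.compile(r"^(?P<client>\S+) MULTI: bad source address from client \[(?P<src>[^\]]+)\]")
MTU_RE = re.compile(r"WARNING: '(?P<opt>\w+-mtu)' is used inconsistently, local='\S+ (?P<local>\d+)', remote='\S+ (?P<remote>\d+)'")
CIPHER_RE = re.compile(r"using negotiated cipher '(?P<cipher>[^']+)'")


def parse_log(text):
    """Summarise per-client events from an OpenVPN server log."""
    report = {"learned": {}, "bad_source": [], "mtu": [], "cipher": {}, "resets": 0, "rw_prefixed": 0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        if m.group("rw"):
            report["rw_prefixed"] += 1
        msg = m.group("msg")
        if (lm := LEARN_RE.match(msg)):
            # the address the server will accept as this client's packet source
            report["learned"][lm.group("client")] = lm.group("vip")
        elif (b := BAD_SRC_RE.match(msg)):
            report["bad_source"].append((b.group("client"), b.group("src")))
        elif (w := MTU_RE.search(msg)):
            report["mtu"].append((w.group("opt"), int(w.group("local")), int(w.group("remote"))))
        elif (c := CIPHER_RE.search(msg)):
            report["cipher"][msg.split()[0]] = c.group("cipher")
        elif "Connection reset, restarting" in msg:
            report["resets"] += 1
    return report


def findings(report):
    """Turn the parsed report into plain-language diagnostics."""
    out = []
    for client, src in report["bad_source"]:
        vip = report["learned"].get(client, "no virtual IP learned")
        out.append(f"{client}: packet with source {src} dropped; the server only accepts {vip} "
                   "from this client (an ifconfig-push/iroute is needed for any other source)")
    for opt, local, remote in report["mtu"]:
        out.append(f"{opt} mismatch: server {local}, client {remote}; the two sides must agree")
    return out
```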

You're not too stupid.

Just highlight the text you are posting, and then click the </> icon on your post toolbar.


In the post preview window on the right, you'll see the format change.

There must be a newline before the preformatted text for the formatting to take effect.

Did you perform all three troubleshooting steps as requested above?

before posting the a.m. logs:

  1. changes made to /etc/firewall & /etc/openvpn ....done
  2. changes to client config file ... done & uploaded to client
  3. "Once client connect attempt fails" ... which is not the case

I just noticed the creation of the pfx file should be included:

openssl pkcs12 -export -out openvpn/clients/client1.p12 -inkey openvpn/clients/client1.key.pem -in openvpn/clients/client1.crt.pem -certfile ca/My-CA.crt.pem

What else?
Again, my OpenVPN server config:

config openvpn 'VPNserver'
option  enabled             1
option  dev                 'tun'
option  dev                 'tun0'
option  topology            'subnet'
option  proto               'tcp'
option  port                5000

option  server              '192.168.7.0 255.255.255.0'
option  ifconfig            '192.168.7.1 255.255.255.0'        

list    push                'route 192.168.0.0 255.255.255.0'
list    push                'dhcp-option    DNS 192.168.0.1'
list    push                'dhcp-option    WINS 192.168.0.1'
list    push                'dhcp-option    DNS 208.67.222.222'
list    push                'dhcp-option    DNS 208.67.220.220'
list    push                'dhcp-option    NTP 129.6.15.30'

option  dh                  '/etc/openvpn/dh4096.pem'
option  pkcs12          '/etc/openvpn/vpn-server.p12'

option  cipher              AES-256-CBC
option  auth                'SHA512'
option  tls_auth            '/etc/openvpn/tls-auth.key 0'

option  tls_server          1
option  tls_version_min     1.2
option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!LOW:!EXP:!SRP:!kRSA'

option  log                 '/tmp/openvpn.log'
option  status              '/tmp/openvpn-status.log'
option  verb                5

option  keepalive           '10 120'
option  comp_lzo            'yes'

option  client_to_client    1
option  persist_key         1
option  persist_tun         1

option  sndbuf              393216
option  rcvbuf              393216
option  fragment            0
option  mssfix              0
option  tun_mtu             48000

list    push                'sndbuf 393216'
list    push                'rcvbuf 393216'

option  user                'nobody'
option  group               'nogroup'

and, my firewall (section corresponding to VPN only)

config rule
option  target          'ACCEPT'
option  family          'ipv4'
option  proto           'tcp udp'
option  src             '*'
option  dest_port       5000
option  name            'Allow Forwarded VPN Request -> Router'

config rule
option  target          'ACCEPT'
option  family          'ipv4'
option  proto           'tcp udp'
option  src             'vpn'
option  src_ip          '192.168.7.0/24'
option  dest_ip         '192.168.1.0/24'
option  name            'Allow VPN0 -> LAN'

config rule
option  target          'ACCEPT'
option  proto           'tcp udp'
option  family          'ipv4'
option  src             'vpn'
option  src_ip          '192.168.7.0/24'
option  dest            '*'
option  dest_ip         '192.168.1.0/24'
option  name            'Allow Forwarded VPN0 -> Router'

config rule
option  target          'ACCEPT'
option  family          'ipv4'
option  proto           'icmp'
option  src             'vpn'
option  src_ip          '192.168.7.0/24'
option  dest            'lan'
option  name            'Allow VPN0 (ICMP) -> LAN'

config rule
option  target          'ACCEPT'
option  family          'ipv4'
option  proto           'icmp'
list    icmp_type       'echo-request'
option  src             'vpn'
option  src_ip          '192.168.7.0/24'
option  dest            'wan'
option  name            'Allow VPN0 (echo-request) -> WAN' 

config zone
option  name            'lan'
option  network         'lan'
option  input           'ACCEPT'
option  output          'ACCEPT'
option  forward         'DROP'

config zone
option  name            'vpn'
option  network         'vpn0'
option  input           'ACCEPT'
option  output          'ACCEPT'
option  forward         'ACCEPT'

config zone
option  name            'wan'
option  network         'wan wan6'
option  input           'DROP'
option  output          'ACCEPT'
option  forward         'DROP'
option  masq            1
option  mtu_fix         1

config forwarding
option  dest            'vpn'
option  src             'lan'

config forwarding
option  dest            'lan'
option  src             'vpn'

config forwarding
option  dest            'wan'
option  src             'vpn'

and my client configuration in use:

client

dev tun
proto tcp
remote my-ddns-address.com 5000

mssfix 0
fragment 0
tun-mtu 1500

float
nobind
comp-lzo

persist-key
persist-tun
resolv-retry infinite

auth SHA512
auth-nocache

cipher AES-256-CBC
key-direction 1
tls-version-min 1.2
remote-cert-eku 'TLS Web Server Authentication'

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
XXXX
-----END OpenVPN Static key V1-----
</tls-auth>

verb 7

I am stripped down, nothing left to provide :thinking:

A few things:
  • Client connects successfully
     2018-03-24 21:18:36 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.7.2,98.98.98.98,5000,10.147.130.242,47001
     2018-03-24 21:18:36 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.7.2,98.98.98.98,5000,10.147.130.242,47001
     2018-03-24 21:18:36 Netzwerkstatus: CONNECTED HSPA+ to MOBILE internet
     2018-03-24 21:18:36 Debug state info: CONNECTED HSPA+ to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
    

  • There's nothing wrong server side
     Sat Mar 24 21:18:35 2018 us=52406 333.333.333.333:44444 [client1] Peer Connection Initiated with [AF_INET]333.333.333.333:44444
     Sat Mar 24 21:18:35 2018 us=52657 client1/333.333.333.333:44444 MULTI_sva: pool returned IPv4=192.168.7.2, IPv6=(Not enabled)
     Sat Mar 24 21:18:35 2018 us=53051 client1/333.333.333.333:44444 MULTI: Learn: 192.168.7.2 -> client1/333.333.333.333:44444
     Sat Mar 24 21:18:35 2018 us=53182 client1/333.333.333.333:44444 MULTI: primary virtual IP for client1/333.333.333.333:44444: 192.168.7.2
     Sat Mar 24 21:18:36 2018 us=242454 client1/333.333.333.333:44444 PUSH: Received control message: 'PUSH_REQUEST'
     Sat Mar 24 21:18:36 2018 us=242869 client1/333.333.333.333:44444 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option    DNS 192.168.0.1,dhcp-option    WINS 192.168.0.1,dhcp-option    DNS 208.67.222.222,dhcp-option    DNS 208.67.220.220,dhcp-option    NTP 129.6.15.30,sndbuf 393216,rcvbuf 393216,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.7.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
     Sat Mar 24 21:18:36 2018 us=243006 client1/333.333.333.333:44444 Data Channel: using negotiated cipher 'AES-256-GCM'
     Sat Mar 24 21:18:36 2018 us=243153 client1/333.333.333.333:44444 Data Channel MTU parms [ L:48052 D:48052 EF:52 EB:8156 ET:0 EL:3 ]
     Sat Mar 24 21:18:36 2018 us=244034 client1/333.333.333.333:44444 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
     Sat Mar 24 21:18:36 2018 us=244191 client1/333.333.333.333:44444 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
     WWRRwRwrWrWRwrWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWSat Mar 24 21:26:09 2018 us=316933 client1/333.333.333.333:44444 Connection reset, restarting [0]
     Sat Mar 24 21:26:09 2018 us=317091 client1/333.333.333.333:44444 SIGUSR1[soft,connection-reset] received, client-instance restarting
     Sat Mar 24 21:26:09 2018 us=318765 TCP/UDP: Closing socket
    

This isn't an issue with the VPN server, as client-to-client is enabled in the VPN server config and forwarding between vpn <-> lan is enabled in the firewall config.

  • You can try changing the following in /etc/config/firewall

    config rule
        option  target          'ACCEPT'
        option  proto           'tcp udp'
        option  family          'ipv4'
        option  src             'vpn'
        option  src_ip          '192.168.7.0/24'
        option  dest            '*'
        option  dest_ip         '192.168.1.0/24'
        option  name            'Allow Forwarded VPN0 -> Router'
    

    to

     config rule
        option  target          'ACCEPT'
        option  family          'ipv4'
        option  proto           'tcp udp'
        option  src             'vpn'
        option  dest            '*'
        option  name            'Allow Forwarded VPN0 -> Router'
    
    • Then issue: /etc/init.d/firewall reload
    • Verify from the terminal output that no errors exist within the firewall.
    • If this does not solve the issue, reboot the router and see if that solves the issue, as the issue likely resides within the firewall.

On a side note, I noticed a few things you'll want to change:


VPN Server config
  • Diffie-Hellman cert should only be 2048bit, not 4096bit.
    • It's impossible to break a 2048bit DH cert, and the only reason one would have to use a 3072bit would be if one is a potential target of a nation state. While it's not likely a nation state has the capabilities to break 2048bit, since it's not possible to know for sure, 3072bit would be a safer choice for that specific scenario.

    • Since you utilize your VPN server for two separate purposes (remote access and securing public hot spots), I would recommend configuring two separate servers (one for each use), as that would allow you to drop your encryption for the public hotspots to 1024bit for the DH cert.
      • For the hotspot server:
        • You would block access to all interfaces, except forwarding to wan, and all other VPN clients
          Set option client_to_client 0
        • You will also want to change your SSL & TLS ciphers to AES128
          • Realistically, AES128 can also be utilized for the remote access server since it's not currently possible to break AES128 yet either
            (IIRC, it should remain secure through 2030)
        • You will likely want to verify the re-key interval if dropping to 1024, as I believe the default is 3600s (60m), and you may wish to drop this to 1800s (30min).
          This is set via option reneg_sec <seconds>

    • /etc/config/openvpn can run multiple servers, and to do so, simply copy your current server config below itself, with a blank line separating the two, and edit accordingly.

  • I'm currently in the process of revamping the VPN server wiki I wrote to bring it in line with the wiki guidelines, and I believe in the original I forgot to mention the VPN server should only be configured with sha512 if an x64 client is being utilized, since 64bit devices process sha512 more efficiently [faster] than sha256.

Client Config
  • Unless the client is having issues with a tunnel MTU of 48000, MTU should not be set to anything other than 48000 when using AES256
  • Always verify clients have no issue utilizing TLS version 1.2.
    • While I set this as the default in my wiki, I did forget to annotate that client support for TLS 1.2 should be verified on older clients, as it may need to be dropped to TLS 1 or 1.1.
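The firewall change and the "verify that no errors exist" step above are easy to check mechanically. As an added example (not the respondent's code), here is a small parser for the UCI syntax of /etc/config/firewall plus a check for the things this post says a working VPN -> WAN passthrough needs: a forwarding from the vpn zone to wan, masquerading on wan, and no vpn rule whose dest_ip narrows a dest '*' rule. The firewall excerpt is constructed and deliberately lacks the vpn -> wan forwarding so the check fires.

```python
import re

# Constructed excerpt in /etc/config/firewall (UCI) syntax, modelled on the
# rules in this thread but deliberately missing the vpn -> wan forwarding.
SAMPLE_FIREWALL = """\
config zone
    option  name            'vpn'
    option  forward         'ACCEPT'

config zone
    option  name            'wan'
    option  forward         'DROP'
    option  masq            1

config forwarding
    option  dest            'lan'
    option  src             'vpn'

config rule
    option  target          'ACCEPT'
    option  src             'vpn'
    option  src_ip          '192.168.7.0/24'
    option  dest            '*'
    option  dest_ip         '192.168.1.0/24'
    option  name            'Allow Forwarded VPN0 -> Router'
"""

UCI_RE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*?))?\s*$")


def unquote(v):
    # UCI values may be bare words or wrapped in single or double quotes.
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] and v[0] in "'\"" else v


def parse_uci(text):
    """Return a list of sections such as {'_type': 'rule', 'src': 'vpn', ...}."""
    sections = []
    for line in text.splitlines():
        m = UCI_RE.match(line)
        if not m:
            continue
        kind, key, val = m.group(1), m.group(2), unquote(m.group(3) or "")
        if kind == "config":
            sections.append({"_type": key, "_name": val or None})
        elif kind == "option":
            sections[-1][key] = val
        else:  # 'list' entries repeat, so collect them into a Python list
            sections[-1].setdefault(key, []).append(val)
    return sections


def check_vpn_egress(sections, vpn="vpn", wan="wan"):
    """List what stops VPN clients from reaching the Internet through the router."""
    problems = []
    forwardings = {(s.get("src"), s.get("dest")) for s in sections if s["_type"] == "forwarding"}
    if (vpn, wan) not in forwardings:
        problems.append(f"no 'config forwarding' with src '{vpn}' and dest '{wan}'")
    zones = {s.get("name"): s for s in sections if s["_type"] == "zone"}
    if zones.get(wan, {}).get("masq") != "1":
        problems.append(f"zone '{wan}' lacks 'option masq 1', so tunnel traffic is not NATed on egress")
    for r in sections:
        if r["_type"] == "rule" and r.get("src") == vpn and r.get("dest") == "*" and r.get("dest_ip"):
            problems.append(f"rule '{r.get('name')}' has dest '*' but only reaches dest_ip {r['dest_ip']}")
    return problems
```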

SUCCESS!

Did you notice the message in the client log?

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1604', remote='link-mtu 48104'
2018-03-24 21:18:34 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 48000'

It is my mobile phone. It reads the 48000 and then sets it to the default value (1500), because it allows only MTU values 64 - 9000. So I set it to 9000 instead. The new warning in the client log is

"if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 48000)"

BUT: link-mtu is 'adjusted' to 48127, and Local IPv4: .... MTU: 48000. Madness, creativity, schizophrenia? I don't understand this at all, but the goal of 48000 at least has been achieved.

The only, and in fact most important point though is to go from outside through the tunnel to my router and then into the internet. This has not been accomplished yet.

The tunneled connection through my router into the internet was indeed slow (back then when it worked...), would the downsizing of the encryption bits improve it?

And, thanks, your patience and dedication in this area are highly appreciated.

The other points, DCC, and two servers, will be approached as soon as the Web access is successfully tunneled.

Local and Link MTUs are not the same things and are treated completely differently.

  • Local MTU refers to the MTU for the local interface
  • Link MTU refers to the MTU for the TCP packet that's encapsulated within the UDP packet.
    • This encapsulation is why TCP only has two use cases in OpenVPN, and outside of the following two, should never be utilized, as TCP cannot efficiently encapsulate itself.
      1. Troubleshooting
        OR
      2. When packet loss is high while utilizing UDP

With the above being said, it's baffling when users are told directly where to go to source the information for a more thorough explanation, and instead choose to not read the sourced material and do their own thing.

  • It's your configuration, so by all means, utilize an MTU value lower than 48000, as you're only severely limiting your own throughput by 175mbps if using AES256.

Your VPN server is not the cause of this, and with your firewall rule change above, it matches a known working firewall configuration for VPN -> WAN passthrough.

  • In your server config, the following sets your WAN DNS servers, so I would verify the DNS addresses currently set (OpenDNS) provide you with the best WAN DNS option.
    list    push                'dhcp-option    DNS 208.67.222.222'
    list    push                'dhcp-option    DNS 208.67.220.220'
    
    • I would try at least three different DNS servers (6 total, as each will have a primary and backup DNS address)

  • I would also verify if NIST is the best place to pull your NTP server from, as there may be a closer option to your country of residence.
    list    push                'dhcp-option    NTP 129.6.15.30'
    

Your speed is going to be limited to your ISP's upload speed. This is why, if users don't have a minimum 50mbps upload, I generally recommend going with a 3rd party VPN.

  • Lowering your DH to 2048 will help, and if you choose to go the route of creating a separate server specifically for securing public WiFi, this will help even more (if utilizing my prior recommendations for this scenario).

    • I would probably revise my prior statement above of a rekey of 30min (1800s) for securing public wifi and would recommend a 10min (600s) re-key value.
      • What this does is force a new encryption key to be negotiated every X seconds.
        • Let's say someone gains access to the block of data from a 30 minute re-key session... even if they were able to crack the encryption for that block of data, that encryption key would not be able to be used for any other block of data since each re-key negotiates a new encryption key.
      • The reason I'd recommend dropping that to a 10min re-key is in case you're doing security sensitive things like shopping or banking while connected to public WiFi. You'd likely be perfectly fine with a 30min re-key, but I've always been a bit paranoid when it comes to anything financial related over public WiFi with a VPN.

  • I'd also verify OpenSSL speeds on your router and VPN clients, as you can likely gain some throughput if your router isn't a dual core >1GHz and/or your clients aren't using a 64bit platform (non-x64 processes sha256 more efficiently than sha512).

    • Perform the following on your router and VPN clients:
      • openssl speed sha256
      • openssl speed sha512

      • openssl speed aes

      • openssl speed ecdh
      • openssl speed ecdsa
      • openssl speed rsa