OpenVPN no access to LAN

I followed the instructions https://lede-project.org/docs/user-guide/openvpn.server exactly. The VPN connection works. Unfortunately, I only have access to my router (192.168.0.1) and not to other servers in the network. Below you will find my config. Does anyone know where the mistake is?

root@LEDE:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxx/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option type 'bridge'
        option _orig_ifname 'eth1 wlan0'
        option _orig_bridge 'true'
        option proto 'dhcp'
        option ifname 'eth1'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

root@LEDE:~# cat /etc/config/firewall

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpn0'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'


root@LEDE:~# cat /proc/sys/net/ipv4/ip_forward
1

root@LEDE:~# cat /etc/config/openvpn
config openvpn 'BellevueVPN'
        option enabled '1'
        option dev 'tun'
        option port '1194'
        option proto 'udp'
        option status '/var/log/openvpn_status.log'
        option log '/tmp/openvpn.log'
        option verb '3'
        option mute '5'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option group 'nogroup'
        option ca '/etc/easy-rsa/keys/ca.crt'
        option cert '/etc/easy-rsa/keys/BellevueVPN.crt'
        option key '/etc/easy-rsa/keys/BellevueVPN.key'
        option dh '/etc/easy-rsa/keys/dh2048.pem'
        option mode 'server'
        option tls_server '1'
        option tls_auth '/etc/easy-rsa/keys/ta.key 0'
        option server '10.8.0.0 255.255.255.0'
        option topology 'subnet'
        option route_gateway 'dhcp'
        option client_to_client '1'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'redirect-gateway def1'
        # allow your clients to access to your network
        list push 'route 192.168.0.0 255.255.255.0'
        # push DNS to your clients
        list push 'dhcp-option DNS 192.168.0.1'
        option comp_lzo 'no'

root@LEDE:/etc/easy-rsa/keys# cat xxxx.ovpn
client
dev tun
proto udp
remote xxxxx.xx 1194
resolv-retry infinite
nobind
mute-replay-warnings
ns-cert-type server
key-direction 1
verb 1
mute 20
comp-lzo no
# uncomment for Windows 7 clients
#route-method exe
#route-delay 2
<ca>
-----BEGIN CERTIFICATE-----

Try turning off masq for your vpn firewall zone. Not sure if that's the issue, but my config works and I don't have masquerading enabled on the VPN server side.

Unfortunately, that did not work. I found no difference.

Please do the following:

  1. /etc/config/openvpn:
    • verb 4
    • proto tcp
  2. /etc/config/firewall:
    • Change OpenVPN rule to proto 'tcp udp'
  3. Client Config:
    • verb 5
  4. Disconnect Client
  5. /etc/init.d/openvpn restart
  6. Reconnect client

Once that's done, attempt to access another device on the network. After one minute of trying to connect to another LAN client, post your client and server logs (remove WAN IP from logs).

  • Server Log: /tmp/openvpn.log
  • Client Log: Refer to OpenVPN client config or application

Additionally:

  • What's the purpose of your VPN - remote access from WAN or wanting to push all LAN traffic through the VPN?

    • Unfortunately, the LEDE wiki, like almost every other OpenVPN wiki, does the absolute bare minimum for a truly sub-par wiki. There are several crucial options missing from your server and client configs, and I'd recommend looking at the OpenVPN wiki I wrote a while back on OpenWrt.
  • Why is wlan0 in your WAN (as that should not be in WAN)?

First of all: Thanks for your effort!

I did a successful job on points 1 to 6. Additionally I had to replace the entry proto udp with proto tcp in the client.ovpn. If I don't change that, then no connection is possible. Then it was also possible to connect to the router again. But it is not yet possible to connect to other computers in the network.

/tmp/openvpn.log

Mon Dec 11 18:41:19 2017 us=141274 MULTI: multi_create_instance called
Mon Dec 11 18:41:19 2017 us=141407 Re-using SSL/TLS context
Mon Dec 11 18:41:19 2017 us=141580 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Mon Dec 11 18:41:19 2017 us=141650 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Mon Dec 11 18:41:19 2017 us=141744 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Mon Dec 11 18:41:19 2017 us=141779 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Mon Dec 11 18:41:19 2017 us=141838 TCP connection established with [AF_INET]2xx.x5.xx1.1xx:38571
Mon Dec 11 18:41:19 2017 us=141872 TCP_SERVER link local: (not bound)
Mon Dec 11 18:41:19 2017 us=141908 TCP_SERVER link remote: [AF_INET]2xx.x5.xx1.1xx:38571
Mon Dec 11 18:41:20 2017 us=105827 2xx.x5.xx1.1xx:38571 TLS: Initial packet from [AF_INET]2xx.x5.xx1.1xx:38571, sid=83195a2c 845fdb42
Mon Dec 11 18:41:20 2017 us=561288 2xx.x5.xx1.1xx:38571 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
Mon Dec 11 18:41:20 2017 us=562225 2xx.x5.xx1.1xx:38571 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=OP5Remo, name=EasyRSA, emailAddress=me@myhost.mydomain
Mon Dec 11 18:41:20 2017 us=767242 2xx.x5.xx1.1xx:38571 peer info: IV_VER=2.5_master
Mon Dec 11 18:41:20 2017 us=767308 2xx.x5.xx1.1xx:38571 peer info: IV_PLAT=android
Mon Dec 11 18:41:20 2017 us=767344 2xx.x5.xx1.1xx:38571 peer info: IV_PROTO=2
Mon Dec 11 18:41:20 2017 us=767377 2xx.x5.xx1.1xx:38571 peer info: IV_NCP=2
Mon Dec 11 18:41:20 2017 us=767408 2xx.x5.xx1.1xx:38571 peer info: IV_LZ4=1
Mon Dec 11 18:41:20 2017 us=767439 2xx.x5.xx1.1xx:38571 peer info: IV_LZ4v2=1
Mon Dec 11 18:41:20 2017 us=767468 2xx.x5.xx1.1xx:38571 peer info: IV_LZO=1
Mon Dec 11 18:41:20 2017 us=767499 2xx.x5.xx1.1xx:38571 peer info: IV_COMP_STUB=1
Mon Dec 11 18:41:20 2017 us=767529 2xx.x5.xx1.1xx:38571 peer info: IV_COMP_STUBv2=1
Mon Dec 11 18:41:20 2017 us=767559 2xx.x5.xx1.1xx:38571 peer info: IV_TCPNL=1
Mon Dec 11 18:41:20 2017 us=767590 2xx.x5.xx1.1xx:38571 peer info: IV_GUI_VER=de.blinkt.openvpn_0.6.73
Mon Dec 11 18:41:20 2017 us=830809 2xx.x5.xx1.1xx:38571 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Dec 11 18:41:20 2017 us=830884 2xx.x5.xx1.1xx:38571 [OP5Remo] Peer Connection Initiated with [AF_INET]2xx.x5.xx1.1xx:38571
Mon Dec 11 18:41:20 2017 us=830953 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Mon Dec 11 18:41:20 2017 us=831080 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI: Learn: 10.8.0.2 -> OP5Remo/2xx.x5.xx1.1xx:38571
Mon Dec 11 18:41:20 2017 us=831119 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI: primary virtual IP for OP5Remo/2xx.x5.xx1.1xx:38571: 10.8.0.2
Mon Dec 11 18:41:21 2017 us=997206 OP5Remo/2xx.x5.xx1.1xx:38571 PUSH: Received control message: 'PUSH_REQUEST'
Mon Dec 11 18:41:21 2017 us=997333 OP5Remo/2xx.x5.xx1.1xx:38571 SENT CONTROL [OP5Remo]: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Dec 11 18:41:21 2017 us=997373 OP5Remo/2xx.x5.xx1.1xx:38571 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Dec 11 18:41:21 2017 us=997420 OP5Remo/2xx.x5.xx1.1xx:38571 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Mon Dec 11 18:41:21 2017 us=997611 OP5Remo/2xx.x5.xx1.1xx:38571 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Dec 11 18:41:21 2017 us=997650 OP5Remo/2xx.x5.xx1.1xx:38571 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Dec 11 18:41:22 2017 us=737784 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI: bad source address from client [100.100.90.160], packet dropped
Mon Dec 11 18:41:22 2017 us=737943 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI: bad source address from client [100.100.90.160], packet dropped
Mon Dec 11 18:41:23 2017 us=166037 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI: bad source address from client [100.100.90.160], packet dropped
Mon Dec 11 18:41:23 2017 us=166142 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI: bad source address from client [100.100.90.160], packet dropped
Mon Dec 11 18:41:23 2017 us=198553 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI: bad source address from client [100.100.90.160], packet dropped
Mon Dec 11 18:41:23 2017 us=316171 OP5Remo/2xx.x5.xx1.1xx:38571 NOTE: --mute triggered...


Client Log

2017-12-11 19:41:17 F-Droid built and signed version 0.6.73 läuft auf OnePlus ONEPLUS A5000 (msm8998), Android 7.1.1 (NMF26X) API 25, ABI arm64-v8a, (OnePlus/OnePlus5/OnePlus5:7.1.1/NMF26X/10171617:user/release-keys)
2017-12-11 19:41:17 Generiere OpenVPN-Konfiguration…
2017-12-11 19:41:17 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2017-12-11 19:41:17 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2017-12-11 19:41:17 started Socket Thread
2017-12-11 19:41:17 Netzwerkstatus: CONNECTED LTE to MOBILE internet
2017-12-11 19:41:17 Debug state info: CONNECTED LTE to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2017-12-11 19:41:17 Current Parameter Settings:
2017-12-11 19:41:17 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2017-12-11 19:41:17 Warte 0s Sekunden zwischen zwei Verbindungsversuchen
2017-12-11 19:41:17 mode = 0
2017-12-11 19:41:17 show_ciphers = DISABLED
2017-12-11 19:41:17 show_digests = DISABLED
2017-12-11 19:41:17 show_engines = DISABLED
2017-12-11 19:41:17 genkey = DISABLED
2017-12-11 19:41:17 key_pass_file = '[UNDEF]'
2017-12-11 19:41:17 show_tls_ciphers = DISABLED
2017-12-11 19:41:17 connect_retry_max = 0
2017-12-11 19:41:17 Connection profiles [0]:
2017-12-11 19:41:17 proto = tcp-client
2017-12-11 19:41:17 local = '[UNDEF]'
2017-12-11 19:41:17 local_port = '[UNDEF]'
2017-12-11 19:41:17 remote = 'xxx.xx.org'
2017-12-11 19:41:17 remote_port = '1194'
2017-12-11 19:41:17 remote_float = DISABLED
2017-12-11 19:41:17 bind_defined = DISABLED
2017-12-11 19:41:17 bind_local = DISABLED
2017-12-11 19:41:17 bind_ipv6_only = DISABLED
2017-12-11 19:41:17 NOTE: --mute triggered...
2017-12-11 19:41:17 160 variation(s) on previous 20 message(s) suppressed by --mute
2017-12-11 19:41:17 OpenVPN 2.5-icsopenvpn [git:HEAD-9fa0b9a7e1240170] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 18 2017
2017-12-11 19:41:17 library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10
2017-12-11 19:41:17 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2017-12-11 19:41:17 MANAGEMENT: CMD 'hold release'
2017-12-11 19:41:17 MANAGEMENT: CMD 'proxy NONE'
2017-12-11 19:41:17 MANAGEMENT: CMD 'bytecount 2'
2017-12-11 19:41:17 MANAGEMENT: CMD 'state on'
2017-12-11 19:41:17 Debug state info: CONNECTED LTE to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2017-12-11 19:41:18 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2017-12-11 19:41:18 MANAGEMENT: CMD 'password [...]'
2017-12-11 19:41:18 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-12-11 19:41:18 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-12-11 19:41:18 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-12-11 19:41:18 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-12-11 19:41:18 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-12-11 19:41:18 LZO compression initializing
2017-12-11 19:41:18 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
2017-12-11 19:41:18 MANAGEMENT: >STATE:1513017678,RESOLVE,,,,,,
2017-12-11 19:41:19 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-12-11 19:41:19 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-12-11 19:41:19 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2017-12-11 19:41:19 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2017-12-11 19:41:19 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2017-12-11 19:41:19 TCP/UDP: Preserving recently used remote address: [AF_INET]xx2.2x3.xx.1xx:1194
2017-12-11 19:41:19 Socket Buffers: R=[4194304->4194304] S=[524288->524288]
2017-12-11 19:41:19 Attempting to establish TCP connection with [AF_INET]xx2.2x3.xx.1xx:1194 [nonblock]
2017-12-11 19:41:19 MANAGEMENT: >STATE:1513017679,TCP_CONNECT,,,,,,
2017-12-11 19:41:19 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2017-12-11 19:41:20 TCP connection established with [AF_INET]xx2.2x3.xx.1xx:1194
2017-12-11 19:41:20 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2017-12-11 19:41:20 TCP_CLIENT link local: (not bound)
2017-12-11 19:41:20 TCP_CLIENT link remote: [AF_INET]xx2.2x3.xx.1xx:1194
2017-12-11 19:41:20 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-12-11 19:41:20 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-12-11 19:41:20 MANAGEMENT: >STATE:1513017680,WAIT,,,,,,
2017-12-11 19:41:20 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-11 19:41:20 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-11 19:41:20 MANAGEMENT: >STATE:1513017680,AUTH,,,,,,
2017-12-11 19:41:20 TLS: Initial packet from [AF_INET]xx2.2x3.xx.1xx:1194, sid=9375f580 cc186dc3
2017-12-11 19:41:20 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
2017-12-11 19:41:20 VERIFY OK: nsCertType=SERVER
2017-12-11 19:41:20 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=BellevueVPN, name=EasyRSA, emailAddress=me@myhost.mydomain
2017-12-11 19:41:21 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-12-11 19:41:21 [BellevueVPN] Peer Connection Initiated with [AF_INET]xx2.2x3.xx.1xx:1194
2017-12-11 19:41:22 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-11 19:41:22 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-11 19:41:22 MANAGEMENT: >STATE:1513017682,GET_CONFIG,,,,,,
2017-12-11 19:41:22 SENT CONTROL [BellevueVPN]: 'PUSH_REQUEST' (status=1)
2017-12-11 19:41:22 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,10.8.0.2,,,,
2017-12-11 19:41:22 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,10.8.0.2,,,,
2017-12-11 19:41:22 PUSH: Received control message: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2017-12-11 19:41:22 OPTIONS IMPORT: timers and/or timeouts modified
2017-12-11 19:41:22 OPTIONS IMPORT: --persist options modified
2017-12-11 19:41:22 OPTIONS IMPORT: --ifconfig/up options modified
2017-12-11 19:41:22 OPTIONS IMPORT: route options modified
2017-12-11 19:41:22 OPTIONS IMPORT: route-related options modified
2017-12-11 19:41:22 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-12-11 19:41:22 OPTIONS IMPORT: peer-id set
2017-12-11 19:41:22 OPTIONS IMPORT: adjusting link_mtu to 1627
2017-12-11 19:41:22 OPTIONS IMPORT: data channel crypto options modified
2017-12-11 19:41:22 Data Channel: using negotiated cipher 'AES-256-GCM'
2017-12-11 19:41:22 Data Channel MTU parms [ L:1555 D:1450 EF:55 EB:406 ET:0 EL:3 ]
2017-12-11 19:41:22 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-11 19:41:22 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-11 19:41:22 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-12-11 19:41:22 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-12-11 19:41:22 GDG: SIOCGIFHWADDR(lo) failed
2017-12-11 19:41:22 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2017-12-11 19:41:22 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-12-11 19:41:22 MANAGEMENT: >STATE:1513017682,ASSIGN_IP,,10.8.0.2,,,,
2017-12-11 19:41:22 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2017-12-11 19:41:22 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2017-12-11 19:41:22 MANAGEMENT: >STATE:1513017682,ADD_ROUTES,,,,,,
2017-12-11 19:41:22 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2017-12-11 19:41:22 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2017-12-11 19:41:22 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2017-12-11 19:41:22 Tun-Netzwerkinterface wird geöffnet:
2017-12-11 19:41:22 Lokale IPv4: 10.8.0.2/24 IPv6: null MTU: 1500
2017-12-11 19:41:22 DNS-Server: 192.168.0.1, Domäne: null
2017-12-11 19:41:22 Routen: 0.0.0.0/0, 10.8.0.0/24, 192.168.0.0/24 
2017-12-11 19:41:22 Ausgeschlossene Routen: 
2017-12-11 19:41:22 Installierte VpnService-Routen: 0.0.0.0/0 
2017-12-11 19:41:22 Nicht zugelassene Apps für das VPN: 
2017-12-11 19:41:22 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2017-12-11 19:41:22 Initialization Sequence Completed
2017-12-11 19:41:22 MANAGEMENT: >STATE:1513017682,CONNECTED,SUCCESS,10.8.0.2,xx2.2x3.xx.1xx,1194,100.100.90.160,45194
2017-12-11 19:41:22 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,10.8.0.2,xx2.2x3.xx.1xx,1194,100.100.90.160,45194
2017-12-11 19:41:22 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,10.8.0.2,xx2.2x3.xx.1xx,1194,100.100.90.160,45194
2017-12-11 19:41:22 Debug state info: CONNECTED LTE to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 

I just want remote access to my LAN.

It's a typo.

PS: Sorry, some of the logs are in German.
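Added example, not part of the thread: a small Python triage of the server log format posted above. It collects, per client, the tunnel IP the pool assigned, the PUSH_REPLY options and every "bad source address" drop, which OpenVPN logs when a client sends a packet whose source is not its assigned tunnel address (or a route learned for it). The sample lines are copied from the log above with the WAN address masked as in the original; the finding texts are my own wording.

```python
"""Triage an OpenVPN server log (the verb 3/4 format posted above).

The server forwards a packet from a client only if its source address is the
tunnel IP assigned to that client (or a route learned for it); anything else is
logged as 'MULTI: bad source address from client [...], packet dropped' and
never reaches the LAN, so these lines are the first thing to look for."""
import re
from collections import Counter

# Common prefix: 'Mon Dec 11 18:41:20 2017 us=830953 <client-id> ...'
PREFIX = r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} us=\d+ (?P<client>\S+) "
POOL_RE = re.compile(PREFIX + r"MULTI_sva: pool returned IPv4=(?P<ip>[\d.]+)")
PUSH_RE = re.compile(PREFIX + r"SENT CONTROL \[[^\]]+\]: 'PUSH_REPLY,(?P<opts>[^']*)'")
DROP_RE = re.compile(PREFIX + r"MULTI: bad source address from client \[(?P<src>[\d.]+)\], packet dropped$")


def triage(log_text):
    """Per client id: assigned tunnel IP, pushed options, Counter of dropped source addresses."""
    clients = {}
    for line in log_text.splitlines():
        for pattern in (POOL_RE, PUSH_RE, DROP_RE):
            m = pattern.match(line)
            if not m:
                continue
            c = clients.setdefault(m["client"], {"assigned": None, "pushed": [], "drops": Counter()})
            if pattern is POOL_RE:
                c["assigned"] = m["ip"]
            elif pattern is PUSH_RE:
                c["pushed"] = m["opts"].split(",")
            else:
                c["drops"][m["src"]] += 1
            break
    return clients


def findings(clients):
    """Human-readable findings: one per (client, dropped source address)."""
    out = []
    for client, c in clients.items():
        redirect = [p for p in c["pushed"] if p.startswith("redirect-gateway")]
        for src, n in c["drops"].most_common():
            msg = f"{client}: {n} packet(s) dropped, source {src} is not the assigned tunnel IP {c['assigned']}"
            if redirect:
                msg += f"; '{redirect[0]}' is pushed, so check that the client really sources its traffic from the tunnel"
            out.append(msg)
    return out


# Constructed sample: five lines copied from the server log above, WAN address masked as in the original.
SAMPLE_LOG = """\
Mon Dec 11 18:41:20 2017 us=830953 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Mon Dec 11 18:41:21 2017 us=997333 OP5Remo/2xx.x5.xx1.1xx:38571 SENT CONTROL [OP5Remo]: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Dec 11 18:41:22 2017 us=737784 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI: bad source address from client [100.100.90.160], packet dropped
Mon Dec 11 18:41:22 2017 us=737943 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI: bad source address from client [100.100.90.160], packet dropped
Mon Dec 11 18:41:23 2017 us=166037 OP5Remo/2xx.x5.xx1.1xx:38571 MULTI: bad source address from client [100.100.90.160], packet dropped
"""

if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

On the client log above, 100.100.90.160 is the address the app reports as its own local (LTE) side, so the dropped packets are ones the phone sent into the tunnel with its uplink address rather than 10.8.0.2.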

The issue is likely the redirect gateway option [list push 'redirect-gateway def1'], which is used when you want to push all LAN traffic through the VPN to WAN... like I said, the LEDE wiki is subpar and not well written.

Try the following config, which should resolve your issues.

  1. First, you'll need to issue the following command:

    • cd /etc/easy-rsa/keys ; openssl pkcs12 -export -out BellevueVPN.p12 -inkey BellevueVPN.key -in BellevueVPN.crt -certfile ca.crt
      • Do not encrypt the PKCS12 [p12] cert, as servers should not have encrypted key files.
  2. Change /etc/config/openvpn to:

#

    ##::[[---  LEDE OpenVPN Config  ---]]::##

####################################################
          ##----- VPN Server TCP -----##
####################################################

config openvpn 'BellevueVPN'
    option  enabled                 1

        # Protocol #
#---------------------------------------------------
    option  dev                     'tun'
    option  dev                     'tun0'
    option  topology                'subnet'
    option  proto                   'tcp'
    option  port                    1194


    # Routes #
#---------------------------------------------------
    option  server                  '10.8.0.0 255.255.255.0'
    option  ifconfig                '10.8.0.1 255.255.255.0'


    # Client Config #
#---------------------------------------------------
    #option  ccd_exclusive           1
    #option  ifconfig_pool_persist   '/etc/openvpn/clients/private/ipp.txt'
    #option  client_config_dir       '/etc/openvpn/clients/private'


    # Pushed Routes #
#---------------------------------------------------
    list    push                    'route 192.168.0.0 255.255.255.0'
    list    push                    'dhcp-option    DNS 192.168.0.1'
    list    push                    'dhcp-option    WINS 192.168.0.1'
    list    push                    'dhcp-option    DNS 208.67.222.222'
    list    push                    'dhcp-option    DNS 208.67.220.220'
    list    push                    'dhcp-option    NTP 129.6.15.30'


    # Encryption #
#---------------------------------------------------
    # Diffie-Hellmann:
    option  dh                      '/etc/easy-rsa/keys/dh2048.pem'

    # PKCS12:
    option  pkcs12                  '/etc/easy-rsa/keys/BellevueVPN.p12'

    # SSL:
    option  cipher                  'AES-256-CBC'
    option  auth                    'SHA512'
    option  tls_auth                '/etc/easy-rsa/keys/ta.key 0'

    # TLS:
    option  tls_version_min         1.2
    option  tls_cipher              'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'


    # Logging #
#---------------------------------------------------
    option  log                     '/tmp/openvpn-server.log'
    option  status                  '/tmp/openvpn-server-status.log'
    option  verb                    4


    # Connection Options #
#---------------------------------------------------
    option  keepalive               '10 120'
    option  comp_lzo                'yes'


    # Connection Reliability #
#---------------------------------------------------
    option  client_to_client        1
    option  persist_key             1
    option  persist_tun             1


    # Connection Speed #
#---------------------------------------------------
    option  sndbuf                  393216
    option  rcvbuf                  393216
    option  fragment                0
    option  mssfix                  0
    option  tun_mtu                 48000


    # Pushed Buffers #
#---------------------------------------------------
    list    push                    'sndbuf 393216'
    list    push                    'rcvbuf 393216'


    # Permissions #
#---------------------------------------------------
    option  user                    'nobody'
    option  group                   'nogroup'

  • You may have to comment out the TLS options, and if you do, I recommend going through the steps in my above linked wiki to create certs via an openssl.cnf versus Easy-RSA.

  • Double check I got all the IPs and network/firewall zone names correct.

  3. Change /etc/config/network to:
#

    ##::[[---  LEDE WAN Network Config  ---]]::##

####################################################
          ##----- Active Networks -----##
####################################################

    # OpenVPN #
#---------------------------------------------------
config interface 'vpn0'
    option  ifname          'tun0'
    option  proto           'static'
    option  ipaddr          10.8.0.1
    option  netmask         255.255.255.0
    option  broadcast       10.8.0.255
    option  dns             '192.168.0.1 208.67.222.222 208.67.220.220'
    option  delegate        0
  4. Change /etc/config/firewall to:
#

    ##::[[---  LEDE Firewall Config  ---]]::##

####################################################
               ##----- Rules -----##
####################################################

    # OpenVPN #
#---------------------------------------------------
config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             *
    option  dest_port       1194
    option  name            'Allow Forwarded OpenVPN Request -> Router'

config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             'vpn'
    option  src_ip          '10.8.0.0/24'
    option  dest_ip         '192.168.0.0/24'
    option  name            'Allow OpenVPN -> LAN'

config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             'vpn'
    option  src_ip          '10.8.0.0/24'
    option  dest            *
    option  dest_ip         '192.168.0.0/24'
    option  name            'Allow Forwarded OpenVPN -> Router'

config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'icmp'
    option  src             'vpn'
    option  src_ip          '10.8.0.0/24'
    option  dest            'lan'
    option  name            'Allow OpenVPN (ICMP) -> LAN'

config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'icmp'
    list    icmp_type       'echo-request'
    option  src             'vpn'
    option  src_ip          '10.8.0.0/24'
    option  dest            'wan'
    option  name            'Allow OpenVPN (echo-request) -> WAN'

####################################################
       ##----- Interzone Forwarding  -----##
####################################################

    # OpenVPN #
#---------------------------------------------------

config forwarding
    option  dest            'vpn'
    option  src             'lan'

config forwarding
    option  dest            'lan'
    option  src             'vpn'

config forwarding
    option  dest            'wan'
    option  src             'vpn'
  5. Issue: cd /etc/init.d ; ./openvpn stop ; ./network restart ; ./firewall restart ; ./openvpn start ; tail -f /tmp/openvpn.log
    • Once you've verified everything works, change the OpenVPN server and client configs back to UDP, restart the server, then reconnect the client.
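Added example, not from the thread or the linked wiki: a Python checker that parses UCI files like the ones above and follows the chain from the OpenVPN dev option to the network interface, the firewall zone covering it, the forwarding into lan and the inbound rule for the server port, and flags a pushed redirect-gateway. The embedded samples are abridged from the configs in the first post; the check names and messages are my own.

```python
"""Check whether a LEDE/OpenWrt OpenVPN server setup lets VPN clients reach the
LAN: parse the UCI files (network, firewall, openvpn) and follow the chain
tun device -> network interface -> firewall zone -> forwarding to lan ->
inbound rule for the server port, and flag a pushed 'redirect-gateway'."""
import shlex


def parse_uci(text):
    """UCI text -> list of {'type', 'name', 'options', 'lists'} sections."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # strips '#' comments, handles quotes
        if not words:
            continue
        if words[0] == "config":
            sections.append({"type": words[1], "name": words[2] if len(words) > 2 else None,
                             "options": {}, "lists": {}})
        elif words[0] == "option" and len(words) >= 3:
            sections[-1]["options"][words[1]] = words[2]
        elif words[0] == "list" and len(words) >= 3:
            sections[-1]["lists"].setdefault(words[1], []).append(words[2])
    return sections


def find(sections, stype, **match):
    """Sections of type stype whose options contain every key=value in match."""
    return [s for s in sections if s["type"] == stype
            and all(s["options"].get(k) == v for k, v in match.items())]


def check_lan_access(network, firewall, openvpn, lan_zone="lan", wan_zone="wan"):
    """Return a list of findings; an empty list means the chain is complete."""
    servers = find(parse_uci(openvpn), "openvpn", enabled="1")
    if not servers:
        return ["no enabled 'config openvpn' section"]
    opts, pushed = servers[0]["options"], servers[0]["lists"].get("push", [])
    dev, port, proto = opts.get("dev", "tun"), opts.get("port", "1194"), opts.get("proto", "udp")
    findings = []
    # 1. The tun device must be bound to a named network interface. Plain 'dev tun'
    #    lets the kernel pick the next free tunX, so the name should be pinned.
    net = parse_uci(network)
    ifaces = find(net, "interface", ifname=dev)
    if not ifaces and dev in ("tun", "tap"):
        ifaces = find(net, "interface", ifname=dev + "0")
        if ifaces:
            findings.append(f"openvpn uses 'dev {dev}' but network binds '{dev}0'; use 'option dev {dev}0'")
    if not ifaces:
        return findings + [f"no network interface has ifname '{dev}'"]
    net_name = ifaces[0]["name"]
    # 2. That interface must be covered by a firewall zone (option or list form).
    fw = parse_uci(firewall)
    zones = [z for z in fw if z["type"] == "zone" and net_name in
             z["options"].get("network", "").split() + z["lists"].get("network", [])]
    if not zones:
        return findings + [f"network '{net_name}' is not in any firewall zone"]
    zone = zones[0]["options"]["name"]
    # 3. The zone must be allowed to forward into the LAN zone.
    if not find(fw, "forwarding", src=zone, dest=lan_zone):
        findings.append(f"no 'config forwarding' from '{zone}' to '{lan_zone}'")
    # 4. The server port must be accepted from the WAN (src 'wan' or '*').
    if not any(r["options"].get("src") in (wan_zone, "*")
               and proto in r["options"].get("proto", "tcp udp").split()
               for r in find(fw, "rule", target="ACCEPT", dest_port=port)):
        findings.append(f"no ACCEPT rule for {proto}/{port} from '{wan_zone}'")
    # 5. Remote access to the LAN does not need to take over the client's default route.
    findings += [f"'{p}' is pushed: all client traffic goes through the tunnel; drop it for LAN-only access"
                 for p in pushed if p.startswith("redirect-gateway")]
    return findings


# Constructed samples, abridged from the configs posted at the top of the thread.
NETWORK = """\
config interface 'vpn0'
        option ifname 'tun0'
"""
FIREWALL = """\
config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'

config zone
        option name 'vpn'
        option network 'vpn0'

config forwarding
        option dest 'lan'
        option src 'vpn'
"""
OPENVPN_ORIGINAL = """\
config openvpn 'BellevueVPN'
        option enabled '1'
        option dev 'tun'
        option port '1194'
        option proto 'udp'
        list push 'redirect-gateway def1'
        list push 'route 192.168.0.0 255.255.255.0'
"""
# The same server with both findings addressed: pinned device name, no default-route takeover.
OPENVPN_FIXED = OPENVPN_ORIGINAL.replace("'tun'", "'tun0'").replace(
    "        list push 'redirect-gateway def1'\n", "")
```

Run `check_lan_access(NETWORK, FIREWALL, OPENVPN_ORIGINAL)` to see the two findings on the original configuration; the fixed server section yields an empty list.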

Thanks again for your big effort!!!
Below you will find the current configurations.

  1. Has worked

  2. Has worked, I just switched off the compression

root@LEDE:/# cat /etc/config/openvpn
package openvpn

#

    ##::[[---  LEDE OpenVPN Config  ---]]::##

####################################################
          ##----- VPN Server TCP -----##
####################################################

config openvpn 'BellevueVPN'
    option  enabled                 1

    # Protocol #
    option  dev                     'tun'
    option  dev                     'tun0'
    option  topology                'subnet'
    option  proto                   'tcp'
    option  port                    1194


    # Routes #
    option  server                  '10.8.0.0 255.255.255.0'
    option  ifconfig                '10.8.0.1 255.255.255.0'


    # Client Config #
    #option  ccd_exclusive           1
    #option  ifconfig_pool_persist   '/etc/openvpn/clients/private/ipp.txt'
    #option  client_config_dir       '/etc/openvpn/clients/private'


    # Pushed Routes #
    list    push                    'route 192.168.0.0 255.255.255.0'
    list    push                    'dhcp-option    DNS 192.168.0.1'
    list    push                    'dhcp-option    WINS 192.168.0.1'
    list    push                    'dhcp-option    DNS 208.67.222.222'
    list    push                    'dhcp-option    DNS 208.67.220.220'
    list    push                    'dhcp-option    NTP 129.6.15.30'


    # Encryption #
    # Diffie-Hellmann:
    option  dh                      '/etc/easy-rsa/keys/dh2048.pem'

    # PKCS12:
    option  pkcs12                  '/etc/easy-rsa/keys/BellevueVPN.p12'

    # SSL:
    option  cipher                  'AES-256-CBC'
    option  auth                    'SHA512'
    option  tls_auth                '/etc/easy-rsa/keys/ta.key 0'

    # TLS:
    option  tls_version_min         1.2
    option  tls_cipher              'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'


    # Logging #
    option  log                     '/tmp/openvpn-server.log'
    option  status                  '/tmp/openvpn-server-status.log'
    option  verb                    4


    # Connection Options #
    option  keepalive               '10 120'
    option  comp_lzo                'no'


    # Connection Reliability #
    option  client_to_client        1
    option  persist_key             1
    option  persist_tun             1


    # Connection Speed #
    option  sndbuf                  393216
    option  rcvbuf                  393216
    option  fragment                0
    option  mssfix                  0
    option  tun_mtu                 48000


    # Pushed Buffers #
    list    push                    'sndbuf 393216'
    list    push                    'rcvbuf 393216'


    # Permissions #
    option  user                    'nobody'
    option  group                   'nogroup'
  3. Has worked
root@LEDE:/# cat /etc/config/network 
# OpenVPN #
#---------------------------------------------------
config interface 'vpn0'
    option  ifname          'tun0'
    option  proto           'static'
    option  ipaddr          10.8.0.1
    option  netmask         255.255.255.0
    option  broadcast       10.8.0.255
    option  dns             '192.168.0.1 208.67.222.222 208.67.220.220'
    option  delegate        0
  4. Has worked, I just added the vpn zone
root@LEDE:/# cat /etc/config/firewall 
####################################################
                ##----- Zone  -----##
####################################################

    # OpenVPN #

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'vpn0'
	option forward 'ACCEPT'
	option masq '1'

####################################################
               ##----- Rules -----##
####################################################

    # OpenVPN #
config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             *
    option  dest_port       1194
    option  name            'Allow Forwarded OpenVPN Request -> Router'

config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             'vpn'
    option  src_ip          '10.8.0.0/24'
    option  dest_ip         '192.168.0.0/24'
    option  name            'Allow OpenVPN -> LAN'

config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             'vpn'
    option  src_ip          '10.8.0.0/24'
    option  dest            *
    option  dest_ip         '192.168.0.0/24'
    option  name            'Allow Forwarded OpenVPN -> Router'

config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'icmp'
    option  src             'vpn'
    option  src_ip          '10.8.0.0/24'
    option  dest            'lan'
    option  name            'Allow OpenVPN (ICMP) -> LAN'

config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'icmp'
    list    icmp_type       'echo-request'
    option  src             'vpn'
    option  src_ip          '10.8.0.0/24'
    option  dest            'wan'
    option  name            'Allow OpenVPN (echo-request) -> WAN'

####################################################
       ##----- Interzone Forwarding  -----##
####################################################

    # OpenVPN #

config forwarding
    option  dest            'vpn'
    option  src             'lan'

config forwarding
    option  dest            'lan'
    option  src             'vpn'

config forwarding
    option  dest            'wan'
    option  src             'vpn'
  1. I issued the command: cd /etc/init.d ; ./openvpn stop ; ./network restart ; ./firewall restart ; ./openvpn start ; tail -f /tmp/openvpn-server.log

  2. After the restart it was not possible to connect. I adjusted the client.ovpn based on the wiki (link). Now I was able to connect.

 # Config Type #
client
 
 # Connection  #
dev tun
proto tcp
remote xxx.xxx.org 1194
 
# Speed #
mssfix 0
fragment 0
tun-mtu 48000
 
# Reliability #--
float
nobind
comp-lzo no
 
persist-key
persist-tun
resolv-retry infinite
 
# Encryption #
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-256-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
remote-cert-eku 'TLS Web Server Authentication'
 
# Logging #
verb 5

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
.
.
.
</ca>
  1. Unfortunately, I still can't reach my NAS (192.168.0.2). Below you will find the server and client logs.
root@LEDE:/# tail -f /tmp/openvpn-server.log 
Tue Dec 12 17:16:01 2017 us=899013 Socket Buffers: R=[87380->327680] S=[16384->327680]
Tue Dec 12 17:16:01 2017 us=899083 Listening for incoming TCP connection on [AF_INET][undef]:1194
Tue Dec 12 17:16:01 2017 us=899140 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Tue Dec 12 17:16:01 2017 us=899186 TCPv4_SERVER link remote: [AF_UNSPEC]
Tue Dec 12 17:16:01 2017 us=899238 GID set to nogroup
Tue Dec 12 17:16:01 2017 us=899295 UID set to nobody
Tue Dec 12 17:16:01 2017 us=899347 MULTI: multi_init called, r=256 v=256
Tue Dec 12 17:16:01 2017 us=899416 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Tue Dec 12 17:16:01 2017 us=899504 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Dec 12 17:16:01 2017 us=900114 Initialization Sequence Completed
Tue Dec 12 17:33:32 2017 us=960260 MULTI: multi_create_instance called
Tue Dec 12 17:33:32 2017 us=960397 Re-using SSL/TLS context
Tue Dec 12 17:33:32 2017 us=962021 Control Channel MTU parms [ L:48124 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Tue Dec 12 17:33:32 2017 us=962585 Data Channel MTU parms [ L:48124 D:48124 EF:124 EB:8156 ET:0 EL:3 ]
Tue Dec 12 17:33:32 2017 us=962697 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Tue Dec 12 17:33:32 2017 us=962734 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Tue Dec 12 17:33:32 2017 us=962916 TCP connection established with [AF_INET]ip.ip.ip.ip:57996
Tue Dec 12 17:33:32 2017 us=962953 TCP_SERVER link local: (not bound)
Tue Dec 12 17:33:32 2017 us=962988 TCP_SERVER link remote: [AF_INET]ip.ip.ip.ip:57996
Tue Dec 12 17:33:33 2017 us=839355 ip.ip.ip.ip:57996 TLS: Initial packet from [AF_INET]ip.ip.ip.ip:57996, sid=55983312 6fec19fb
Tue Dec 12 17:33:34 2017 us=328472 ip.ip.ip.ip:57996 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
Tue Dec 12 17:33:34 2017 us=329450 ip.ip.ip.ip:57996 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=OP5Remo, name=EasyRSA, emailAddress=me@myhost.mydomain
Tue Dec 12 17:33:34 2017 us=567728 ip.ip.ip.ip:57996 peer info: IV_VER=2.5_master
Tue Dec 12 17:33:34 2017 us=567799 ip.ip.ip.ip:57996 peer info: IV_PLAT=android
Tue Dec 12 17:33:34 2017 us=567837 ip.ip.ip.ip:57996 peer info: IV_PROTO=2
Tue Dec 12 17:33:34 2017 us=567869 ip.ip.ip.ip:57996 peer info: IV_NCP=2
Tue Dec 12 17:33:34 2017 us=567899 ip.ip.ip.ip:57996 peer info: IV_LZ4=1
Tue Dec 12 17:33:34 2017 us=567929 ip.ip.ip.ip:57996 peer info: IV_LZ4v2=1
Tue Dec 12 17:33:34 2017 us=567958 ip.ip.ip.ip:57996 peer info: IV_LZO=1
Tue Dec 12 17:33:34 2017 us=567988 ip.ip.ip.ip:57996 peer info: IV_COMP_STUB=1
Tue Dec 12 17:33:34 2017 us=568019 ip.ip.ip.ip:57996 peer info: IV_COMP_STUBv2=1
Tue Dec 12 17:33:34 2017 us=568049 ip.ip.ip.ip:57996 peer info: IV_TCPNL=1
Tue Dec 12 17:33:34 2017 us=568081 ip.ip.ip.ip:57996 peer info: IV_GUI_VER=de.blinkt.openvpn_0.6.73
Tue Dec 12 17:33:34 2017 us=639182 ip.ip.ip.ip:57996 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Dec 12 17:33:34 2017 us=639261 ip.ip.ip.ip:57996 [OP5Remo] Peer Connection Initiated with [AF_INET]ip.ip.ip.ip:57996
Tue Dec 12 17:33:34 2017 us=639330 OP5Remo/ip.ip.ip.ip:57996 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Tue Dec 12 17:33:34 2017 us=639456 OP5Remo/ip.ip.ip.ip:57996 MULTI: Learn: 10.8.0.2 -> OP5Remo/ip.ip.ip.ip:57996
Tue Dec 12 17:33:34 2017 us=639496 OP5Remo/ip.ip.ip.ip:57996 MULTI: primary virtual IP for OP5Remo/ip.ip.ip.ip:57996: 10.8.0.2
Tue Dec 12 17:33:35 2017 us=752000 OP5Remo/ip.ip.ip.ip:57996 PUSH: Received control message: 'PUSH_REQUEST'
Tue Dec 12 17:33:35 2017 us=752137 OP5Remo/ip.ip.ip.ip:57996 SENT CONTROL [OP5Remo]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option    DNS 192.168.0.1,dhcp-option    WINS 192.168.0.1,dhcp-option    DNS 208.67.222.222,dhcp-option    DNS 208.67.220.220,dhcp-option    NTP 129.6.15.30,sndbuf 393216,rcvbuf 393216,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Dec 12 17:33:35 2017 us=752179 OP5Remo/ip.ip.ip.ip:57996 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Dec 12 17:33:35 2017 us=752227 OP5Remo/ip.ip.ip.ip:57996 Data Channel MTU parms [ L:48052 D:48052 EF:52 EB:8156 ET:0 EL:3 ]
Tue Dec 12 17:33:35 2017 us=752421 OP5Remo/ip.ip.ip.ip:57996 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec 12 17:33:35 2017 us=752470 OP5Remo/ip.ip.ip.ip:57996 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Client log
2017-12-12 18:33:32 F-Droid built and signed version 0.6.73 läuft auf OnePlus ONEPLUS A5000 (msm8998), Android 7.1.1 (NMF26X) API 25, ABI arm64-v8a, (OnePlus/OnePlus5/OnePlus5:7.1.1/NMF26X/10171617:user/release-keys)
2017-12-12 18:33:32 Generiere OpenVPN-Konfiguration…
2017-12-12 18:33:32 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2017-12-12 18:33:32 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2017-12-12 18:33:32 started Socket Thread
2017-12-12 18:33:32 Netzwerkstatus: CONNECTED LTE to MOBILE internet
2017-12-12 18:33:32 Debug state info: CONNECTED LTE to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2017-12-12 18:33:32 Debug state info: CONNECTED LTE to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2017-12-12 18:33:32 Current Parameter Settings:
2017-12-12 18:33:32 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2017-12-12 18:33:32 mode = 0
2017-12-12 18:33:32 show_ciphers = DISABLED
2017-12-12 18:33:32 Warte 0s Sekunden zwischen zwei Verbindungsversuchen
2017-12-12 18:33:32 show_digests = DISABLED
2017-12-12 18:33:32 show_engines = DISABLED
2017-12-12 18:33:32 genkey = DISABLED
2017-12-12 18:33:32 key_pass_file = '[UNDEF]'
2017-12-12 18:33:32 show_tls_ciphers = DISABLED
2017-12-12 18:33:32 connect_retry_max = 0
2017-12-12 18:33:32 Connection profiles [0]:
2017-12-12 18:33:32 proto = tcp-client
2017-12-12 18:33:32 local = '[UNDEF]'
2017-12-12 18:33:32 local_port = '[UNDEF]'
2017-12-12 18:33:32 remote = 'ip.ip.ip.ip'
2017-12-12 18:33:32 remote_port = '1194'
2017-12-12 18:33:32 remote_float = ENABLED
2017-12-12 18:33:32 bind_defined = DISABLED
2017-12-12 18:33:32 bind_local = DISABLED
2017-12-12 18:33:32 bind_ipv6_only = DISABLED
2017-12-12 18:33:32 connect_retry_seconds = 2
2017-12-12 18:33:32 connect_timeout = 120
2017-12-12 18:33:32 socks_proxy_server = '[UNDEF]'
2017-12-12 18:33:32 socks_proxy_port = '[UNDEF]'
2017-12-12 18:33:32 tun_mtu = 48000
2017-12-12 18:33:32 tun_mtu_defined = ENABLED
2017-12-12 18:33:32 link_mtu = 1500
2017-12-12 18:33:32 link_mtu_defined = DISABLED
2017-12-12 18:33:32 tun_mtu_extra = 0
2017-12-12 18:33:32 tun_mtu_extra_defined = DISABLED
2017-12-12 18:33:32 mtu_discover_type = -1
2017-12-12 18:33:32 fragment = 0
2017-12-12 18:33:32 mssfix = 1450
2017-12-12 18:33:32 explicit_exit_notification = 0
2017-12-12 18:33:32 Connection profiles END
2017-12-12 18:33:32 remote_random = DISABLED
2017-12-12 18:33:32 ipchange = '[UNDEF]'
2017-12-12 18:33:32 dev = 'tun'
2017-12-12 18:33:32 dev_type = '[UNDEF]'
2017-12-12 18:33:32 dev_node = '[UNDEF]'
2017-12-12 18:33:32 lladdr = '[UNDEF]'
2017-12-12 18:33:32 topology = 1
2017-12-12 18:33:32 ifconfig_local = '[UNDEF]'
2017-12-12 18:33:32 ifconfig_remote_netmask = '[UNDEF]'
2017-12-12 18:33:32 ifconfig_noexec = DISABLED
2017-12-12 18:33:32 ifconfig_nowarn = ENABLED
2017-12-12 18:33:32 ifconfig_ipv6_local = '[UNDEF]'
2017-12-12 18:33:32 ifconfig_ipv6_netbits = 0
2017-12-12 18:33:32 ifconfig_ipv6_remote = '[UNDEF]'
2017-12-12 18:33:32 shaper = 0
2017-12-12 18:33:32 mtu_test = 0
2017-12-12 18:33:32 mlock = DISABLED
2017-12-12 18:33:32 keepalive_ping = 0
2017-12-12 18:33:32 keepalive_timeout = 0
2017-12-12 18:33:32 inactivity_timeout = 0
2017-12-12 18:33:32 ping_send_timeout = 0
2017-12-12 18:33:32 ping_rec_timeout = 0
2017-12-12 18:33:32 ping_rec_timeout_action = 0
2017-12-12 18:33:32 ping_timer_remote = DISABLED
2017-12-12 18:33:32 remap_sigusr1 = 0
2017-12-12 18:33:32 persist_tun = ENABLED
2017-12-12 18:33:32 persist_local_ip = DISABLED
2017-12-12 18:33:32 persist_remote_ip = DISABLED
2017-12-12 18:33:32 persist_key = DISABLED
2017-12-12 18:33:32 passtos = DISABLED
2017-12-12 18:33:32 resolve_retry_seconds = 1000000000
2017-12-12 18:33:32 resolve_in_advance = ENABLED
2017-12-12 18:33:32 username = '[UNDEF]'
2017-12-12 18:33:32 groupname = '[UNDEF]'
2017-12-12 18:33:32 chroot_dir = '[UNDEF]'
2017-12-12 18:33:32 cd_dir = '[UNDEF]'
2017-12-12 18:33:32 writepid = '[UNDEF]'
2017-12-12 18:33:32 up_script = '[UNDEF]'
2017-12-12 18:33:32 down_script = '[UNDEF]'
2017-12-12 18:33:32 down_pre = DISABLED
2017-12-12 18:33:32 up_restart = DISABLED
2017-12-12 18:33:32 up_delay = DISABLED
2017-12-12 18:33:32 daemon = DISABLED
2017-12-12 18:33:32 inetd = 0
2017-12-12 18:33:32 log = DISABLED
2017-12-12 18:33:32 suppress_timestamps = DISABLED
2017-12-12 18:33:32 machine_readable_output = ENABLED
2017-12-12 18:33:32 nice = 0
2017-12-12 18:33:32 verbosity = 4
2017-12-12 18:33:32 mute = 0
2017-12-12 18:33:32 gremlin = 0
2017-12-12 18:33:32 status_file = '[UNDEF]'
2017-12-12 18:33:32 status_file_version = 1
2017-12-12 18:33:32 status_file_update_freq = 60
2017-12-12 18:33:32 occ = ENABLED
2017-12-12 18:33:32 rcvbuf = 0
2017-12-12 18:33:32 sndbuf = 0
2017-12-12 18:33:32 sockflags = 0
2017-12-12 18:33:32 fast_io = DISABLED
2017-12-12 18:33:32 comp.alg = 2
2017-12-12 18:33:32 comp.flags = 1
2017-12-12 18:33:32 route_script = '[UNDEF]'
2017-12-12 18:33:32 route_default_gateway = '[UNDEF]'
2017-12-12 18:33:32 route_default_metric = 0
2017-12-12 18:33:32 route_noexec = DISABLED
2017-12-12 18:33:32 route_delay = 0
2017-12-12 18:33:32 route_delay_window = 30
2017-12-12 18:33:32 route_delay_defined = DISABLED
2017-12-12 18:33:32 route_nopull = DISABLED
2017-12-12 18:33:32 route_gateway_via_dhcp = DISABLED
2017-12-12 18:33:32 allow_pull_fqdn = DISABLED
2017-12-12 18:33:32 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2017-12-12 18:33:32 management_port = 'unix'
2017-12-12 18:33:32 management_user_pass = '[UNDEF]'
2017-12-12 18:33:32 management_log_history_cache = 250
2017-12-12 18:33:32 management_echo_buffer_size = 100
2017-12-12 18:33:32 management_write_peer_info_file = '[UNDEF]'
2017-12-12 18:33:32 management_client_user = '[UNDEF]'
2017-12-12 18:33:32 management_client_group = '[UNDEF]'
2017-12-12 18:33:32 management_flags = 4390
2017-12-12 18:33:32 shared_secret_file = '[UNDEF]'
2017-12-12 18:33:32 key_direction = 1
2017-12-12 18:33:32 ciphername = 'AES-256-CBC'
2017-12-12 18:33:32 ncp_enabled = ENABLED
2017-12-12 18:33:32 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2017-12-12 18:33:32 authname = 'SHA512'
2017-12-12 18:33:32 prng_hash = 'SHA1'
2017-12-12 18:33:32 prng_nonce_secret_len = 16
2017-12-12 18:33:32 keysize = 0
2017-12-12 18:33:32 engine = DISABLED
2017-12-12 18:33:32 replay = ENABLED
2017-12-12 18:33:32 mute_replay_warnings = DISABLED
2017-12-12 18:33:32 replay_window = 64
2017-12-12 18:33:32 replay_time = 15
2017-12-12 18:33:32 packet_id_file = '[UNDEF]'
2017-12-12 18:33:32 test_crypto = DISABLED
2017-12-12 18:33:32 tls_server = DISABLED
2017-12-12 18:33:32 tls_client = ENABLED
2017-12-12 18:33:32 key_method = 2
2017-12-12 18:33:32 ca_file = '[[INLINE]]'
2017-12-12 18:33:32 ca_path = '[UNDEF]'
2017-12-12 18:33:32 dh_file = '[UNDEF]'
2017-12-12 18:33:32 cert_file = '[[INLINE]]'
2017-12-12 18:33:32 extra_certs_file = '[UNDEF]'
2017-12-12 18:33:32 priv_key_file = '[[INLINE]]'
2017-12-12 18:33:32 pkcs12_file = '[UNDEF]'
2017-12-12 18:33:32 cipher_list = '[UNDEF]'
2017-12-12 18:33:32 tls_verify = '[UNDEF]'
2017-12-12 18:33:32 tls_export_cert = '[UNDEF]'
2017-12-12 18:33:32 verify_x509_type = 0
2017-12-12 18:33:32 verify_x509_name = '[UNDEF]'
2017-12-12 18:33:32 crl_file = '[UNDEF]'
2017-12-12 18:33:32 ns_cert_type = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_ku[i] = 0
2017-12-12 18:33:32 remote_cert_eku = 'TLS Web Server Authentication'
2017-12-12 18:33:32 ssl_flags = 192
2017-12-12 18:33:32 tls_timeout = 2
2017-12-12 18:33:32 renegotiate_bytes = -1
2017-12-12 18:33:32 renegotiate_packets = 0
2017-12-12 18:33:32 renegotiate_seconds = 3600
2017-12-12 18:33:32 handshake_window = 60
2017-12-12 18:33:32 transition_window = 3600
2017-12-12 18:33:32 single_session = DISABLED
2017-12-12 18:33:32 push_peer_info = DISABLED
2017-12-12 18:33:32 tls_exit = DISABLED
2017-12-12 18:33:32 tls_auth_file = '[[INLINE]]'
2017-12-12 18:33:32 tls_crypt_file = '[UNDEF]'
2017-12-12 18:33:32 client = ENABLED
2017-12-12 18:33:32 pull = ENABLED
2017-12-12 18:33:32 auth_user_pass_file = '[UNDEF]'
2017-12-12 18:33:32 OpenVPN 2.5-icsopenvpn [git:HEAD-9fa0b9a7e1240170] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 18 2017
2017-12-12 18:33:32 library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10
2017-12-12 18:33:32 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2017-12-12 18:33:32 MANAGEMENT: CMD 'hold release'
2017-12-12 18:33:32 MANAGEMENT: CMD 'bytecount 2'
2017-12-12 18:33:32 MANAGEMENT: CMD 'proxy NONE'
2017-12-12 18:33:32 MANAGEMENT: CMD 'state on'
2017-12-12 18:33:33 MANAGEMENT: CMD 'password [...]'
2017-12-12 18:33:33 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-12-12 18:33:33 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-12-12 18:33:33 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-12-12 18:33:33 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2017-12-12 18:33:33 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2017-12-12 18:33:33 LZO compression initializing
2017-12-12 18:33:33 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 48000)
2017-12-12 18:33:33 Control Channel MTU parms [ L:48124 D:1138 EF:112 EB:0 ET:0 EL:3 ]
2017-12-12 18:33:33 Data Channel MTU parms [ L:48124 D:1450 EF:124 EB:8156 ET:0 EL:3 ]
2017-12-12 18:33:33 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
2017-12-12 18:33:33 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
2017-12-12 18:33:33 TCP/UDP: Preserving recently used remote address: [AF_INET]ip.ip.ip.ip:1194
2017-12-12 18:33:33 Socket Buffers: R=[4194304->4194304] S=[524288->524288]
2017-12-12 18:33:33 Attempting to establish TCP connection with [AF_INET]ip.ip.ip.ip:1194 [nonblock]
2017-12-12 18:33:33 MANAGEMENT: >STATE:1513100013,TCP_CONNECT,,,,,,
2017-12-12 18:33:33 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2017-12-12 18:33:34 TCP connection established with [AF_INET]ip.ip.ip.ip:1194
2017-12-12 18:33:34 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2017-12-12 18:33:34 TCP_CLIENT link local: (not bound)
2017-12-12 18:33:34 TCP_CLIENT link remote: [AF_INET]ip.ip.ip.ip:1194
2017-12-12 18:33:34 MANAGEMENT: >STATE:1513100014,WAIT,,,,,,
2017-12-12 18:33:34 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-12-12 18:33:34 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-12-12 18:33:34 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-12 18:33:34 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-12 18:33:34 MANAGEMENT: >STATE:1513100014,AUTH,,,,,,
2017-12-12 18:33:34 TLS: Initial packet from [AF_INET]ip.ip.ip.ip:1194, sid=53e81aab 3ba59899
2017-12-12 18:33:34 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
2017-12-12 18:33:34 Validating certificate extended key usage
2017-12-12 18:33:34 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-12-12 18:33:34 VERIFY EKU OK
2017-12-12 18:33:34 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=BellevueVPN, name=EasyRSA, emailAddress=me@myhost.mydomain
2017-12-12 18:33:35 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-12-12 18:33:35 [BellevueVPN] Peer Connection Initiated with [AF_INET]ip.ip.ip.ip:1194
2017-12-12 18:33:36 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-12 18:33:36 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-12 18:33:36 MANAGEMENT: >STATE:1513100016,GET_CONFIG,,,,,,
2017-12-12 18:33:36 SENT CONTROL [BellevueVPN]: 'PUSH_REQUEST' (status=1)
2017-12-12 18:33:36 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,dhcp-option WINS 192.168.0.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option NTP 129.6.15.30,sndbuf 393216,rcvbuf 393216,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2017-12-12 18:33:36 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,10.8.0.2,,,,
2017-12-12 18:33:36 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,10.8.0.2,,,,
2017-12-12 18:33:36 OPTIONS IMPORT: timers and/or timeouts modified
2017-12-12 18:33:36 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2017-12-12 18:33:36 Socket Buffers: R=[4194304->786432] S=[524288->786432]
2017-12-12 18:33:36 OPTIONS IMPORT: --ifconfig/up options modified
2017-12-12 18:33:36 OPTIONS IMPORT: route options modified
2017-12-12 18:33:36 OPTIONS IMPORT: route-related options modified
2017-12-12 18:33:36 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-12-12 18:33:36 OPTIONS IMPORT: peer-id set
2017-12-12 18:33:36 OPTIONS IMPORT: adjusting link_mtu to 48127
2017-12-12 18:33:36 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-12 18:33:36 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-12-12 18:33:36 OPTIONS IMPORT: data channel crypto options modified
2017-12-12 18:33:36 Data Channel: using negotiated cipher 'AES-256-GCM'
2017-12-12 18:33:36 Data Channel MTU parms [ L:48055 D:1450 EF:55 EB:8156 ET:0 EL:3 ]
2017-12-12 18:33:36 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-12-12 18:33:36 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-12-12 18:33:36 GDG: SIOCGIFHWADDR(lo) failed
2017-12-12 18:33:36 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2017-12-12 18:33:36 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-12-12 18:33:36 MANAGEMENT: >STATE:1513100016,ASSIGN_IP,,10.8.0.2,,,,
2017-12-12 18:33:36 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2017-12-12 18:33:36 MANAGEMENT: >STATE:1513100016,ADD_ROUTES,,,,,,
2017-12-12 18:33:36 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2017-12-12 18:33:36 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2017-12-12 18:33:36 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2017-12-12 18:33:36 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2017-12-12 18:33:36 Tun-Netzwerkinterface wird geöffnet:
2017-12-12 18:33:36 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2017-12-12 18:33:36 Lokale IPv4: 10.8.0.2/24 IPv6: null MTU: 48000
2017-12-12 18:33:36 DNS-Server: 192.168.0.1, 208.67.222.222, 208.67.220.220, Domäne: null
2017-12-12 18:33:36 Routen: 10.8.0.0/24, 192.168.0.0/24 
2017-12-12 18:33:36 Ausgeschlossene Routen: 
2017-12-12 18:33:36 Installierte VpnService-Routen: 10.8.0.0/24, 192.168.0.0/24 
2017-12-12 18:33:36 Nicht zugelassene Apps für das VPN: 
2017-12-12 18:33:36 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2017-12-12 18:33:36 Initialization Sequence Completed
2017-12-12 18:33:36 MANAGEMENT: >STATE:1513100016,CONNECTED,SUCCESS,10.8.0.2,ip.ip.ip.ip,1194,10.178.240.212,45565
2017-12-12 18:33:36 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,10.8.0.2,ip.ip.ip.ip,1194,10.178.240.212,45565
2017-12-12 18:33:36 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,10.8.0.2,ip.ip.ip.ip,1194,10.178.240.212,45565
2017-12-12 18:33:36 Debug state info: CONNECTED LTE to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED

You want compression enabled... why have you disabled it?

The VPN isn't the issue at this point for accessing your NAS, but most likely the issue is enabling masquerading for the VPN tunnel in /etc/config/firewall. Your configs should look exactly as I posted in my prior post, and masquerading is for WAN facing networks (i.e. VPNs which are utilized for gateway redirect, which yours is not).

  • client_to_client enables VPN clients to see each other and other devices on the networks

  • Firewall forwarding allows unrestricted access for LAN <-> VPN

This will be the third time I've mentioned my OpenVPN wiki... please refer to it, and not the LEDE wiki, on how your configs should look, which are exactly as I posted above.

I've enabled it.

If I copy your /etc/config/firewall exactly from the last post, I get a firewall error because the zone vpn does not exist.
I disabled the masquerading and restarted everything. Unfortunately, it still doesn't work.

Sorry for the inconvenience. But I read through the wiki and created the client.ovpn from your wiki. Also in your wiki there is the vpn zone in the firewall, so I added it. As I have already mentioned, if I don't do that I get a firewall error.

Simply modify the VPN network zone name in /etc/config/firewall to what yours is supposed to be.

It's not about me being inconvenienced, but about the fact I know my OpenVPN wiki works. If your configs are in line with those in my wiki, the VPN is not the issue. Try rebooting your router, then try and ping 2 devices on your LAN while connected to the VPN... if they don't resolve, use the configs in my wiki, edit accordingly, then reboot your router and try and connect with a client (client must be disconnected and then connected again, i.e. don't select reconnect, as it needs to be a new session).

  • While I recommend redoing the entire VPN Server setup per the new wiki, as VPN certs really should be generated via an openssl.cnf for a number of reasons, to simply get you up and running, perform steps under:
    1. Network
    2. Firewall
    3. VPN Server
    4. Double check client cert options mirror those under Clients
  • If you're still having issues even after ensuring everything mirrors that which is in the wiki, please post your firewall, network, and openvpn server and client configs, as I will utilize them to determine where the error lies.
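As an added example (not code from the thread or from the wiki it refers to), a POSIX shell check for the two firewall problems raised in these posts: a `config forwarding` whose `src`/`dest` names a zone that is never defined (what produces the "zone vpn does not exist" error), and a VPN zone carrying `masq '1'`. The two sample configs are constructed inline and only mirror the layout of the configs posted above; the zone and interface names are assumed to be `lan`, `wan`, `vpn` and `vpn0` as in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or the wiki it refers to.
# Sanity-check a UCI /etc/config/firewall for:
#   - a 'config forwarding' whose src/dest names a zone that is never defined
#     (this is what produces the "zone vpn does not exist" firewall error)
#   - a non-WAN zone with masq '1' (masquerading belongs on WAN-facing zones)
#   - presence of the vpn -> lan forwarding that VPN clients need to reach the LAN
# Two sample configs are constructed inline; both mirror the layout posted above.

# fw_check [FILE]  -> prints ERROR/WARN/OK lines; exit status 0 when no ERROR was found
fw_check() {
    awk -v sq="'" '
    function unq(s) { gsub("^[" sq "\"]|[" sq "\"]$", "", s); return s }
    $1 == "config" { n++; T[n] = $2; next }      # new section, remember its type
    $1 == "option" && n > 0 {                    # option key value (value may contain spaces)
        v = $3; for (i = 4; i <= NF; i++) v = v " " $i
        O[n, $2] = unq(v)
    }
    END {
        for (i = 1; i <= n; i++) if (T[i] == "zone") Z[O[i, "name"]] = i
        for (i = 1; i <= n; i++) {
            if (T[i] != "forwarding") continue
            s = O[i, "src"]; d = O[i, "dest"]
            if (!(s in Z)) { print "ERROR: forwarding src=" s " names a zone that is not defined"; err++ }
            if (!(d in Z)) { print "ERROR: forwarding dest=" d " names a zone that is not defined"; err++ }
            if ((s in Z) && (d in Z)) F[s "->" d] = 1
        }
        for (z in Z)
            if (O[Z[z], "masq"] == "1" && z != "wan")
                print "WARN: zone " z " has masq=1; masquerading is normally only for WAN-facing zones"
        if ("vpn->lan" in F) print "OK: vpn -> lan forwarding present"
        else print "WARN: no vpn -> lan forwarding"
        exit (err > 0)
    }' "${1:--}"
}

# write_samples DIR -> constructs DIR/missing-zone and DIR/fixed (sample configs, not real ones)
write_samples() {
    cat > "$1/base" <<'EOF'
config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option network 'wan wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
EOF
    # Sample 1: forwarding to 'vpn' added, but no zone named vpn exists yet
    { cat "$1/base"; cat <<'EOF'

config forwarding
    option src 'vpn'
    option dest 'lan'
EOF
    } > "$1/missing-zone"
    # Sample 2: the vpn zone is defined and forwarded both ways, but still masquerades
    { cat "$1/base"; cat <<'EOF'

config zone
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config forwarding
    option src 'vpn'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'vpn'
EOF
    } > "$1/fixed"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "== missing-zone =="; fw_check "$tmp/missing-zone" || echo "(exit status $?)"
echo "== fixed =="; fw_check "$tmp/fixed" || echo "(exit status $?)"
rm -rf "$tmp"
```

Run it against the router's own file with `fw_check /etc/config/firewall` (copied off the device, or on the device if awk is present there). The check deliberately stays at the UCI layer: it tells you whether the zone and forwarding entries are consistent before `/etc/init.d/firewall restart` refuses the config, it does not replace reading the resulting iptables rules.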

To prevent issues like yours in the future, I've replaced the original LEDE VPN Server wiki with a port of mine from the OpenWrt Wiki.

I just adjusted the IPs, and now it's working. Thanks.

I will use the new wiki to do the whole VPN server configuration again. If something doesn't work for me, I'll let you know.

@JW0914 I try to understand the new wiki article and make the preparations. I have a few more questions:

  1. In the "Prerequisites" tabs in OpenSSL, some of the line numbers are no longer correct. (250, 251, 255, 256)

  2. Unfortunately, I don't understand what I need to modify in /etc/ssl/openssl.cnf in lines 198-220, 222-226, 235-251 and 253-261. Is there maybe some text missing in the wiki? Or can you tell me what I need to change?

Thank you for your article. I am now trying to do everything right and help other users to install an OpenVPN server based on the wiki.

PS: I'm not a native English speaker. Please excuse my not so good English.

I'm currently editing the wiki to update a few inter-wiki links, and will update the openssl.cnf line numbers to bring it in line with edits I made to the openssl.cnf to simplify it a bit.

The lines you will need to edit:

  1. CA [main CA - will only be utilized to sign ICAs]
    • 1.a.I matches openssl.cnf
    • 2.a does not match, should be lines 201 - 217
    • 2.b does not match, should be lines 219 - 223
  2. ICA [i.e. VPN Server ICA]
    • 1.a.I matches openssl.cnf
    • 2.a does not match, should be lines 230 - 240
    • 2.b does not match, should be lines 242 - 250
  3. ICA Server Certs [i.e. VPN server, uhttpd server for LuCI, etc.]
    • 1.a does not match, should be line 239
    • 1.b does not match, should be line 240
  4. ICA Client Certs (VPN Server Clients)
    • 1.a.I does not match, should be line 244
    • 1.b.I does not match, should be line 245

No need to apologize, your English is fine =]

Thanks for the correction. But I don't know what to edit. I mean the content in the "a. Server" and "b. Clients" section. Or to say in other words, I don't understand the content, so I don't know what I need to modify and how.
Could you maybe make an example of my case? That would help me a lot. I think that would make the wiki easier to understand.

The wiki tells you what to edit...

In regards to lines with no instructions on what to edit, they're not required for the wiki, but there to serve an informational purpose as to where one would need to edit if they have more than one VPN Server or multiple clients they need to create certs for.

The wiki tells me I have to modify the SubjectAltNames & V3 profiles in the lines xx-xx. But I don't know what that means. Sorry. I tried to google SubjectAltNames, but I couldn't figure it out. Since I'm not a pro, I only understand half of what it says here.

Ok, I see.

I'm a bit baffled...

  1. CA 1.a.I says:
    • Line 183: DNS.1 = Router.1
      • Change Router.1 to what you'd like the name of your Certificate Authority to be
  2. ICA 1.a.I says:
    • Line 188: DNS.1 = Router.2
      • Change Router.2 to what you'd like the name of your Intermediate CA to be
  3. ICA Server Cert 1.a.I says:
    • Line 239: IP.1 = 10.0.1.1
      • Change the server's SAN IP from 10.0.1.1 to match your VPN Server IP
  4. ICA Server Cert 1.b.I says:
  5. ICA Client Certs 1.a.I says:
    • Line 244: DNS.1 = VPN--Hostname
      • Change the SAN DNS from VPNserver-Client1-Device-Hostname to match client username
  6. ICA Client Certs 1.a.I says:

I understood all that.

What I didn't understand was:

[image]

Right... usually one will have multiple VPN client certs to make, as each device should have its own, and since most aren't familiar with the layout of an openssl.cnf, this is telling the user where those additional profiles can be found/where to add them if they want to only use a CA and not an ICA (the ICA section also lists where its server and client SANs can be found)
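As an added example of what the SubjectAltName and V3 profile edits discussed above actually change (this is not the wiki's openssl.cnf or any code from the thread; the CA name, the hostname `vpn.example.lan` and the address 10.0.1.1 are constructed for illustration), the script below writes a server profile with `DNS.1`/`IP.1` SAN entries and the `serverAuth` EKU to a small extfile, has a throw-away CA sign a server certificate with it, and then reads the SAN and EKU back the same way the client log above validates them (`remote-cert-eku 'TLS Web Server Authentication'`, the `VERIFY OK` and `VERIFY EKU OK` lines).

```shell
#!/bin/sh
# Added example, not from the wiki or the thread. Shows what editing the
# SubjectAltName lines of a V3 profile in openssl.cnf changes in the issued
# certificate: the extfile below is the equivalent of a [ v3_server ] section,
# with DNS.1 / IP.1 set the way the wiki asks (its lines 239/240).
# All names and the 10.0.1.1 address are constructed for illustration.
set -e

# make_vpn_server_cert DIR SERVER_IP SERVER_NAME
# Writes ca.pem (throw-away CA) and server.pem (signed with the V3 server profile) into DIR.
make_vpn_server_cert() {
    dir=$1; ip=$2; name=$3
    # 1. A throw-away CA; the wiki does this through the CA profile in its openssl.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example-VPN-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. Server key and CSR (the CSR carries only the subject; SAN and EKU come from the profile)
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. The V3 server profile. This is the part the wiki has you edit:
    #    IP.1 must be the VPN server's address, DNS.1 its hostname.
    cat > "$dir/v3_server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $name
IP.1 = $ip
EOF
    # 4. Sign the CSR with the CA, applying the profile
    openssl x509 -req -sha256 -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/v3_server.ext" -out "$dir/server.pem" 2>/dev/null
}

# cert_san CERT -> the Subject Alternative Name entries, e.g. "DNS:host, IP Address:10.0.1.1"
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^[[:space:]]*//'
}

# cert_eku CERT -> the Extended Key Usage string that remote-cert-eku is compared against
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Extended Key Usage/{n;p;}' | sed 's/^[[:space:]]*//'
}

# cert_chain_ok CA CERT -> exit 0 when CERT chains to CA (what the client's VERIFY OK lines mean)
cert_chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_vpn_server_cert "$tmp" 10.0.1.1 vpn.example.lan
echo "SAN: $(cert_san "$tmp/server.pem")"
echo "EKU: $(cert_eku "$tmp/server.pem")"
cert_chain_ok "$tmp/ca.pem" "$tmp/server.pem" && echo "server.pem chains to ca.pem"
rm -rf "$tmp"
```

The point for a VPN deployment is the last two functions: a client configured with `remote-cert-eku 'TLS Web Server Authentication'` only accepts a server whose certificate carries `serverAuth`, so client certificates signed from a client profile (without that EKU) cannot be re-used to impersonate the server, and the SAN is what ties the certificate to the server's own IP or hostname.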