OpenVPN, same config to new router; client can't connect

I tried moving the same exact config that worked on a 5 year old router to a new faster router and the client can’t connect. (This puts my client at 2.4 and server at 2.5 now.)

The server config: (I am not using tls.key)

config openvpn 'myvpn'
   option enabled '1'
   option verb '5'
   option port '1194'
   option proto 'udp'
   option dev 'tun'
   option topology subnet
   option server '10.8.0.0 255.255.255.0'
   option ca '/etc/openvpn/ca.crt'
   option cert '/etc/openvpn/crt.crt'
   option key '/etc/openvpnkey.key'
   option dh '/etc/openvpn/dh2048.pem'
   option keepalive '10 120'
   option status '/var/log/openvpn-status.log'
   list push 'route 192.168.8.0 255.255.255.0'
   list push 'redirect-gateway def1 bypass-dhcp'
   list push 'dhcp-option DNS 192.168.8.1'
   list push 'block-outside-dns'

   option user nobody
   option group nogroup
   option persist-key
   option persist-tun
   option explicit-exit-notify

root@OpenWrt:~# sleep 10; logread -e openvpn
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[2538]: Connection Attempt /usr/libexec/openvpn-hotplug down myvpn tun0 1500 0 10.8.0.1 255.255.255.0 init
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[2538]: Connection Attempt SIGTERM[hard,] received, process exiting
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: Note: Kernel support for ovpn-dco missing, disabling data channel offload.
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: OpenVPN 2.6.14 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: library versions: OpenSSL 3.0.18 30 Sep 2025, LZO 2.10
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: DCO version: N/A
Wed Dec 24 17:40:35 2025 daemon.warn openvpn(myvpn)[4289]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Wed Dec 24 17:40:35 2025 daemon.warn openvpn(myvpn)[4289]: WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: net_route_v4_best_gw query: dst 0.0.0.0
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: net_route_v4_best_gw result: via 47.(redact).(redact).(redact) dev eth1
Wed Dec 24 17:40:35 2025 daemon.warn openvpn(myvpn)[4289]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: Diffie-Hellman initialized with 2048 bit key
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: TLS-Auth MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: TUN/TAP device tun0 opened
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: do_ifconfig, ipv4=1, ipv6=0
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: net_iface_mtu_set: mtu 1500 for tun0
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: net_iface_up: set tun0 up
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: net_addr_v4_add: 10.8.0.1/24 dev tun0
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: /usr/libexec/openvpn-hotplug up myvpn tun0 1500 0 10.8.0.1 255.255.255.0 init
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Wed Dec 24 17:40:35 2025 daemon.warn openvpn(myvpn)[4289]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: UDPv4 link remote: [AF_UNSPEC]
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: UID set to nobody
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: GID set to nogroup
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: Capabilities retained: CAP_NET_ADMIN
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: MULTI: multi_init called, r=256 v=256
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: IFCONFIG POOL IPv4: base=10.8.0.2 size=253
Wed Dec 24 17:40:35 2025 daemon.notice openvpn(myvpn)[4289]: Initialization Sequence Completed

The client will fail here as shown in the log:

Wed Dec 24 11:20:28 2025 us=317311 Current Parameter Settings:
Wed Dec 24 11:20:28 2025 us=317311 config = 'testcase.ovpn'
Wed Dec 24 11:20:28 2025 us=317311 mode = 0
Wed Dec 24 11:20:28 2025 us=317311 show_ciphers = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 show_digests = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 show_engines = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 genkey = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 key_pass_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 show_tls_ciphers = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 connect_retry_max = 0
Wed Dec 24 11:20:28 2025 us=317311 Connection profiles [0]:
Wed Dec 24 11:20:28 2025 us=317311 proto = udp
Wed Dec 24 11:20:28 2025 us=317311 local = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 local_port = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 remote = '(redacted).com'
Wed Dec 24 11:20:28 2025 us=317311 remote_port = '1194'
Wed Dec 24 11:20:28 2025 us=317311 remote_float = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 bind_defined = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 bind_local = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 bind_ipv6_only = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 connect_retry_seconds = 5
Wed Dec 24 11:20:28 2025 us=317311 connect_timeout = 120
Wed Dec 24 11:20:28 2025 us=317311 socks_proxy_server = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 socks_proxy_port = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 tun_mtu = 1500
Wed Dec 24 11:20:28 2025 us=317311 tun_mtu_defined = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 link_mtu = 1500
Wed Dec 24 11:20:28 2025 us=317311 link_mtu_defined = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 tun_mtu_extra = 0
Wed Dec 24 11:20:28 2025 us=317311 tun_mtu_extra_defined = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 mtu_discover_type = -1
Wed Dec 24 11:20:28 2025 us=317311 fragment = 0
Wed Dec 24 11:20:28 2025 us=317311 mssfix = 1450
Wed Dec 24 11:20:28 2025 us=317311 explicit_exit_notification = 0
Wed Dec 24 11:20:28 2025 us=317311 Connection profiles END
Wed Dec 24 11:20:28 2025 us=317311 remote_random = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 ipchange = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 dev = 'tun'
Wed Dec 24 11:20:28 2025 us=317311 dev_type = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 dev_node = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 lladdr = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 topology = 1
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_local = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_remote_netmask = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_noexec = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_nowarn = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_ipv6_local = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_ipv6_netbits = 0
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_ipv6_remote = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 shaper = 0
Wed Dec 24 11:20:28 2025 us=317311 mtu_test = 0
Wed Dec 24 11:20:28 2025 us=317311 mlock = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 keepalive_ping = 0
Wed Dec 24 11:20:28 2025 us=317311 keepalive_timeout = 0
Wed Dec 24 11:20:28 2025 us=317311 inactivity_timeout = 0
Wed Dec 24 11:20:28 2025 us=317311 ping_send_timeout = 0
Wed Dec 24 11:20:28 2025 us=317311 ping_rec_timeout = 0
Wed Dec 24 11:20:28 2025 us=317311 ping_rec_timeout_action = 0
Wed Dec 24 11:20:28 2025 us=317311 ping_timer_remote = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 remap_sigusr1 = 0
Wed Dec 24 11:20:28 2025 us=317311 persist_tun = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 persist_local_ip = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 persist_remote_ip = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 persist_key = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 passtos = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 resolve_retry_seconds = 1000000000
Wed Dec 24 11:20:28 2025 us=317311 resolve_in_advance = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 username = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 groupname = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 chroot_dir = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 cd_dir = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 writepid = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 up_script = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 down_script = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 down_pre = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 up_restart = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 up_delay = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 daemon = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 inetd = 0
Wed Dec 24 11:20:28 2025 us=317311 log = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 suppress_timestamps = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 machine_readable_output = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 nice = 0
Wed Dec 24 11:20:28 2025 us=317311 verbosity = 5
Wed Dec 24 11:20:28 2025 us=317311 mute = 0
Wed Dec 24 11:20:28 2025 us=317311 gremlin = 0
Wed Dec 24 11:20:28 2025 us=317311 status_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 status_file_version = 1
Wed Dec 24 11:20:28 2025 us=317311 status_file_update_freq = 60
Wed Dec 24 11:20:28 2025 us=317311 occ = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 rcvbuf = 0
Wed Dec 24 11:20:28 2025 us=317311 sndbuf = 0
Wed Dec 24 11:20:28 2025 us=317311 sockflags = 0
Wed Dec 24 11:20:28 2025 us=317311 fast_io = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 comp.alg = 0
Wed Dec 24 11:20:28 2025 us=317311 comp.flags = 0
Wed Dec 24 11:20:28 2025 us=317311 route_script = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 route_default_gateway = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 route_default_metric = 0
Wed Dec 24 11:20:28 2025 us=317311 route_noexec = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 route_delay = 5
Wed Dec 24 11:20:28 2025 us=317311 route_delay_window = 30
Wed Dec 24 11:20:28 2025 us=317311 route_delay_defined = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 route_nopull = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 route_gateway_via_dhcp = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 allow_pull_fqdn = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 Pull filters:
Wed Dec 24 11:20:28 2025 us=317311 ignore "route-method"
Wed Dec 24 11:20:28 2025 us=317311 management_addr = '127.0.0.1'
Wed Dec 24 11:20:28 2025 us=317311 management_port = '25340'
Wed Dec 24 11:20:28 2025 us=317311 management_user_pass = 'stdin'
Wed Dec 24 11:20:28 2025 us=317311 management_log_history_cache = 250
Wed Dec 24 11:20:28 2025 us=317311 management_echo_buffer_size = 100
Wed Dec 24 11:20:28 2025 us=317311 management_write_peer_info_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 management_client_user = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 management_client_group = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 management_flags = 6
Wed Dec 24 11:20:28 2025 us=317311 shared_secret_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 key_direction = not set
Wed Dec 24 11:20:28 2025 us=317311 ciphername = 'AES-256-CBC'
Wed Dec 24 11:20:28 2025 us=317311 ncp_enabled = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Wed Dec 24 11:20:28 2025 us=317311 authname = 'SHA1'
Wed Dec 24 11:20:28 2025 us=317311 prng_hash = 'SHA1'
Wed Dec 24 11:20:28 2025 us=317311 prng_nonce_secret_len = 16
Wed Dec 24 11:20:28 2025 us=317311 keysize = 0
Wed Dec 24 11:20:28 2025 us=317311 engine = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 replay = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 mute_replay_warnings = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 replay_window = 64
Wed Dec 24 11:20:28 2025 us=317311 replay_time = 15
Wed Dec 24 11:20:28 2025 us=317311 packet_id_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 use_iv = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 test_crypto = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 tls_server = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 tls_client = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 key_method = 2
Wed Dec 24 11:20:28 2025 us=317311 ca_file = 'ca.crt'
Wed Dec 24 11:20:28 2025 us=317311 ca_path = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 dh_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 cert_file = 'crt.crt'
Wed Dec 24 11:20:28 2025 us=317311 extra_certs_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 priv_key_file = 'key.key'
Wed Dec 24 11:20:28 2025 us=317311 pkcs12_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 cryptoapi_cert = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 cipher_list = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 cipher_list_tls13 = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 tls_cert_profile = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 tls_verify = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 tls_export_cert = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 verify_x509_type = 0
Wed Dec 24 11:20:28 2025 us=317311 verify_x509_name = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 crl_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 ns_cert_type = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 65535
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_ku[i] = 0
Wed Dec 24 11:20:28 2025 us=317311 remote_cert_eku = 'TLS Web Server Authentication'
Wed Dec 24 11:20:28 2025 us=317311 ssl_flags = 0
Wed Dec 24 11:20:28 2025 us=317311 tls_timeout = 2
Wed Dec 24 11:20:28 2025 us=317311 renegotiate_bytes = -1
Wed Dec 24 11:20:28 2025 us=317311 renegotiate_packets = 0
Wed Dec 24 11:20:28 2025 us=317311 renegotiate_seconds = 3600
Wed Dec 24 11:20:28 2025 us=317311 handshake_window = 60
Wed Dec 24 11:20:28 2025 us=317311 transition_window = 3600
Wed Dec 24 11:20:28 2025 us=317311 single_session = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 push_peer_info = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 tls_exit = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 tls_auth_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 tls_crypt_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_protected_authentication = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_private_mode = 00000000
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_cert_private = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_pin_cache_period = -1
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_id = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 pkcs11_id_management = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 server_network = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 server_netmask = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 server_network_ipv6 = ::
Wed Dec 24 11:20:28 2025 us=317311 server_netbits_ipv6 = 0
Wed Dec 24 11:20:28 2025 us=317311 server_bridge_ip = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 server_bridge_netmask = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 server_bridge_pool_start = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 server_bridge_pool_end = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 push_entry = 'redirect-gateway def1'
Wed Dec 24 11:20:28 2025 us=317311 push_entry = 'dhcp-option DNS 192.168.8.1'
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_pool_defined = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_pool_start = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_pool_end = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_pool_netmask = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_pool_persist_filename = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_pool_persist_refresh_freq = 600
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_ipv6_pool_defined = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_ipv6_pool_base = ::
Wed Dec 24 11:20:28 2025 us=317311 ifconfig_ipv6_pool_netbits = 0
Wed Dec 24 11:20:28 2025 us=317311 n_bcast_buf = 256
Wed Dec 24 11:20:28 2025 us=317311 tcp_queue_limit = 64
Wed Dec 24 11:20:28 2025 us=317311 real_hash_size = 256
Wed Dec 24 11:20:28 2025 us=317311 virtual_hash_size = 256
Wed Dec 24 11:20:28 2025 us=317311 client_connect_script = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 learn_address_script = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 client_disconnect_script = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 client_config_dir = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 ccd_exclusive = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 tmp_dir = 'C:\Users\administrator\AppData\Local\Temp'
Wed Dec 24 11:20:28 2025 us=317311 push_ifconfig_defined = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 push_ifconfig_local = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 push_ifconfig_remote_netmask = 0.0.0.0
Wed Dec 24 11:20:28 2025 us=317311 push_ifconfig_ipv6_defined = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 push_ifconfig_ipv6_local = ::/0
Wed Dec 24 11:20:28 2025 us=317311 push_ifconfig_ipv6_remote = ::
Wed Dec 24 11:20:28 2025 us=317311 enable_c2c = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 duplicate_cn = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 cf_max = 0
Wed Dec 24 11:20:28 2025 us=317311 cf_per = 0
Wed Dec 24 11:20:28 2025 us=317311 max_clients = 1024
Wed Dec 24 11:20:28 2025 us=317311 max_routes_per_client = 256
Wed Dec 24 11:20:28 2025 us=317311 auth_user_pass_verify_script = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 auth_user_pass_verify_script_via_file = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 auth_token_generate = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 auth_token_lifetime = 0
Wed Dec 24 11:20:28 2025 us=317311 client = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 pull = ENABLED
Wed Dec 24 11:20:28 2025 us=317311 auth_user_pass_file = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 show_net_up = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 route_method = 3
Wed Dec 24 11:20:28 2025 us=317311 block_outside_dns = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 ip_win32_defined = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 ip_win32_type = 3
Wed Dec 24 11:20:28 2025 us=317311 dhcp_masq_offset = 0
Wed Dec 24 11:20:28 2025 us=317311 dhcp_lease_time = 31536000
Wed Dec 24 11:20:28 2025 us=317311 tap_sleep = 0
Wed Dec 24 11:20:28 2025 us=317311 dhcp_options = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 dhcp_renew = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 dhcp_pre_release = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 domain = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 netbios_scope = '[UNDEF]'
Wed Dec 24 11:20:28 2025 us=317311 netbios_node_type = 0
Wed Dec 24 11:20:28 2025 us=317311 disable_nbt = DISABLED
Wed Dec 24 11:20:28 2025 us=317311 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Wed Dec 24 11:20:28 2025 us=317311 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Dec 24 11:20:28 2025 us=317311 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Enter Management Password:
Wed Dec 24 11:20:28 2025 us=317311 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Dec 24 11:20:28 2025 us=317311 Need hold release from management interface, waiting...
Wed Dec 24 11:20:28 2025 us=819673 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Dec 24 11:20:28 2025 us=935435 MANAGEMENT: CMD 'state on'
Wed Dec 24 11:20:28 2025 us=935435 MANAGEMENT: CMD 'log all on'
Wed Dec 24 11:20:29 2025 us=106110 MANAGEMENT: CMD 'echo all on'
Wed Dec 24 11:20:29 2025 us=107063 MANAGEMENT: CMD 'bytecount 5'
Wed Dec 24 11:20:29 2025 us=108107 MANAGEMENT: CMD 'hold off'
Wed Dec 24 11:20:29 2025 us=109300 MANAGEMENT: CMD 'hold release'
Wed Dec 24 11:20:29 2025 us=109300 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Dec 24 11:20:29 2025 us=109300 MANAGEMENT: >STATE:1766596829,RESOLVE,,,,,,
Wed Dec 24 11:20:29 2025 us=187542 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Dec 24 11:20:29 2025 us=187542 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Wed Dec 24 11:20:29 2025 us=187542 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Wed Dec 24 11:20:29 2025 us=187542 TCP/UDP: Preserving recently used remote address: AF_INET.(redacted).(redacted).(redacted):1194
Wed Dec 24 11:20:29 2025 us=187542 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Dec 24 11:20:29 2025 us=187542 UDP link local: (not bound)
Wed Dec 24 11:20:29 2025 us=187542 UDP link remote: AF_INET.(redacted).(redacted).(redacted):1194
Wed Dec 24 11:20:29 2025 us=187542 MANAGEMENT: >STATE:1766596829,WAIT,,,,,,
Wed Dec 24 11:21:29 2025 us=484191 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 24 11:21:29 2025 us=484191 TLS Error: TLS handshake failed
Wed Dec 24 11:21:29 2025 us=484191 TCP/UDP: Closing socket
Wed Dec 24 11:21:29 2025 us=484191 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 24 11:21:29 2025 us=484191 MANAGEMENT: >STATE:1766596889,RECONNECTING,tls-error,,,,,
Wed Dec 24 11:21:29 2025 us=484191 Restart pause, 5 second(s)
Wed Dec 24 11:21:34 2025 us=494229 Re-using SSL/TLS context
Wed Dec 24 11:21:34 2025 us=494229 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Dec 24 11:21:34 2025 us=494229 MANAGEMENT: >STATE:1766596894,RESOLVE,,,,,,
Wed Dec 24 11:21:34 2025 us=547701 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Dec 24 11:21:34 2025 us=547701 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Wed Dec 24 11:21:34 2025 us=547701 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Wed Dec 24 11:21:34 2025 us=547701 TCP/UDP: Preserving recently used remote address: AF_INET.(redacted).(redacted).(redacted):1194
Wed Dec 24 11:21:34 2025 us=547701 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Dec 24 11:21:34 2025 us=547701 UDP link local: (not bound)
Wed Dec 24 11:21:34 2025 us=547701 UDP link remote: AF_INET.(redacted).(redacted).(redacted):1194
Wed Dec 24 11:21:34 2025 us=547701 MANAGEMENT: >STATE:1766596894,WAIT,,,,,,
Wed Dec 24 11:21:53 2025 us=113859 TCP/UDP: Closing socket
Wed Dec 24 11:21:53 2025 us=113859 SIGTERM[hard,] received, process exiting
Wed Dec 24 11:21:53 2025 us=113859 MANAGEMENT: >STATE:1766596913,EXITING,SIGTERM,,,

Did you set up an interface and firewall rules?

The client received no response at all from the server. This is likely because port 1194 UDP is not open in the new router's firewall. By default a new install of OpenWrt blocks all incoming connections from the Internet (except pings).
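The "no response at all" reading of the client log can be checked mechanically. The script below is an added example, not part of the original post: it counts connection attempts in an OpenVPN client log and reports whether any packet from the server (the `TLS: Initial packet from` line) was seen before the 60-second timeout. The sample log is constructed, modelled on the client log above, with documentation addresses; the function names and verdict strings are illustrative.

```shell
#!/bin/sh
# Added example: triage an OpenVPN client log read from stdin.
# Verdicts (illustrative names):
#   connected          tunnel came up
#   handshake-stalled  the server answered, but TLS did not complete
#                      (look at certificates, tls-auth/tls-crypt, ciphers)
#   no-reply           timeouts with no packet from the server at all
#                      (look at firewall, port forwarding, NAT/CGNAT, wrong address)
#   inconclusive       none of the markers were found

triage_client_log() {
    awk '
        # A new attempt starts when the client binds to the remote endpoint.
        /link remote:/                       { attempts++; replied = 0 }
        # First packet received from the server during the TLS handshake.
        /TLS: Initial packet from/           { replied = 1; any_reply = 1 }
        # Handshake timeout: classify by whether the server ever answered.
        /TLS key negotiation failed/         { if (replied) stalled++; else silent++ }
        /Initialization Sequence Completed/  { connected = 1 }
        END {
            if (connected)       print "connected"
            else if (any_reply)  print "handshake-stalled"
            else if (silent > 0) print "no-reply"
            else                 print "inconclusive"
        }
    '
}

# Constructed sample: two attempts, no packet from the server in either.
sample_no_reply_log() {
    cat <<'EOF'
Wed Dec 24 11:20:29 2025 UDP link local: (not bound)
Wed Dec 24 11:20:29 2025 UDP link remote: [AF_INET]203.0.113.10:1194
Wed Dec 24 11:20:29 2025 MANAGEMENT: >STATE:1766596829,WAIT,,,,,,
Wed Dec 24 11:21:29 2025 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 24 11:21:29 2025 TLS Error: TLS handshake failed
Wed Dec 24 11:21:29 2025 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 24 11:21:34 2025 UDP link remote: [AF_INET]203.0.113.10:1194
Wed Dec 24 11:21:34 2025 MANAGEMENT: >STATE:1766596894,WAIT,,,,,,
Wed Dec 24 11:21:53 2025 SIGTERM[hard,] received, process exiting
EOF
}

# Demonstration on the constructed sample; on a real client, pipe the log file in instead.
echo "verdict: $(sample_no_reply_log | triage_client_log)"
```

A `no-reply` verdict only says the packets never came back to the client; it does not distinguish a closed firewall port from an address that is not reachable from the Internet.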

Yes …..

config rule
   option name 'Allow-OpenVPN-Inbound'
   option target 'ACCEPT'
   option src 'wan'
   option proto 'udp'
   option dest_port '1194'

Do you have a public ip on the wan?

What are the first two octets (in bold: **aaa.bbb**.ccc.ddd) of the output of `ifstatus wan | grep address`?
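Why the first two octets matter, as an added example that is not part of the original post (it also covers the later reply about fiber providers not handing out public IPv4 addresses): if the WAN address is in an RFC 1918 range or in the carrier-grade NAT range 100.64.0.0/10, inbound UDP 1194 is stopped upstream of the router and no firewall rule on the router can change that. The function names, verdict strings and the sample `ifstatus` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the router's WAN IPv4 address.
# On the router the input would come from:  ifstatus wan | first_address

# Pull the first IPv4 "address" value out of ifstatus-style JSON on stdin.
# IPv6 addresses are skipped because the pattern only accepts digits and dots.
first_address() {
    sed -n 's/.*"address": *"\([0-9.]*\)".*/\1/p' | head -n 1
}

# Print one of: public, rfc1918, cgnat, link-local, loopback, reserved, invalid
classify_wan_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) echo invalid; return ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return; }
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || { echo invalid; return; }
    done
    a=$1; b=$2
    if   [ "$a" -eq 10 ]; then echo rfc1918                                   # 10.0.0.0/8
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo rfc1918   # 172.16.0.0/12
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo rfc1918              # 192.168.0.0/16
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat    # 100.64.0.0/10
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo link-local           # 169.254.0.0/16
    elif [ "$a" -eq 127 ]; then echo loopback                                 # 127.0.0.0/8
    elif [ "$a" -eq 0 ] || [ "$a" -ge 224 ]; then echo reserved               # 0/8, multicast and above
    else echo public
    fi
}

# Constructed sample of `ifstatus wan` output with a CGNAT address.
sample_ifstatus() {
    cat <<'EOF'
{
    "up": true,
    "device": "eth1",
    "ipv4-address": [
        {
            "address": "100.72.14.9",
            "mask": 22
        }
    ],
    "ipv6-address": []
}
EOF
}

# Demonstration on the constructed sample.
addr=$(sample_ifstatus | first_address)
echo "$addr -> $(classify_wan_ipv4 "$addr")"
```

Anything other than `public` means the OpenVPN server cannot be reached over IPv4 from outside without help from the ISP or the upstream device.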

Hi, retired for almost two decades and I can’t keep up with software and configuration changes like I used to. I was using an old WRT1200AC for the last 5 years for what I need, which is simply to be able from anywhere to VPN into my home network to access a large size server to get files and store files while I am traveling. I had things configured such that my laptop, via the OpenVPN client, would easily attach to my home network to give the laptop an appearance that I was logged in at my home and not on the road. I had a config file for both my server and my Windows client that I have been using for almost 20 years; as routers have come along and various software changes have occurred, these profiles have always worked for me.

My home ISP recently provided me a fiber upgrade and I went looking for a faster router to keep up with the new speed (1G) and someone suggested this MT6000, but when I went to configure it for the first time, using the latest (24.10.x) firmware and using my old 20 year old profiles, my Windows client would just stall out and never provide the “connected” message. I had opened another post here ( OpenVPN, same config to new router; client can't connect - #6 by DonJuane ) where someone said that the MT6000 had the 1194 port blocked. So since my firewall edit was the same it always was (see below), I didn’t see how that could be happening.

For 20 years to every new router I have purchased as an upgrade, I have just been adding the following to the firewall to give me remote OpenVPN access to the server in the home router:

edit etc/config/firewall with WinSCP and add these blocks to stock firewall:

config zone
   option name 'vpn'
   option input 'ACCEPT'
   option forward 'ACCEPT'
   option output 'ACCEPT'
   option network 'vpn0'

config rule
   option name 'Allow-OpenVPN-Inbound'
   option target 'ACCEPT'
   option src '*'
   option proto 'udp'
   option dest_port '1194'

config forwarding
   option src 'vpn'
   option dest 'wan'

config forwarding
   option src 'vpn'
   option dest 'lan'

config forwarding
   option src 'lan'
   option dest 'vpn'


So the short story is for over 20 years I have been surviving as a "cut and paste programmer" and not as a network engineer. There is no way at my age I can learn all this anew and I'd just like to get my network going once again like I have always had it, except have it run on the new device if it is possible.

I downgraded the MT6000 to 23.5.5 and I was able to get the Windows VPN client to attach successfully to my MT6000 OpenVPN server but no traffic would pass through.

Is there a solution? The router is still returnable via Amazon and perhaps selecting another model of a fast router is the solution, one that is more friendly to OpenVPN server; would this be my best choice if I don't want to take a 6 year networking class? If anyone can help, I'd be more than appreciative.

This is not sustainable as sometimes there are breaking changes. For example, certain ciphers may be dropped, syntax may change, security recommendations get updated, etc.

source should be wan.

You didn't answer my previous question about the IP address...

Also, please remember: one topic - one thread. Do not create multiple threads for a single topic, and try to stay on-topic within any given thread. As you can see, I merged your two threads.

Another thought -- is there a reason you continue to use OpenVPN? If you have control of both sides (and it sounds like you do), consider WireGuard which is much easier to configure, modern, secure (and doesn't respond to port-probes) and far more performant.

Try to remove `list push 'block-outside-dns'`; it's only for Windows clients.

`cipher AES-256-CBC,auth SHA1,keysize 256`
are deprecated.

`block-outside-dns` in OpenVPN is a Windows-specific directive to prevent DNS leaks by forcing the use of only VPN-provided DNS servers.

I do second the advice to use WireGuard instead of OpenVPN but the more pressing matter is checking if you have got a public IP address

There are not many providers nowadays which hand out a public IPv4 address with their fiber internet.

My notes about setting up WireGuard start with checking if you have a public IPv4 and/or IPv6 address, so have a look:
WireGuard Server Setup Guide
As said, not many ISPs providing fiber internet hand out a public IPv4 address, but they do hand out an IPv6 address. Of course, for that you have to set up IPv6; check this also with your provider.

Sorry, for many years now, I don't continue to be updated via email when I get a new response here.

I didn't ever move over to wireguard because of the learning curve thing. I no longer find pleasure in studying new things for months only to forget them in a week.

Once I figured out my profiles for OpenVPN, since only the routers themselves changed as they got upgraded over the years, it was always easy to plug in the OpenVPN server file and 3 firewall additions, and I was good to go. Once past OpenWrt 18.x.x.x, nothing seems the same any longer. If WireGuard is faster, that is good for some, but a few mb here or there is not worth spending months to learn something new.

Just looking for a valid file to put in the /etc/config/openvpn file and the additions to the /etc/config/firewall file which is all that used to be required, of course along with Software install of OpenVPN-openssl, and dns-scripts software to get my DDNS up and working.

I just tried 24.10.5 and it keeps telling me that I have errors in my /etc/config/openvpn file. And no matter what I put in the file, it keeps flagging a keepalive parm that is not even in the file. Totally nuts.

You can fix that by following this link to your email preferences.

A basic wireguard configuration can be created in minutes. There isn't all that much to learn and you can in fact use an automated method so you don't need to do much at all.

It's really simple, though... literally just about a dozen lines in the config total (for both the interface and peer config) and that's all. You can even have a QR code to transfer the corresponding config to your phone.

I feel your pain. I went to a library over the weekend and couldn't find the card catalog. I went home because I didn't want to try to figure out how to search for my book using that strange looking typewriter.

WireGuard is easier.... just saying.

I used to be really good at OpenVPN. I still have it running (successfully) on my OpenWrt VPN server, but I don't spend much time thinking about it anymore. But, suffice to say that sometimes it is a warning, not an error. And with that, your server might be running.

You still haven't answered about the wan...

It doesn't make sense to spend any time on your config if you don't have a public IP.

DDNS is what I have always used.

UPDATE: I am finally tunneled through but when I go to whatsmyipaddress it shows I am connected to my client side ISP instead of my remote router ISP. Here are my config files (some data redacted with @ sign)

Server config file:

config openvpn 'myvpn'
option enable '1'	
option client-to-client
option persist-key
option persist-tun
option auth SHA256
option cipher AES-256-GCM
option ncp-disable
option dev 'tun'	
option dev-type tun
option group nogroup
option keepalive '10 120'
option mode server
option mute 5
option port 1194
option proto udp
#list push "persist-key"
#list push "persist-tun"
#list push "redirect-gateway def1"
#list push "route-ipv6 ::/0"
option route-gateway dhcp
option server  '10.8.0.0 255.255.255.0'
option server-ipv6 'fd00:04ab:c8f1:8de2::0/64/64'
option topology subnet
option duplicate-cn
option user nobody
option verb 3

option ca '/etc/openvpn/caDJ.crt'
option cert '/etc/openvpn/servercertDJ.crt'
option key '/etc/openvpn/serverDJ.key'
option dh '/etc/openvpn/dh2048.pem'

option status '/var/log/openvpn-status.log'

Server firewall (ADDITIONS; not the entire file)

config zone
option name 'vpn'
option input 'ACCEPT'
#the forward option is not in GLiNet firmware
#option forward 'ACCEPT'
option output 'ACCEPT'
# factory Gli Net native firmware has the names the same where old implementation has it named VPn0
option network 'vpn0'
# option network 'vpn'
# copied from factory Gli Net native firmware
option mtu_fix '1'
option masq '1'
option masq6 '1'
option family 'ipv4'
option enabled '1'

config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
#chaned from splat historicaally
#option src '*'
option src 'wan'
option proto 'udp'
option dest_port '1194'
#next 2 lines copied from GLI Net native firmware
option family 'ipv4'
option enabled '1'

config forwarding
option src 'vpn'
option dest 'wan'
#next 2 lines copied from GLI Net native firmware
option family 'ipv4'
option enabled '1'

config forwarding
option src 'vpn'
option dest 'lan'
#next 2 lines copied from GLI Net native firmware
option family 'ipv4'
option enabled '1'

config forwarding
option src 'lan'
option dest 'vpn'
#next 2 lines copied from GLI Net native firmware
option family 'ipv4'
option enabled '1'

#new rule from GLI Net native firmware (did not exist previous versions)
config rule 'Vpn2Vpn'
option name 'Vpn2Vpn'
option src 'vpn'
option dest 'vpn'
option proto 'all'
option target 'REJECT'
option family 'ipv4'
option enabled '1'

#new rule from GLI Net native firmware (did not exist previous versions)
config rule 'vpn_allow_dns'
option name 'vpn_allow_dns'
option src 'vpn'
option target 'ACCEPT'
option dest_port '53'
option family 'ipv4'
option enabled '1'

Client config file:

client
dev tun
dev-type tun
proto udp
remote donDDNS.@@@@@@.com 1194
float
resolv-retry infinite
#block-outside-dns
nobind
persist-key
persist-tun
auth SHA256
cipher AES-256-GCM
#route-ipv6 ::/0
nice 0
mute 5
verb 3

redirect-gateway def1
dhcp-option DNS 192.168.8.1

ca caDJ.crt
cert certDJ.crt
key clientDJ.key

Note that when I un-comment-out the block-outside-dns, I do not get any DNS resolution at all on my client instance of OPENVPN.

You're not pushing redirect-gateway, so the client does not use the VPN as default gateway. Also I think you have to push a DNS for the client to install as an in-the-tunnel DNS so block-outside-dns doesn't remove the only DNS.

With the assumption that I am “cheating” by not exactly knowing how this works and just copying others’ profiles, I am at a major disadvantage. So you are saying that when the command redirect-gateway is added “literally” to the client.ovpn file, this command is not read, and you are saying the command has to exist in the server profile such as

list push "redirect-gateway def1"
?? 

Upon further investigation, when visiting whatsmyipaddress, in the IPv6 field, the IP6 is not going through the VPN because the IP6 address shown on whatsmyipaddress is always the native IP6 of the client ISP and not the remote IP6 address.

Why are you adding rules from the configs that came with the GL-inet firmware??? (HINT: you shouldn't be doing that!)

What else have you "ported" from that environment?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I was working backwards and the reason for that was that none of the example configuration files I could find such as “server.ovpn, firewall and client.ovpn” have been updated with the new information (apparently) required with more modern versions of OpenWrt and OpenVPN. Root reason for spending the past couple of days working on this was that my “boiler plate addition” of these 3 long-term used files (server, client and server firewalls) has always dropped in to any OpenWrt version and worked. Something major must have changed after my last server purchase, which was running on OpenWrt 18.x.x.x. When I purchased the new GL.iNet MT6000 (Flint 2), I dropped in my old server/client profiles and the rules/forwards to the “firewall” on the server that always used to work, but no longer.



Using username "root".
root@192.168.8.1's password:
Access denied
root@192.168.8.1's password:

BusyBox v1.36.1 (2025-12-17 21:08:22 UTC) built-in shell (ash)





OpenWrt 24.10.5, r29087-d9c5716d1d

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd69:5a34:e1dc::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '208.67.222.222'
list dns '208.67.220.220'

config interface 'wan'
option device 'eth1'
option proto 'dhcp'

config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option band '2g'
option channel '4'
option htmode 'HE20'
option cell_density '0'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid '(redacted)'
option encryption 'psk2'
option key '(redacted)'

config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option band '5g'
option channel 'auto'
option htmode 'HE80'
option cell_density '0'

config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid '(redacted)'
option encryption 'psk2'
option key '(redacted)'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piofolder '/tmp/odhcpd-piofolder'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'

config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'

config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

###added by DJ:

config zone
option name 'vpn'
option input 'ACCEPT'
#the forward option is not in GLiNet firmware
#option forward 'ACCEPT'
option output 'ACCEPT'
# factory Gli Net native firmware has the names the same where old implementation has it named VPn0
option network 'vpn0'
# option network 'vpn'
# copied from factory Gli Net native firmware
option mtu_fix '1'
option masq '1'
option masq6 '1'
option family 'ipv4'
option enabled '1'

###end of add

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

###added by DJ:

config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
#chaned from splat historicaally
#option src '*'
option src 'wan'
option proto 'udp'
option dest_port '1194'
#next 2 lines copied from GLI Net native firmware
option family 'ipv4'
option enabled '1'

config forwarding
option src 'vpn'
option dest 'wan'
#next 2 lines copied from GLI Net native firmware
option family 'ipv4'
option enabled '1'

config forwarding
option src 'vpn'
option dest 'lan'
#next 2 lines copied from GLI Net native firmware
option family 'ipv4'
option enabled '1'

config forwarding
option src 'lan'
option dest 'vpn'
#next 2 lines copied from GLI Net native firmware
option family 'ipv4'
option enabled '1'

#new rule from GLI Net native firmware (did not exist previous versions)
config rule 'Vpn2Vpn'
option name 'Vpn2Vpn'
option src 'vpn'
option dest 'vpn'
option proto 'all'
option target 'REJECT'
option family 'ipv4'
option enabled '1'

#new rule from GLI Net native firmware (did not exist previous versions)
config rule 'vpn_allow_dns'
option name 'vpn_allow_dns'
option src 'vpn'
option target 'ACCEPT'
option dest_port '53'
option family 'ipv4'
option enabled '1'

###end of add

root@OpenWrt:~#

The reason for copying from GL.iNet is that their “easy OpenVPN server” worked perfectly, but I don’t want to switch my strategy to being hooked to GL.iNet firmware and using only their routers. I prefer if possible to continue to do quick “drop-ins” of the 3 files I always alter after adding the OpenVPN-OpenSSL software package. Plus I don’t like my router firmware tied into any company’s potential stat collecting, such as proprietary router firmware.

I understand your reason, but the implementation is entirely wrong. Do not copy any of the config code from the vendor's firmware -- it's not compatible with official OpenWrt.
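
Added example, not part of any post in this thread: a shell lint that cross-references firewall zones with /etc/config/network, run here on constructed excerpts of the two files posted above. In those files the `vpn` zone is bound to `vpn0`, which has no `config interface` section, while `tun+` is listed as a device of the `lan` zone. The function names are hypothetical, and treating a trailing `+` as a prefix wildcard is an assumption about how the firewall expands device patterns.

```shell
# Added example: lint OpenWrt firewall zone bindings against /etc/config/network.
# Section names of every 'config interface' in a UCI network file ($1).
list_interfaces() {
    awk -v q="'" '$1 == "config" && $2 == "interface" { gsub(q, "", $3); print $3 }' "$1"
}

# Print "zone value" for each value of option/list KEY ($2) in a zone of file $1.
zone_values() {
    awk -v q="'" -v key="$2" '
        function emit(  i) {
            if (zone) for (i = 1; i <= n; i++) print name, val[i]
            n = 0; name = "(unnamed)"
        }
        /^[ \t]*#/           { next }    # ignore commented-out options
        $1 == "config"       { emit(); zone = ($2 == "zone"); next }
        zone && $2 == "name" { name = $3; gsub(q, "", name) }
        zone && $2 == key    { for (i = 3; i <= NF; i++) { v = $i; gsub(q, "", v); val[++n] = v } }
        END                  { emit() }
    ' "$1"
}

# "zone:network" for zones bound to a network that has no interface section.
dangling_zone_networks() {   # $1 = network file, $2 = firewall file
    ifaces=$(list_interfaces "$1")
    zone_values "$2" network | while read -r zone net; do
        printf '%s\n' "$ifaces" | grep -qxF -- "$net" || echo "$zone:$net"
    done
}

# Zones of file $1 whose device patterns match DEV ($2); trailing '+' = prefix wildcard.
zones_for_device() {
    zone_values "$1" device | while read -r zone pat; do
        case "$pat" in
            *+) case "$2" in "${pat%+}"*) echo "$zone" ;; esac ;;
            "$2") echo "$zone" ;;
        esac
    done
}

# Constructed sample: excerpts of the two files posted in the thread.
sample_dir=$(mktemp -d)
printf "config interface '%s'\n" loopback lan wan wan6 > "$sample_dir/network"
cat > "$sample_dir/firewall" <<'EOF'
config zone 'lan'
    option name 'lan'
    list network 'lan'
    list device 'tun+'
config zone
    option name 'vpn'
    # option network 'vpn'
    option network 'vpn0'
EOF
dangling_zone_networks "$sample_dir/network" "$sample_dir/firewall"   # vpn:vpn0
zones_for_device "$sample_dir/firewall" tun0                          # lan
```

On the router, the same two functions can be pointed at /etc/config/network and /etc/config/firewall directly.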