OpenVPN Server Debugging OpenWRT v24

This might not be the place to ask/discuss this but I figured I'd try. (Thanks for moving to the right place @frollic) I've been fighting this issue for about 2 weeks now. Originally I was setting this up with my router's original OEM firmware but it was extremely limited. For example I have an old ASUS RT-N66U that has an "advanced" tab for OpenVPN server settings. I used that for years and it worked fine. Now I have a TP-Link AX23 whose OEM firmware/webUI was clearly never meant to be useful. So I installed OpenWRT. However the problem still persists.

Clients can connect but it is a black hole. Once connected you can't access anything, you can't even ping the OpenVPN server ip 10.8.0.1. I've tried numerous setup tutorials and have been using the openvpn_server_management.sh script from here as a way to speed things up.

As a spitball there were two major changes I thought I might be slamming into.

The first was that DHCP and DNS were not handed out by the OpenWRT device. Likewise with the device when it was running the TP-Link firmware. Back when I was using the ASUS router everything was on it. However the TP-Link firmware was so bad I migrated everything I could away from it. However I haven't found anything in the docs or tutorials that says DHCP/DNS must be enabled and delegated on the device running the OpenVPN server either. I moved DHCP back to the router/OpenWRT/OpenVPN device but no change.

Next was that the clients I'm setting this up for are largely Android devices. I used to only use this for my laptops when working remotely. Android devices are less than forthcoming with debugging info or network settings at all, but also now have various DNS features that may or may not be screwing everything up, i.e. "Private DNS", which in theory rejects DNS unless "it" deems it secure. By what metric this is deemed I have no idea. I've tested turning these things on and off but also no change. I could still be missing one of these "only overlord approved 'security features'."

I'd appreciate it if someone had some debugging advice or could even spot an issue with my setup. I'm tapped out of ideas of things to test and try outside setting up OpenVPN on another machine on the network and just port forwarding to it.

server.conf

port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
topology subnet

ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/server.crt
key /etc/easy-rsa/pki/private/server.key
dh /etc/easy-rsa/pki/dh.pem

tls-crypt-v2 /etc/easy-rsa/pki/private/server.pem

client-to-client
keepalive 10 60

push "redirect-gateway def1"
#push "route [numbersNdots] 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
#push "dhcp-option DNS [numbersNdots]"
push "dhcp-option DOMAIN lan"
push "persist-tun"
push "persist-key"

# Privileges and security
user nobody
group nogroup
persist-tun
persist-key

# Logging
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

client.ovpn

user nobody
group nogroup
dev tun
nobind
client
remote [numbersNdots] 1194 udp
auth-nocache
remote-cert-tls server

/etc/config/firewall

config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

You haven't posted the firewall config, but if you have created a dedicated vpn zone and forwarding(s), remove all of them and add device tun+ to the lan zone.

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list device 'tun+'

This is what's in /etc/config/firewall

config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

Though if there wasn't a correct firewall rule I couldn't connect, much less to a black hole. :wink: - unless I need something else to push from Class A to Class C address etc.

That's only for allowing incoming connections from internet.

OK but what else do I need? I've had other rules, I've tried defining the TUN device under interfaces with rules that push this and that but nothing worked. Of course I could have always been 1 thing away from the correct combination but I've tried so many things I couldn't tell you what went with what at this point.

Just add device tun+ to the lan zone (as suggested above), restart the firewall service and test again.


Previously when I had defined tun0 I left protocol as unmanaged, is/was this correct? I also had Masquerading set because at one point I did have a connection hit my DHCP server but it showed as the Class A address and was rejected. Masquerading didn't seem to fix anything and further throwing stuff at the wall saw me not even getting rejections heh.

OK I re-added a zone for the tun+ device and set it to masquerade. I also re-added DNS under forwards. No dice.

Please post your complete files for the following:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn

Also... I'll add that if you don't have a specific reason to require OpenVPN as a protocol, Wireguard is a really nice option and generally recommended over OpenVPN these days -- it's modern, really easy to configure, and much more performant.

I've heard wireguard mentioned for years but never even knew it was an option for this. I just want various people to be able to tunnel in and access local servers/domains as cloudflare is problematic when trying to access the services from "outside."

{
	"kernel": "6.6.119",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:4",
	"model": "TP-Link Archer AX23 v1",
	"board_name": "tplink,archer-ax23-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.5",
		"revision": "r29087-d9c5716d1d",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
		"builddate": "1766005702"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd73:82ca:ebd3::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.8'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns '192.168.0.82'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'

config device
	option name 'wan'
	option macaddr ''

config device
	option name 'tun0'
	option ipv6 '0'

config interface 'tun0'
	option proto 'none'
	option auto '0'


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option synflood_protect '1'
	option drop_invalid '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'http'
	option src 'wan'
	option dest_ip '192.168.0.80'
	option dest_port '80'
	option src_dport '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'https'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.0.80'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'smtp'
	option src 'wan'
	option src_dport '25'
	option dest_ip '192.168.0.80'
	option dest_port '25'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'XMPP'
	option src 'wan'
	option src_dport '5222'
	option dest_ip '192.168.0.80'
	option dest_port '5222'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'


config openvpn 'custom_config'
	option enabled '0'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option enabled '0'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/easy-rsa/pki/ca.crt'
	option cert '/etc/easy-rsa/pki/issued/server.crt'
	option key '/etc/easy-rsa/pki/private/server.key'
	option dh '/etc/easy-rsa/pki/dh.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '5'

config openvpn 'sample_client'
	option enabled '0'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option verb '3'
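Added example, not code from the thread: a checker for the UCI text format used in the /etc/config/firewall dump above. It reports which zone(s) the tun+ device is attached to and which zones (like the 'vpn' zone in the dump, which lists no network, device or subnet) can never match traffic, so any forwarding or masquerading tied to them has no effect. The sample input is a constructed excerpt modelled on the posted dump.

```python
"""Audit an OpenWrt /etc/config/firewall dump for OpenVPN tun zone problems."""
import shlex

# Constructed excerpt modelled on the firewall dump posted in the thread.
SAMPLE_FIREWALL = """
config defaults
    option input 'REJECT'
    option forward 'REJECT'

config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
    list device 'tun+'

config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    option masq '1'
    list network 'wan'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option masq '1'

config forwarding
    option src 'vpn'
    option dest 'lan'
"""


def parse_uci(text):
    """Return a list of sections: {'type', 'name', 'options', 'lists'}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # unwraps the single-quoted UCI values
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is None or len(parts) < 2:
            continue
        elif parts[0] == "option":
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            cur["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def audit_tun_zones(text, tun_device="tun+"):
    """Return {'tun_zones', 'dead_zones', 'dead_forwardings'} for a firewall dump."""
    sections = parse_uci(text)
    zones = [s for s in sections if s["type"] == "zone"]
    fwds = [s for s in sections if s["type"] == "forwarding"]
    tun_zones = [z["options"].get("name") for z in zones
                 if tun_device in z["lists"].get("device", [])]
    # A zone with no 'network', 'device' or 'subnet' entries never matches traffic,
    # so its input/forward policy, masq and forwardings are inert.
    dead = [z["options"].get("name") for z in zones
            if not any(z["lists"].get(k) for k in ("network", "device", "subnet"))]
    dead_fwds = [(f["options"].get("src"), f["options"].get("dest")) for f in fwds
                 if f["options"].get("src") in dead or f["options"].get("dest") in dead]
    return {"tun_zones": tun_zones, "dead_zones": dead, "dead_forwardings": dead_fwds}


if __name__ == "__main__":
    print(audit_tun_zones(SAMPLE_FIREWALL))
```

An empty `tun_zones` list means tun traffic falls through to the `config defaults` policy (input REJECT in the dump), which is the other way to end up with a connected-but-black-hole tunnel.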

Is this your main router?

I ask because the above is a bit unusual (although still can be valid). Most of the time, the main router will be set at the .1 or .254 addresses on a /24 network (this is not a requirement, just common practice).

If this is not the main router, how is this device connected to the upstream (via the lan or wan port)?

Delete this:

Delete all of this:

Yes this is the main router and .8 is my norm for that heh. Upstream on the WAN yes. I also have a .7 which is the old ASUS I mentioned in the OP, it just handles wifi upstairs.

Delete that stuff I was just told to add it!? :stuck_out_tongue_winking_eye: OK I will give it a shot.

Removed, restarted the firewall, still bupkis. Can you perhaps link me a good tutorial on Wireguard? I searched the site but the search only returned others trying to solve issues or what looked like router to 3rd party setups.

For wireguard:

Meanwhile, for your current config, let's see some additional logs:

logread -e openvpn

And also, from an OpenVPN client (such as your computer or phone), what is the result of:

ping 192.168.0.8
ping 64.226.122.113
ping openwrt.org

Mon Jan 19 01:14:12 2026 daemon.err openvpn(server)[5791]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
Mon Jan 19 01:14:12 2026 daemon.warn openvpn(server)[5791]: Use --help for more information.
Mon Jan 19 01:14:17 2026 daemon.err openvpn(server)[5792]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
Mon Jan 19 01:14:17 2026 daemon.warn openvpn(server)[5792]: Use --help for more information.
Mon Jan 19 01:14:22 2026 daemon.err openvpn(server)[5796]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
Mon Jan 19 01:14:22 2026 daemon.warn openvpn(server)[5796]: Use --help for more information.
Mon Jan 19 01:14:27 2026 daemon.err openvpn(server)[5797]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
Mon Jan 19 01:14:27 2026 daemon.warn openvpn(server)[5797]: Use --help for more information.
Mon Jan 19 07:43:47 2026 daemon.err uhttpd[2013]: [info] luci: accepted login on /admin/vpn/openvpn for root from 192.168.0.62

I only have a roommate's phone to test with and it has no term to ping with. However if I try to load the LuCI it does show the little initialization line at the top "LuCI - Lua configuration interface" but that's it, doesn't give me the login and eventually times out.

So it's the actual config file itself, not the network or firewall configs.

Note the time, that was from HOURS ago while I was throwing stuff at the wall trying anything and everything to see if it helped. logread has virtually nothing of relevance. I have a term open watching tail -F /var/log/openvpn.log for stuff but again, everything looks fine, no errors, just doesn't work.

If that's the case, let's see the latest log output that shows a successful connection.

Here are the last 100 lines

2026-01-20 11:37:35 Could not determine IPv4/IPv6 protocol. Using AF_INET
2026-01-20 11:37:35 Socket Buffers: R=[180224->180224] S=[180224->180224]
2026-01-20 11:37:35 UDPv4 link local (bound): [AF_INET][undef]:1194
2026-01-20 11:37:35 UDPv4 link remote: [AF_UNSPEC]
2026-01-20 11:37:35 UID set to nobody
2026-01-20 11:37:35 GID set to nogroup
2026-01-20 11:37:35 Capabilities retained: CAP_NET_ADMIN
2026-01-20 11:37:35 MULTI: multi_init called, r=256 v=256
2026-01-20 11:37:35 IFCONFIG POOL IPv4: base=10.8.0.2 size=253
2026-01-20 11:37:35 Initialization Sequence Completed
2026-01-20 11:39:35 Control Channel: using tls-crypt-v2 key
2026-01-20 11:39:35 Connection Attempt Control Channel: using tls-crypt-v2 key
2026-01-20 11:39:35 NUMBERSNDOTS:27965 Control Channel: using tls-crypt-v2 key
2026-01-20 11:39:35 NUMBERSNDOTS:27965 VERIFY OK: depth=1, CN=Easy-RSA CA
2026-01-20 11:39:35 NUMBERSNDOTS:27965 VERIFY OK: depth=0, CN=reacher
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_VER=3.11.1
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_PLAT=android
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_NCP=2
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_TCPNL=1
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_PROTO=8094
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_MTU=1600
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_AUTO_SESS=1
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_GUI_VER=net.openvpn.connect.android_3.7.1-10568
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_SSO=webauth,crtext
2026-01-20 11:39:35 NUMBERSNDOTS:27965 peer info: IV_BS64DL=1
2026-01-20 11:39:35 NUMBERSNDOTS:27965 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2026-01-20 11:39:35 NUMBERSNDOTS:27965 TLS: tls_multi_process: initial untrusted session promoted to trusted
2026-01-20 11:39:35 NUMBERSNDOTS:27965 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2026-01-20 11:39:35 NUMBERSNDOTS:27965 [reacher] Peer Connection Initiated with [AF_INET]NUMBERSNDOTS:27965
2026-01-20 11:39:35 reacher/NUMBERSNDOTS:27965 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
2026-01-20 11:39:35 reacher/NUMBERSNDOTS:27965 MULTI: Learn: 10.8.0.2 -> reacher/NUMBERSNDOTS:27965
2026-01-20 11:39:35 reacher/NUMBERSNDOTS:27965 MULTI: primary virtual IP for reacher/NUMBERSNDOTS:27965: 10.8.0.2
2026-01-20 11:39:35 reacher/NUMBERSNDOTS:27965 SENT CONTROL [reacher]: 'PUSH_REPLY,persist-tun,persist-key,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
2026-01-20 11:39:35 reacher/NUMBERSNDOTS:27965 PUSH: Received control message: 'PUSH_REQUEST'
2026-01-20 11:39:36 reacher/NUMBERSNDOTS:27965 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2026-01-20 11:39:36 reacher/NUMBERSNDOTS:27965 Timers: ping 10, ping-restart 120
2026-01-20 11:39:36 reacher/NUMBERSNDOTS:27965 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
2026-01-20 11:44:01 reacher/NUMBERSNDOTS:27965 Delayed exit in 5 seconds
2026-01-20 11:44:06 Control Channel: using tls-crypt-v2 key
2026-01-20 11:44:06 Connection Attempt Control Channel: using tls-crypt-v2 key
2026-01-20 11:44:06 NUMBERSNDOTS:44340 Control Channel: using tls-crypt-v2 key
2026-01-20 11:44:06 reacher/NUMBERSNDOTS:27965 SIGTERM[soft,delayed-exit] received, client-instance exiting
2026-01-20 11:44:07 NUMBERSNDOTS:44340 VERIFY OK: depth=1, CN=Easy-RSA CA
2026-01-20 11:44:07 NUMBERSNDOTS:44340 VERIFY OK: depth=0, CN=reacher
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_VER=3.11.1
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_PLAT=android
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_NCP=2
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_TCPNL=1
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_PROTO=8094
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_MTU=1600
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_AUTO_SESS=1
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_GUI_VER=net.openvpn.connect.android_3.7.1-10568
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_SSO=webauth,crtext
2026-01-20 11:44:07 NUMBERSNDOTS:44340 peer info: IV_BS64DL=1
2026-01-20 11:44:07 NUMBERSNDOTS:44340 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2026-01-20 11:44:07 NUMBERSNDOTS:44340 TLS: tls_multi_process: initial untrusted session promoted to trusted
2026-01-20 11:44:07 NUMBERSNDOTS:44340 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2026-01-20 11:44:07 NUMBERSNDOTS:44340 [reacher] Peer Connection Initiated with [AF_INET]NUMBERSNDOTS:44340
2026-01-20 11:44:07 reacher/NUMBERSNDOTS:44340 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
2026-01-20 11:44:07 reacher/NUMBERSNDOTS:44340 MULTI: Learn: 10.8.0.2 -> reacher/NUMBERSNDOTS:44340
2026-01-20 11:44:07 reacher/NUMBERSNDOTS:44340 MULTI: primary virtual IP for reacher/NUMBERSNDOTS:44340: 10.8.0.2
2026-01-20 11:44:07 reacher/NUMBERSNDOTS:44340 SENT CONTROL [reacher]: 'PUSH_REPLY,persist-tun,persist-key,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
2026-01-20 11:44:07 reacher/NUMBERSNDOTS:44340 PUSH: Received control message: 'PUSH_REQUEST'
2026-01-20 11:44:08 reacher/NUMBERSNDOTS:44340 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2026-01-20 11:44:08 reacher/NUMBERSNDOTS:44340 Timers: ping 10, ping-restart 120
2026-01-20 11:44:08 reacher/NUMBERSNDOTS:44340 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
2026-01-20 11:44:29 reacher/NUMBERSNDOTS:44340 Delayed exit in 5 seconds
2026-01-20 11:44:31 Control Channel: using tls-crypt-v2 key
2026-01-20 11:44:32 Connection Attempt Control Channel: using tls-crypt-v2 key
2026-01-20 11:44:32 NUMBERSNDOTS:3871 Control Channel: using tls-crypt-v2 key
2026-01-20 11:44:32 NUMBERSNDOTS:3871 VERIFY OK: depth=1, CN=Easy-RSA CA
2026-01-20 11:44:32 NUMBERSNDOTS:3871 VERIFY OK: depth=0, CN=reacher
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_VER=3.11.1
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_PLAT=android
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_NCP=2
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_TCPNL=1
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_PROTO=8094
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_MTU=1600
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_AUTO_SESS=1
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_GUI_VER=net.openvpn.connect.android_3.7.1-10568
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_SSO=webauth,crtext
2026-01-20 11:44:32 NUMBERSNDOTS:3871 peer info: IV_BS64DL=1
2026-01-20 11:44:32 NUMBERSNDOTS:3871 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2026-01-20 11:44:32 NUMBERSNDOTS:3871 TLS: tls_multi_process: initial untrusted session promoted to trusted
2026-01-20 11:44:32 NUMBERSNDOTS:3871 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2026-01-20 11:44:32 NUMBERSNDOTS:3871 [reacher] Peer Connection Initiated with [AF_INET]NUMBERSNDOTS:3871
2026-01-20 11:44:32 MULTI: new connection by client 'reacher' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
2026-01-20 11:44:32 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
2026-01-20 11:44:32 MULTI: Learn: 10.8.0.2 -> reacher/NUMBERSNDOTS:3871
2026-01-20 11:44:32 MULTI: primary virtual IP for reacher/NUMBERSNDOTS:3871: 10.8.0.2
2026-01-20 11:44:32 SENT CONTROL [reacher]: 'PUSH_REPLY,persist-tun,persist-key,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
2026-01-20 11:44:32 reacher/NUMBERSNDOTS:3871 PUSH: Received control message: 'PUSH_REQUEST'
2026-01-20 11:44:33 reacher/NUMBERSNDOTS:3871 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2026-01-20 11:44:33 reacher/NUMBERSNDOTS:3871 Timers: ping 10, ping-restart 120
2026-01-20 11:44:33 reacher/NUMBERSNDOTS:3871 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
2026-01-20 12:00:33 reacher/NUMBERSNDOTS:3871 Delayed exit in 5 seconds
2026-01-20 12:00:38 reacher/NUMBERSNDOTS:3871 SIGTERM[soft,delayed-exit] received, client-instance exiting

Anyhow thanks everyone for chiming in. I'll call this and look into wireguard as a replacement.
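Added example, not code from the thread: the PUSH_REPLY lines in the server log above carry `persist-tun`, `persist-key`, `route-gateway` and `ifconfig`, but none of the `redirect-gateway def1` or `dhcp-option` entries the posted server.conf declares, and the log also shows the `reacher` certificate's reconnects dropping its own earlier session. This script makes both observations mechanical by diffing the `push` directives in a server.conf against what the log shows was actually sent. The embedded input is excerpted from the server.conf and log posted in the thread (NUMBERSNDOTS is the poster's redaction of the client address).

```python
"""Cross-check configured OpenVPN push directives against PUSH_REPLY log lines."""
import re

# Excerpt of the server.conf posted in the thread.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
topology subnet
keepalive 10 60
push "redirect-gateway def1"
#push "route [numbersNdots] 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DOMAIN lan"
push "persist-tun"
push "persist-key"
"""

# Excerpt of the server log posted in the thread.
SERVER_LOG = """
2026-01-20 11:44:32 NUMBERSNDOTS:3871 [reacher] Peer Connection Initiated with [AF_INET]NUMBERSNDOTS:3871
2026-01-20 11:44:32 MULTI: new connection by client 'reacher' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
2026-01-20 11:44:32 SENT CONTROL [reacher]: 'PUSH_REPLY,persist-tun,persist-key,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
2026-01-20 12:00:38 reacher/NUMBERSNDOTS:3871 SIGTERM[soft,delayed-exit] received, client-instance exiting
"""

PUSH_RE = re.compile(r'^\s*push\s+"([^"]+)"')          # uncommented push lines only
REPLY_RE = re.compile(r"SENT CONTROL \[([^\]]+)\]: 'PUSH_REPLY,([^']*)'")
DUPCN_RE = re.compile(r"new connection by client '([^']+)' will cause previous active sessions")


def configured_pushes(conf_text):
    """Set of option strings the config pushes; '#push ...' lines are ignored."""
    return {m.group(1).strip() for m in map(PUSH_RE.match, conf_text.splitlines()) if m}


def sent_pushes(log_text):
    """{client_cn: set(options)} accumulated over every PUSH_REPLY in the log."""
    sent = {}
    for m in REPLY_RE.finditer(log_text):
        sent.setdefault(m.group(1), set()).update(
            opt.strip() for opt in m.group(2).split(","))
    return sent


def missing_pushes(conf_text, log_text):
    """{client_cn: sorted configured pushes that never appeared on the wire}.

    A non-empty list means the running instance is not using this config file
    (or the lines were commented out when the session was established)."""
    want = configured_pushes(conf_text)
    return {cn: sorted(want - got) for cn, got in sent_pushes(log_text).items()}


def duplicate_cn_clients(log_text):
    """CNs whose reconnects kicked an earlier session: one cert shared by several
    devices (or a flapping client) without --duplicate-cn on the server."""
    return sorted(set(DUPCN_RE.findall(log_text)))


if __name__ == "__main__":
    print("missing pushes:", missing_pushes(SERVER_CONF, SERVER_LOG))
    print("duplicate-cn drops:", duplicate_cn_clients(SERVER_LOG))
```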