OpenVPN server, no LAN no internet

Hello everyone,

I have OpenWrt SNAPSHOT installed r6873-cf7a88c / LuCI Master (git-18.131.66371-1e39fef) in a xiaomi-3g router, the stable version is not available

My ISP provides the data by the vlan with id 832

I followed this guide to configure OpenVPN: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup. Clients connect to the server but have no access to the LAN or the internet, and pings get no reply.

ping 8.8.8.8               
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
28  * * *
29  * * *
30  * * *

My configurations and logs:

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0.1'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'xx:xx:xx:xx'

config interface 'wan'
        option proto 'dhcp'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option ifname 'eth0.832'

config interface 'wan6'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option ifname 'eth0.832'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 6t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '1t 6t'
        option vid '832'

config interface 'vpnserver'
        option proto 'none'
        option ifname 'ovpns0'
        option auto '1'

/etc/config/openvpn

# OpenVPN server instance from /etc/config/openvpn (UCI), as posted.
# Lines marked NOTE(review) are reviewer annotations on the posted values.
config openvpn 'vpnserver'
        option dev_type 'tun'
        option dev 'ovpns0'
        option port 'XXXX'
        # NOTE(review): the server log further down has no comp-lzo entry in its
        # "Local Options String" and warns "'comp-lzo' is present in remote config
        # but missing in local config", while the client file sets 'comp-lzo no'.
        # The repeated "IP packet with unknown IP version=15 seen" warnings are a
        # typical sign that the two ends disagree on compression framing; confirm
        # which compression setting the running server really applies. comp-lzo
        # is deprecated in OpenVPN 2.4, and compressing tunnelled traffic can
        # leak information about its plaintext, so turning compression off on
        # both ends is the safer way to make them agree.
        option comp_lzo 'yes'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option mode 'server'
        option tls_server '1'
        # Tunnel subnet handed out to clients; it differs from the LAN
        # (192.168.1.1/255.255.255.0 in /etc/config/network).
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
        # NOTE(review): 'dhcp' as route gateway is presumably meant for tap/bridged
        # setups; the PUSH_REPLY in the log carries both 'route-gateway dhcp' and
        # 'route-gateway 192.168.200.1' - verify which one clients end up using.
        option route_gateway 'dhcp'
        # NOTE(review): with client-to-client, OpenVPN relays traffic between
        # clients internally, so the router firewall does not see or filter it.
        option client_to_client '1'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'topology subnet'
        list push 'route-gateway dhcp'
        list push 'redirect-gateway def1'
        # NOTE(review): this pushes the tunnel subnet itself, not the LAN behind
        # the router.
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        # 'redirect-gateway def1' is pushed a second time here, with bypass-dhcp added.
        list push 'redirect-gateway def1 bypass-dhcp'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/OpenVPN.crt'
        option key '/etc/openvpn/OpenVPN.key'
        option dh '/etc/openvpn/dh2048.pem'
        # NOTE(review): no cipher/auth option is set. The log shows the defaults
        # 'cipher BF-CBC,auth SHA1' in the options string and AES-256-GCM only
        # after negotiation with this client. Presumably a client without cipher
        # negotiation would fall back to BF-CBC - consider setting an explicit
        # modern cipher on both ends.
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        # NOTE(review): duplicate_cn lets several clients connect with the same
        # certificate (the clients in the logs all appear as [cliente]);
        # per-client certificates make it possible to tell clients apart and to
        # revoke a single one.
        option duplicate_cn '1'
        option enabled '1'
        option verb '5'

client

# OpenVPN client profile as posted; no ca/cert/key/tls-auth lines appear in
# this listing. Lines marked NOTE(review) are reviewer annotations.
client
dev tun
proto udp
fast-io
remote domain.org XXXX
# Requires the peer certificate to be marked for TLS server use, so another
# client certificate from the same CA cannot pose as the server.
remote-cert-tls server
nobind
persist-key
persist-tun
# NOTE(review): the server config sets comp_lzo 'yes' and pushes 'comp-lzo yes',
# yet the server log warns about a comp-lzo mismatch and then drops packets
# with "unknown IP version=15". Confirm both ends use the same compression
# setting (or none at all).
comp-lzo no
# Debug-level verbosity; the resulting client log may contain details that
# should be redacted before posting.
verb 7
# Counterpart of the '0' direction given with tls_auth on the server.
key-direction 1

firewall


config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Accepts the OpenVPN listening port on the router itself (there is no 'dest',
# so this acts as an input rule).
# NOTE(review): dest_port has to equal 'option port' in /etc/config/openvpn
# (redacted there as 'XXXX'), and proto has to match the server's transport.
# src '*' accepts the port from every zone; presumably src 'wan' is enough,
# since the lan zone already has input ACCEPT.
config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option dest_port '1194'
        option proto 'udp'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config include
        option path '/etc/firewall.user'

# Firewall zone for the tunnel (network 'vpnserver', ifname 'ovpns0' in
# /etc/config/network). Lines marked NOTE(review) are reviewer annotations.
config zone
        option name 'vpnserver'
        # NOTE(review): input ACCEPT lets every connected VPN client reach all
        # services on the router itself.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpnserver'
        # NOTE(review): masq on this zone presumably NATs traffic that leaves
        # through the tunnel interface; confirm it is wanted, the wan zone
        # already masquerades internet-bound traffic.
        option masq '1'
        option forward 'REJECT'

# lan -> wan
config forwarding
        option dest 'wan'
        option src 'lan'

# NOTE(review): no zone named 'invitados' is defined in this listing.
config forwarding
        option dest 'wan'
        option src 'invitados'
# vpnserver -> lan: VPN clients may reach LAN hosts.
config forwarding
        option dest 'lan'
        option src 'vpnserver'

# vpnserver -> wan: VPN clients may reach the internet through the router.
config forwarding
        option dest 'wan'
        option src 'vpnserver'

# lan -> vpnserver: LAN hosts may open connections to VPN clients.
config forwarding
        option dest 'vpnserver'
        option src 'lan'


log

Sat May 12 21:15:53 2018 daemon.notice openvpn(vpnserver)[3253]: MULTI: multi_create_instance called
Sat May 12 21:15:53 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 Re-using SSL/TLS context
Sat May 12 21:15:53 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat May 12 21:15:53 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sat May 12 21:15:53 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sat May 12 21:15:53 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sat May 12 21:15:53 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 TLS: Initial packet from [AF_INET]192.168.1.5:37009, sid=b6bf028b fe907110
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 VERIFY OK: depth=1, C=xx, ST=xxxxx, O=xxxxxxx
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 VERIFY OK: depth=0, CN=xxxxx
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 peer info: IV_VER=2.4.6
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 peer info: IV_PLAT=linux
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 peer info: IV_PROTO=2
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 peer info: IV_NCP=2
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 peer info: IV_LZ4=1
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 peer info: IV_LZ4v2=1
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 peer info: IV_LZO=1
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 peer info: IV_COMP_STUB=1
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 peer info: IV_COMP_STUBv2=1
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 peer info: IV_TCPNL=1
Sat May 12 21:15:54 2018 daemon.warn openvpn(vpnserver)[3253]: 192.168.1.5:37009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Sat May 12 21:15:54 2018 daemon.warn openvpn(vpnserver)[3253]: 192.168.1.5:37009 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: 192.168.1.5:37009 [cliente] Peer Connection Initiated with [AF_INET]192.168.1.5:37009
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 MULTI_sva: pool returned IPv4=192.168.200.2, IPv6=(Not enabled)
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 MULTI: Learn: 192.168.200.2 -> cliente/192.168.1.5:37009
Sat May 12 21:15:54 2018 daemon.notice openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 MULTI: primary virtual IP for cliente/192.168.1.5:37009: 192.168.200.2
Sat May 12 21:15:55 2018 daemon.notice openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 PUSH: Received control message: 'PUSH_REQUEST'
Sat May 12 21:15:55 2018 daemon.notice openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 SENT CONTROL [cliente]: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,topology subnet,route-gateway dhcp,redirect-gateway def1,route 192.168.200.0 255.255.255.0,dhcp-option DNS 192.168.1.1,redirect-gateway def1 bypass-dhcp,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Sat May 12 21:15:55 2018 daemon.notice openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat May 12 21:15:55 2018 daemon.notice openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Sat May 12 21:15:55 2018 daemon.notice openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat May 12 21:15:55 2018 daemon.notice openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat May 12 21:15:55 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:55 2018 daemon.notice openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 MULTI: bad source address from client [1140:40:1148:19c0:a8c8:2ff:ffff:ff06], packet dropped
Sat May 12 21:15:56 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:56 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:56 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:56 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:56 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:56 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:57 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:57 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:57 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:57 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:57 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:57 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:57 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:58 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:58 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:59 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:59 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:59 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:59 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen
Sat May 12 21:15:59 2018 daemon.warn openvpn(vpnserver)[3253]: cliente/192.168.1.5:37009 IP packet with unknown IP version=15 seen

I would be very grateful if you helped me with this error, thank you very much

Try changing your push route...

should be instead:

(The above assumes that your main network is 192.168.1.0/24, which is inferred from the DNS server you have defined in the OpenVPN server config.)

Thank you very much for responding. I made the change you mentioned; unfortunately, the result remains the same.

I assume you restarted the openvpn server after making the change, right?
/etc/init.d/openvpn restart

Also, not sure if this matters, but try removing the following lines:

yes, always restart after every change

I've also done what you tell me but it's still the same

It is very strange, because that same configuration worked for me with an OpenWrt version from March. I had a copy of the configuration files; I installed a new OpenWrt version, saved the configuration files, and then imported them from the backup copy, and now it does not work.

I have also tried changing the value in /etc/config/dhcp, but it still does not work.


         option localservice '0'
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 192.168.200.4/24 brd 192.168.200.255 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 xxxx:xxxx:xxxx:xxxx/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

ping 192.168.200.4
PING 192.168.200.4 (192.168.200.4) 56(84) bytes of data.
64 bytes from 192.168.200.4: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 192.168.200.4: icmp_seq=2 ttl=64 time=0.082 ms
^C

thanks

No ping to openvpn server

ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1) 56 (84) bytes of data.

other client conected

 ping 192.168.200.3
PING 192.168.200.3 (192.168.200.3) 56(84) bytes of data.
^C
--- 192.168.200.3 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2037ms

Sorry it isn't working yet... Another thing to try:

Try removing this line

And then changing this one from:

to:
option dev 'tun0'

Then update your network and firewall definitions so that they look like this:

config interface 'vpnserver'
	option proto 'none'
	option ifname 'tun0'
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'vpnserver'
	option forward 'REJECT'

thanks again for the help, when I make these changes the clients do not connect to the server
If you need more data or want more tests, please tell me

I forgot to mention that you’ll have to update all other firewall rules that reference ‘vpnserver’ zone to ‘vpn’.

Try that and report back.

I made the changes but it still does not work, right now my configuration files are like this:
cat /etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option dest_port 'xxxxxx'
        option proto 'udp'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config include
        option path '/etc/firewall.user'

# Firewall zone for the tunnel after the rename to 'vpn'. Lines marked
# NOTE(review) are reviewer annotations.
config zone
        option name 'vpn'
        # NOTE(review): input ACCEPT lets every connected VPN client reach all
        # services on the router itself.
        option input 'ACCEPT'
        option output 'ACCEPT'
        # 'vpnserver' here is the interface name from /etc/config/network,
        # not a zone name.
        option network 'vpnserver'
        option masq '1'
        option forward 'REJECT'

# NOTE(review): the three forwardings below still name 'vpnserver' as a zone,
# but the zone above is now called 'vpn'. No zone named 'vpnserver' exists in
# this listing, so these entries presumably match nothing and VPN traffic
# falls under the default forward REJECT - use 'vpn' in src/dest instead.
config forwarding
        option dest 'lan'
        option src 'vpnserver'

config forwarding
        option dest 'wan'
        option src 'vpnserver'

config forwarding
        option dest 'vpnserver'
        option src 'lan'

cat /etc/config/openvpn

# OpenVPN server instance after the suggested edits: device renamed to
# 'tun0', dev_type commented out, LAN route pushed, 'verb' no longer set.
# Lines marked NOTE(review) are reviewer annotations.
config openvpn 'vpnserver'

#       option dev_type 'tun'
#       option dev 'ovpns0'
        option dev 'tun0'
        # NOTE(review): must equal dest_port of the 'Allow-OpenVPN-Inbound'
        # firewall rule (redacted as 'xxxxxx' in the firewall listing).
        option port '41194'
        # NOTE(review): the logs taken with this config still warn "'comp-lzo'
        # is present in remote config but missing in local config" and still
        # show "IP packet with unknown IP version=15 seen", so the compression
        # settings of server and clients presumably still disagree. Verify what
        # the running server applies, or remove compression on both ends.
        option comp_lzo 'yes'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option mode 'server'
        option tls_server '1'
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
        option route_gateway 'dhcp'
        # NOTE(review): client-to-client traffic is relayed inside OpenVPN and
        # is not filtered by the router firewall.
        option client_to_client '1'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'topology subnet'
        list push 'route-gateway dhcp'
        list push 'redirect-gateway def1'
        # Now pushes the LAN (192.168.1.0/24) instead of the tunnel subnet.
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        # 'redirect-gateway def1' is pushed a second time here, with bypass-dhcp added.
        list push 'redirect-gateway def1 bypass-dhcp'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/OpenVPN.crt'
        option key '/etc/openvpn/OpenVPN.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        # NOTE(review): duplicate_cn lets several clients share one certificate;
        # both clients in the logs below connect as [cliente].
        option duplicate_cn '1'
        option enabled '1'

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0.1'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '50:64:2b:1a:7c:30'

config interface 'wan'
        option proto 'dhcp'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option ifname 'eth0.832'

config interface 'wan6'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option ifname 'eth0.832'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 6t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '1t 6t'
        option vid '832'

config interface 'vpnserver'
        option proto 'none'
        option ifname 'tun0'
        option auto '1'

Logs

client 1 android

Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 peer info: IV_GUI_VER=OC30Android
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 peer info: IV_VER=3.2
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 peer info: IV_PLAT=android
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 peer info: IV_NCP=2
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 peer info: IV_TCPNL=1
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 peer info: IV_PROTO=2
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 peer info: IV_LZO=1
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 peer info: IV_IPv6=0
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 peer info: IV_AUTO_SESS=1
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 peer info: IV_BS64DL=1
Tue May 15 00:19:51 2018 daemon.warn openvpn(vpnserver)[3255]: xx.xx.xx.:42648 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Tue May 15 00:19:51 2018 daemon.warn openvpn(vpnserver)[3255]: xx.xx.xx.:42648 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: xx.xx.xx.:42648 [cliente] Peer Connection Initiated with [AF_INET]xx.xx.xx.:42648
Tue May 15 00:19:51 2018 daemon.notice openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 MULTI_sva: pool returned IPv4=192.168.200.2, IPv6=(Not enabled)
Tue May 15 00:19:52 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen
Tue May 15 00:19:52 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen
Tue May 15 00:19:57 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen
Tue May 15 00:19:57 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen
Tue May 15 00:20:01 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen
Tue May 15 00:20:02 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen
Tue May 15 00:20:02 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen
Tue May 15 00:20:02 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen

client 2, linux


Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 peer info: IV_VER=2.4.6
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 peer info: IV_PLAT=linux
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 peer info: IV_PROTO=2
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 peer info: IV_NCP=2
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 peer info: IV_LZ4=1
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 peer info: IV_LZ4v2=1
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 peer info: IV_LZO=1
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 peer info: IV_COMP_STUB=1
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 peer info: IV_COMP_STUBv2=1
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 peer info: IV_TCPNL=1
Tue May 15 00:21:03 2018 daemon.warn openvpn(vpnserver)[3255]: 192.168.1.5:53823 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Tue May 15 00:21:03 2018 daemon.warn openvpn(vpnserver)[3255]: 192.168.1.5:53823 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: 192.168.1.5:53823 [cliente] Peer Connection Initiated with [AF_INET]192.168.1.5:53823
Tue May 15 00:21:03 2018 daemon.notice openvpn(vpnserver)[3255]: cliente/192.168.1.5:53823 MULTI_sva: pool returned IPv4=192.168.200.3, IPv6=(Not enabled)
Tue May 15 00:21:05 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen
Tue May 15 00:21:05 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/192.168.1.5:53823 IP packet with unknown IP version=15 seen
Tue May 15 00:21:05 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/192.168.1.5:53823 IP packet with unknown IP version=15 seen
Tue May 15 00:21:05 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen
Tue May 15 00:21:05 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/xx.xx.xx.:42648 IP packet with unknown IP version=15 seen
Tue May 15 00:21:06 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/192.168.1.5:53823 IP packet with unknown IP version=15 seen
Tue May 15 00:21:06 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/192.168.1.5:53823 IP packet with unknown IP version=15 seen
Tue May 15 00:21:06 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/192.168.1.5:53823 IP packet with unknown IP version=15 seen
Tue May 15 00:21:06 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/192.168.1.5:53823 IP packet with unknown IP version=15 seen
Tue May 15 00:21:06 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/192.168.1.5:53823 IP packet with unknown IP version=15 seen
Tue May 15 00:21:06 2018 daemon.warn openvpn(vpnserver)[3255]: cliente/192.168.1.5:53823 IP packet with unknown IP version=15 seen

Thank you

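Try the following (taking out most of the push directives, adding mtu, and a few other tweaks). Also check your client config files to make sure they are configured at parity; for example, with `option proto 'tcp'` on the server, the client's `proto udp` line and the `option proto 'udp'` of the Allow-OpenVPN-Inbound firewall rule have to change to TCP as well.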

        option proto 'tcp'
        option port '41194'
        option dev 'tun0'
        option server '192.168.200.0 255.255.255.0'
	option tun_ipv6 '1'
	option tun_mtu '1500'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option mode 'server'
        option tls_server '1'
        option client_to_client '1'
        list push 'redirect-gateway def1'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/OpenVPN.crt'
        option key '/etc/openvpn/OpenVPN.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option duplicate_cn '1'
        option enabled '1'

nothing, there is no way, I have flashed the router again and I have reconfigured it from scratch following this guide https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup and I have also tried with this other https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.comprehensive in the two cases the clients connect to the server (router) but they do not see each other and they do not have access to Internet.

Honestly I do not understand how the first time I configured it following the first guide I had no problems and after updating it does not work anymore, neither going back to restore the configuration that previously worked or starting from scratch.

Again thank you for your help.

I'm in the same situation. I just set up OpenVPN on LEDE, using the same link the OP used for instructions.
A few things are not clear to me. Are we to adjust the server IP, DNS IP etc. in that sample config to match our router setup? I.e. the instructions mention the 192.168.200.0 subnet, whereas my router IP is 10.0.0.1.
Am I to adjust the config to accommodate for that? In my case, my OpenVPN client also connects to the router but I get no LAN or internet.

The network defined in the OpenVPN server config file must be different than your LAN. So the networks as you mentioned are okay.

In that same config, you need to have a push route (and probably DNS, too) to your LAN if you want LAN + internet access through your VPN.

list push 'route 10.0.0.0 255.255.255.0'
list push 'dhcp-option DNS 10.0.0.1'

Thanks. I've added the route and it is still a no-go. No LAN or internet.
I notice that the client still gets an IP of 192.168.200.2 when connected to the VPN.

# OpenVPN server instance 'vpnserver' as posted by the second user (LAN 10.0.0.0/24
# according to the notes further down the page).
config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        # Same device name as the ifname of the 'vpnserver' interface in the network config on this page.
        option dev 'ovpns0'
        # No 'proto' option is set; the server log on this page shows the daemon bound on UDPv4 port 1194.
        option port '1194'
        # NOTE(review): the server log on this page warns that 'comp-lzo' is present in the
        # remote config but missing in the local one, followed by repeated
        # "IP packet with unknown IP version=15 seen". That pair usually points to a
        # compression setting that differs between server and client; confirm that this
        # option really reaches the running daemon and that the client profile matches.
        # comp-lzo is also deprecated from OpenVPN 2.4 on, and compression inside a VPN
        # tunnel is generally discouraged.
        option comp_lzo 'yes'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        # Trailing '0' is the tls-auth key direction on the server side; clients use the opposite direction.
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option mode 'server'
        option tls_server '1'
        # Tunnel subnet; the log shows the server taking 192.168.200.1/24 and the client pool returning 192.168.200.2.
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
        # A reply on this page suggests removing route_gateway and the matching push below.
        option route_gateway 'dhcp'
        # With client-to-client enabled, OpenVPN relays traffic between clients inside the
        # daemon, so that traffic is not filtered by the router's firewall zones.
        option client_to_client '1'
        option log '/tmp/openvpn.log'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'topology subnet'
        list push 'route-gateway dhcp'
        # Sends all client traffic through the tunnel.
        list push 'redirect-gateway def1'
        # Pushes a route for the tunnel's own subnet; a reply on this page suggests removing it.
        list push 'route 192.168.200.0 255.255.255.0'
        # DNS server and route for the 10.0.0.0/24 LAN.
        list push 'dhcp-option DNS 10.0.0.1'
        list push 'route 10.0.0.0 255.255.255.0'

note that prior to my modifications the config had:

list push 'route 192.168.200.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.1.1' <----Would i need this? That IP is invalid on my router lan subnet of 10.0.0.x

If you don't have a 192.168.1.0/24 network, you don't need that line in your openVPN config.

Did you update your network config and your firewall to permit the OpenVPN connections to the LAN and WAN? Please post these files:
/etc/config/network
/etc/config/firewall

Notes:
openwrt Router lan subnet: 10.0.0.0
openwrt Router lan ip / Also the lan gateway: 10.0.0.1
openvpn server : 192.168.200.0 (this is used as is from the link with the instructions).
openvpn client ip when connected to vpn: 192.168.200.2

The script that creates the vpn config supposedly adds all the firewall rules needed. if interested this link: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup towards the middle of the page.

At this point, while the vpn connects, the client cannot ping even the vpn server ip which i assume is 192.168.200.1? Though i cannot see this anywhere.
The client also cannot ping any internal lan IP of 10.0.0.x.

Seems like a route issue. i just dont know what routes should be added.

Here my configs:

/etc/config/network

# /etc/config/network as posted by the second user.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde3:536c:2190::/48'

# LAN bridge with the static address 10.0.0.1/24.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.0.1'

# WAN over eth1.2, addressed by DHCP (IPv4) and DHCPv6.
config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

# Interface with proto 'none' for the OpenVPN device ovpns0. The firewall config on this
# page refers to it by name in the 'vpnserver' zone.
# NOTE(review): the closing quote on "option auto" below is missing as posted; confirm
# whether that is a paste error or is also present in the file on the router.
config interface 'vpnserver'
        option proto 'none'
        option ifname 'ovpns0'
        option auto '1

/etc/config/firewall

# Global policy: traffic that matches no zone or rule is dropped on input and rejected on forward.
config defaults
        option syn_flood '1'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'DROP'

# LAN zone: everything is accepted.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# WAN zone: unsolicited input and forwarding are dropped; masq '1' masquerades traffic
# that leaves through the wan/wan6 interfaces.
config zone
        option name 'wan'
        option forward 'DROP'
        option output 'ACCEPT'
        option masq '1'
        option network 'wan wan6'
        option mtu_fix '1'
        option input 'DROP'

# Exceptions to the wan zone's DROP policy. Every rule in this run has src 'wan'.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Disabled (enabled '0'): IPv4 echo-requests from wan fall through to the zone's input policy.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), with the same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The next two rules forward IPsec traffic (ESP, and UDP port 500) from wan to hosts in the lan zone.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Includes the user-maintained file /etc/firewall.user.
config include
        option path '/etc/firewall.user'

		###My forward rules have been removed from this file for privacy reasons #####

		
		# Allows traffic from the lan zone to be forwarded to the wan zone.
		config forwarding
        option dest 'wan'
        option src 'lan'

# Admits connections to the OpenVPN port on the router itself (there is no 'dest' option).
# NOTE(review): src '*' matches every zone and 'tcpudp' opens both protocols. The server
# log on this page shows the daemon bound on UDP 1194 only, so src 'wan' with proto 'udp'
# looks like the narrower equivalent; confirm against the running configuration.
config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcpudp'
        option dest_port '1194'

# Zone for the tunnel interface. The zone name matches the 'vpnserver' interface defined
# in the network config on this page.
# input 'ACCEPT' lets connected VPN clients reach every service on the router itself.
# masq '1' masquerades traffic that leaves through this zone, i.e. towards the VPN
# clients. Traffic from VPN clients to the internet is masqueraded by the wan zone.
config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpnserver'
        option forward 'REJECT'

# VPN clients may be forwarded to the internet ...
config forwarding
        option src 'vpnserver'
        option dest 'wan'

# ... and to hosts on the LAN.
config forwarding
        option src 'vpnserver'
        option dest 'lan'

Firewall and network look okay.

What happens if you remove these three directives from the OpenVPN server config:

        option route_gateway 'dhcp'
        list push 'route-gateway dhcp'
        list push 'route 192.168.200.0 255.255.255.0'

One other thing that could be an issue... how is your OpenVPN service starting (server side)? If it auto-starts on boot, try doing a service restart and see if that resolves the issue.

/etc/init.d/openvpn restart

My theory is this: due to some issues with timing and sequencing, it is possible that the OpenVPN service is starting before the time has been set on the router via NTP. When that happens, it can cause issues like this or other service failures. The solutions are to either delay the OpenVPN start until after NTP has succeeded, or to force a service restart when the clock is set for the first time after boot. Either method should resolve the issue if that is indeed the source of the problem.

Nothing changes with those configs removed. The vpn still connects but I still cannot ping the vpn server IP, internal router lan ip, or google dns 8.8.8.8.

This is what i see in the openvpn log on server side:

Mon Jun 18 09:37:03 2018 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jun 18 09:37:03 2018 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Mon Jun 18 09:37:03 2018 TUN/TAP device ovpns0 opened
Mon Jun 18 09:37:03 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jun 18 09:37:03 2018 /sbin/ip link set dev ovpns0 up mtu 1500
Mon Jun 18 09:37:03 2018 /sbin/ip addr add dev ovpns0 192.168.200.1/24 broadcast 192.168.200.255
Mon Jun 18 09:37:03 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Jun 18 09:37:03 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Jun 18 09:37:03 2018 UDPv4 link remote: [AF_UNSPEC]
Mon Jun 18 09:37:03 2018 Initialization Sequence Completed
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_GUI_VER=OC30Android
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_VER=3.2
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_PLAT=android
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_NCP=2
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_TCPNL=1
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_PROTO=2
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_LZO=1
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_LZO_SWAP=1
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_LZ4=1
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_LZ4v2=1
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_COMP_STUB=1
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_COMP_STUBv2=1
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_AUTO_SESS=1
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 peer info: IV_BS64DL=1
Mon Jun 18 09:37:41 2018 204.48.78.161:54842 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Mon Jun 18 09:37:41 2018 X.X.X.X:54842 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Mon Jun 18 09:37:42 2018 X.X.X.X:54842 [my-client] Peer Connection Initiated with [AF_INET]X.X.X.X:54842
Mon Jun 18 09:37:42 2018 my-client/X.X.X.X:54842 MULTI_sva: pool returned IPv4=192.168.200.2, IPv6=(Not enabled)
Mon Jun 18 09:37:42 2018 my-client/204.48.78.161:54842 IP packet with unknown IP version=15 seen
Mon Jun 18 09:37:43 2018 my-client/204.48.78.161:54842 IP packet with unknown IP version=15 seen
Mon Jun 18 09:37:44 2018 my-client/204.48.78.161:54842 IP packet with unknown IP version=15 seen
Mon Jun 18 09:37:45 2018 my-client/204.48.78.161:54842 IP packet with unknown IP version=15 seen

I've tried restarting openvpn many times already. In fact, every time I make a config change I restart the service. So I don't think it's timing related.