OpenVPN server - TLS key failed to occur within 60 secs

Apologies, not sure how to post the config files in the shortened scrollable format

Hi all,

I've been trying to setup an OpenVPN server on my Linksys 1900ACS router following this guide: https://lede-project.org/docs/user-guide/openvpnserver.setup

But on both Android and Windows devices, I get the message 'TLS key negotiation failed to occur within 60 seconds (check network connectivity)'.

My setup is a Plusnet Hub One router connected directly to the internet with a static public IP. The LEDE router sits behind the Hub One (I think I have switched off everything I can on the Hub One so that it passes all traffic on to the LEDE). Internet connectivity from LAN devices works fine. I have existing port forwards that also give me successful access to internal devices from the outside. I have also forwarded UDP 1194 on the Hub One.

It seems like something is not letting the VPN connection get through, but I cannot figure out what. Any help would be appreciated.

Firewall config:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'Guest'
	option input 'REJECT'
	option network 'Guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'Guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'Guest'

# Four WAN->LAN port forwards (DNAT) to the device at 10.10.10.99.
# NOTE(review): none of them restricts the source address, so the device's
# web, RTSP and SDK ports are offered to anything that can reach the WAN side.
# If access is only needed from known addresses, `option src_ip` narrows each
# redirect; once the VPN works, these forwards could presumably be retired and
# the device reached over the tunnel instead — confirm against actual use.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '8125'
	option dest_ip '10.10.10.99'
	option dest_port '8125'
	option name 'CCTV Web 8125'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '554'
	option dest_ip '10.10.10.99'
	option dest_port '554'
	option name 'CCTV RTSP 554'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '8000'
	option dest_port '8000'
	option name 'CCTV SDK 8000'
	option dest_ip '10.10.10.99'

# This one forwards UDP, whereas the three above forward TCP.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '8124'
	option dest_ip '10.10.10.99'
	option dest_port '8124'
	option name 'CCTV WEB 8124'

config forwarding
	option dest 'wan'
	option src 'Guest'

config forwarding
	option dest 'wan'
	option src 'lan'

# Accepts traffic to port 1194 on the router itself (a rule with `src` but no
# `dest` is an input rule).
# NOTE(review): `src '*'` matches every zone and 'tcpudp' opens TCP as well,
# while the 'vpnserver' OpenVPN section on this page listens on UDP only.
# `src 'wan'` with `proto 'udp'` would be the narrowest match — confirm that
# nothing else relies on the wider rule before tightening it.
config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'tcpudp'
	option dest_port '1194'

config zone
	option name 'vpnserver'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option network 'vpnserver'

config forwarding
	option src 'vpnserver'
	option dest 'wan'

config forwarding
	option src 'vpnserver'
	option dest 'lan'

Network config:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1d:9152:16f0::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.10.10.10'
	option _orig_ifname 'eth0.1 radio0.network1 radio1.network1'
	option _orig_bridge 'true'
	option dns '8.8.8.8'
	option ifname 'eth0 eth0.1'

config interface 'wan'
	option ifname 'eth1.2'
	option _orig_ifname 'eth1.2'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '172.16.0.2'
	option netmask '255.255.255.0'
	option gateway '172.16.0.1'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

# NOTE(review): this and the following `config openvpn` sections are listed
# under the "Network config" heading. The OpenVPN init script reads its
# sections from /etc/config/openvpn; if these really sit in
# /etc/config/network they are presumably not used from there — confirm which
# file holds them.
config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

config openvpn 'vpnserver'
	option enabled '1'
	option dev_type 'tun'
	option dev 'ovpns0'
	option port '1194'
	option proto 'udp'
	option comp_lzo 'yes'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option mode 'server'
	option tls_server '1'
	option server '192.168.200.0 255.255.255.0'
	option topology 'subnet'
	option route_gateway 'dhcp'
	option client_to_client '1'
	option key_direction '0'
	list push 'comp-lzo yes'
	list push 'persist-key'
	list push 'persist-tun'
	list push 'topology subnet'
	list push 'route-gateway dhcp'
	list push 'redirect-gateway def1'
	list push 'route 192.168.200.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'


config interface 'Guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option dns '8.8.8.8'

config interface 'vpnserver'
	option proto 'none'
	option ifname 'ovpns0'
	option auto '1'

OpenVPN config:

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

# Stock sample server section. It carries no `option enabled`, so it is
# presumably not started — confirm.
# NOTE(review): it points at a 1024-bit DH parameter file (dh1024.pem), a size
# generally considered too weak for new deployments; the 'vpnserver' section
# on this page uses dh2048.pem instead. Do not enable this sample as-is.
config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

# The enabled server instance: UDP port 1194 on tun device 'ovpns0', handing
# out addresses from 192.168.200.0/24.
# NOTE(review): no `option log` is set, so server messages presumably go to
# the system log (logread) rather than to a file under /tmp — confirm.
# NOTE(review): no `option cipher` is set; the client log on this page shows
# ciphername 'BF-CBC' as the configured fallback. Setting an AES cipher
# explicitly on both ends avoids depending on that default.
config openvpn 'vpnserver'
	option enabled '1'
	option dev_type 'tun'
	option dev 'ovpns0'
	option port '1194'
	option proto 'udp'
	# Server enables LZO and pushes 'comp-lzo yes'; the client file posted
	# later on this page says 'comp-lzo no' — worth aligning both ends.
	option comp_lzo 'yes'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option mode 'server'
	option tls_server '1'
	option server '192.168.200.0 255.255.255.0'
	option topology 'subnet'
	option route_gateway 'dhcp'
	# With client_to_client, OpenVPN relays traffic between VPN clients
	# internally, so that traffic is not filtered by the firewall zone rules.
	option client_to_client '1'
	# key_direction only takes effect together with a tls_auth key file, and
	# no `option tls_auth` is set in this section. If one end uses tls-auth
	# and the other does not, control packets fail HMAC verification and the
	# handshake times out.
	option key_direction '0'
	list push 'comp-lzo yes'
	list push 'persist-key'
	list push 'persist-tun'
	list push 'topology subnet'
	list push 'route-gateway dhcp'
	list push 'redirect-gateway def1'
	# NOTE(review): this pushes the tunnel subnet itself; the LAN shown on this
	# page is 10.10.10.0/24, and 192.168.1.1 below is not on any subnet in the
	# posted network config — confirm both values.
	list push 'route 192.168.200.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'

Instead of port forwarding on Plusnet Hub One router I would just use DMZ on it where you put your LEDE router into the DMZ. I know the interface of the Plusnet Hub One router and it's total crap :slight_smile:
Anyway, you'll still be doing double NAT but it should work.... Did you know that you can also convert the Plusnet router to run LEDE?

Your problem may be related to boot sequencing (specifically the system time) -- I had similar issues that I solved by adjusting the timing of the OpenVPN startup.

See this post and follow the link within the post if the experiment works.

Yeah I've tried both, port forward and putting in DMZ no joy. I do know about the Hub One running LEDE. I actually borrowed a mate's BT HH5, which he bought already converted from eBay. I had that set up but it was too under powered - OpenVPN client speeds were down about 60-70%

Unfortunately my soldering skills are not quite up to the job, else I would have converted my Hub One. To be fair, the Hub One unmodified has been doing its job as is, else I was thinking about getting an OpenReach Modem. I'm still thinking the double nat might be causing issues with OpenVPN server?

I did see your post before posting on here, but still no luck.

Try stopping and restarting the OpenVPN service:

/etc/init.d/openvpn stop
/etc/init.d/openvpn start

Then try to connect from one of your clients. If that fixes the problem, chances are that this is an issue with the boot sequence/timing.

You should be able to run openvpn behind double nat, I do it in one location. Here are excerpts from my config:

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

in /etc/config/network

config zone
        option name 'vpn'
        option network 'vpn0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config rule
        option _name 'openvpn-udp'
        option src 'wan'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '1194'

in /etc/config/firewall

config openvpn 'server'
        option dev 'tun'
        option comp_lzo 'yes'
        option mssfix '1420'
        option keepalive '10 60'
        option verb '3'
        option server '10.0.100.0 255.255.255.0'
        option port '1195'
        option cipher 'AES-256-CBC'
        option ca '/etc/openvpn/ca.crt'
        option dh '/etc/openvpn/dh.pem'
        option key '/etc/openvpn/server.key'
        option cert '/etc/openvpn/server.crt'
        option tls_auth '/etc/openvpn/ta.key 0'
        option client_to_client '1'
        list 'push' 'route 192.168.7.0 255.255.255.0'
        list 'push' 'redirect-gateway'
        list 'push' 'dhcp-option DNS 192.168.7.1'
        list 'push' 'dhcp-option DNS 208.67.222.222'
        option enabled '1'

in /etc/config/openvpn.

Btw, with HH5A/Plusnet Hub running lede you don't need openreach modem to avoid double nat, you can put them into a bridge mode. This is how:

config dsl 'dsl'
        option annex 'b'
        option tone 'a'
        option xfer_mode 'ptm'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'ptm101'
        option proto 'static'
        option ipaddr '192.168.105.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ifname 'eth0.2 ptm0.101'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 2 5 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '4 6t'

in /etc/config/network. Here port 4 has vdsl bridged to it and you can pick up internet from it on your main router by configuring pppoe on it (exactly as you would do on openreach modem). You can disable firewall on the HH5A/Plusnet Hub.

Thanks, yes, I realise that. I meant I was previously considering getting an Openreach modem to replace the Hub One all together.

You're missing option tls_auth /path/to/tls-auth.key in the server config, and tls-auth /path/to/tls-auth.key in client, along with key-direction 1

Just added those values. But still the same error.

Did you restart the server, disconnect the client, then connect the client? If so, please do the following:

  1. /etc/config/openvpn:
    • verb 5
    • proto tcp
  2. /etc/config/firewall:
    • Change OpenVPN rules to proto 'tcp udp'
  3. Client Config:
    • verb 7
    • proto tcp
  4. Disconnect Client
  5. LEDE: cd /etc/init.d && ./firewall reload && ./openvpn restart
  6. Reconnect client

Once that's done and the TLS error occurs, please post your client and server logs, as well as the configs for each (please ensure you remove the WAN IP and DDNS name from configs and logs).

  • Server Log: /tmp/openvpn.log
  • Client Log:
    • Windows: Right click on OpenVPN tray icon -> View Log
    • BSD/Linux: Refer to OpenVPN client config or application

I cannot find the openvpn server log, there is no such filename in the tmp folder. Android Client Log file in next post (due to max character restriction).

NB: Just to reiterate (and if it helps), I followed this guide for setup: https://lede-project.org/docs/user-guide/openvpnserver.setup My command line programming skills are evidently not good at all. So I just followed the instructions on that post parrot-fashion.

Firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'Guest'
	option input 'REJECT'
	option network 'Guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'Guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'Guest'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '8125'
	option dest_ip '10.10.10.99'
	option dest_port '8125'
	option name 'CCTV Web 8125'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '554'
	option dest_ip '10.10.10.99'
	option dest_port '554'
	option name 'CCTV RTSP 554'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '8000'
	option dest_port '8000'
	option name 'CCTV SDK 8000'
	option dest_ip '10.10.10.99'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '8124'
	option dest_ip '10.10.10.99'
	option dest_port '8124'
	option name 'CCTV WEB 8124'

config forwarding
	option dest 'wan'
	option src 'Guest'

config forwarding
	option dest 'wan'
	option src 'lan'

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'tcp udp'
	option dest_port '1194'

config zone
	option name 'vpnserver'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option network 'vpnserver'

config forwarding
	option src 'vpnserver'
	option dest 'wan'

config forwarding
	option src 'vpnserver'
	option dest 'lan'

# NOTE(review): dest_ip 10.10.10.10 is the router's own LAN address (see the
# 'lan' interface in the network config on this page), so this DNAT points
# WAN traffic back at the router. The 'Allow-OpenVPN-Inbound' input rule
# already admits port 1194 to a server running on the router itself, so this
# redirect is presumably unnecessary — confirm, then remove it.
# It also matches UDP only, while the server section posted below it was
# switched to proto 'tcp' for the test.
config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'udp'
	option src_dport '1194'
	option dest_port '1194'
	option name 'InboundUDP'
	option dest_ip '10.10.10.10'
	option dest 'lan'

Openvpn:

# Server section as modified for the TCP test (proto changed from 'udp').
# Still no `option tls_auth` and no `option log` in this section.
config openvpn 'vpnserver'
	option enabled '1'
	option dev_type 'tun'
	option dev 'ovpns0'
	option port '1194'
	option proto 'tcp'
	option comp_lzo 'yes'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option mode 'server'
	option tls_server '1'
	option server '192.168.200.0 255.255.255.0'
	option topology 'subnet'
	option route_gateway 'dhcp'
	option client_to_client '1'
	option key_direction '0'
	# NOTE(review): the next line lacks the `option` keyword (expected form:
	# option verb '5'). UCI will likely reject it, which may stop this file
	# from loading at all — check with `uci show openvpn`.
	verb 5
	list push 'comp-lzo yes'
	list push 'persist-key'
	list push 'persist-tun'
	list push 'topology subnet'
	list push 'route-gateway dhcp'
	list push 'redirect-gateway def1'
	list push 'route 192.168.200.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'

VPNClient.ovpn

# Client profile: TCP to port 1194 on the (redacted) server address, with the
# CA, client certificate and private key supplied as inline blocks below.
# NOTE(review): the inline <key> block is private key material. It appears
# truncated in this listing; a key that was ever posted in full should be
# treated as compromised and reissued.
# NOTE(review): no tls-auth block or key-direction appears in this listing,
# yet the client log on this page reports tls_auth_file = '[[INLINE]]' with
# key_direction = (null). Both ends need the same tls-auth key, direction 0 on
# the server and 1 on the client; otherwise control packets are dropped and
# the handshake times out.
client
  dev tun
  proto tcp
  fast-io
  remote X.X.X.X 1194
  # Requires the server certificate to carry the TLS server extended key
  # usage (the log shows remote_cert_eku = 'TLS Web Server Authentication').
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  # Server sections on this page set comp_lzo 'yes' — worth aligning.
  comp-lzo no
  verb 7
<ca>
-----BEGIN CERTIFICATE-----
MIIFNTCCAx2gAwIBAgIJAIfH8OcMg73zDjuOG9nqGz/mTFvWg=
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=London, O=WWW Ltd.
        Validity
            Not Before: Feb  1 10:03:30 2018 GMT
            Not After : Jan 30 10:03:30 2028 GMT
        Subject: CN=my-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ad:7d:1a:75:de
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         9c:e6:06:0c:78:3e:32:b8:84:e2:92:69:d1:51:ab:c0:56:5c:
         
-----BEGIN CERTIFICATE-----
MIIE5TCCAs2gAwIBAgICEAEwDQ
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwg
-----END PRIVATE KEY-----
</key>

Android Client Log:

2018-02-01 17:37:46 official build 0.6.73 running on samsung SM-J320FN (SC9830I), Android 5.1.1 (LMY47V) API 22, ABI armeabi-v7a, (samsung/j3xnltexx/j3xnlte:5.1.1/LMY47V/J320FNXXU0AQJ4:user/release-keys)
2018-02-01 17:37:46 Building configuration…
2018-02-01 17:37:46 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2018-02-01 17:37:46 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2018-02-01 17:37:46 started Socket Thread
2018-02-01 17:37:46 Network Status: CONNECTED HSUPA to MOBILE everywhere
2018-02-01 17:37:46 Debug state info: CONNECTED HSUPA to MOBILE everywhere, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2018-02-01 17:37:46 P:WARNING: linker: /data/data/de.blinkt.openvpn/cache/c_pie_openvpn.armeabi-v7a: unused DT entry: type 0x6ffffffe arg 0x338
2018-02-01 17:37:46 P:WARNING: linker: /data/data/de.blinkt.openvpn/cache/c_pie_openvpn.armeabi-v7a: unused DT entry: type 0x6fffffff arg 0x1
2018-02-01 17:37:46 P:WARNING: linker: libopenvpn.so: unused DT entry: type 0x6ffffffe arg 0x455a4
2018-02-01 17:37:46 P:WARNING: linker: libopenvpn.so: unused DT entry: type 0x6fffffff arg 0x3
2018-02-01 17:37:46 Debug state info: CONNECTED HSUPA to MOBILE everywhere, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2018-02-01 17:37:46 P:Initializing Google Breakpad!
2018-02-01 17:37:46 Current Parameter Settings:
2018-02-01 17:37:46 Waiting 0s seconds between connection attempt
2018-02-01 17:37:46   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2018-02-01 17:37:46   mode = 0
2018-02-01 17:37:46   show_ciphers = DISABLED
2018-02-01 17:37:46   show_digests = DISABLED
2018-02-01 17:37:46   show_engines = DISABLED
2018-02-01 17:37:46   genkey = DISABLED
2018-02-01 17:37:46   key_pass_file = '[UNDEF]'
2018-02-01 17:37:46   show_tls_ciphers = DISABLED
2018-02-01 17:37:46   connect_retry_max = 0
2018-02-01 17:37:46 Connection profiles [0]:
2018-02-01 17:37:46   proto = tcp-client
2018-02-01 17:37:46   local = '[UNDEF]'
2018-02-01 17:37:46   local_port = '[UNDEF]'
2018-02-01 17:37:46   remote = 'X.X.X.X'
2018-02-01 17:37:46   remote_port = '1194'
2018-02-01 17:37:46   remote_float = DISABLED
2018-02-01 17:37:46   bind_defined = DISABLED
2018-02-01 17:37:46   bind_local = DISABLED
2018-02-01 17:37:46   bind_ipv6_only = DISABLED
2018-02-01 17:37:46   connect_retry_seconds = 2
2018-02-01 17:37:46   connect_timeout = 120
2018-02-01 17:37:46   socks_proxy_server = '[UNDEF]'
2018-02-01 17:37:46   socks_proxy_port = '[UNDEF]'
2018-02-01 17:37:46   tun_mtu = 1500
2018-02-01 17:37:46   tun_mtu_defined = ENABLED
2018-02-01 17:37:46   link_mtu = 1500
2018-02-01 17:37:47   link_mtu_defined = DISABLED
2018-02-01 17:37:47   tun_mtu_extra = 0
2018-02-01 17:37:47   tun_mtu_extra_defined = DISABLED
2018-02-01 17:37:47   mtu_discover_type = -1
2018-02-01 17:37:47   fragment = 0
2018-02-01 17:37:47   mssfix = 1450
2018-02-01 17:37:47   explicit_exit_notification = 0
2018-02-01 17:37:47 Connection profiles END
2018-02-01 17:37:47   remote_random = DISABLED
2018-02-01 17:37:47 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:47 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:47   ipchange = '[UNDEF]'
2018-02-01 17:37:47   dev = 'tun'
2018-02-01 17:37:47   dev_type = '[UNDEF]'
2018-02-01 17:37:47   dev_node = '[UNDEF]'
2018-02-01 17:37:47   lladdr = '[UNDEF]'
2018-02-01 17:37:47   topology = 1
2018-02-01 17:37:47   ifconfig_local = '[UNDEF]'
2018-02-01 17:37:47   ifconfig_remote_netmask = '[UNDEF]'
2018-02-01 17:37:47   ifconfig_noexec = DISABLED
2018-02-01 17:37:47   ifconfig_nowarn = ENABLED
2018-02-01 17:37:47   ifconfig_ipv6_local = '[UNDEF]'
2018-02-01 17:37:47   ifconfig_ipv6_netbits = 0
2018-02-01 17:37:47   ifconfig_ipv6_remote = '[UNDEF]'
2018-02-01 17:37:47   shaper = 0
2018-02-01 17:37:47   mtu_test = 0
2018-02-01 17:37:47   mlock = DISABLED
2018-02-01 17:37:47   keepalive_ping = 0
2018-02-01 17:37:47   keepalive_timeout = 0
2018-02-01 17:37:47   inactivity_timeout = 0
2018-02-01 17:37:47   ping_send_timeout = 0
2018-02-01 17:37:47   ping_rec_timeout = 0
2018-02-01 17:37:47   ping_rec_timeout_action = 0
2018-02-01 17:37:47   ping_timer_remote = DISABLED
2018-02-01 17:37:47   remap_sigusr1 = 0
2018-02-01 17:37:47   persist_tun = ENABLED
2018-02-01 17:37:47   persist_local_ip = DISABLED
2018-02-01 17:37:47   persist_remote_ip = DISABLED
2018-02-01 17:37:47   persist_key = DISABLED
2018-02-01 17:37:47   passtos = DISABLED
2018-02-01 17:37:47   resolve_retry_seconds = 60
2018-02-01 17:37:47   resolve_in_advance = ENABLED
2018-02-01 17:37:47   username = '[UNDEF]'
2018-02-01 17:37:47   groupname = '[UNDEF]'
2018-02-01 17:37:47   chroot_dir = '[UNDEF]'
2018-02-01 17:37:47   cd_dir = '[UNDEF]'
2018-02-01 17:37:47   writepid = '[UNDEF]'
2018-02-01 17:37:47   up_script = '[UNDEF]'
2018-02-01 17:37:47   down_script = '[UNDEF]'
2018-02-01 17:37:47   down_pre = DISABLED
2018-02-01 17:37:47   up_restart = DISABLED
2018-02-01 17:37:47   up_delay = DISABLED
2018-02-01 17:37:47   daemon = DISABLED
2018-02-01 17:37:47   inetd = 0
2018-02-01 17:37:47   log = DISABLED
2018-02-01 17:37:47   suppress_timestamps = DISABLED
2018-02-01 17:37:47   machine_readable_output = ENABLED
2018-02-01 17:37:47   nice = 0
2018-02-01 17:37:47   verbosity = 4
2018-02-01 17:37:47   mute = 0
2018-02-01 17:37:47   gremlin = 0
2018-02-01 17:37:47   status_file = '[UNDEF]'
2018-02-01 17:37:47   status_file_version = 1
2018-02-01 17:37:47   status_file_update_freq = 60
2018-02-01 17:37:47   occ = ENABLED
2018-02-01 17:37:47   rcvbuf = 0
2018-02-01 17:37:47   sndbuf = 0
2018-02-01 17:37:47   sockflags = 0
2018-02-01 17:37:47   fast_io = ENABLED
2018-02-01 17:37:47   comp.alg = 2
2018-02-01 17:37:47   comp.flags = 1
2018-02-01 17:37:47   route_script = '[UNDEF]'
2018-02-01 17:37:47   route_default_gateway = '[UNDEF]'
2018-02-01 17:37:47   route_default_metric = 0
2018-02-01 17:37:47   route_noexec = DISABLED
2018-02-01 17:37:47   route_delay = 0
2018-02-01 17:37:47   route_delay_window = 30
2018-02-01 17:37:47   route_delay_defined = DISABLED
2018-02-01 17:37:47   route_nopull = DISABLED
2018-02-01 17:37:47   route_gateway_via_dhcp = DISABLED
2018-02-01 17:37:47   allow_pull_fqdn = DISABLED
2018-02-01 17:37:47   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2018-02-01 17:37:47   management_port = 'unix'
2018-02-01 17:37:47   management_user_pass = '[UNDEF]'
2018-02-01 17:37:47   management_log_history_cache = 250
2018-02-01 17:37:47   management_echo_buffer_size = 100
2018-02-01 17:37:47   management_write_peer_info_file = '[UNDEF]'
2018-02-01 17:37:47   management_client_user = '[UNDEF]'
2018-02-01 17:37:47   management_client_group = '[UNDEF]'
2018-02-01 17:37:47   management_flags = 4390
2018-02-01 17:37:47   shared_secret_file = '[UNDEF]'
2018-02-01 17:37:47   key_direction = (null)
2018-02-01 17:37:47   ciphername = 'BF-CBC'
2018-02-01 17:37:47   ncp_enabled = ENABLED
2018-02-01 17:37:47   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2018-02-01 17:37:47   authname = 'SHA1'
2018-02-01 17:37:47   prng_hash = 'SHA1'
2018-02-01 17:37:47   prng_nonce_secret_len = 16
2018-02-01 17:37:47   keysize = 0
2018-02-01 17:37:47   engine = DISABLED
2018-02-01 17:37:47   replay = ENABLED
2018-02-01 17:37:47   mute_replay_warnings = DISABLED
2018-02-01 17:37:47   replay_window = 64
2018-02-01 17:37:47   replay_time = 15
2018-02-01 17:37:47   packet_id_file = '[UNDEF]'
2018-02-01 17:37:47   test_crypto = DISABLED
2018-02-01 17:37:47   tls_server = DISABLED
2018-02-01 17:37:47   tls_client = ENABLED
2018-02-01 17:37:47   key_method = 2
2018-02-01 17:37:47   ca_file = '[[INLINE]]'
2018-02-01 17:37:47   ca_path = '[UNDEF]'
2018-02-01 17:37:47   dh_file = '[UNDEF]'
2018-02-01 17:37:47   cert_file = '[[INLINE]]'
2018-02-01 17:37:47   extra_certs_file = '[UNDEF]'
2018-02-01 17:37:47   priv_key_file = '[[INLINE]]'
2018-02-01 17:37:47   pkcs12_file = '[UNDEF]'
2018-02-01 17:37:47   cipher_list = '[UNDEF]'
2018-02-01 17:37:47   tls_verify = '[UNDEF]'
2018-02-01 17:37:47   tls_export_cert = '[UNDEF]'
2018-02-01 17:37:47   verify_x509_type = 0
2018-02-01 17:37:47   verify_x509_name = '[UNDEF]'
2018-02-01 17:37:47   crl_file = '[UNDEF]'
2018-02-01 17:37:47   ns_cert_type = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 65535
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_eku = 'TLS Web Server Authentication'
2018-02-01 17:37:47   ssl_flags = 0
2018-02-01 17:37:47   tls_timeout = 2
2018-02-01 17:37:47   renegotiate_bytes = -1
2018-02-01 17:37:47   renegotiate_packets = 0
2018-02-01 17:37:47   renegotiate_seconds = 3600
2018-02-01 17:37:47   handshake_window = 60
2018-02-01 17:37:47   transition_window = 3600
2018-02-01 17:37:47   single_session = DISABLED
2018-02-01 17:37:47   push_peer_info = DISABLED
2018-02-01 17:37:47   tls_exit = DISABLED
2018-02-01 17:37:47   tls_auth_file = '[[INLINE]]'
2018-02-01 17:37:47   tls_crypt_file = '[UNDEF]'
2018-02-01 17:37:47   client = ENABLED
2018-02-01 17:37:47   pull = ENABLED
2018-02-01 17:37:47   auth_user_pass_file = '[UNDEF]'
2018-02-01 17:37:47 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-d51333c645c12713+] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 26 2017
2018-02-01 17:37:47 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
2018-02-01 17:37:47 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
2018-02-01 17:37:47 MANAGEMENT: CMD 'hold release'
2018-02-01 17:37:47 MANAGEMENT: CMD 'proxy NONE'
2018-02-01 17:37:47 MANAGEMENT: CMD 'bytecount 2'
2018-02-01 17:37:47 MANAGEMENT: CMD 'state on'
2018-02-01 17:37:47 NOTE: --fast-io is disabled since we are not using UDP
2018-02-01 17:37:47 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:37:47 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:37:47 LZO compression initializing
2018-02-01 17:37:47 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
2018-02-01 17:37:47 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2018-02-01 17:37:47 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2018-02-01 17:37:47 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2018-02-01 17:37:47 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
2018-02-01 17:37:47 Socket Buffers: R=[244668->244668] S=[100663->100663]
2018-02-01 17:37:47 Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
2018-02-01 17:37:47 MANAGEMENT: >STATE:1517506667,TCP_CONNECT,,,,,,
2018-02-01 17:37:47 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2018-02-01 17:37:48 TCP connection established with [AF_INET]X.X.X.X:1194
2018-02-01 17:37:48 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2018-02-01 17:37:48 TCP_CLIENT link local: (not bound)
2018-02-01 17:37:48 TCP_CLIENT link remote: [AF_INET]X.X.X.X:1194
2018-02-01 17:37:48 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:48 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:48 MANAGEMENT: >STATE:1517506668,WAIT,,,,,,
2018-02-01 17:37:48 Connection reset, restarting [0]
2018-02-01 17:37:48 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2018-02-01 17:37:48 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2018-02-01 17:37:48 TCP/UDP: Closing socket
2018-02-01 17:37:48 SIGUSR1[soft,connection-reset] received, process restarting
2018-02-01 17:37:48 MANAGEMENT: >STATE:1517506668,RECONNECTING,connection-reset,,,,,
2018-02-01 17:37:48 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2018-02-01 17:37:48 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2018-02-01 17:37:48 Waiting 2s seconds between connection attempt
2018-02-01 17:37:53 MANAGEMENT: CMD 'hold release'
2018-02-01 17:37:53 MANAGEMENT: CMD 'proxy NONE'
2018-02-01 17:37:53 MANAGEMENT: CMD 'bytecount 2'
2018-02-01 17:37:53 MANAGEMENT: CMD 'state on'
2018-02-01 17:37:54 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:54 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:54 NOTE: --fast-io is disabled since we are not using UDP
2018-02-01 17:37:54 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:37:54 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:37:54 LZO compression initializing
2018-02-01 17:37:54 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
2018-02-01 17:37:54 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2018-02-01 17:37:54 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2018-02-01 17:37:54 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2018-02-01 17:37:54 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
2018-02-01 17:37:54 Socket Buffers: R=[244668->244668] S=[100663->100663]
2018-02-01 17:37:54 Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
2018-02-01 17:37:54 MANAGEMENT: >STATE:1517506674,TCP_CONNECT,,,,,,
2018-02-01 17:37:54 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2018-02-01 17:37:55 TCP connection established with [AF_INET]X.X.X.X:1194
2018-02-01 17:37:55 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2018-02-01 17:37:55 TCP_CLIENT link local: (not bound)
2018-02-01 17:37:55 TCP_CLIENT link remote: [AF_INET]X.X.X.X:1194
2018-02-01 17:37:55 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:55 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:55 MANAGEMENT: >STATE:1517506675,WAIT,,,,,,
2018-02-01 17:37:56 Connection reset, restarting [0]
2018-02-01 17:37:56 TCP/UDP: Closing socket
2018-02-01 17:37:56 SIGUSR1[soft,connection-reset] received, process restarting
2018-02-01 17:37:56 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2018-02-01 17:37:56 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2018-02-01 17:37:56 MANAGEMENT: >STATE:1517506676,RECONNECTING,connection-reset,,,,,
2018-02-01 17:37:56 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2018-02-01 17:37:56 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2018-02-01 17:37:56 Waiting 2s seconds between connection attempt
2018-02-01 17:38:01 MANAGEMENT: CMD 'hold release'
2018-02-01 17:38:01 MANAGEMENT: CMD 'proxy NONE'
2018-02-01 17:38:01 MANAGEMENT: CMD 'bytecount 2'
2018-02-01 17:38:01 MANAGEMENT: CMD 'state on'
2018-02-01 17:38:01 MANAGEMENT: CMD 'signal SIGUSR1'
2018-02-01 17:38:01 NOTE: --fast-io is disabled since we are not using UDP
2018-02-01 17:38:01 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): close_context usr1 to hup,,,,,
2018-02-01 17:38:01 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): close_context usr1 to hup,,,,,
2018-02-01 17:38:01 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:38:01 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:38:01 SIGHUP[hard,close_context usr1 to hup] received, process restarting
2018-02-01 17:38:01 MANAGEMENT: >STATE:1517506681,RECONNECTING,close_context usr1 to hup,,,,,
2018-02-01 17:38:01 Current Parameter Settings:
2018-02-01 17:38:01   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2018-02-01 17:38:01   mode = 0
2018-02-01 17:38:01 New OpenVPN Status (USERPAUSE->LEVEL_VPNPAUSED): 
2018-02-01 17:38:01 New OpenVPN Status (USERPAUSE->LEVEL_VPNPAUSED): 
2018-02-01 17:38:01   show_ciphers = DISABLED
2018-02-01 17:38:01   show_digests = DISABLED
2018-02-01 17:38:01   show_engines = DISABLED
2018-02-01 17:38:01   genkey = DISABLED
2018-02-01 17:38:01   key_pass_file = '[UNDEF]'
2018-02-01 17:38:01   show_tls_ciphers = DISABLED
2018-02-01 17:38:01   connect_retry_max = 0
2018-02-01 17:38:01 Connection profiles [0]:
2018-02-01 17:38:01   proto = tcp-client
2018-02-01 17:38:01   local = '[UNDEF]'
2018-02-01 17:38:01   local_port = '[UNDEF]'
2018-02-01 17:38:01   remote = 'X.X.X.X'
2018-02-01 17:38:01   remote_port = '1194'
2018-02-01 17:38:01   remote_float = DISABLED
2018-02-01 17:38:01   bind_defined = DISABLED
2018-02-01 17:38:01   bind_local = DISABLED
2018-02-01 17:38:01   bind_ipv6_only = DISABLED
2018-02-01 17:38:01   connect_retry_seconds = 2
2018-02-01 17:38:01   connect_timeout = 120
2018-02-01 17:38:01   socks_proxy_server = '[UNDEF]'
2018-02-01 17:38:01   socks_proxy_port = '[UNDEF]'
2018-02-01 17:38:01   tun_mtu = 1500
2018-02-01 17:38:01   tun_mtu_defined = ENABLED
2018-02-01 17:38:01   link_mtu = 1500
2018-02-01 17:38:01   link_mtu_defined = DISABLED
2018-02-01 17:38:01   tun_mtu_extra = 0
2018-02-01 17:38:01   tun_mtu_extra_defined = DISABLED
2018-02-01 17:38:01   mtu_discover_type = -1
2018-02-01 17:38:01   fragment = 0
2018-02-01 17:38:01   mssfix = 1450
2018-02-01 17:38:01   explicit_exit_notification = 0
2018-02-01 17:38:01 Connection profiles END
2018-02-01 17:38:01   remote_random = DISABLED
2018-02-01 17:38:01   ipchange = '[UNDEF]'
2018-02-01 17:38:01   dev = 'tun'
2018-02-01 17:38:01   dev_type = '[UNDEF]'
2018-02-01 17:38:01   dev_node = '[UNDEF]'
2018-02-01 17:38:01   lladdr = '[UNDEF]'
2018-02-01 17:38:01   topology = 1
2018-02-01 17:38:01   ifconfig_local = '[UNDEF]'
2018-02-01 17:38:01   ifconfig_remote_netmask = '[UNDEF]'
2018-02-01 17:38:01   ifconfig_noexec = DISABLED
2018-02-01 17:38:01   ifconfig_nowarn = ENABLED
2018-02-01 17:38:01   ifconfig_ipv6_local = '[UNDEF]'
2018-02-01 17:38:01   ifconfig_ipv6_netbits = 0
2018-02-01 17:38:01   ifconfig_ipv6_remote = '[UNDEF]'
2018-02-01 17:38:01   shaper = 0
2018-02-01 17:38:01   mtu_test = 0
2018-02-01 17:38:01   mlock = DISABLED
2018-02-01 17:38:01   keepalive_ping = 0
2018-02-01 17:38:01   keepalive_timeout = 0
2018-02-01 17:38:01   inactivity_timeout = 0
2018-02-01 17:38:01   ping_send_timeout = 0
2018-02-01 17:38:01   ping_rec_timeout = 0
2018-02-01 17:38:01   ping_rec_timeout_action = 0
2018-02-01 17:38:01   ping_timer_remote = DISABLED
2018-02-01 17:38:01   remap_sigusr1 = 0
2018-02-01 17:38:01   persist_tun = ENABLED
2018-02-01 17:38:01   persist_local_ip = DISABLED
2018-02-01 17:38:01   persist_remote_ip = DISABLED
2018-02-01 17:38:01   persist_key = DISABLED
2018-02-01 17:38:01   passtos = DISABLED
2018-02-01 17:38:01   resolve_retry_seconds = 60
2018-02-01 17:38:01   resolve_in_advance = ENABLED
2018-02-01 17:38:01   username = '[UNDEF]'
2018-02-01 17:38:01   groupname = '[UNDEF]'
2018-02-01 17:38:01   chroot_dir = '[UNDEF]'
2018-02-01 17:38:01   cd_dir = '[UNDEF]'
2018-02-01 17:38:01   writepid = '[UNDEF]'
2018-02-01 17:38:01   up_script = '[UNDEF]'
2018-02-01 17:38:01   down_script = '[UNDEF]'
2018-02-01 17:38:01   down_pre = DISABLED
2018-02-01 17:38:01   up_restart = DISABLED
2018-02-01 17:38:01   up_delay = DISABLED
2018-02-01 17:38:01   daemon = DISABLED
2018-02-01 17:38:01   inetd = 0
2018-02-01 17:38:01   log = DISABLED
2018-02-01 17:38:01   suppress_timestamps = DISABLED
2018-02-01 17:38:01   machine_readable_output = ENABLED
2018-02-01 17:38:01   nice = 0
2018-02-01 17:38:01   verbosity = 4
2018-02-01 17:38:01   mute = 0
2018-02-01 17:38:01   gremlin = 0
2018-02-01 17:38:01   status_file = '[UNDEF]'
2018-02-01 17:38:01   status_file_version = 1
2018-02-01 17:38:01   status_file_update_freq = 60
2018-02-01 17:38:01   occ = ENABLED
2018-02-01 17:38:01   rcvbuf = 0
2018-02-01 17:38:01   sndbuf = 0
2018-02-01 17:38:01   sockflags = 0
2018-02-01 17:38:01   fast_io = ENABLED
2018-02-01 17:38:01   comp.alg = 2
2018-02-01 17:38:01   comp.flags = 1
2018-02-01 17:38:01   route_script = '[UNDEF]'
2018-02-01 17:38:01   route_default_gateway = '[UNDEF]'
2018-02-01 17:38:01   route_default_metric = 0
2018-02-01 17:38:01   route_noexec = DISABLED
2018-02-01 17:38:01   route_delay = 0
2018-02-01 17:38:01   route_delay_window = 30
2018-02-01 17:38:01   route_delay_defined = DISABLED
2018-02-01 17:38:01   route_nopull = DISABLED
2018-02-01 17:38:01   route_gateway_via_dhcp = DISABLED
2018-02-01 17:38:01   allow_pull_fqdn = DISABLED
2018-02-01 17:38:01   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2018-02-01 17:38:01   management_port = 'unix'
2018-02-01 17:38:01   management_user_pass = '[UNDEF]'
2018-02-01 17:38:01   management_log_history_cache = 250
2018-02-01 17:38:01   management_echo_buffer_size = 100
2018-02-01 17:38:01   management_write_peer_info_file = '[UNDEF]'
2018-02-01 17:38:01   management_client_user = '[UNDEF]'
2018-02-01 17:38:01   management_client_group = '[UNDEF]'
2018-02-01 17:38:01   management_flags = 4390
2018-02-01 17:38:01   shared_secret_file = '[UNDEF]'
2018-02-01 17:38:01   key_direction = (null)
2018-02-01 17:38:01   ciphername = 'BF-CBC'
2018-02-01 17:38:01   ncp_enabled = ENABLED
2018-02-01 17:38:01   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2018-02-01 17:38:01   authname = 'SHA1'
2018-02-01 17:38:01   prng_hash = 'SHA1'
2018-02-01 17:38:01   prng_nonce_secret_len = 16
2018-02-01 17:38:01   keysize = 0
2018-02-01 17:38:01   engine = DISABLED
2018-02-01 17:38:01   replay = ENABLED
2018-02-01 17:38:01   mute_replay_warnings = DISABLED
2018-02-01 17:38:01   replay_window = 64
2018-02-01 17:38:01   replay_time = 15
2018-02-01 17:38:01   packet_id_file = '[UNDEF]'
2018-02-01 17:38:01   test_crypto = DISABLED
2018-02-01 17:38:01   tls_server = DISABLED
2018-02-01 17:38:01   tls_client = ENABLED
2018-02-01 17:38:01   key_method = 2
2018-02-01 17:38:01   ca_file = '[[INLINE]]'
2018-02-01 17:38:01   ca_path = '[UNDEF]'
2018-02-01 17:38:01   dh_file = '[UNDEF]'
2018-02-01 17:38:01   cert_file = '[[INLINE]]'
2018-02-01 17:38:01   extra_certs_file = '[UNDEF]'
2018-02-01 17:38:01   priv_key_file = '[[INLINE]]'
2018-02-01 17:38:01   pkcs12_file = '[UNDEF]'
2018-02-01 17:38:01   cipher_list = '[UNDEF]'
2018-02-01 17:38:01   tls_verify = '[UNDEF]'
2018-02-01 17:38:01   tls_export_cert = '[UNDEF]'
2018-02-01 17:38:01   verify_x509_type = 0
2018-02-01 17:38:01   verify_x509_name = '[UNDEF]'
2018-02-01 17:38:01   crl_file = '[UNDEF]'
2018-02-01 17:38:01   ns_cert_type = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 65535
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_eku = 'TLS Web Server Authentication'
2018-02-01 17:38:01   ssl_flags = 0
2018-02-01 17:38:01   tls_timeout = 2
2018-02-01 17:38:01   renegotiate_bytes = -1
2018-02-01 17:38:01   renegotiate_packets = 0
2018-02-01 17:38:01   renegotiate_seconds = 3600
2018-02-01 17:38:01   handshake_window = 60
2018-02-01 17:38:01   transition_window = 3600
2018-02-01 17:38:01   single_session = DISABLED
2018-02-01 17:38:01   push_peer_info = DISABLED
2018-02-01 17:38:01   tls_exit = DISABLED
2018-02-01 17:38:01   tls_auth_file = '[[INLINE]]'
2018-02-01 17:38:01   tls_crypt_file = '[UNDEF]'
2018-02-01 17:38:01   client = ENABLED
2018-02-01 17:38:01   pull = ENABLED
2018-02-01 17:38:01   auth_user_pass_file = '[UNDEF]'
2018-02-01 17:38:01 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-d51333c645c12713+] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 26 2017
2018-02-01 17:38:01 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
2018-02-01 17:38:12 MANAGEMENT: CMD 'signal SIGINT'
2018-02-01 17:38:12 Signal received from management interface, exiting
2018-02-01 17:38:12 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.
2018-02-01 17:38:12 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.

Add

log /tmp/openvpn.log
verb 9

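to your OpenVPN config. That will generate a log you can post. verb 9 is very verbose, so mask your public IP addresses before posting and turn the level back down once the problem is found.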

verb 5 is all that's needed in the server config

verb 5 was not working, so I tried dziny's suggestion:

OpenVPN server log:

Thu Feb  1 20:32:44 2018 us=536238 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Feb  1 20:32:44 2018 us=536320 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Thu Feb  1 20:32:44 2018 us=537151 Diffie-Hellman initialized with 2048 bit key
Thu Feb  1 20:32:44 2018 us=538243 TLS-Auth MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:32:44 2018 us=538931 TUN/TAP device ovpns0 opened
Thu Feb  1 20:32:44 2018 us=539011 TUN/TAP TX queue length set to 100
Thu Feb  1 20:32:44 2018 us=539062 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Feb  1 20:32:44 2018 us=539134 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Thu Feb  1 20:32:44 2018 us=544717 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:32:44 2018 us=544805 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Feb  1 20:32:44 2018 us=544865 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Feb  1 20:32:44 2018 us=544919 Listening for incoming TCP connection on [AF_INET][undef]:1194
Thu Feb  1 20:32:44 2018 us=544972 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Thu Feb  1 20:32:44 2018 us=545011 TCPv4_SERVER link remote: [AF_UNSPEC]
Thu Feb  1 20:32:44 2018 us=545053 MULTI: multi_init called, r=256 v=256
Thu Feb  1 20:32:44 2018 us=545122 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Thu Feb  1 20:32:44 2018 us=545196 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Feb  1 20:32:44 2018 us=545289 Initialization Sequence Completed
Thu Feb  1 20:32:44 2018 us=545428  read from TUN/TAP returned 76
Thu Feb  1 20:32:44 2018 us=570087  read from TUN/TAP returned 76
Thu Feb  1 20:32:44 2018 us=969969  read from TUN/TAP returned 76
Thu Feb  1 20:32:45 2018 us=200000  read from TUN/TAP returned 76
Thu Feb  1 20:32:53 2018 us=235680 MULTI: multi_create_instance called
Thu Feb  1 20:32:53 2018 us=235829 Re-using SSL/TLS context
Thu Feb  1 20:32:53 2018 us=235878 LZO compression initializing
Thu Feb  1 20:32:53 2018 us=236098 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:32:53 2018 us=236188 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:32:53 2018 us=236246 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:32:53 2018 us=236285 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:32:53 2018 us=236361 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:32:53 2018 us=236399 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:32:53 2018 us=236455 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:32:53 2018 us=236492 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:32:53 2018 us=236562 TCP connection established with [AF_INET]X.X.X.X:33354
Thu Feb  1 20:32:53 2018 us=236602 TCP_SERVER link local: (not bound)
Thu Feb  1 20:32:53 2018 us=236648 TCP_SERVER link remote: [AF_INET]X.X.X.X:33354
Thu Feb  1 20:32:53 2018 us=535830 X.X.X.X:33354 TCP_SERVER read returned 42
Thu Feb  1 20:32:53 2018 us=535944 X.X.X.X:33354 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33354: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=d7b715e9 aedc7eae [ 1897339418 2864812131 3997836989 1137368410 169910784 346 1937340160 0 ]
Thu Feb  1 20:32:53 2018 us=536003 X.X.X.X:33354 TLS: Initial packet from [AF_INET]X.X.X.X:33354, sid=d7b715e9 aedc7eae
Thu Feb  1 20:32:53 2018 us=536044 X.X.X.X:33354 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:32:53 2018 us=536094 X.X.X.X:33354 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:32:53 2018 us=536133 X.X.X.X:33354 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:32:53 2018 us=536256 TCP/UDP: Closing socket
Thu Feb  1 20:33:00 2018 us=835411 MULTI: multi_create_instance called
Thu Feb  1 20:33:00 2018 us=835553 Re-using SSL/TLS context
Thu Feb  1 20:33:00 2018 us=835603 LZO compression initializing
Thu Feb  1 20:33:00 2018 us=835776 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:00 2018 us=835852 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:00 2018 us=835942 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:00 2018 us=835983 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:00 2018 us=836055 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:00 2018 us=836093 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:00 2018 us=836148 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:00 2018 us=836185 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:00 2018 us=836249 TCP connection established with [AF_INET]X.X.X.X:33355
Thu Feb  1 20:33:00 2018 us=836288 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:00 2018 us=836329 TCP_SERVER link remote: [AF_INET]X.X.X.X:33355
Thu Feb  1 20:33:01 2018 us=223196 X.X.X.X:33355 TCP_SERVER read returned 42
Thu Feb  1 20:33:01 2018 us=223314 X.X.X.X:33355 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33355: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=0d3e51b8 7e4834f4 [ 4113720783 1029741513 3022168451 3348788222 987409408 346 1937341952 0 ]
Thu Feb  1 20:33:01 2018 us=223375 X.X.X.X:33355 TLS: Initial packet from [AF_INET]X.X.X.X:33355, sid=0d3e51b8 7e4834f4
Thu Feb  1 20:33:01 2018 us=223417 X.X.X.X:33355 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:01 2018 us=223471 X.X.X.X:33355 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:01 2018 us=223510 X.X.X.X:33355 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:01 2018 us=223629 TCP/UDP: Closing socket
Thu Feb  1 20:33:11 2018 us=590674 MULTI: multi_create_instance called
Thu Feb  1 20:33:11 2018 us=590809 Re-using SSL/TLS context
Thu Feb  1 20:33:11 2018 us=590858 LZO compression initializing
Thu Feb  1 20:33:11 2018 us=591041 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:11 2018 us=591122 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:11 2018 us=591177 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:11 2018 us=591215 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:11 2018 us=591282 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:11 2018 us=591319 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:11 2018 us=591374 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:11 2018 us=591410 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:11 2018 us=591478 TCP connection established with [AF_INET]X.X.X.X:33356
Thu Feb  1 20:33:11 2018 us=591518 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:11 2018 us=591559 TCP_SERVER link remote: [AF_INET]X.X.X.X:33356
Thu Feb  1 20:33:11 2018 us=870082 X.X.X.X:33356 TCP_SERVER read returned 42
Thu Feb  1 20:33:11 2018 us=870190 X.X.X.X:33356 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33356: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=f9a9545a 595f45ce [ 2964377152 852077731 3746216662 4202494899 2001741568 346 1937344768 0 ]
Thu Feb  1 20:33:11 2018 us=870256 X.X.X.X:33356 TLS: Initial packet from [AF_INET]X.X.X.X:33356, sid=f9a9545a 595f45ce
Thu Feb  1 20:33:11 2018 us=870299 X.X.X.X:33356 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:11 2018 us=870352 X.X.X.X:33356 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:11 2018 us=870391 X.X.X.X:33356 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:11 2018 us=870504 TCP/UDP: Closing socket
Thu Feb  1 20:33:16 2018 us=851144 MULTI: multi_create_instance called
Thu Feb  1 20:33:16 2018 us=851280 Re-using SSL/TLS context
Thu Feb  1 20:33:16 2018 us=851329 LZO compression initializing
Thu Feb  1 20:33:16 2018 us=851504 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:16 2018 us=851579 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:16 2018 us=851637 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:16 2018 us=851675 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:16 2018 us=851742 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:16 2018 us=851781 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:16 2018 us=851836 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:16 2018 us=851873 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:16 2018 us=851937 TCP connection established with [AF_INET]X.X.X.X:33357
Thu Feb  1 20:33:16 2018 us=851975 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:16 2018 us=852017 TCP_SERVER link remote: [AF_INET]X.X.X.X:33357
Thu Feb  1 20:33:17 2018 us=595028 X.X.X.X:33357 TCP_SERVER read returned 42
Thu Feb  1 20:33:17 2018 us=595146 X.X.X.X:33357 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33357: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=c3c38ca5 3fd896ce [ 2664788199 615180072 1390340468 937328838 3186128896 346 1937346304 0 ]
Thu Feb  1 20:33:17 2018 us=595208 X.X.X.X:33357 TLS: Initial packet from [AF_INET]X.X.X.X:33357, sid=c3c38ca5 3fd896ce
Thu Feb  1 20:33:17 2018 us=595250 X.X.X.X:33357 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:17 2018 us=595303 X.X.X.X:33357 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:17 2018 us=595343 X.X.X.X:33357 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:17 2018 us=595461 TCP/UDP: Closing socket
Thu Feb  1 20:33:24 2018 us=961553 MULTI: multi_create_instance called
Thu Feb  1 20:33:24 2018 us=961688 Re-using SSL/TLS context
Thu Feb  1 20:33:24 2018 us=961742 LZO compression initializing
Thu Feb  1 20:33:24 2018 us=961923 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:24 2018 us=962001 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:24 2018 us=962055 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:24 2018 us=962093 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:24 2018 us=962159 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:24 2018 us=962196 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:24 2018 us=962254 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:24 2018 us=962292 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:24 2018 us=962363 TCP connection established with [AF_INET]X.X.X.X:33358
Thu Feb  1 20:33:24 2018 us=962405 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:24 2018 us=962451 TCP_SERVER link remote: [AF_INET]X.X.X.X:33358
Thu Feb  1 20:33:25 2018 us=330885 X.X.X.X:33358 TCP_SERVER read returned 42
Thu Feb  1 20:33:25 2018 us=330987 X.X.X.X:33358 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33358: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=ec4d0765 028c33b3 [ 828900258 271948470 3789509320 1801071330 1129668096 346 1937348096 0 ]
Thu Feb  1 20:33:25 2018 us=331046 X.X.X.X:33358 TLS: Initial packet from [AF_INET]X.X.X.X:33358, sid=ec4d0765 028c33b3
Thu Feb  1 20:33:25 2018 us=331085 X.X.X.X:33358 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:25 2018 us=331135 X.X.X.X:33358 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:25 2018 us=331178 X.X.X.X:33358 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:25 2018 us=331292 TCP/UDP: Closing socket
Thu Feb  1 20:33:31 2018 us=167979 MULTI: multi_create_instance called
Thu Feb  1 20:33:31 2018 us=168110 Re-using SSL/TLS context
Thu Feb  1 20:33:31 2018 us=168159 LZO compression initializing
Thu Feb  1 20:33:31 2018 us=168336 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:31 2018 us=168416 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:31 2018 us=168469 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:31 2018 us=168510 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:31 2018 us=168577 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:31 2018 us=168614 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:31 2018 us=168669 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:31 2018 us=168705 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:31 2018 us=168768 TCP connection established with [AF_INET]X.X.X.X:33359
Thu Feb  1 20:33:31 2018 us=168807 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:31 2018 us=168848 TCP_SERVER link remote: [AF_INET]X.X.X.X:33359
Thu Feb  1 20:33:31 2018 us=911008 X.X.X.X:33359 TCP_SERVER read returned 42
Thu Feb  1 20:33:31 2018 us=911116 X.X.X.X:33359 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33359: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=e47c08b2 0980bfeb [ 2154507713 1839281328 631901780 367760635 4229032960 346 1937349888 0 ]
Thu Feb  1 20:33:31 2018 us=911177 X.X.X.X:33359 TLS: Initial packet from [AF_INET]X.X.X.X:33359, sid=e47c08b2 0980bfeb
Thu Feb  1 20:33:31 2018 us=911217 X.X.X.X:33359 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:31 2018 us=911267 X.X.X.X:33359 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:31 2018 us=911311 X.X.X.X:33359 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:31 2018 us=911425 TCP/UDP: Closing socket
Thu Feb  1 20:33:46 2018 us=20672 MULTI: multi_create_instance called
Thu Feb  1 20:33:46 2018 us=20765 Re-using SSL/TLS context
Thu Feb  1 20:33:46 2018 us=20808 LZO compression initializing
Thu Feb  1 20:33:46 2018 us=20986 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:46 2018 us=21068 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:46 2018 us=21122 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:46 2018 us=21166 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:46 2018 us=21238 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:46 2018 us=21276 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:46 2018 us=21331 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:46 2018 us=21367 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:46 2018 us=21432 TCP connection established with [AF_INET]X.X.X.X:33360
Thu Feb  1 20:33:46 2018 us=21473 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:46 2018 us=21515 TCP_SERVER link remote: [AF_INET]X.X.X.X:33360
Thu Feb  1 20:33:46 2018 us=340953 X.X.X.X:33360 TCP_SERVER read returned 42
Thu Feb  1 20:33:46 2018 us=341058 X.X.X.X:33360 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33360: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=0d6f63a3 f8486c86 [ 3316259378 4076818278 176722422 4165536446 626409984 346 1937353472 0 ]
Thu Feb  1 20:33:46 2018 us=341117 X.X.X.X:33360 TLS: Initial packet from [AF_INET]X.X.X.X:33360, sid=0d6f63a3 f8486c86
Thu Feb  1 20:33:46 2018 us=341156 X.X.X.X:33360 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:46 2018 us=341205 X.X.X.X:33360 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:46 2018 us=341245 X.X.X.X:33360 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:46 2018 us=341362 TCP/UDP: Closing socket

I was stating that the verbosity for the server log doesn't need to be more than 5, as anything above that will log r/w access, which is not needed.

Whoever wrote that wiki obviously never bothered testing it, since it puts forth an improperly configured server config, hence your problems.

Please replace your server config with the following (double check I imported everything correctly)

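# OpenVPN server instance (UCI section): routed (tun) server listening on TCP 1194.
# The client profile has to mirror proto, cipher, auth, comp_lzo, the tun_mtu/fragment/mssfix
# values and the tls-auth key (with the opposite key direction), or the session will not come up.
config openvpn 'VPNserver'
    option  enabled             1

    # Protocol #
#------------------------------------------------
    # A UCI option can only be set once, so the device type and the interface name need
    # separate options. With a custom name such as 'ovpns0' OpenVPN cannot infer tun/tap
    # from the name, hence dev_type.
    option  dev_type            'tun'
    option  dev                 'ovpns0'
    option  topology            'subnet'
    # TCP transport: the WAN firewall rule and any upstream port forward must be for
    # TCP 1194; a forward that only covers UDP 1194 will not pass this traffic.
    option  proto               'tcp'
    option  port                1194

    # Routes #
#------------------------------------------------
    option  server              '192.168.200.0 255.255.255.0'
    option  ifconfig            '192.168.200.1 255.255.255.0'
    option  route_gateway       'dhcp'

    # Client Config #
#------------------------------------------------
    #   option  ccd_exclusive           1
    #   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
    #   option  client_config_dir       '/etc/openvpn/clients/'

    # Pushed Routes #
#------------------------------------------------
    # Gives VPN clients a route to the LAN (192.168.1.0/24) and tells them which
    # DNS/WINS/NTP servers to use; clients will send their DNS queries to these resolvers.
    list    push                'route 192.168.1.0 255.255.255.0'
    list    push                'dhcp-option    DNS 192.168.1.1'
    list    push                'dhcp-option    WINS 192.168.1.1'
    list    push                'dhcp-option    DNS 208.67.222.123'
    list    push                'dhcp-option    DNS 208.67.220.123'
    list    push                'dhcp-option    NTP 129.6.15.30'

    # Pushed Gateways #
#------------------------------------------------
    # redirect-gateway def1 sends all client traffic through the tunnel, so the router's
    # firewall must allow forwarding from the VPN interface to wan for clients to reach
    # the internet.
    list    push                'route-gateway    dhcp'
    list    push                'redirect-gateway def1'

    # Encryption #
#------------------------------------------------
    # Diffie-Hellman:
    option  dh                  '/etc/openvpn/dh2048.pem'

    # PKCS12:
    #   option  pkcs12             '/etc/openvpn/my-server.p12'

    # SSL:
    # Data-channel cipher and HMAC digest; the client must use the same values.
    option  cipher              AES-256-CBC
    option  auth                'SHA256'
    # tls-auth adds an HMAC signature to control-channel packets, so packets from peers
    # without the key are dropped before any TLS processing. Direction 0 on the server,
    # 1 on clients. The key is a shared secret: keep the file readable by root only.
    option  tls_auth            '/etc/openvpn/tls-auth.key 0'

    # TLS:
    option  tls_server          1
    option  tls_version_min     1.2
    # Restricts the control-channel cipher suites that may be negotiated.
    # NOTE(review): the list mixes IANA-style suite names with OpenSSL-style '!' exclusions;
    # confirm in the log that the installed OpenVPN accepts it without warnings.
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'

    # X509:
    # The server key is the server's identity; it should be readable by root only.
    option  ca                  '/etc/openvpn/ca.crt'
    option  cert                '/etc/openvpn/my-server.crt'
    option  key                 '/etc/openvpn/my-server.key'

    # Logging #
#------------------------------------------------
    # Logs go to /tmp; verb 5 is enough for troubleshooting without logging every read/write.
    option  log_append          '/tmp/openvpn.log'
    option  status              '/tmp/openvpn-status.log'
    option  verb                5

    # Connection Options #
#------------------------------------------------
    option  keepalive           '10 120'
    # comp-lzo is deprecated as of OpenVPN 2.4, and compressing traffic before encrypting it
    # can leak information about the plaintext through packet sizes. Consider turning
    # compression off; whatever is chosen must be set identically on server and clients.
    option  comp_lzo            'yes'

    # Connection Reliability #
#------------------------------------------------
    # client_to_client is an access decision rather than a reliability setting: OpenVPN then
    # forwards traffic between VPN clients internally, so it never passes the router's firewall.
    # Leave it out if clients should not be able to reach each other.
    option  client_to_client    1
    # persist_key/persist_tun keep the key material and tun device across soft restarts,
    # which is needed once privileges have been dropped (see Permissions).
    option  persist_key         1
    option  persist_tun         1

    # Connection Speed #
#------------------------------------------------
    # Non-default buffer and MTU tuning; tun_mtu, fragment and mssfix have to match the client.
    option  sndbuf              393216
    option  rcvbuf              393216
    option  fragment            0
    option  mssfix              0
    option  tun_mtu             48000

    # Pushed Buffers #
#------------------------------------------------
    list    push                'sndbuf 393216'
    list    push                'rcvbuf 393216'

    # Permissions #
#------------------------------------------------
    # Drop root privileges after initialisation so a compromised daemon runs unprivileged.
    option  user                'nobody'
    option  group               'nogroup'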
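  • You need to do some additional steps.
    • Generate the TLS-Auth key, e.g. with: openvpn --genkey --secret /etc/openvpn/tls-auth.key
      • It needs to be saved at /etc/openvpn/tls-auth.key on the server, and the same key goes into each client config; it is a shared secret, so keep it readable by root only.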

Please replace your client config with the following:

# OpenVPN client profile matching the server config: TCP to port 1194, tun device,
# AES-256-CBC / SHA256, tls-auth with key direction 1. The inline <ca>/<cert>/<key>/<tls-auth>
# blocks are empty placeholders to be filled with the PEM/key text.

# Config Type #
#------------------------------------------------
client

# Connection  #
#------------------------------------------------
dev tun
proto tcp
# Placeholder hostname: replace with the server's public address or DDNS name.
remote your.ddns.com 1194

# Speed #
#------------------------------------------------
# These three values must be identical to the server's fragment/mssfix/tun_mtu settings.
mssfix 0
fragment 0
tun-mtu 48000

# Reliability #
#------------------------------------------------
float
nobind
# Compression must match the server. comp-lzo is deprecated as of OpenVPN 2.4, and compressing
# before encrypting can leak information about the plaintext through packet sizes.
comp-lzo

persist-key
persist-tun
resolv-retry infinite

# Encryption #
#------------------------------------------------
auth SHA256
# Do not keep entered passwords cached in memory.
auth-nocache

# --- SSL --- #
cipher AES-256-CBC

# CA certificate used to verify the server's certificate.
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

# This client's certificate.
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>

# This client's private key: once it is pasted in, the whole profile file is a credential
# and should be stored and transferred accordingly.
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

# --- TLS --- #
# Direction 1 on the client pairs with direction 0 in the server's tls_auth option.
key-direction 1
tls-version-min 1.2

# Only accept a peer certificate that carries the server-authentication extended key usage,
# so that another client's certificate cannot be used to impersonate the server.
remote-cert-eku 'TLS Web Server Authentication'

# Same static key as the server's tls-auth.key (shared secret).
<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

# Logging #
#------------------------------------------------
# verb 7 is debug-level output; presumably meant for troubleshooting only, lower it once the
# connection works.
verb 7
  • I've never bothered inlining certs since I use PKCS12's, however I'm almost positive the openssl x509 output is not what goes inline; instead, the text of the cert/key file itself is what should go inline (i.e. open the cert/key in a text editor, then copy & paste the PEM block, including its BEGIN/END lines)

  • The contents of tls-auth.key go inline between the <tls-auth> tags.

Additionally, it is pointless to utilize a 4096bit key, as 2048bit will remain unbreakable until at least 2030. 4096bit keys to secure a VPN tunnel serve zero purpose, doing nothing other than serving to stress the CPUs of the server and client(s), along with massively slowing throughput

Is it a subjective opinion or has there been some testing done on consumer-grade hardware?

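No, anyone can test the speeds: openssl speed rsa (this benchmarks RSA sign/verify operations, which OpenVPN performs during the TLS handshake and each key renegotiation)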

  • There's literally no benefit to utilizing 4096bit keys, as there's not a single existing supercomputer that can break 2048bit. Even the NSA recommends 2048bit, with 3072bit starting this year or next for TS/SCI data. Last I read about it, 2048bit would remain unbreakable until at least 2030.
    • If someone was super paranoid, simply have the session renegotiate keys every 30 - 60min (OpenVPN's reneg-sec option sets the interval in seconds)

  • Windows 10, 4C/8T, i7-4710MQ
     PS D:\JW0914\Documents\GnuPG\Certs\Intermediate\WRT1900ACS\CA> openssl speed rsa
     WARNING: can't open config file: /etc/ssl/openssl.cnf
     Doing 512 bit private rsa's for 10s: 186457 512 bit private RSA's in 9.97s
     Doing 512 bit public rsa's for 10s: 2403931 512 bit public RSA's in 10.00s
     Doing 1024 bit private rsa's for 10s: 68154 1024 bit private RSA's in 10.00s
     Doing 1024 bit public rsa's for 10s: 1018930 1024 bit public RSA's in 9.98s
     Doing 2048 bit private rsa's for 10s: 14808 2048 bit private RSA's in 9.98s
     Doing 2048 bit public rsa's for 10s: 330324 2048 bit public RSA's in 9.98s
     Doing 4096 bit private rsa's for 10s: 1438 4096 bit private RSA's in 10.00s
     Doing 4096 bit public rsa's for 10s: 92898 4096 bit public RSA's in 10.02s
    
     OpenSSL 1.0.2l  25 May 2017
     built on: reproducible build, date unspecified
     options:bn(64,64) rc4(16x,int) des(idx,cisc,2,long) aes(partial) idea(int) blowfish(idx)
     compiler: x86_64-w64-mingw32-gcc -I. -I.. -I../include  -D_WINDLL -DOPENSSL_PIC -DOPENSSL_THREADS -D_MT -DDSO_WIN32 -static-libgcc -DL_ENDIAN -O3 -Wall -DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    
                       sign    verify    sign/s verify/s
     rsa  512 bits 0.000053s 0.000004s  18704.2 240393.1
     rsa 1024 bits 0.000147s 0.000010s   6815.4 102052.5
     rsa 2048 bits 0.000674s 0.000030s   1483.1  33084.1
     rsa 4096 bits 0.006954s 0.000108s    143.8   9275.3
    

  • Linksys WRT1900ACS [4.9.52-2017.10.01, r4964-25abd71efb)]

     [root@LEDE] ~ # openssl speed rsa
     WARNING: can't open config file: /etc/ssl/openssl.cnf
     Doing 512 bit private rsa's for 10s: 19561 512 bit private RSA's in 10.00s
     Doing 512 bit public rsa's for 10s: 187634 512 bit public RSA's in 10.00s
     Doing 1024 bit private rsa's for 10s: 2770 1024 bit private RSA's in 10.00s
     Doing 1024 bit public rsa's for 10s: 59677 1024 bit public RSA's in 10.00s
     Doing 2048 bit private rsa's for 10s: 421 2048 bit private RSA's in 10.01s
     Doing 2048 bit public rsa's for 10s: 16307 2048 bit public RSA's in 10.00s
     Doing 4096 bit private rsa's for 10s: 62 4096 bit private RSA's in 10.16s
     Doing 4096 bit public rsa's for 10s: 4224 4096 bit public RSA's in 10.00s
    
     OpenSSL 1.0.2l  25 May 2017
     built on: reproducible build, date unspecified
     options:bn(64,32) rc4(ptr,char) des(idx,cisc,2,long) aes(partial) blowfish(ptr)
     compiler: arm-openwrt-linux-muslgnueabi-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/jw/lede/source/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/usr/include -I/home/jw/lede/source/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/include -I/home/jw/lede/source/staging_dir/toolchain-arm_cortex-a9+vfpv3_gcc-5.4.0_musl_eabi/usr/include -I/home/jw/lede/source/staging_dir/toolchain-arm_cortex-a9+vfpv3_gcc-5.4.0_musl_eabi/include/fortify -I/home/jw/lede/source/staging_dir/toolchain-arm_cortex-a9+vfpv3_gcc-5.4.0_musl_eabi/include -znow -zrelro -DOPENSSL_SMALL_FOOTPRINT -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DOPENSSL_NO_ERR -DTERMIOS -Os -pipe -mcpu=cortex-a9 -mfpu=vfpv3-d16 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -mfloat-abi=hard -iremap/home/jw/lede/source/build_dir/target-arm_cortex-a9+vfpv3_musl_eabi/openssl-1.0.2l:openssl-1.0.2l -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -fpic -I/home/jw/lede/source/package/libs/openssl/include -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
    
                       sign    verify    sign/s verify/s
     rsa  512 bits 0.000511s 0.000053s   1956.1  18763.4
     rsa 1024 bits 0.003610s 0.000168s    277.0   5967.7
     rsa 2048 bits 0.023777s 0.000613s     42.1   1630.7
     rsa 4096 bits 0.163871s 0.002367s      6.1    422.4
    

I was copying over the server openvpn file, but the openvpn service cannot be started. Clicking on the start button in LUCI does nothing,

Troubleshooting should be done via cli, not LuCI. To restart OpenVPN: /etc/init.d/openvpn restart.

If it's the first time restarting it since changing the config, issue the following:

  • /etc/init.d/openvpn restart ; sleep 2 ; cat /tmp/openvpn.log
    • This will show if any errors prevented OpenVPN from restarting