OpenVPN server - TLS key failed to occur within 60 secs

I cannot find the openvpn server log, there is no such filename in the tmp folder. Android Client Log file in next post (due to max character restriction).

NB: Just to reiterate (and if it helps), I followed this guide for setup: https://lede-project.org/docs/user-guide/openvpnserver.setup My command line programming skills are evidently not good at all. So I just followed the instructions on that post parrot-fashion.

Firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'Guest'
	option input 'REJECT'
	option network 'Guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'Guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'Guest'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '8125'
	option dest_ip '10.10.10.99'
	option dest_port '8125'
	option name 'CCTV Web 8125'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '554'
	option dest_ip '10.10.10.99'
	option dest_port '554'
	option name 'CCTV RTSP 554'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '8000'
	option dest_port '8000'
	option name 'CCTV SDK 8000'
	option dest_ip '10.10.10.99'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '8124'
	option dest_ip '10.10.10.99'
	option dest_port '8124'
	option name 'CCTV WEB 8124'

config forwarding
	option dest 'wan'
	option src 'Guest'

config forwarding
	option dest 'wan'
	option src 'lan'

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'tcp udp'
	option dest_port '1194'

config zone
	option name 'vpnserver'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option network 'vpnserver'

config forwarding
	option src 'vpnserver'
	option dest 'wan'

config forwarding
	option src 'vpnserver'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'udp'
	option src_dport '1194'
	option dest_port '1194'
	option name 'InboundUDP'
	option dest_ip '10.10.10.10'
	option dest 'lan'

Openvpn:

config openvpn 'vpnserver'
	option enabled '1'
	option dev_type 'tun'
	option dev 'ovpns0'
	option port '1194'
	option proto 'tcp'
	option comp_lzo 'yes'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option mode 'server'
	option tls_server '1'
	option server '192.168.200.0 255.255.255.0'
	option topology 'subnet'
	option route_gateway 'dhcp'
	option client_to_client '1'
	option key_direction '0'
	verb 5
	list push 'comp-lzo yes'
	list push 'persist-key'
	list push 'persist-tun'
	list push 'topology subnet'
	list push 'route-gateway dhcp'
	list push 'redirect-gateway def1'
	list push 'route 192.168.200.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'

VPNClient.ovpn

client
  dev tun
  proto tcp
  fast-io
  remote X.X.X.X 1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  comp-lzo no
  verb 7
<ca>
-----BEGIN CERTIFICATE-----
MIIFNTCCAx2gAwIBAgIJAIfH8OcMg73zDjuOG9nqGz/mTFvWg=
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=London, O=WWW Ltd.
        Validity
            Not Before: Feb  1 10:03:30 2018 GMT
            Not After : Jan 30 10:03:30 2028 GMT
        Subject: CN=my-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ad:7d:1a:75:de
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         9c:e6:06:0c:78:3e:32:b8:84:e2:92:69:d1:51:ab:c0:56:5c:
         
-----BEGIN CERTIFICATE-----
MIIE5TCCAs2gAwIBAgICEAEwDQ
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwg
-----END PRIVATE KEY-----
</key>

Android Client Log:

2018-02-01 17:37:46 official build 0.6.73 running on samsung SM-J320FN (SC9830I), Android 5.1.1 (LMY47V) API 22, ABI armeabi-v7a, (samsung/j3xnltexx/j3xnlte:5.1.1/LMY47V/J320FNXXU0AQJ4:user/release-keys)
2018-02-01 17:37:46 Building configuration…
2018-02-01 17:37:46 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2018-02-01 17:37:46 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2018-02-01 17:37:46 started Socket Thread
2018-02-01 17:37:46 Network Status: CONNECTED HSUPA to MOBILE everywhere
2018-02-01 17:37:46 Debug state info: CONNECTED HSUPA to MOBILE everywhere, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2018-02-01 17:37:46 P:WARNING: linker: /data/data/de.blinkt.openvpn/cache/c_pie_openvpn.armeabi-v7a: unused DT entry: type 0x6ffffffe arg 0x338
2018-02-01 17:37:46 P:WARNING: linker: /data/data/de.blinkt.openvpn/cache/c_pie_openvpn.armeabi-v7a: unused DT entry: type 0x6fffffff arg 0x1
2018-02-01 17:37:46 P:WARNING: linker: libopenvpn.so: unused DT entry: type 0x6ffffffe arg 0x455a4
2018-02-01 17:37:46 P:WARNING: linker: libopenvpn.so: unused DT entry: type 0x6fffffff arg 0x3
2018-02-01 17:37:46 Debug state info: CONNECTED HSUPA to MOBILE everywhere, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2018-02-01 17:37:46 P:Initializing Google Breakpad!
2018-02-01 17:37:46 Current Parameter Settings:
2018-02-01 17:37:46 Waiting 0s seconds between connection attempt
2018-02-01 17:37:46   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2018-02-01 17:37:46   mode = 0
2018-02-01 17:37:46   show_ciphers = DISABLED
2018-02-01 17:37:46   show_digests = DISABLED
2018-02-01 17:37:46   show_engines = DISABLED
2018-02-01 17:37:46   genkey = DISABLED
2018-02-01 17:37:46   key_pass_file = '[UNDEF]'
2018-02-01 17:37:46   show_tls_ciphers = DISABLED
2018-02-01 17:37:46   connect_retry_max = 0
2018-02-01 17:37:46 Connection profiles [0]:
2018-02-01 17:37:46   proto = tcp-client
2018-02-01 17:37:46   local = '[UNDEF]'
2018-02-01 17:37:46   local_port = '[UNDEF]'
2018-02-01 17:37:46   remote = 'X.X.X.X'
2018-02-01 17:37:46   remote_port = '1194'
2018-02-01 17:37:46   remote_float = DISABLED
2018-02-01 17:37:46   bind_defined = DISABLED
2018-02-01 17:37:46   bind_local = DISABLED
2018-02-01 17:37:46   bind_ipv6_only = DISABLED
2018-02-01 17:37:46   connect_retry_seconds = 2
2018-02-01 17:37:46   connect_timeout = 120
2018-02-01 17:37:46   socks_proxy_server = '[UNDEF]'
2018-02-01 17:37:46   socks_proxy_port = '[UNDEF]'
2018-02-01 17:37:46   tun_mtu = 1500
2018-02-01 17:37:46   tun_mtu_defined = ENABLED
2018-02-01 17:37:46   link_mtu = 1500
2018-02-01 17:37:47   link_mtu_defined = DISABLED
2018-02-01 17:37:47   tun_mtu_extra = 0
2018-02-01 17:37:47   tun_mtu_extra_defined = DISABLED
2018-02-01 17:37:47   mtu_discover_type = -1
2018-02-01 17:37:47   fragment = 0
2018-02-01 17:37:47   mssfix = 1450
2018-02-01 17:37:47   explicit_exit_notification = 0
2018-02-01 17:37:47 Connection profiles END
2018-02-01 17:37:47   remote_random = DISABLED
2018-02-01 17:37:47 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:47 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:47   ipchange = '[UNDEF]'
2018-02-01 17:37:47   dev = 'tun'
2018-02-01 17:37:47   dev_type = '[UNDEF]'
2018-02-01 17:37:47   dev_node = '[UNDEF]'
2018-02-01 17:37:47   lladdr = '[UNDEF]'
2018-02-01 17:37:47   topology = 1
2018-02-01 17:37:47   ifconfig_local = '[UNDEF]'
2018-02-01 17:37:47   ifconfig_remote_netmask = '[UNDEF]'
2018-02-01 17:37:47   ifconfig_noexec = DISABLED
2018-02-01 17:37:47   ifconfig_nowarn = ENABLED
2018-02-01 17:37:47   ifconfig_ipv6_local = '[UNDEF]'
2018-02-01 17:37:47   ifconfig_ipv6_netbits = 0
2018-02-01 17:37:47   ifconfig_ipv6_remote = '[UNDEF]'
2018-02-01 17:37:47   shaper = 0
2018-02-01 17:37:47   mtu_test = 0
2018-02-01 17:37:47   mlock = DISABLED
2018-02-01 17:37:47   keepalive_ping = 0
2018-02-01 17:37:47   keepalive_timeout = 0
2018-02-01 17:37:47   inactivity_timeout = 0
2018-02-01 17:37:47   ping_send_timeout = 0
2018-02-01 17:37:47   ping_rec_timeout = 0
2018-02-01 17:37:47   ping_rec_timeout_action = 0
2018-02-01 17:37:47   ping_timer_remote = DISABLED
2018-02-01 17:37:47   remap_sigusr1 = 0
2018-02-01 17:37:47   persist_tun = ENABLED
2018-02-01 17:37:47   persist_local_ip = DISABLED
2018-02-01 17:37:47   persist_remote_ip = DISABLED
2018-02-01 17:37:47   persist_key = DISABLED
2018-02-01 17:37:47   passtos = DISABLED
2018-02-01 17:37:47   resolve_retry_seconds = 60
2018-02-01 17:37:47   resolve_in_advance = ENABLED
2018-02-01 17:37:47   username = '[UNDEF]'
2018-02-01 17:37:47   groupname = '[UNDEF]'
2018-02-01 17:37:47   chroot_dir = '[UNDEF]'
2018-02-01 17:37:47   cd_dir = '[UNDEF]'
2018-02-01 17:37:47   writepid = '[UNDEF]'
2018-02-01 17:37:47   up_script = '[UNDEF]'
2018-02-01 17:37:47   down_script = '[UNDEF]'
2018-02-01 17:37:47   down_pre = DISABLED
2018-02-01 17:37:47   up_restart = DISABLED
2018-02-01 17:37:47   up_delay = DISABLED
2018-02-01 17:37:47   daemon = DISABLED
2018-02-01 17:37:47   inetd = 0
2018-02-01 17:37:47   log = DISABLED
2018-02-01 17:37:47   suppress_timestamps = DISABLED
2018-02-01 17:37:47   machine_readable_output = ENABLED
2018-02-01 17:37:47   nice = 0
2018-02-01 17:37:47   verbosity = 4
2018-02-01 17:37:47   mute = 0
2018-02-01 17:37:47   gremlin = 0
2018-02-01 17:37:47   status_file = '[UNDEF]'
2018-02-01 17:37:47   status_file_version = 1
2018-02-01 17:37:47   status_file_update_freq = 60
2018-02-01 17:37:47   occ = ENABLED
2018-02-01 17:37:47   rcvbuf = 0
2018-02-01 17:37:47   sndbuf = 0
2018-02-01 17:37:47   sockflags = 0
2018-02-01 17:37:47   fast_io = ENABLED
2018-02-01 17:37:47   comp.alg = 2
2018-02-01 17:37:47   comp.flags = 1
2018-02-01 17:37:47   route_script = '[UNDEF]'
2018-02-01 17:37:47   route_default_gateway = '[UNDEF]'
2018-02-01 17:37:47   route_default_metric = 0
2018-02-01 17:37:47   route_noexec = DISABLED
2018-02-01 17:37:47   route_delay = 0
2018-02-01 17:37:47   route_delay_window = 30
2018-02-01 17:37:47   route_delay_defined = DISABLED
2018-02-01 17:37:47   route_nopull = DISABLED
2018-02-01 17:37:47   route_gateway_via_dhcp = DISABLED
2018-02-01 17:37:47   allow_pull_fqdn = DISABLED
2018-02-01 17:37:47   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2018-02-01 17:37:47   management_port = 'unix'
2018-02-01 17:37:47   management_user_pass = '[UNDEF]'
2018-02-01 17:37:47   management_log_history_cache = 250
2018-02-01 17:37:47   management_echo_buffer_size = 100
2018-02-01 17:37:47   management_write_peer_info_file = '[UNDEF]'
2018-02-01 17:37:47   management_client_user = '[UNDEF]'
2018-02-01 17:37:47   management_client_group = '[UNDEF]'
2018-02-01 17:37:47   management_flags = 4390
2018-02-01 17:37:47   shared_secret_file = '[UNDEF]'
2018-02-01 17:37:47   key_direction = (null)
2018-02-01 17:37:47   ciphername = 'BF-CBC'
2018-02-01 17:37:47   ncp_enabled = ENABLED
2018-02-01 17:37:47   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2018-02-01 17:37:47   authname = 'SHA1'
2018-02-01 17:37:47   prng_hash = 'SHA1'
2018-02-01 17:37:47   prng_nonce_secret_len = 16
2018-02-01 17:37:47   keysize = 0
2018-02-01 17:37:47   engine = DISABLED
2018-02-01 17:37:47   replay = ENABLED
2018-02-01 17:37:47   mute_replay_warnings = DISABLED
2018-02-01 17:37:47   replay_window = 64
2018-02-01 17:37:47   replay_time = 15
2018-02-01 17:37:47   packet_id_file = '[UNDEF]'
2018-02-01 17:37:47   test_crypto = DISABLED
2018-02-01 17:37:47   tls_server = DISABLED
2018-02-01 17:37:47   tls_client = ENABLED
2018-02-01 17:37:47   key_method = 2
2018-02-01 17:37:47   ca_file = '[[INLINE]]'
2018-02-01 17:37:47   ca_path = '[UNDEF]'
2018-02-01 17:37:47   dh_file = '[UNDEF]'
2018-02-01 17:37:47   cert_file = '[[INLINE]]'
2018-02-01 17:37:47   extra_certs_file = '[UNDEF]'
2018-02-01 17:37:47   priv_key_file = '[[INLINE]]'
2018-02-01 17:37:47   pkcs12_file = '[UNDEF]'
2018-02-01 17:37:47   cipher_list = '[UNDEF]'
2018-02-01 17:37:47   tls_verify = '[UNDEF]'
2018-02-01 17:37:47   tls_export_cert = '[UNDEF]'
2018-02-01 17:37:47   verify_x509_type = 0
2018-02-01 17:37:47   verify_x509_name = '[UNDEF]'
2018-02-01 17:37:47   crl_file = '[UNDEF]'
2018-02-01 17:37:47   ns_cert_type = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 65535
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_ku[i] = 0
2018-02-01 17:37:47   remote_cert_eku = 'TLS Web Server Authentication'
2018-02-01 17:37:47   ssl_flags = 0
2018-02-01 17:37:47   tls_timeout = 2
2018-02-01 17:37:47   renegotiate_bytes = -1
2018-02-01 17:37:47   renegotiate_packets = 0
2018-02-01 17:37:47   renegotiate_seconds = 3600
2018-02-01 17:37:47   handshake_window = 60
2018-02-01 17:37:47   transition_window = 3600
2018-02-01 17:37:47   single_session = DISABLED
2018-02-01 17:37:47   push_peer_info = DISABLED
2018-02-01 17:37:47   tls_exit = DISABLED
2018-02-01 17:37:47   tls_auth_file = '[[INLINE]]'
2018-02-01 17:37:47   tls_crypt_file = '[UNDEF]'
2018-02-01 17:37:47   client = ENABLED
2018-02-01 17:37:47   pull = ENABLED
2018-02-01 17:37:47   auth_user_pass_file = '[UNDEF]'
2018-02-01 17:37:47 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-d51333c645c12713+] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 26 2017
2018-02-01 17:37:47 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
2018-02-01 17:37:47 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
2018-02-01 17:37:47 MANAGEMENT: CMD 'hold release'
2018-02-01 17:37:47 MANAGEMENT: CMD 'proxy NONE'
2018-02-01 17:37:47 MANAGEMENT: CMD 'bytecount 2'
2018-02-01 17:37:47 MANAGEMENT: CMD 'state on'
2018-02-01 17:37:47 NOTE: --fast-io is disabled since we are not using UDP
2018-02-01 17:37:47 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:37:47 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:37:47 LZO compression initializing
2018-02-01 17:37:47 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
2018-02-01 17:37:47 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2018-02-01 17:37:47 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2018-02-01 17:37:47 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2018-02-01 17:37:47 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
2018-02-01 17:37:47 Socket Buffers: R=[244668->244668] S=[100663->100663]
2018-02-01 17:37:47 Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
2018-02-01 17:37:47 MANAGEMENT: >STATE:1517506667,TCP_CONNECT,,,,,,
2018-02-01 17:37:47 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2018-02-01 17:37:48 TCP connection established with [AF_INET]X.X.X.X:1194
2018-02-01 17:37:48 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2018-02-01 17:37:48 TCP_CLIENT link local: (not bound)
2018-02-01 17:37:48 TCP_CLIENT link remote: [AF_INET]X.X.X.X:1194
2018-02-01 17:37:48 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:48 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:48 MANAGEMENT: >STATE:1517506668,WAIT,,,,,,
2018-02-01 17:37:48 Connection reset, restarting [0]
2018-02-01 17:37:48 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2018-02-01 17:37:48 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2018-02-01 17:37:48 TCP/UDP: Closing socket
2018-02-01 17:37:48 SIGUSR1[soft,connection-reset] received, process restarting
2018-02-01 17:37:48 MANAGEMENT: >STATE:1517506668,RECONNECTING,connection-reset,,,,,
2018-02-01 17:37:48 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2018-02-01 17:37:48 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2018-02-01 17:37:48 Waiting 2s seconds between connection attempt
2018-02-01 17:37:53 MANAGEMENT: CMD 'hold release'
2018-02-01 17:37:53 MANAGEMENT: CMD 'proxy NONE'
2018-02-01 17:37:53 MANAGEMENT: CMD 'bytecount 2'
2018-02-01 17:37:53 MANAGEMENT: CMD 'state on'
2018-02-01 17:37:54 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:54 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:54 NOTE: --fast-io is disabled since we are not using UDP
2018-02-01 17:37:54 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:37:54 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:37:54 LZO compression initializing
2018-02-01 17:37:54 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
2018-02-01 17:37:54 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2018-02-01 17:37:54 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2018-02-01 17:37:54 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2018-02-01 17:37:54 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
2018-02-01 17:37:54 Socket Buffers: R=[244668->244668] S=[100663->100663]
2018-02-01 17:37:54 Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
2018-02-01 17:37:54 MANAGEMENT: >STATE:1517506674,TCP_CONNECT,,,,,,
2018-02-01 17:37:54 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2018-02-01 17:37:55 TCP connection established with [AF_INET]X.X.X.X:1194
2018-02-01 17:37:55 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2018-02-01 17:37:55 TCP_CLIENT link local: (not bound)
2018-02-01 17:37:55 TCP_CLIENT link remote: [AF_INET]X.X.X.X:1194
2018-02-01 17:37:55 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:55 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2018-02-01 17:37:55 MANAGEMENT: >STATE:1517506675,WAIT,,,,,,
2018-02-01 17:37:56 Connection reset, restarting [0]
2018-02-01 17:37:56 TCP/UDP: Closing socket
2018-02-01 17:37:56 SIGUSR1[soft,connection-reset] received, process restarting
2018-02-01 17:37:56 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2018-02-01 17:37:56 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2018-02-01 17:37:56 MANAGEMENT: >STATE:1517506676,RECONNECTING,connection-reset,,,,,
2018-02-01 17:37:56 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2018-02-01 17:37:56 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2018-02-01 17:37:56 Waiting 2s seconds between connection attempt
2018-02-01 17:38:01 MANAGEMENT: CMD 'hold release'
2018-02-01 17:38:01 MANAGEMENT: CMD 'proxy NONE'
2018-02-01 17:38:01 MANAGEMENT: CMD 'bytecount 2'
2018-02-01 17:38:01 MANAGEMENT: CMD 'state on'
2018-02-01 17:38:01 MANAGEMENT: CMD 'signal SIGUSR1'
2018-02-01 17:38:01 NOTE: --fast-io is disabled since we are not using UDP
2018-02-01 17:38:01 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): close_context usr1 to hup,,,,,
2018-02-01 17:38:01 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): close_context usr1 to hup,,,,,
2018-02-01 17:38:01 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:38:01 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-02-01 17:38:01 SIGHUP[hard,close_context usr1 to hup] received, process restarting
2018-02-01 17:38:01 MANAGEMENT: >STATE:1517506681,RECONNECTING,close_context usr1 to hup,,,,,
2018-02-01 17:38:01 Current Parameter Settings:
2018-02-01 17:38:01   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2018-02-01 17:38:01   mode = 0
2018-02-01 17:38:01 New OpenVPN Status (USERPAUSE->LEVEL_VPNPAUSED): 
2018-02-01 17:38:01 New OpenVPN Status (USERPAUSE->LEVEL_VPNPAUSED): 
2018-02-01 17:38:01   show_ciphers = DISABLED
2018-02-01 17:38:01   show_digests = DISABLED
2018-02-01 17:38:01   show_engines = DISABLED
2018-02-01 17:38:01   genkey = DISABLED
2018-02-01 17:38:01   key_pass_file = '[UNDEF]'
2018-02-01 17:38:01   show_tls_ciphers = DISABLED
2018-02-01 17:38:01   connect_retry_max = 0
2018-02-01 17:38:01 Connection profiles [0]:
2018-02-01 17:38:01   proto = tcp-client
2018-02-01 17:38:01   local = '[UNDEF]'
2018-02-01 17:38:01   local_port = '[UNDEF]'
2018-02-01 17:38:01   remote = 'X.X.X.X'
2018-02-01 17:38:01   remote_port = '1194'
2018-02-01 17:38:01   remote_float = DISABLED
2018-02-01 17:38:01   bind_defined = DISABLED
2018-02-01 17:38:01   bind_local = DISABLED
2018-02-01 17:38:01   bind_ipv6_only = DISABLED
2018-02-01 17:38:01   connect_retry_seconds = 2
2018-02-01 17:38:01   connect_timeout = 120
2018-02-01 17:38:01   socks_proxy_server = '[UNDEF]'
2018-02-01 17:38:01   socks_proxy_port = '[UNDEF]'
2018-02-01 17:38:01   tun_mtu = 1500
2018-02-01 17:38:01   tun_mtu_defined = ENABLED
2018-02-01 17:38:01   link_mtu = 1500
2018-02-01 17:38:01   link_mtu_defined = DISABLED
2018-02-01 17:38:01   tun_mtu_extra = 0
2018-02-01 17:38:01   tun_mtu_extra_defined = DISABLED
2018-02-01 17:38:01   mtu_discover_type = -1
2018-02-01 17:38:01   fragment = 0
2018-02-01 17:38:01   mssfix = 1450
2018-02-01 17:38:01   explicit_exit_notification = 0
2018-02-01 17:38:01 Connection profiles END
2018-02-01 17:38:01   remote_random = DISABLED
2018-02-01 17:38:01   ipchange = '[UNDEF]'
2018-02-01 17:38:01   dev = 'tun'
2018-02-01 17:38:01   dev_type = '[UNDEF]'
2018-02-01 17:38:01   dev_node = '[UNDEF]'
2018-02-01 17:38:01   lladdr = '[UNDEF]'
2018-02-01 17:38:01   topology = 1
2018-02-01 17:38:01   ifconfig_local = '[UNDEF]'
2018-02-01 17:38:01   ifconfig_remote_netmask = '[UNDEF]'
2018-02-01 17:38:01   ifconfig_noexec = DISABLED
2018-02-01 17:38:01   ifconfig_nowarn = ENABLED
2018-02-01 17:38:01   ifconfig_ipv6_local = '[UNDEF]'
2018-02-01 17:38:01   ifconfig_ipv6_netbits = 0
2018-02-01 17:38:01   ifconfig_ipv6_remote = '[UNDEF]'
2018-02-01 17:38:01   shaper = 0
2018-02-01 17:38:01   mtu_test = 0
2018-02-01 17:38:01   mlock = DISABLED
2018-02-01 17:38:01   keepalive_ping = 0
2018-02-01 17:38:01   keepalive_timeout = 0
2018-02-01 17:38:01   inactivity_timeout = 0
2018-02-01 17:38:01   ping_send_timeout = 0
2018-02-01 17:38:01   ping_rec_timeout = 0
2018-02-01 17:38:01   ping_rec_timeout_action = 0
2018-02-01 17:38:01   ping_timer_remote = DISABLED
2018-02-01 17:38:01   remap_sigusr1 = 0
2018-02-01 17:38:01   persist_tun = ENABLED
2018-02-01 17:38:01   persist_local_ip = DISABLED
2018-02-01 17:38:01   persist_remote_ip = DISABLED
2018-02-01 17:38:01   persist_key = DISABLED
2018-02-01 17:38:01   passtos = DISABLED
2018-02-01 17:38:01   resolve_retry_seconds = 60
2018-02-01 17:38:01   resolve_in_advance = ENABLED
2018-02-01 17:38:01   username = '[UNDEF]'
2018-02-01 17:38:01   groupname = '[UNDEF]'
2018-02-01 17:38:01   chroot_dir = '[UNDEF]'
2018-02-01 17:38:01   cd_dir = '[UNDEF]'
2018-02-01 17:38:01   writepid = '[UNDEF]'
2018-02-01 17:38:01   up_script = '[UNDEF]'
2018-02-01 17:38:01   down_script = '[UNDEF]'
2018-02-01 17:38:01   down_pre = DISABLED
2018-02-01 17:38:01   up_restart = DISABLED
2018-02-01 17:38:01   up_delay = DISABLED
2018-02-01 17:38:01   daemon = DISABLED
2018-02-01 17:38:01   inetd = 0
2018-02-01 17:38:01   log = DISABLED
2018-02-01 17:38:01   suppress_timestamps = DISABLED
2018-02-01 17:38:01   machine_readable_output = ENABLED
2018-02-01 17:38:01   nice = 0
2018-02-01 17:38:01   verbosity = 4
2018-02-01 17:38:01   mute = 0
2018-02-01 17:38:01   gremlin = 0
2018-02-01 17:38:01   status_file = '[UNDEF]'
2018-02-01 17:38:01   status_file_version = 1
2018-02-01 17:38:01   status_file_update_freq = 60
2018-02-01 17:38:01   occ = ENABLED
2018-02-01 17:38:01   rcvbuf = 0
2018-02-01 17:38:01   sndbuf = 0
2018-02-01 17:38:01   sockflags = 0
2018-02-01 17:38:01   fast_io = ENABLED
2018-02-01 17:38:01   comp.alg = 2
2018-02-01 17:38:01   comp.flags = 1
2018-02-01 17:38:01   route_script = '[UNDEF]'
2018-02-01 17:38:01   route_default_gateway = '[UNDEF]'
2018-02-01 17:38:01   route_default_metric = 0
2018-02-01 17:38:01   route_noexec = DISABLED
2018-02-01 17:38:01   route_delay = 0
2018-02-01 17:38:01   route_delay_window = 30
2018-02-01 17:38:01   route_delay_defined = DISABLED
2018-02-01 17:38:01   route_nopull = DISABLED
2018-02-01 17:38:01   route_gateway_via_dhcp = DISABLED
2018-02-01 17:38:01   allow_pull_fqdn = DISABLED
2018-02-01 17:38:01   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2018-02-01 17:38:01   management_port = 'unix'
2018-02-01 17:38:01   management_user_pass = '[UNDEF]'
2018-02-01 17:38:01   management_log_history_cache = 250
2018-02-01 17:38:01   management_echo_buffer_size = 100
2018-02-01 17:38:01   management_write_peer_info_file = '[UNDEF]'
2018-02-01 17:38:01   management_client_user = '[UNDEF]'
2018-02-01 17:38:01   management_client_group = '[UNDEF]'
2018-02-01 17:38:01   management_flags = 4390
2018-02-01 17:38:01   shared_secret_file = '[UNDEF]'
2018-02-01 17:38:01   key_direction = (null)
2018-02-01 17:38:01   ciphername = 'BF-CBC'
2018-02-01 17:38:01   ncp_enabled = ENABLED
2018-02-01 17:38:01   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2018-02-01 17:38:01   authname = 'SHA1'
2018-02-01 17:38:01   prng_hash = 'SHA1'
2018-02-01 17:38:01   prng_nonce_secret_len = 16
2018-02-01 17:38:01   keysize = 0
2018-02-01 17:38:01   engine = DISABLED
2018-02-01 17:38:01   replay = ENABLED
2018-02-01 17:38:01   mute_replay_warnings = DISABLED
2018-02-01 17:38:01   replay_window = 64
2018-02-01 17:38:01   replay_time = 15
2018-02-01 17:38:01   packet_id_file = '[UNDEF]'
2018-02-01 17:38:01   test_crypto = DISABLED
2018-02-01 17:38:01   tls_server = DISABLED
2018-02-01 17:38:01   tls_client = ENABLED
2018-02-01 17:38:01   key_method = 2
2018-02-01 17:38:01   ca_file = '[[INLINE]]'
2018-02-01 17:38:01   ca_path = '[UNDEF]'
2018-02-01 17:38:01   dh_file = '[UNDEF]'
2018-02-01 17:38:01   cert_file = '[[INLINE]]'
2018-02-01 17:38:01   extra_certs_file = '[UNDEF]'
2018-02-01 17:38:01   priv_key_file = '[[INLINE]]'
2018-02-01 17:38:01   pkcs12_file = '[UNDEF]'
2018-02-01 17:38:01   cipher_list = '[UNDEF]'
2018-02-01 17:38:01   tls_verify = '[UNDEF]'
2018-02-01 17:38:01   tls_export_cert = '[UNDEF]'
2018-02-01 17:38:01   verify_x509_type = 0
2018-02-01 17:38:01   verify_x509_name = '[UNDEF]'
2018-02-01 17:38:01   crl_file = '[UNDEF]'
2018-02-01 17:38:01   ns_cert_type = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 65535
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_ku[i] = 0
2018-02-01 17:38:01   remote_cert_eku = 'TLS Web Server Authentication'
2018-02-01 17:38:01   ssl_flags = 0
2018-02-01 17:38:01   tls_timeout = 2
2018-02-01 17:38:01   renegotiate_bytes = -1
2018-02-01 17:38:01   renegotiate_packets = 0
2018-02-01 17:38:01   renegotiate_seconds = 3600
2018-02-01 17:38:01   handshake_window = 60
2018-02-01 17:38:01   transition_window = 3600
2018-02-01 17:38:01   single_session = DISABLED
2018-02-01 17:38:01   push_peer_info = DISABLED
2018-02-01 17:38:01   tls_exit = DISABLED
2018-02-01 17:38:01   tls_auth_file = '[[INLINE]]'
2018-02-01 17:38:01   tls_crypt_file = '[UNDEF]'
2018-02-01 17:38:01   client = ENABLED
2018-02-01 17:38:01   pull = ENABLED
2018-02-01 17:38:01   auth_user_pass_file = '[UNDEF]'
2018-02-01 17:38:01 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-d51333c645c12713+] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 26 2017
2018-02-01 17:38:01 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
2018-02-01 17:38:12 MANAGEMENT: CMD 'signal SIGINT'
2018-02-01 17:38:12 Signal received from management interface, exiting
2018-02-01 17:38:12 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.
2018-02-01 17:38:12 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.

Add

log /tmp/openvpn.log
verb 9

to your openvpn config. That will generate log you can post.

verb 5 is all that's needed in the server config

verb 5 was not working, so I tried dziny's suggestion:

Openvpn server log:

Thu Feb  1 20:32:44 2018 us=536238 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Feb  1 20:32:44 2018 us=536320 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Thu Feb  1 20:32:44 2018 us=537151 Diffie-Hellman initialized with 2048 bit key
Thu Feb  1 20:32:44 2018 us=538243 TLS-Auth MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:32:44 2018 us=538931 TUN/TAP device ovpns0 opened
Thu Feb  1 20:32:44 2018 us=539011 TUN/TAP TX queue length set to 100
Thu Feb  1 20:32:44 2018 us=539062 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Feb  1 20:32:44 2018 us=539134 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Thu Feb  1 20:32:44 2018 us=544717 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:32:44 2018 us=544805 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Feb  1 20:32:44 2018 us=544865 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Feb  1 20:32:44 2018 us=544919 Listening for incoming TCP connection on [AF_INET][undef]:1194
Thu Feb  1 20:32:44 2018 us=544972 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Thu Feb  1 20:32:44 2018 us=545011 TCPv4_SERVER link remote: [AF_UNSPEC]
Thu Feb  1 20:32:44 2018 us=545053 MULTI: multi_init called, r=256 v=256
Thu Feb  1 20:32:44 2018 us=545122 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Thu Feb  1 20:32:44 2018 us=545196 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Feb  1 20:32:44 2018 us=545289 Initialization Sequence Completed
Thu Feb  1 20:32:44 2018 us=545428  read from TUN/TAP returned 76
Thu Feb  1 20:32:44 2018 us=570087  read from TUN/TAP returned 76
Thu Feb  1 20:32:44 2018 us=969969  read from TUN/TAP returned 76
Thu Feb  1 20:32:45 2018 us=200000  read from TUN/TAP returned 76
Thu Feb  1 20:32:53 2018 us=235680 MULTI: multi_create_instance called
Thu Feb  1 20:32:53 2018 us=235829 Re-using SSL/TLS context
Thu Feb  1 20:32:53 2018 us=235878 LZO compression initializing
Thu Feb  1 20:32:53 2018 us=236098 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:32:53 2018 us=236188 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:32:53 2018 us=236246 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:32:53 2018 us=236285 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:32:53 2018 us=236361 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:32:53 2018 us=236399 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:32:53 2018 us=236455 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:32:53 2018 us=236492 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:32:53 2018 us=236562 TCP connection established with [AF_INET]X.X.X.X:33354
Thu Feb  1 20:32:53 2018 us=236602 TCP_SERVER link local: (not bound)
Thu Feb  1 20:32:53 2018 us=236648 TCP_SERVER link remote: [AF_INET]X.X.X.X:33354
Thu Feb  1 20:32:53 2018 us=535830 X.X.X.X:33354 TCP_SERVER read returned 42
Thu Feb  1 20:32:53 2018 us=535944 X.X.X.X:33354 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33354: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=d7b715e9 aedc7eae [ 1897339418 2864812131 3997836989 1137368410 169910784 346 1937340160 0 ]
Thu Feb  1 20:32:53 2018 us=536003 X.X.X.X:33354 TLS: Initial packet from [AF_INET]X.X.X.X:33354, sid=d7b715e9 aedc7eae
Thu Feb  1 20:32:53 2018 us=536044 X.X.X.X:33354 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:32:53 2018 us=536094 X.X.X.X:33354 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:32:53 2018 us=536133 X.X.X.X:33354 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:32:53 2018 us=536256 TCP/UDP: Closing socket
Thu Feb  1 20:33:00 2018 us=835411 MULTI: multi_create_instance called
Thu Feb  1 20:33:00 2018 us=835553 Re-using SSL/TLS context
Thu Feb  1 20:33:00 2018 us=835603 LZO compression initializing
Thu Feb  1 20:33:00 2018 us=835776 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:00 2018 us=835852 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:00 2018 us=835942 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:00 2018 us=835983 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:00 2018 us=836055 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:00 2018 us=836093 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:00 2018 us=836148 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:00 2018 us=836185 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:00 2018 us=836249 TCP connection established with [AF_INET]X.X.X.X:33355
Thu Feb  1 20:33:00 2018 us=836288 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:00 2018 us=836329 TCP_SERVER link remote: [AF_INET]X.X.X.X:33355
Thu Feb  1 20:33:01 2018 us=223196 X.X.X.X:33355 TCP_SERVER read returned 42
Thu Feb  1 20:33:01 2018 us=223314 X.X.X.X:33355 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33355: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=0d3e51b8 7e4834f4 [ 4113720783 1029741513 3022168451 3348788222 987409408 346 1937341952 0 ]
Thu Feb  1 20:33:01 2018 us=223375 X.X.X.X:33355 TLS: Initial packet from [AF_INET]X.X.X.X:33355, sid=0d3e51b8 7e4834f4
Thu Feb  1 20:33:01 2018 us=223417 X.X.X.X:33355 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:01 2018 us=223471 X.X.X.X:33355 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:01 2018 us=223510 X.X.X.X:33355 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:01 2018 us=223629 TCP/UDP: Closing socket
Thu Feb  1 20:33:11 2018 us=590674 MULTI: multi_create_instance called
Thu Feb  1 20:33:11 2018 us=590809 Re-using SSL/TLS context
Thu Feb  1 20:33:11 2018 us=590858 LZO compression initializing
Thu Feb  1 20:33:11 2018 us=591041 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:11 2018 us=591122 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:11 2018 us=591177 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:11 2018 us=591215 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:11 2018 us=591282 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:11 2018 us=591319 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:11 2018 us=591374 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:11 2018 us=591410 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:11 2018 us=591478 TCP connection established with [AF_INET]X.X.X.X:33356
Thu Feb  1 20:33:11 2018 us=591518 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:11 2018 us=591559 TCP_SERVER link remote: [AF_INET]X.X.X.X:33356
Thu Feb  1 20:33:11 2018 us=870082 X.X.X.X:33356 TCP_SERVER read returned 42
Thu Feb  1 20:33:11 2018 us=870190 X.X.X.X:33356 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33356: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=f9a9545a 595f45ce [ 2964377152 852077731 3746216662 4202494899 2001741568 346 1937344768 0 ]
Thu Feb  1 20:33:11 2018 us=870256 X.X.X.X:33356 TLS: Initial packet from [AF_INET]X.X.X.X:33356, sid=f9a9545a 595f45ce
Thu Feb  1 20:33:11 2018 us=870299 X.X.X.X:33356 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:11 2018 us=870352 X.X.X.X:33356 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:11 2018 us=870391 X.X.X.X:33356 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:11 2018 us=870504 TCP/UDP: Closing socket
Thu Feb  1 20:33:16 2018 us=851144 MULTI: multi_create_instance called
Thu Feb  1 20:33:16 2018 us=851280 Re-using SSL/TLS context
Thu Feb  1 20:33:16 2018 us=851329 LZO compression initializing
Thu Feb  1 20:33:16 2018 us=851504 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:16 2018 us=851579 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:16 2018 us=851637 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:16 2018 us=851675 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:16 2018 us=851742 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:16 2018 us=851781 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:16 2018 us=851836 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:16 2018 us=851873 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:16 2018 us=851937 TCP connection established with [AF_INET]X.X.X.X:33357
Thu Feb  1 20:33:16 2018 us=851975 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:16 2018 us=852017 TCP_SERVER link remote: [AF_INET]X.X.X.X:33357
Thu Feb  1 20:33:17 2018 us=595028 X.X.X.X:33357 TCP_SERVER read returned 42
Thu Feb  1 20:33:17 2018 us=595146 X.X.X.X:33357 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33357: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=c3c38ca5 3fd896ce [ 2664788199 615180072 1390340468 937328838 3186128896 346 1937346304 0 ]
Thu Feb  1 20:33:17 2018 us=595208 X.X.X.X:33357 TLS: Initial packet from [AF_INET]X.X.X.X:33357, sid=c3c38ca5 3fd896ce
Thu Feb  1 20:33:17 2018 us=595250 X.X.X.X:33357 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:17 2018 us=595303 X.X.X.X:33357 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:17 2018 us=595343 X.X.X.X:33357 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:17 2018 us=595461 TCP/UDP: Closing socket
Thu Feb  1 20:33:24 2018 us=961553 MULTI: multi_create_instance called
Thu Feb  1 20:33:24 2018 us=961688 Re-using SSL/TLS context
Thu Feb  1 20:33:24 2018 us=961742 LZO compression initializing
Thu Feb  1 20:33:24 2018 us=961923 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:24 2018 us=962001 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:24 2018 us=962055 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:24 2018 us=962093 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:24 2018 us=962159 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:24 2018 us=962196 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:24 2018 us=962254 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:24 2018 us=962292 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:24 2018 us=962363 TCP connection established with [AF_INET]X.X.X.X:33358
Thu Feb  1 20:33:24 2018 us=962405 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:24 2018 us=962451 TCP_SERVER link remote: [AF_INET]X.X.X.X:33358
Thu Feb  1 20:33:25 2018 us=330885 X.X.X.X:33358 TCP_SERVER read returned 42
Thu Feb  1 20:33:25 2018 us=330987 X.X.X.X:33358 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33358: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=ec4d0765 028c33b3 [ 828900258 271948470 3789509320 1801071330 1129668096 346 1937348096 0 ]
Thu Feb  1 20:33:25 2018 us=331046 X.X.X.X:33358 TLS: Initial packet from [AF_INET]X.X.X.X:33358, sid=ec4d0765 028c33b3
Thu Feb  1 20:33:25 2018 us=331085 X.X.X.X:33358 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:25 2018 us=331135 X.X.X.X:33358 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:25 2018 us=331178 X.X.X.X:33358 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:25 2018 us=331292 TCP/UDP: Closing socket
Thu Feb  1 20:33:31 2018 us=167979 MULTI: multi_create_instance called
Thu Feb  1 20:33:31 2018 us=168110 Re-using SSL/TLS context
Thu Feb  1 20:33:31 2018 us=168159 LZO compression initializing
Thu Feb  1 20:33:31 2018 us=168336 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:31 2018 us=168416 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:31 2018 us=168469 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:31 2018 us=168510 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:31 2018 us=168577 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:31 2018 us=168614 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:31 2018 us=168669 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:31 2018 us=168705 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:31 2018 us=168768 TCP connection established with [AF_INET]X.X.X.X:33359
Thu Feb  1 20:33:31 2018 us=168807 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:31 2018 us=168848 TCP_SERVER link remote: [AF_INET]X.X.X.X:33359
Thu Feb  1 20:33:31 2018 us=911008 X.X.X.X:33359 TCP_SERVER read returned 42
Thu Feb  1 20:33:31 2018 us=911116 X.X.X.X:33359 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33359: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=e47c08b2 0980bfeb [ 2154507713 1839281328 631901780 367760635 4229032960 346 1937349888 0 ]
Thu Feb  1 20:33:31 2018 us=911177 X.X.X.X:33359 TLS: Initial packet from [AF_INET]X.X.X.X:33359, sid=e47c08b2 0980bfeb
Thu Feb  1 20:33:31 2018 us=911217 X.X.X.X:33359 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:31 2018 us=911267 X.X.X.X:33359 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:31 2018 us=911311 X.X.X.X:33359 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:31 2018 us=911425 TCP/UDP: Closing socket
Thu Feb  1 20:33:46 2018 us=20672 MULTI: multi_create_instance called
Thu Feb  1 20:33:46 2018 us=20765 Re-using SSL/TLS context
Thu Feb  1 20:33:46 2018 us=20808 LZO compression initializing
Thu Feb  1 20:33:46 2018 us=20986 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Feb  1 20:33:46 2018 us=21068 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb  1 20:33:46 2018 us=21122 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:46 2018 us=21166 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:46 2018 us=21238 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb  1 20:33:46 2018 us=21276 calc_options_string_link_mtu: link-mtu 1624 -> 1544
Thu Feb  1 20:33:46 2018 us=21331 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb  1 20:33:46 2018 us=21367 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb  1 20:33:46 2018 us=21432 TCP connection established with [AF_INET]X.X.X.X:33360
Thu Feb  1 20:33:46 2018 us=21473 TCP_SERVER link local: (not bound)
Thu Feb  1 20:33:46 2018 us=21515 TCP_SERVER link remote: [AF_INET]X.X.X.X:33360
Thu Feb  1 20:33:46 2018 us=340953 X.X.X.X:33360 TCP_SERVER read returned 42
Thu Feb  1 20:33:46 2018 us=341058 X.X.X.X:33360 TCP_SERVER READ [42] from [AF_INET]X.X.X.X:33360: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=0d6f63a3 f8486c86 [ 3316259378 4076818278 176722422 4165536446 626409984 346 1937353472 0 ]
Thu Feb  1 20:33:46 2018 us=341117 X.X.X.X:33360 TLS: Initial packet from [AF_INET]X.X.X.X:33360, sid=0d6f63a3 f8486c86
Thu Feb  1 20:33:46 2018 us=341156 X.X.X.X:33360 TLS Error: reading acknowledgement record from packet
Thu Feb  1 20:33:46 2018 us=341205 X.X.X.X:33360 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb  1 20:33:46 2018 us=341245 X.X.X.X:33360 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb  1 20:33:46 2018 us=341362 TCP/UDP: Closing socket

I was stating that the verbosity for the server log doesn't need to be more than 5, as anything above that will log r/w access, which is not needed.

Whomever wrote that wiki obviously never bothered testing it, since it puts forth an improperly configured server config, hence your problems.

Please replace your server config with the following (double check I imported everything correctly)

config openvpn 'VPNserver'
    option  enabled             1

    # Protocol #
#------------------------------------------------
    option  dev                 'tun'
    option  dev                 'ovpns0'
    option  topology            'subnet'
    option  proto               'tcp'
    option  port                1194

    # Routes #
#------------------------------------------------
    option  server              '192.168.200.0 255.255.255.0'
    option  ifconfig            '192.168.200.1 255.255.255.0'
    option  route_gateway       'dhcp'

    # Client Config #
#------------------------------------------------
    #   option  ccd_exclusive           1
    #   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
    #   option  client_config_dir       '/etc/openvpn/clients/'

    # Pushed Routes #
#------------------------------------------------
    list    push                'route 192.168.1.0 255.255.255.0'
    list    push                'dhcp-option    DNS 192.168.1.1'
    list    push                'dhcp-option    WINS 192.168.1.1'
    list    push                'dhcp-option    DNS 208.67.222.123'
    list    push                'dhcp-option    DNS 208.67.220.123'
    list    push                'dhcp-option    NTP 129.6.15.30'

    # Pushed Gateways #
#------------------------------------------------
    list    push                'route-gateway    dhcp'
    list    push                'redirect-gateway def1'

    # Encryption #
#------------------------------------------------
    # Diffie-Hellman:
    option  dh                  '/etc/openvpn/dh2048.pem'

    # PKCS12:
    #   option  pkcs12             '/etc/openvpn/my-server.p12'

    # SSL:
    option  cipher              AES-256-CBC
    option  auth                'SHA256'
    option  tls_auth            '/etc/openvpn/tls-auth.key 0'

    # TLS:
    option  tls_server          1
    option  tls_version_min     1.2
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'

    # X509:
    option  ca                  '/etc/openvpn/ca.crt'
    option  cert                '/etc/openvpn/my-server.crt'
    option  key                 '/etc/openvpn/my-server.key'

    # Logging #
#------------------------------------------------
    option  log_append          '/tmp/openvpn.log'
    option  status              '/tmp/openvpn-status.log'
    option  verb                5

    # Connection Options #
#------------------------------------------------
    option  keepalive           '10 120'
    option  comp_lzo            'yes'

    # Connection Reliability #
#------------------------------------------------
    option  client_to_client    1
    option  persist_key         1
    option  persist_tun         1

    # Connection Speed #
#------------------------------------------------
    option  sndbuf              393216
    option  rcvbuf              393216
    option  fragment            0
    option  mssfix              0
    option  tun_mtu             48000

    # Pushed Buffers #
#------------------------------------------------
    list    push                'sndbuf 393216'
    list    push                'rcvbuf 393216'

    # Permissions #
#------------------------------------------------
    option  user                'nobody'
    option  group               'nogroup'
  • You need to do some additional steps.
    • Generate TLS-Auth key
      • You will need to save this at /etc/openvpn/tls-auth.key

Please replace your client config with the following:

# Config Type #
#------------------------------------------------
client

# Connection  #
#------------------------------------------------
dev tun
proto tcp
remote your.ddns.com 1194

# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000

# Reliability #
#------------------------------------------------
float
nobind
comp-lzo

persist-key
persist-tun
resolv-retry infinite

# Encryption #
#------------------------------------------------
auth SHA256
auth-nocache

# --- SSL --- #
cipher AES-256-CBC

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

# --- TLS --- #
key-direction 1
tls-version-min 1.2

remote-cert-eku 'TLS Web Server Authentication'

<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

# Logging #
#------------------------------------------------
verb 7
  • I've never bothered inlining certs since I use PKCS12's, however I'm almost positive the openssl x509 output is not what goes inline; instead, the text output of the cert is what should go inline (i.e. open cert/key in a text editor, copy & paste)

  • The output of the tls-auth.key goes inline within the xml space for it.

Additionally, it is pointless to utilize a 4096bit key, as 2048bit will remain unbreakable until at least 2030. 4096bit keys to secure a VPN tunnel serve zero purpose, doing nothing other than serving to stress the CPUs of the server and client(s), along with massively slowing throughput

Is it a subjective opinion or has there been some testing done on consumer-grade hardware?

No, anyone can test the speeds: openssl speed rsa

  • There's literally no benefit to utilizing 4096bit keys, as there's not a single existing supercomputer than can break 2048bit. Even the NSA recommends 2048bit, with 3072bit starting this year or next for TS/SCI data. Last I read about it, 2048bit would remain unbreakable until at least 2030.
    • If someone was super paranoid, simply have the session renegotiate keys every 30 - 60min

  • Windows 10, 4C/8T, i7-4710MQ
     PS D:\JW0914\Documents\GnuPG\Certs\Intermediate\WRT1900ACS\CA> openssl speed rsa
     WARNING: can't open config file: /etc/ssl/openssl.cnf
     Doing 512 bit private rsa's for 10s: 186457 512 bit private RSA's in 9.97s
     Doing 512 bit public rsa's for 10s: 2403931 512 bit public RSA's in 10.00s
     Doing 1024 bit private rsa's for 10s: 68154 1024 bit private RSA's in 10.00s
     Doing 1024 bit public rsa's for 10s: 1018930 1024 bit public RSA's in 9.98s
     Doing 2048 bit private rsa's for 10s: 14808 2048 bit private RSA's in 9.98s
     Doing 2048 bit public rsa's for 10s: 330324 2048 bit public RSA's in 9.98s
     Doing 4096 bit private rsa's for 10s: 1438 4096 bit private RSA's in 10.00s
     Doing 4096 bit public rsa's for 10s: 92898 4096 bit public RSA's in 10.02s
    
     OpenSSL 1.0.2l  25 May 2017
     built on: reproducible build, date unspecified
     options:bn(64,64) rc4(16x,int) des(idx,cisc,2,long) aes(partial) idea(int) blowfish(idx)
     compiler: x86_64-w64-mingw32-gcc -I. -I.. -I../include  -D_WINDLL -DOPENSSL_PIC -DOPENSSL_THREADS -D_MT -DDSO_WIN32 -static-libgcc -DL_ENDIAN -O3 -Wall -DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    
                       sign    verify    sign/s verify/s
     rsa  512 bits 0.000053s 0.000004s  18704.2 240393.1
     rsa 1024 bits 0.000147s 0.000010s   6815.4 102052.5
     rsa 2048 bits 0.000674s 0.000030s   1483.1  33084.1
     rsa 4096 bits 0.006954s 0.000108s    143.8   9275.3
    

  • Linksys WRT1900ACS [4.9.52-2017.10.01, r4964-25abd71efb)]

     [root@LEDE] ~ # openssl speed rsa
     WARNING: can't open config file: /etc/ssl/openssl.cnf
     Doing 512 bit private rsa's for 10s: 19561 512 bit private RSA's in 10.00s
     Doing 512 bit public rsa's for 10s: 187634 512 bit public RSA's in 10.00s
     Doing 1024 bit private rsa's for 10s: 2770 1024 bit private RSA's in 10.00s
     Doing 1024 bit public rsa's for 10s: 59677 1024 bit public RSA's in 10.00s
     Doing 2048 bit private rsa's for 10s: 421 2048 bit private RSA's in 10.01s
     Doing 2048 bit public rsa's for 10s: 16307 2048 bit public RSA's in 10.00s
     Doing 4096 bit private rsa's for 10s: 62 4096 bit private RSA's in 10.16s
     Doing 4096 bit public rsa's for 10s: 4224 4096 bit public RSA's in 10.00s
    
     OpenSSL 1.0.2l  25 May 2017
     built on: reproducible build, date unspecified
     options:bn(64,32) rc4(ptr,char) des(idx,cisc,2,long) aes(partial) blowfish(ptr)
     compiler: arm-openwrt-linux-muslgnueabi-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/jw/lede/source/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/usr/include -I/home/jw/lede/source/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/include -I/home/jw/lede/source/staging_dir/toolchain-arm_cortex-a9+vfpv3_gcc-5.4.0_musl_eabi/usr/include -I/home/jw/lede/source/staging_dir/toolchain-arm_cortex-a9+vfpv3_gcc-5.4.0_musl_eabi/include/fortify -I/home/jw/lede/source/staging_dir/toolchain-arm_cortex-a9+vfpv3_gcc-5.4.0_musl_eabi/include -znow -zrelro -DOPENSSL_SMALL_FOOTPRINT -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DOPENSSL_NO_ERR -DTERMIOS -Os -pipe -mcpu=cortex-a9 -mfpu=vfpv3-d16 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -mfloat-abi=hard -iremap/home/jw/lede/source/build_dir/target-arm_cortex-a9+vfpv3_musl_eabi/openssl-1.0.2l:openssl-1.0.2l -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -fpic -I/home/jw/lede/source/package/libs/openssl/include -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
    
                       sign    verify    sign/s verify/s
     rsa  512 bits 0.000511s 0.000053s   1956.1  18763.4
     rsa 1024 bits 0.003610s 0.000168s    277.0   5967.7
     rsa 2048 bits 0.023777s 0.000613s     42.1   1630.7
     rsa 4096 bits 0.163871s 0.002367s      6.1    422.4
    

I was copying over the server openvpn file, but the openvpn service cannot be started. Clicking on the start button in LUCI does nothing,

Troubleshooting should be done via cli, not LuCI. To restart OpenVPN: /etc/init.d/openvpn restart.

If it's the first time restarting it since changing the config, issue the following:

  • /etc/init.d/openvpn restart ; sleep 2 ; cat /tmp/openvpn.log
    • This will show if any errors prevented OpenVPN from restarting

If I temporarily add the old server config, that one starts/stops/restarts as expected.

This is the error log for the new server config:

root@LEDE:~# /etc/init.d/openvpn restart ; sleep 2 ; cat /tmp/openvpn.log
Sat Feb  3 20:58:00 2018 us=193934 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]          [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb  3 20:58:00 2018 us=194014 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sat Feb  3 20:58:00 2018 us=194817 Diffie-Hellman initialized with 2048 bit key
Sat Feb  3 20:58:00 2018 us=196108 TLS-Auth MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Feb  3 20:58:00 2018 us=199740 TUN/TAP device ovpns0 opened
Sat Feb  3 20:58:00 2018 us=199825 TUN/TAP TX queue length set to 100
Sat Feb  3 20:58:00 2018 us=199878 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Feb  3 20:58:00 2018 us=199949 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1         500 broadcast 192.168.200.255
Sat Feb  3 20:58:00 2018 us=203251 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3          ]
Sat Feb  3 20:58:00 2018 us=203340 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Feb  3 20:58:00 2018 us=203396 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Feb  3 20:58:00 2018 us=203448 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sat Feb  3 20:58:00 2018 us=203496 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sat Feb  3 20:58:00 2018 us=203534 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Feb  3 20:58:00 2018 us=203575 MULTI: multi_init called, r=256 v=256
Sat Feb  3 20:58:00 2018 us=203644 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Sat Feb  3 20:58:00 2018 us=203715 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Feb  3 20:58:00 2018 us=203806 Initialization Sequence Completed
Sat Feb  3 20:58:00 2018 us=203952  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=222001  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=491861  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=531872  read from TUN/TAP returned 76
Sat Feb  3 21:01:44 2018 us=96693 TCP/UDP: Closing socket
Sat Feb  3 21:01:44 2018 us=96829 Closing TUN/TAP interface
Sat Feb  3 21:01:44 2018 us=96881 /sbin/ifconfig ovpns0 0.0.0.0
Sat Feb  3 21:01:44 2018 us=141946 SIGTERM[hard,] received, process exiting
only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap

You're not using the config I posted, or the copy and paste went awry... please post /etc/config/openvpn

I create and edit these files with WinSCP if that makes any difference. All I did was copy and paste the config you posted earlier to the location.

This is the current /etc/config/openvpn i have just extracted:

config openvpn 'VPNserver'
    option  enabled             1

    # Protocol #
#------------------------------------------------
    option  dev                 'tun'
    option  dev                 'tun0'
    option  topology            'subnet'
    option  proto               'tcp'
    option  port                'ovpns0'

    # Routes #
#------------------------------------------------
    option  server              '192.168.200.0 255.255.255.0'
    option  ifconfig            '192.168.200.1 255.255.255.0'
    option  route_gateway       'dhcp'

    # Client Config #
#------------------------------------------------
    #   option  ccd_exclusive           1
    #   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
    #   option  client_config_dir       '/etc/openvpn/clients/'

    # Pushed Routes #
#------------------------------------------------
    list    push                'route 192.168.1.0 255.255.255.0'
    list    push                'dhcp-option    DNS 192.168.1.1'
    list    push                'dhcp-option    WINS 192.168.1.1'
    list    push                'dhcp-option    DNS 208.67.222.123'
    list    push                'dhcp-option    DNS 208.67.220.123'
    list    push                'dhcp-option    NTP 129.6.15.30'

    # Pushed Gateways #
#------------------------------------------------
    list    push                'route-gateway    dhcp'
    list    push                'redirect-gateway def1'

    # Encryption #
#------------------------------------------------
    # Diffie-Hellman:
    option  dh                  '/etc/openvpn/dh2048.pem'

    # PKCS12:
    #   option  pkcs12             '/etc/openvpn/my-server.p12'

    # SSL:
    option  cipher              AES-256-CBC
    option  auth                'SHA256'
    option  tls_auth            '/etc/openvpn/tls-auth.key 0'

    # TLS:
    option  tls_server          1
    option  tls_version_min     1.2
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'

    # X509:
    option  ca                  '/etc/openvpn/ca.crt'
    option  cert                '/etc/openvpn/my-server.crt'
    option  key                 '/etc/openvpn/my-server.key'

    # Logging #
#------------------------------------------------
    option  log_append          '/tmp/openvpn.log'
    option  status              '/tmp/openvpn-status.log'
    option  verb                5

    # Connection Options #
#------------------------------------------------
    option  keepalive           '10 120'
    option  comp_lzo            'yes'

    # Connection Reliability #
#------------------------------------------------
    option  client_to_client    1
    option  persist_key         1
    option  persist_tun         1

    # Connection Speed #
#------------------------------------------------
    option  sndbuf              393216
    option  rcvbuf              393216
    option  fragment            0
    option  mssfix              0
    option  tun_mtu             48000

    # Pushed Buffers #
#------------------------------------------------
    list    push                'sndbuf 393216'
    list    push                'rcvbuf 393216'

    # Permissions #
#------------------------------------------------
    option  user                'nobody'
    option  group               'nogroup'

My bad, I mistyped a setting and doesn't look like you caught it when you double checked if I ported everything over correctly.

Change:

  • option dev 'tun0' to option dev 'ovpns0'
  • option port 'ovpns0' to option port 1194

Please verify if all the parameters, especially the network IPs, match your environment.

  • 192.168.1.0/24 subnet
  • 192.168.200.0/24 subnet

I also updated my post with the configs

Are those network addresses not just the ones that will be assigned for the VPN server/client? Therefore independent of my internal LAN addresses (my internal LAN is a 10.x.x.x range).

After making the changes, restarting vpn from command line, this is the openvpn.log:

Sat Feb  3 20:58:00 2018 us=193934 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb  3 20:58:00 2018 us=194014 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sat Feb  3 20:58:00 2018 us=194817 Diffie-Hellman initialized with 2048 bit key
Sat Feb  3 20:58:00 2018 us=196108 TLS-Auth MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Feb  3 20:58:00 2018 us=199740 TUN/TAP device ovpns0 opened
Sat Feb  3 20:58:00 2018 us=199825 TUN/TAP TX queue length set to 100
Sat Feb  3 20:58:00 2018 us=199878 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Feb  3 20:58:00 2018 us=199949 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Sat Feb  3 20:58:00 2018 us=203251 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Feb  3 20:58:00 2018 us=203340 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Feb  3 20:58:00 2018 us=203396 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Feb  3 20:58:00 2018 us=203448 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sat Feb  3 20:58:00 2018 us=203496 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sat Feb  3 20:58:00 2018 us=203534 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Feb  3 20:58:00 2018 us=203575 MULTI: multi_init called, r=256 v=256
Sat Feb  3 20:58:00 2018 us=203644 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Sat Feb  3 20:58:00 2018 us=203715 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Feb  3 20:58:00 2018 us=203806 Initialization Sequence Completed
Sat Feb  3 20:58:00 2018 us=203952  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=222001  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=491861  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=531872  read from TUN/TAP returned 76
Sat Feb  3 21:01:44 2018 us=96693 TCP/UDP: Closing socket
Sat Feb  3 21:01:44 2018 us=96829 Closing TUN/TAP interface
Sat Feb  3 21:01:44 2018 us=96881 /sbin/ifconfig ovpns0 0.0.0.0
Sat Feb  3 21:01:44 2018 us=141946 SIGTERM[hard,] received, process exiting
only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.

Something isn't right with your config encoding or EOLs, or gateway redirect is improperly configured, as this is what the log should resemble, and should generate "No valid translation" errors for the TLS ciphers I disabled:

[root@LEDE] ~ # /etc/init.d/openvpn restart ; sleep 2 ; cat /tmp/vpnsec-server.log
Sat Feb  3 15:26:04 2018 us=606624 OpenVPN 2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb  3 15:26:04 2018 us=606910 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sat Feb  3 15:26:04 2018 us=609137 Diffie-Hellman initialized with 2048 bit key
Sat Feb  3 15:26:04 2018 us=609396 No valid translation found for TLS cipher '!aNULL'
Sat Feb  3 15:26:04 2018 us=609545 No valid translation found for TLS cipher '!eNULL'
Sat Feb  3 15:26:04 2018 us=609715 No valid translation found for TLS cipher '!3DES'
Sat Feb  3 15:26:04 2018 us=609850 No valid translation found for TLS cipher '!MD5'
Sat Feb  3 15:26:04 2018 us=609987 No valid translation found for TLS cipher '!SHA'
Sat Feb  3 15:26:04 2018 us=610154 No valid translation found for TLS cipher '!PSK'
Sat Feb  3 15:26:04 2018 us=610321 No valid translation found for TLS cipher '!DSS'
Sat Feb  3 15:26:04 2018 us=610463 No valid translation found for TLS cipher '!RC4'
Sat Feb  3 15:26:04 2018 us=657073 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Feb  3 15:26:04 2018 us=657230 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Feb  3 15:26:04 2018 us=657368 TLS-Auth MTU parms [ L:48122 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sat Feb  3 15:26:04 2018 us=683084 TUN/TAP device tun1 opened
Sat Feb  3 15:26:04 2018 us=683263 TUN/TAP TX queue length set to 100
Sat Feb  3 15:26:04 2018 us=683440 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Feb  3 15:26:04 2018 us=683907 /sbin/ifconfig tun1 10.10.3.1 netmask 255.255.255.248 mtu 48000 broadcast 10.10.3.7
Sat Feb  3 15:26:04 2018 us=697828 Data Channel MTU parms [ L:48122 D:48122 EF:122 EB:8156 ET:0 EL:3 ]
Sat Feb  3 15:26:04 2018 us=698162 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Feb  3 15:26:04 2018 us=698321 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Feb  3 15:26:04 2018 us=698503 UDPv4 link local (bound): [AF_INET][undef]:50950
Sat Feb  3 15:26:04 2018 us=698632 UDPv4 link remote: [AF_UNSPEC]
Sat Feb  3 15:26:04 2018 us=698754 GID set to nogroup
Sat Feb  3 15:26:04 2018 us=698882 UID set to nobody
Sat Feb  3 15:26:04 2018 us=699006 MULTI: multi_init called, r=256 v=256
Sat Feb  3 15:26:04 2018 us=699173 IFCONFIG POOL: base=10.10.3.2 size=4, ipv6=0
Sat Feb  3 15:26:04 2018 us=699321 IFCONFIG POOL LIST
Sat Feb  3 15:26:04 2018 us=700163 Initialization Sequence Completed

In order to narrow down the issue, please disable the 3 options for gateway redirect:

    #option  route_gateway       'dhcp'
    #list    push                'route-gateway    dhcp'
    #list    push                'redirect-gateway def1'

then issue:
cd /etc/config ; mv openvpn openvpn.bak ; cat openvpn.bak > openvpn ; /etc/init.d/openvpn restart ; sleep 2 ; cat /tmp/openvpn.log


  • option server '192.168.200.0 255.255.255.0': OpenVPN subnet
  • option ifconfig '192.168.200.1 255.255.255.0': OpenVPN server IP
  • list push 'route 192.168.1.0 255.255.255.0': LAN or other network subnet you want accessible to clients
  • list push 'dhcp-option DNS 192.168.1.1': DNS Server for clients accessing LAN or other network subnet
  • list push 'dhcp-option WINS 192.168.1.1': Windows clients sometimes need a WINS address specified, of which will always be the DNS server IP for the LAN or other network subnet

Please also post your network config: /etc/config/network

This is the error log after disabling those three lines:

Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.

Yes, I cannot see an issue with the network IP addresses.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1d:9152:16f0::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.10.10.10'
	option _orig_ifname 'eth0.1 radio0.network1 radio1.network1'
	option _orig_bridge 'true'
	option dns '8.8.8.8'
	option ifname 'eth0 eth0.1'

config interface 'wan'
	option ifname 'eth1.2'
	option _orig_ifname 'eth1.2'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '172.16.0.2'
	option netmask '255.255.255.0'
	option gateway '172.16.0.1'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config interface 'Guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option dns '8.8.8.8'

config interface 'vpnserver'
	option proto 'none'
	option ifname 'ovpns0'
	option auto '1'

There is no server directive, as that error refers to option mode 'server', of which is not needed and is not in my config...

At this point, I'd recommend following a known working wiki, else @stangri needs to troubleshoot since it's his wiki you followed, and is a wiki he still has not fixed.