If I temporarily add the old server config, that one starts/stops/restarts as expected.
This is the error log for the new server config:
root@LEDE:~# /etc/init.d/openvpn restart ; sleep 2 ; cat /tmp/openvpn.log
Sat Feb 3 20:58:00 2018 us=193934 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb 3 20:58:00 2018 us=194014 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Sat Feb 3 20:58:00 2018 us=194817 Diffie-Hellman initialized with 2048 bit key
Sat Feb 3 20:58:00 2018 us=196108 TLS-Auth MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Feb 3 20:58:00 2018 us=199740 TUN/TAP device ovpns0 opened
Sat Feb 3 20:58:00 2018 us=199825 TUN/TAP TX queue length set to 100
Sat Feb 3 20:58:00 2018 us=199878 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Feb 3 20:58:00 2018 us=199949 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Sat Feb 3 20:58:00 2018 us=203251 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Feb 3 20:58:00 2018 us=203340 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Feb 3 20:58:00 2018 us=203396 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Feb 3 20:58:00 2018 us=203448 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sat Feb 3 20:58:00 2018 us=203496 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sat Feb 3 20:58:00 2018 us=203534 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Feb 3 20:58:00 2018 us=203575 MULTI: multi_init called, r=256 v=256
Sat Feb 3 20:58:00 2018 us=203644 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Sat Feb 3 20:58:00 2018 us=203715 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Feb 3 20:58:00 2018 us=203806 Initialization Sequence Completed
Sat Feb 3 20:58:00 2018 us=203952 read from TUN/TAP returned 76
Sat Feb 3 20:58:00 2018 us=222001 read from TUN/TAP returned 76
Sat Feb 3 20:58:00 2018 us=491861 read from TUN/TAP returned 76
Sat Feb 3 20:58:00 2018 us=531872 read from TUN/TAP returned 76
Sat Feb 3 21:01:44 2018 us=96693 TCP/UDP: Closing socket
Sat Feb 3 21:01:44 2018 us=96829 Closing TUN/TAP interface
Sat Feb 3 21:01:44 2018 us=96881 /sbin/ifconfig ovpns0 0.0.0.0
Sat Feb 3 21:01:44 2018 us=141946 SIGTERM[hard,] received, process exiting
only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Are those network addresses not just the ones that will be assigned for the VPN server/client? Therefore independent of my internal LAN addresses (my internal LAN is a 10.x.x.x range).
After making the changes, restarting vpn from command line, this is the openvpn.log:
Sat Feb 3 20:58:00 2018 us=193934 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb 3 20:58:00 2018 us=194014 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Sat Feb 3 20:58:00 2018 us=194817 Diffie-Hellman initialized with 2048 bit key
Sat Feb 3 20:58:00 2018 us=196108 TLS-Auth MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Feb 3 20:58:00 2018 us=199740 TUN/TAP device ovpns0 opened
Sat Feb 3 20:58:00 2018 us=199825 TUN/TAP TX queue length set to 100
Sat Feb 3 20:58:00 2018 us=199878 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Feb 3 20:58:00 2018 us=199949 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Sat Feb 3 20:58:00 2018 us=203251 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Feb 3 20:58:00 2018 us=203340 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Feb 3 20:58:00 2018 us=203396 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Feb 3 20:58:00 2018 us=203448 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sat Feb 3 20:58:00 2018 us=203496 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sat Feb 3 20:58:00 2018 us=203534 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Feb 3 20:58:00 2018 us=203575 MULTI: multi_init called, r=256 v=256
Sat Feb 3 20:58:00 2018 us=203644 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Sat Feb 3 20:58:00 2018 us=203715 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Feb 3 20:58:00 2018 us=203806 Initialization Sequence Completed
Sat Feb 3 20:58:00 2018 us=203952 read from TUN/TAP returned 76
Sat Feb 3 20:58:00 2018 us=222001 read from TUN/TAP returned 76
Sat Feb 3 20:58:00 2018 us=491861 read from TUN/TAP returned 76
Sat Feb 3 20:58:00 2018 us=531872 read from TUN/TAP returned 76
Sat Feb 3 21:01:44 2018 us=96693 TCP/UDP: Closing socket
Sat Feb 3 21:01:44 2018 us=96829 Closing TUN/TAP interface
Sat Feb 3 21:01:44 2018 us=96881 /sbin/ifconfig ovpns0 0.0.0.0
Sat Feb 3 21:01:44 2018 us=141946 SIGTERM[hard,] received, process exiting
only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Something isn't right with your config encoding or EOLs, or gateway redirect is improperly configured, as this is what the log should resemble, and should generate "No valid translation" errors for the TLS ciphers I disabled:
[root@LEDE] ~ # /etc/init.d/openvpn restart ; sleep 2 ; cat /tmp/vpnsec-server.log
Sat Feb 3 15:26:04 2018 us=606624 OpenVPN 2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb 3 15:26:04 2018 us=606910 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Sat Feb 3 15:26:04 2018 us=609137 Diffie-Hellman initialized with 2048 bit key
Sat Feb 3 15:26:04 2018 us=609396 No valid translation found for TLS cipher '!aNULL'
Sat Feb 3 15:26:04 2018 us=609545 No valid translation found for TLS cipher '!eNULL'
Sat Feb 3 15:26:04 2018 us=609715 No valid translation found for TLS cipher '!3DES'
Sat Feb 3 15:26:04 2018 us=609850 No valid translation found for TLS cipher '!MD5'
Sat Feb 3 15:26:04 2018 us=609987 No valid translation found for TLS cipher '!SHA'
Sat Feb 3 15:26:04 2018 us=610154 No valid translation found for TLS cipher '!PSK'
Sat Feb 3 15:26:04 2018 us=610321 No valid translation found for TLS cipher '!DSS'
Sat Feb 3 15:26:04 2018 us=610463 No valid translation found for TLS cipher '!RC4'
Sat Feb 3 15:26:04 2018 us=657073 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Feb 3 15:26:04 2018 us=657230 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Feb 3 15:26:04 2018 us=657368 TLS-Auth MTU parms [ L:48122 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sat Feb 3 15:26:04 2018 us=683084 TUN/TAP device tun1 opened
Sat Feb 3 15:26:04 2018 us=683263 TUN/TAP TX queue length set to 100
Sat Feb 3 15:26:04 2018 us=683440 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Feb 3 15:26:04 2018 us=683907 /sbin/ifconfig tun1 10.10.3.1 netmask 255.255.255.248 mtu 48000 broadcast 10.10.3.7
Sat Feb 3 15:26:04 2018 us=697828 Data Channel MTU parms [ L:48122 D:48122 EF:122 EB:8156 ET:0 EL:3 ]
Sat Feb 3 15:26:04 2018 us=698162 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Feb 3 15:26:04 2018 us=698321 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Feb 3 15:26:04 2018 us=698503 UDPv4 link local (bound): [AF_INET][undef]:50950
Sat Feb 3 15:26:04 2018 us=698632 UDPv4 link remote: [AF_UNSPEC]
Sat Feb 3 15:26:04 2018 us=698754 GID set to nogroup
Sat Feb 3 15:26:04 2018 us=698882 UID set to nobody
Sat Feb 3 15:26:04 2018 us=699006 MULTI: multi_init called, r=256 v=256
Sat Feb 3 15:26:04 2018 us=699173 IFCONFIG POOL: base=10.10.3.2 size=4, ipv6=0
Sat Feb 3 15:26:04 2018 us=699321 IFCONFIG POOL LIST
Sat Feb 3 15:26:04 2018 us=700163 Initialization Sequence Completed
In order to narrow down the issue, please disable the 3 options for gateway redirect:
option server '192.168.200.0 255.255.255.0': OpenVPN subnet
option ifconfig '192.168.200.1 255.255.255.0': OpenVPN server IP
list push 'route 192.168.1.0 255.255.255.0': LAN or other network subnet you want accessible to clients
list push 'dhcp-option DNS 192.168.1.1': DNS Server for clients accessing LAN or other network subnet
list push 'dhcp-option WINS 192.168.1.1': Windows clients sometimes need a WINS address specified, which will always be the DNS server IP for the LAN or other network subnet
This is the error log after disabling those three lines:
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Yes, I cannot see an issue with the network IP addresses.
There is no server directive, as that error refers to option mode 'server', which is not needed and is not in my config...
At this point, I'd recommend following a known working wiki, else @stangri needs to troubleshoot since it's his wiki you followed, and it is a wiki he still has not fixed.
The guide that I did use just seemed easier (not knowing whether it works or not), so I followed that. I'll restore back to a backed up config with just my basic network running and follow the guide you linked.
config zone
	option name 'vpnserver'
	option network 'vpnserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src *
	option dest_port 1194
	option name 'Allow Forwarded OpenVPN Request -> Router'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src 'vpnserver'
	option src_ip '192.168.200.0/24'
	option dest_ip '10.10.10.0/24'
	option name 'Allow OpenVPN -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src 'vpnserver'
	option dest *
	option name 'Allow Forwarded OpenVPN -> Router'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	option src 'vpnserver'
	option src_ip '192.168.200.0/24'
	option dest 'lan'
	option name 'Allow OpenVPN (ICMP) -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src 'vpnserver'
	option src_ip '10.10.30.0/29'
	option dest 'wan'
	option name 'Allow OpenVPN (echo-request) -> WAN'

config forwarding
	option dest 'lan'
	option src 'vpnserver'

config forwarding
	option dest 'wan'
	option src 'vpnserver'
Now issue the following: cd /etc/init.d ; ./network restart ; ./dnsmasq restart ; ./odhcpd restart ; ./firewall restart ; ./openvpn restart ; sleep 2 ; cat /tmp/openvpn.log
If this doesn't resolve your issue, reboot, then check /tmp/openvpn.log, as the above is from a known working configuration. The only other thing that plays into this is the SSL certs.
Sorry for the late reply. JW: Unfortunately I had already reverted to a backup config before your last reply. Given that the guide I followed is not yours, I'm not sure if it is worth getting the config back to this stage or trying out your guide.
It doesn't matter which guide you follow, as the issues you were having, while initially due to information missing in the wiki you followed, were due to something in your environment, or user error, which I mentioned above. You were getting log output impossible to get if your openvpn server was utilizing the config I posted, as a known bug has existed in OpenVPN for years that causes disabled ciphers to barf an error in the logfile:
No valid translation found for TLS cipher '!<disabled cipher>'
which is something not shown in your log file, hence the config I posted wasn't being loaded by your openvpn server. OpenVPN devs were made aware of this issue years ago and since it's purely aesthetic, it will not be addressed.
Additionally, your original config was still being loaded into the openvpn server due to this error
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
as the server directive option mode server is not needed, and thereby not utilized in my configs, if:
option tls_server 1 is utilized
AND
EKU server-auth is specified in the server cert and EKU client-auth in the client cert
That error was generated with your initial config due to
option dev_type 'tun', which should be option dev 'tun'
After looking at the config in your OP again, it's likely you were still specifying
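The two failure modes JW points at in this reply and in the earlier one (a config file whose encoding or line endings stop the intended options from loading, and `option dev_type 'tun'` written where `option dev 'tun'` is required, which produces the "--server directive only makes sense with --dev tun or --dev tap" error) can be checked on the router before restarting the service. The script below is an added example, not code from this thread or from either wiki; the file names and the two sample UCI sections it writes are constructed for the demonstration. It prints one line per finding and returns non-zero when anything is wrong.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN UCI config for the
# problems discussed above. Returns 0 when clean, 1 when any finding is printed.
lint_openvpn_uci() {
    file="$1"
    rc=0

    # 1. CRLF (DOS) line endings: count carriage returns in the file.
    #    A trailing \r becomes part of every option value OpenVPN sees.
    crlf=$(tr -cd '\r' < "$file" | wc -c | tr -d ' ')
    if [ "$crlf" -gt 0 ]; then
        echo "$file: $crlf line(s) end in CRLF; strip them with: sed -i 's/\r\$//' $file"
        rc=1
    fi

    # 2. UTF-8 byte-order mark: the first three bytes are EF BB BF, which
    #    corrupts the first 'config' keyword.
    bom=$(head -c 3 "$file" | od -An -tx1 | tr -d ' \n')
    if [ "$bom" = "efbbbf" ]; then
        echo "$file: starts with a UTF-8 BOM; rewrite it without the BOM (e.g. tail -c +4 $file > $file.new)"
        rc=1
    fi

    # 3. 'option dev_type' present but 'option dev' absent: 'option server'
    #    requires --dev tun or --dev tap, and the UCI key for that is 'dev'.
    if grep -q "^[[:space:]]*option[[:space:]][[:space:]]*dev_type[[:space:]]" "$file" \
       && ! grep -q "^[[:space:]]*option[[:space:]][[:space:]]*dev[[:space:]]" "$file"; then
        echo "$file: has 'option dev_type' but no 'option dev'; 'option server' needs 'option dev tun' (or tap)"
        rc=1
    fi

    return $rc
}

# Constructed samples (assumed file names): one clean section, one with all
# three defects (BOM, CRLF endings, dev_type instead of dev).
make_samples() {
    dir=$(mktemp -d)
    printf "config openvpn 'vpnserver'\n\toption enabled '1'\n\toption dev 'tun'\n\toption server '192.168.200.0 255.255.255.0'\n" > "$dir/good"
    printf "\357\273\277config openvpn 'vpnserver'\r\n\toption enabled '1'\r\n\toption dev_type 'tun'\r\n\toption server '192.168.200.0 255.255.255.0'\r\n" > "$dir/bad"
    echo "$dir"
}

# Stand-alone run: lint both samples. On a router you would instead call
# lint_openvpn_uci /etc/config/openvpn before /etc/init.d/openvpn restart.
samples=$(make_samples)
for f in "$samples/good" "$samples/bad"; do
    if lint_openvpn_uci "$f"; then
        echo "$f: OK"
    fi
done
rm -rf "$samples"
```

The three checks are independent, so a file that fails only the line-ending test still reports that one finding; the BOM and CRLF checks are what catch a config that was edited on Windows and copied over with scp.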
I am trying to follow the same guide that has been discussed here and made some good progress but am stuck. My server is failing to start and I don't know enough about LEDE to know what to look for to know what is wrong. I am basically to the same point Sh500 was at and the server is failing to start. Here is the log output I am getting while attempting to start the server:
Sun Feb 11 21:21:45 2018 us=919701 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Feb 11 21:21:45 2018 us=919892 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Sun Feb 11 21:21:45 2018 us=922472 Diffie-Hellman initialized with 2048 bit key
Sun Feb 11 21:21:45 2018 us=923001 No valid translation found for TLS cipher '!aNULL'
Sun Feb 11 21:21:45 2018 us=923322 No valid translation found for TLS cipher '!eNULL'
Sun Feb 11 21:21:45 2018 us=923693 No valid translation found for TLS cipher '!3DES'
Sun Feb 11 21:21:45 2018 us=923999 No valid translation found for TLS cipher '!MD5'
Sun Feb 11 21:21:45 2018 us=924309 No valid translation found for TLS cipher '!SHA'
Sun Feb 11 21:21:45 2018 us=924677 No valid translation found for TLS cipher '!PSK'
Sun Feb 11 21:21:45 2018 us=925047 No valid translation found for TLS cipher '!DSS'
Sun Feb 11 21:21:45 2018 us=925352 No valid translation found for TLS cipher '!RC4'
Sun Feb 11 21:21:45 2018 us=958444 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Sun Feb 11 21:21:45 2018 us=958701 Exiting due to fatal error
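The fatal error in the log above is OpenVPN, running as a daemon with no controlling tty, refusing to prompt for the passphrase of an encrypted private key; the message itself names the remedy (`--askpass`, or an unencrypted key). Whether a key is passphrase-protected can be read straight from its PEM headers. The script below is an added example, not code from the thread; the PEM samples it writes are constructed placeholders with no real key material, and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a PEM private key is
# passphrase-protected, which a daemonised OpenVPN server cannot unlock
# interactively. Returns 0 for an encrypted key, 1 for a cleartext key,
# 2 when the file is not a PEM private key at all.
key_is_encrypted() {
    key="$1"
    # PKCS#8 encrypted keys announce it in the PEM label itself.
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        return 0
    fi
    # Legacy OpenSSL keys (BEGIN RSA/EC PRIVATE KEY) use Proc-Type/DEK-Info
    # headers instead; a cleartext PKCS#8 key is BEGIN PRIVATE KEY with no headers.
    if grep -q '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$key"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
            return 0
        fi
        return 1
    fi
    return 2
}

# Constructed PEM samples (placeholder bodies, not real keys; assumed names).
make_key_samples() {
    dir=$(mktemp -d)
    printf '%s\n' "-----BEGIN RSA PRIVATE KEY-----" \
        "Proc-Type: 4,ENCRYPTED" \
        "DEK-Info: AES-256-CBC,00000000000000000000000000000000" \
        "" "PLACEHOLDERBASE64BODY=" \
        "-----END RSA PRIVATE KEY-----" > "$dir/legacy-encrypted.key"
    printf '%s\n' "-----BEGIN ENCRYPTED PRIVATE KEY-----" \
        "PLACEHOLDERBASE64BODY=" \
        "-----END ENCRYPTED PRIVATE KEY-----" > "$dir/pkcs8-encrypted.key"
    printf '%s\n' "-----BEGIN PRIVATE KEY-----" \
        "PLACEHOLDERBASE64BODY=" \
        "-----END PRIVATE KEY-----" > "$dir/pkcs8-clear.key"
    printf '%s\n' "-----BEGIN CERTIFICATE-----" \
        "PLACEHOLDERBASE64BODY=" \
        "-----END CERTIFICATE-----" > "$dir/not-a-key.crt"
    echo "$dir"
}

# Stand-alone run over the samples. On a router, point this at the key named
# by 'option key' in /etc/config/openvpn.
samples=$(make_key_samples)
for k in "$samples"/*; do
    key_is_encrypted "$k" && rc=0 || rc=$?
    case $rc in
        0) echo "$k: passphrase-protected; a daemonised server needs --askpass <file>, or an unencrypted key readable only by root" ;;
        1) echo "$k: cleartext private key; make sure it is mode 0600 and owned by root" ;;
        *) echo "$k: not a PEM private key" ;;
    esac
done
rm -rf "$samples"
```

The check only inspects headers, so it costs nothing to run from the init script before starting the daemon and fail early with a clear message instead of the tty error above.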