OpenVPN TLS Error

Hi,
I was trying to install an OpenVPN server on my TP-Link Archer C7 v5. It's running a snapshot build (because stable wouldn't install). I did everything as described here: https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic
This is the error on the log:

Mon Feb  4 13:49:21 2019 daemon.notice netifd: Interface 'HomeVPN' is setting up now
Mon Feb  4 13:49:21 2019 daemon.notice netifd: HomeVPN (5578): Line unrecognized: `PublicKey='
Mon Feb  4 13:49:21 2019 daemon.notice netifd: HomeVPN (5578): Configuration parsing error
Mon Feb  4 13:49:22 2019 daemon.warn odhcpd[1176]: A default route is present but there is no public prefix on br-lan thus we don't announce a default route!

And this is the error on the client:

Mon Feb  4 17:13:47 2019 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Mon Feb  4 17:13:47 2019 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Enter Private Key Password: ******
Mon Feb  4 17:13:49 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Feb  4 17:13:49 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Feb  4 17:13:49 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Feb  4 17:13:49 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Feb  4 17:13:50 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xxx:1194
Mon Feb  4 17:13:50 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Feb  4 17:13:50 2019 UDP link local: (not bound)
Mon Feb  4 17:13:50 2019 UDP link remote: [AF_INET]91.xx.xx.xxx:1194
Mon Feb  4 17:14:50 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb  4 17:14:50 2019 TLS Error: TLS handshake failed
Mon Feb  4 17:14:50 2019 SIGUSR1[soft,tls-error] received, process restarting

I'm not sure if the port is open. I checked with nmap and it says the port is "filtered". The C7 is behind an ISP's router that forwards all ports to the C7 (so I can use the proprietary VoIP landline).
Also I added another Port forward in the firewall for 1194. Is this necessary?

Thanks in advance for any help.

PS: what is the odhcpd error about?

Can you post your configs (client and server)?

Client:

verb 3
nobind
dev tun
client
remote [mydomain.com] 1194 udp
fast-io
compress lzo
auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
.... [all the keys after here]

Server:
openvpn

uci show network; uci show firewall; uci show openvpn
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd34:2bdb:a815::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.vpnserver=interface
network.vpnserver.ifname='tun0'
network.vpnserver.proto='none'
network.vpnserver.auto='1'
network.HomeVPN=interface
network.HomeVPN.proto='wireguard'
network.HomeVPN.private_key='xxx'
network.HomeVPN.listen_port='51820'
network.@wireguard_HomeVPN[0]=wireguard_HomeVPN
root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-OpenVPN'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='1194'
firewall.@rule[9].proto='tcp udp'
firewall.@rule[9].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnserver'
firewall.@zone[2].network='vpnserver'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpnserver'
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpnserver'
firewall.@forwarding[2].dest='lan'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-OpenVPN'
firewall.@rule[10].src='wan'
firewall.@rule[10].dest_port='1194'
firewall.@rule[10].proto='tcp udp'
firewall.@rule[10].target='ACCEPT'
firewall.@zone[3]=zone
firewall.@zone[3].name='vpnserver'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].network='vpnserver'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='vpnserver'
firewall.@forwarding[3].dest='wan'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='vpnserver'
firewall.@forwarding[4].dest='lan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='vpnserver'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src_dport='1194'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].dest_port='1194'
firewall.@redirect[0].name='openvpn'

root@OpenWrt:~# uci show openvpn
openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'
openvpn.vpnserver=openvpn
openvpn.vpnserver.enabled='1'
openvpn.vpnserver.verb='3'
openvpn.vpnserver.dev='tun0'
openvpn.vpnserver.topology='subnet'
openvpn.vpnserver.port='1194'
openvpn.vpnserver.proto='udp'
openvpn.vpnserver.server='192.168.200.0 255.255.255.0'
openvpn.vpnserver.client_to_client='1'
openvpn.vpnserver.compress='lzo'
openvpn.vpnserver.keepalive='10 120'
openvpn.vpnserver.persist_tun='1'
openvpn.vpnserver.persist_key='1'
openvpn.vpnserver.dh='/etc/openvpn/dh.pem'
openvpn.vpnserver.tls_crypt='/etc/openvpn/tc.pem'
openvpn.vpnserver.ca='/etc/openvpn/ca.crt'
openvpn.vpnserver.cert='/etc/openvpn/vpnserver.crt'
openvpn.vpnserver.key='/etc/openvpn/vpnserver.key'
openvpn.vpnserver.push='redirect-gateway def1' 'route 192.168.1.0 255.255.255.0' 'dhcp-option DNS 192.168.1.1' 'compress lzo' 'persist-tun' 'persist-key' 'dhcp-option DOMAIN lan' 'redirect-gateway def1' 'route 192.168.1.0 255.255.255.0' 'dhcp-option DNS 192.168.1.1' 'compress lzo' 'persist-tun' 'persist-key' 'dhcp-option DOMAIN lan'

That's a syntax error in your WireGuard network config, it has nothing to do with OpenVPN.

Don't use a password-protected key when you run the OpenVPN client as a service.

sudo nmap -sU -p1194 VPN_HOST

I just followed what the wiki said

sudo nmap -sU -p 1194 hostname
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 15:32 CET
Nmap scan report for hostname (ipv4)
Host is up (0.0046s latency).
Other addresses for hostname (not scanned): ipv6-adress
rDNS record for IP hostname

PORT     STATE         SERVICE
1194/udp open|filtered openvpn

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

Anyone got any more ideas?

Disable the passphrase on your key on the OpenVPN server and use the option `cipher` in your configs. Different OpenVPN versions (especially client/server) might use different default cipher settings.

Looks like you are using an older guide version.
I've recently updated it to utilize Easy-RSA which should improve compatibility.

I used this documentation:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic
Is this the newer one? Maybe the old one should be deleted then:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/dual_stack

OpenVPN Client, Basic (IPv4 only), Dual Stack (IPv4+IPv6) - all 3 are up to date.
However, according to your configs, you've used the previous guide version:


Thank you, it works now. However, when I connect this error occurs. It seems to be some local problem, but maybe you can help. My machine is running Arch Linux.

[me@linux ~]$ sudo openvpn vpn.ovpn   
Fri Feb 15 12:28:55 2019 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Fri Feb 15 12:28:55 2019 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Fri Feb 15 12:28:55 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Feb 15 12:28:55 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 15 12:28:55 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Feb 15 12:28:55 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 15 12:28:55 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]IP
Fri Feb 15 12:28:55 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Feb 15 12:28:55 2019 UDP link local: (not bound)
Fri Feb 15 12:28:55 2019 UDP link remote: [AF_INET]IP
Fri Feb 15 12:28:55 2019 TLS: Initial packet from [AF_INET]IP, sid=7d44b3b5 0739ad0a
Fri Feb 15 12:28:56 2019 VERIFY OK: depth=1, CN=vpnca
Fri Feb 15 12:28:56 2019 VERIFY KU OK
Fri Feb 15 12:28:56 2019 Validating certificate extended key usage
Fri Feb 15 12:28:56 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Feb 15 12:28:56 2019 VERIFY EKU OK
Fri Feb 15 12:28:56 2019 VERIFY OK: depth=0, CN=vpnserver
Fri Feb 15 12:28:56 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Fri Feb 15 12:28:56 2019 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Feb 15 12:28:56 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Feb 15 12:28:56 2019 [vpnserver] Peer Connection Initiated with [AF_INET]IP
Fri Feb 15 12:28:57 2019 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
Fri Feb 15 12:28:57 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,compress lzo,persist-tun,persist-key,dhcp-option DOMAIN lan,redirect-gateway def1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,compress lzo,persist-tun,persist-key,dhcp-option DOMAIN lan,redirect-gateway def1,dhcp-option DOMAIN lan,dhcp-option DNS 192.168.1.1,persist-tun,persist-key,redirect-gateway def1,dhcp-option DOMAIN lan,dhcp-option DNS 192.168.1.1,persist-tun,persist-key,redirect-gateway def1,dhcp-option DOMAIN lan,dhcp-option DNS 192.168.1.1,persist-tun,persist-key,redirect-gateway def1,dhcp-option DOMAIN lan,dhcp-option DNS 192.168.1.1,persist-tun,persist-key,route-gateway 192.168.8.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.8.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Fri Feb 15 12:28:57 2019 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 15 12:28:57 2019 OPTIONS IMPORT: compression parms modified
Fri Feb 15 12:28:57 2019 OPTIONS IMPORT: --persist options modified
Fri Feb 15 12:28:57 2019 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 15 12:28:57 2019 OPTIONS IMPORT: route options modified
Fri Feb 15 12:28:57 2019 OPTIONS IMPORT: route-related options modified
Fri Feb 15 12:28:57 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Feb 15 12:28:57 2019 OPTIONS IMPORT: peer-id set
Fri Feb 15 12:28:57 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Fri Feb 15 12:28:57 2019 OPTIONS IMPORT: data channel crypto options modified
Fri Feb 15 12:28:57 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Feb 15 12:28:57 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Feb 15 12:28:57 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Feb 15 12:28:57 2019 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 IFACE=wlp3s0 HWADDR=MAC
Fri Feb 15 12:28:57 2019 TUN/TAP device tun0 opened
Fri Feb 15 12:28:57 2019 TUN/TAP TX queue length set to 100
Fri Feb 15 12:28:57 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Feb 15 12:28:57 2019 /usr/bin/ip link set dev tun0 up mtu 1500
Fri Feb 15 12:28:57 2019 /usr/bin/ip addr add dev tun0 192.168.8.2/24 broadcast 192.168.8.255
Fri Feb 15 12:28:57 2019 /usr/bin/ip route add 91.64.43.171/32 via 192.168.43.1
Fri Feb 15 12:28:57 2019 /usr/bin/ip route add 0.0.0.0/1 via 192.168.8.1
Fri Feb 15 12:28:57 2019 /usr/bin/ip route add 128.0.0.0/1 via 192.168.8.1
Fri Feb 15 12:28:57 2019 /usr/bin/ip route add 192.168.1.0/24 via 192.168.8.1
Fri Feb 15 12:28:57 2019 /usr/bin/ip route add 192.168.1.0/24 via 192.168.8.1
RTNETLINK answers: File exists
Fri Feb 15 12:28:57 2019 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Feb 15 12:28:57 2019 Initialization Sequence Completed

Also, hostnames don't seem to be working. I can access 192.168.1.1 but not openwrt.lan.

Remove duplicate routes from your VPN-server/client configuration.

Use NetworkManager with OpenVPN plugin, it can import VPN-profiles and should create the routes with proper metrics:

nmcli connection modify vpnclient ipv4.route-metric 1000

That's one more reason to use NetworkManager, it will properly apply the settings pushed by VPN-server.

You'll have to use the OpenWrt router as the name server for that to work.
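The `RTNETLINK answers: File exists` error in the client log comes from the duplicated entries in the server's `push` list (`redirect-gateway def1`, `route 192.168.1.0 255.255.255.0` and the rest each appear more than once, so the client tries to add the same route twice). The following is an added example, not code from the thread or from OpenWrt: a small Python parser for `uci show` output that reports repeated push values and emits the `uci` commands that rebuild the list without them. The sample config is constructed from the dump above, and the parser assumes `uci show` prints list options as space-separated single-quoted values on one line, as it does there.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the `uci show openvpn` dump in the thread;
# only the lines needed for the demonstration are included.
SAMPLE_UCI = """\
openvpn.vpnserver=openvpn
openvpn.vpnserver.enabled='1'
openvpn.vpnserver.server='192.168.200.0 255.255.255.0'
openvpn.vpnserver.push='redirect-gateway def1' 'route 192.168.1.0 255.255.255.0' 'dhcp-option DNS 192.168.1.1' 'compress lzo' 'redirect-gateway def1' 'route 192.168.1.0 255.255.255.0'
"""

# One single-quoted value; `uci show` prints list options as several of these
# separated by spaces. Values containing a literal single quote are not handled.
_VALUE_RE = re.compile(r"'([^']*)'")


def parse_uci_show(text: str) -> Dict[str, List[str]]:
    """Map each `uci show` key to its list of values.

    Section lines such as `openvpn.vpnserver=openvpn` carry no quotes; their
    right-hand side (the section type) is stored as a one-element list.
    """
    config: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, raw = line.partition("=")
        values = _VALUE_RE.findall(raw)
        config[key.strip()] = values if values else [raw.strip()]
    return config


def find_duplicate_pushes(config: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {push option key: [values that occur more than once]}."""
    duplicates: Dict[str, List[str]] = {}
    for key, values in config.items():
        if not key.endswith(".push"):
            continue
        seen = set()
        repeated: List[str] = []
        for value in values:
            if value in seen and value not in repeated:
                repeated.append(value)
            seen.add(value)
        if repeated:
            duplicates[key] = repeated
    return duplicates


def dedup_commands(config: Dict[str, List[str]]) -> List[str]:
    """Emit `uci` commands that rebuild each affected push list without repeats.

    `uci delete` drops the whole list option, `uci add_list` re-adds the
    surviving values in their original order, and `uci commit` saves the package.
    """
    commands: List[str] = []
    changed_packages = set()
    for key, values in config.items():
        if not key.endswith(".push"):
            continue
        unique = list(dict.fromkeys(values))  # dedupe while keeping first-seen order
        if unique == values:
            continue
        commands.append(f"uci delete {key}")
        commands.extend(f"uci add_list {key}='{value}'" for value in unique)
        changed_packages.add(key.split(".", 1)[0])
    commands.extend(f"uci commit {pkg}" for pkg in sorted(changed_packages))
    return commands


if __name__ == "__main__":
    parsed = parse_uci_show(SAMPLE_UCI)
    for key, repeated in find_duplicate_pushes(parsed).items():
        print(f"{key}: repeated {repeated}")
    print("\n".join(dedup_commands(parsed)))
```

Run it against the real output of `uci show openvpn` piped into `parse_uci_show` and review the emitted commands before executing them on the router.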

How? Where?

I use the KDE applet and tried to import the .ovpn file, but when I tried to connect it didn't connect and didn't display any errors.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/server#troubleshooting

sudo journalctl --no-pager --since="5m ago" --unit="NetworkManager"
Feb 18 18:49:38 denkbrett NetworkManager[480]: <info>  [1550512178.9802] vpn-connection[0x55e7b4312350,1b4158b2-e5c3-4159-b4eb-2b7fb6ee4eb4,"vpn",0]: Started the VPN service, PID 3879
Feb 18 18:49:39 denkbrett NetworkManager[480]: <info>  [1550512179.0012] vpn-connection[0x55e7b4312350,1b4158b2-e5c3-4159-b4eb-2b7fb6ee4eb4,"vpn",0]: Saw the service appear; activating connec>
Feb 18 18:49:39 denkbrett NetworkManager[480]: <info>  [1550512179.0251] vpn-connection[0x55e7b4312350,1b4158b2-e5c3-4159-b4eb-2b7fb6ee4eb4,"vpn",0]: VPN plugin: state changed: starting (3)
Feb 18 18:49:39 denkbrett nm-openvpn[3882]: WARNING: file '/home/user/.local/share/networkmanagement/certificates/vpn/private.key' is group or others accessible
Feb 18 18:49:39 denkbrett nm-openvpn[3882]: OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Feb 18 18:49:39 denkbrett nm-openvpn[3882]: library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Feb 18 18:49:39 denkbrett nm-openvpn[3882]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb 18 18:49:39 denkbrett nm-openvpn[3882]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 18 18:49:39 denkbrett nm-openvpn[3882]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP
Feb 18 18:49:39 denkbrett nm-openvpn[3882]: UDP link local: (not bound)
Feb 18 18:49:39 denkbrett nm-openvpn[3882]: UDP link remote: [AF_INET]IP
Feb 18 18:49:39 denkbrett nm-openvpn[3882]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay

Is it because of the permissions of the keyfile? What permissions does it need?

chmod --recursive "u=rwX,g=,o=" "$HOME"

Your client-profile is missing an option:

remote-cert-tls server

And that should be only the beginning of the log.
Scroll it down or use the --no-pager option to see the full log.
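The `WARNING: file '...private.key' is group or others accessible` line in the journal above is OpenVPN's own permission check, and the `chmod u=rwX,g=,o=` answer clears it. The following is an added example, not from the thread: a Python check that reproduces the same condition (any group or other bit set, or wrong owner), applies the equivalent of `chmod u=rw,g=,o=`, and re-checks, exercised on a constructed throwaway key file.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# OpenVPN logs "file '...' is group or others accessible" when any group or
# other permission bit is set on a key file. chmod u=rwX,g=,o= leaves a
# regular file at mode 0600, which is what we restore here.
_OWNER_ONLY = stat.S_IRUSR | stat.S_IWUSR


def key_file_problems(path: str) -> List[str]:
    """List what is wrong with a private key's ownership/mode; empty means fine."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems: List[str] = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.geteuid():
        problems.append("not owned by the user running this check")
    if mode & stat.S_IRWXG:
        problems.append(f"group has access (mode {mode:04o})")
    if mode & stat.S_IRWXO:
        problems.append(f"others have access (mode {mode:04o})")
    return problems


def restrict_key_file(path: str) -> int:
    """Apply the equivalent of chmod u=rw,g=,o= and return the resulting mode."""
    os.chmod(path, _OWNER_ONLY)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_on_temp_key() -> Tuple[List[str], int, List[str]]:
    """Create a constructed placeholder key file with lax permissions, report
    its problems, fix it, and report again. Returns (before, fixed_mode, after)."""
    fd, path = tempfile.mkstemp(suffix=".key")
    try:
        os.write(fd, b"-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n"
                     b"-----END PRIVATE KEY-----\n")
        os.close(fd)
        os.chmod(path, 0o644)  # the kind of mode a desktop importer may leave behind
        before = key_file_problems(path)
        fixed_mode = restrict_key_file(path)
        after = key_file_problems(path)
    finally:
        os.unlink(path)
    return before, fixed_mode, after


if __name__ == "__main__":
    before, fixed_mode, after = demo_on_temp_key()
    print("before:", before)
    print(f"after chmod: mode {fixed_mode:04o}, problems: {after}")
```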

The option is in the client profile:

remote-cert-tls server

Full log now:

Feb 18 20:29:16 denkbrett NetworkManager[480]: <info>  [1550518156.4792] vpn-connection[0x55e7b4312770,4d556963-d997-450b-963a-2c15c68fd3f2,"vpn",0]: Started the VPN service, PID 6256
Feb 18 20:29:16 denkbrett NetworkManager[480]: <info>  [1550518156.4912] vpn-connection[0x55e7b4312770,4d556963-d997-450b-963a-2c15c68fd3f2,"vpn",0]: Saw the service appear; activating connec>
Feb 18 20:29:16 denkbrett NetworkManager[480]: <info>  [1550518156.5230] vpn-connection[0x55e7b4312770,4d556963-d997-450b-963a-2c15c68fd3f2,"vpn",0]: VPN plugin: state changed: starting (3)
Feb 18 20:29:16 denkbrett nm-openvpn[6259]: OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Feb 18 20:29:16 denkbrett nm-openvpn[6259]: library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Feb 18 20:29:16 denkbrett nm-openvpn[6259]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb 18 20:29:16 denkbrett nm-openvpn[6259]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 18 20:29:16 denkbrett nm-openvpn[6259]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP
Feb 18 20:29:16 denkbrett nm-openvpn[6259]: UDP link local: (not bound)
Feb 18 20:29:16 denkbrett nm-openvpn[6259]: UDP link remote: [AF_INET]IP
Feb 18 20:29:16 denkbrett nm-openvpn[6259]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Feb 18 20:30:16 denkbrett NetworkManager[480]: <warn>  [1550518216.5941] vpn-connection[0x55e7b4312770,4d556963-d997-450b-963a-2c15c68fd3f2,"vpn",0]: VPN connection: connect timeout exceeded.
Feb 18 20:30:16 denkbrett nm-openvpn-serv[6256]: Connect timer expired, disconnecting.
Feb 18 20:30:16 denkbrett nm-openvpn[6259]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 18 20:30:16 denkbrett nm-openvpn[6259]: TLS Error: TLS handshake failed
Feb 18 20:30:16 denkbrett nm-openvpn[6259]: SIGTERM[hard,tls-error] received, process exiting
Feb 18 20:30:16 denkbrett NetworkManager[480]: <warn>  [1550518216.6010] vpn-connection[0x55e7b4312770,4d556963-d997-450b-963a-2c15c68fd3f2,"vpn",0]: VPN plugin: failed: connect-failed (1)
Feb 18 20:30:16 denkbrett NetworkManager[480]: <info>  [1550518216.6015] vpn-connection[0x55e7b4312770,4d556963-d997-450b-963a-2c15c68fd3f2,"vpn",0]: VPN plugin: state changed: stopping (5)
Feb 18 20:30:16 denkbrett NetworkManager[480]: <info>  [1550518216.6017] vpn-connection[0x55e7b4312770,4d556963-d997-450b-963a-2c15c68fd3f2,"vpn",0]: VPN plugin: state changed: stopped (6)