Port not open for OpenVPN access

RudderDuck · May 9, 2026, 3:12pm

I'm still quite new to OpenWRT and tried creating an OpenVPN server using the documentation at:

However, using a port scanner at https://www.grc.com/shieldsup I can see that port 1194 is still closed. This means that I cannot connect. Below is the information that I assume is of use for determining what I did wrong?

Note: I also tried to run the All-in-One OpenVPN Management Script which probably left some unused parts in the below output.

Output of:

cat /etc/openvpn/server.conf)

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.9.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.9.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
removed
-----END DH PARAMETERS-----
</dh>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
removed
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----
removed
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
</ca>

Outpout of:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid 'removed'
	option ula_prefix 'fremoved'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	option ip6assign '60'
	option multipath 'off'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan.2011'
	option multipath 'off'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '2011'
	option name 'wan.2011'
	option ipv6 '0'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1/24'

config interface 'vpn'
	option proto 'none'
	option device 'tun0'
	option multipath 'off'

config device
	option name 'tun0'

Output of:

cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

Output of:

cat /etc/config/openvpn

config openvpn 'custom_config'
	option enabled '0'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option enabled '0'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option enabled '0'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option verb '3'

config openvpn 'server'
	option enabled '1'
	option config '/etc/openvpn/server.conf'

AndrewZ · May 9, 2026, 3:14pm

Do you have a public IP address on your WAN interface?
Just yes/no.

psherman · May 9, 2026, 3:16pm

Just in case, when you look at the address on your OpenWrt wan, let's see only the first 2 octets (in bold: aaa.bbb.ccc.ddd) from ifstatus wan | grep address

RudderDuck · May 9, 2026, 3:19pm

Output of:

ifstatus wan | grep address

"ipv4-address": [
			"address": "185.55.x.x",
	"ipv6-address": [
		"ipv4-address": [
		"ipv6-address": [

psherman · May 9, 2026, 3:21pm

You do have a public ip on your wan. Have you tried actually connecting?

Alternatively, have you considered wireguard?

RudderDuck · May 9, 2026, 3:23pm

Yes, I tried from another computer but the connection fails. I'm not familiar with wireguard, atm I would like to stick to openvpn if possible.

psherman · May 9, 2026, 3:25pm

Let’s look at the logs on the router.

logread -e openvpn

RudderDuck · May 9, 2026, 3:29pm

That shows a problem:

Sat May  9 17:25:14 2026 daemon.err openvpn(server)[14024]: tls_crypt_v2_unwrap_client_key: client key authentication error
Sat May  9 17:25:14 2026 daemon.err openvpn(server)[14024]: Can not unwrap tls-crypt-v2 client key
Sat May  9 17:25:14 2026 daemon.err openvpn(server)[14024]: TLS Error: can not extract tls-crypt-v2 client key from [AF_INET]178.230.x.x:18251

egc · May 9, 2026, 3:34pm

For testing remove tls-crypt key from server and client

Test from outside your network

AndrewZ · May 9, 2026, 3:36pm

That shows that there is no problem with the port, so "port not open" topic can be closed.
Consider using WireGuard as suggested earlier.

RudderDuck · May 9, 2026, 3:49pm

Will close this topic. The log output should help me figure out what is going wrong with OpenVPN. This should now be more of an OpenVPN problem rather than OpenWRT problem.