Problems installing OpenVPN

Good to hear you figured it out. :+1:

I don't want to be that guy but in all honesty, if you followed one of the guides and found there was an extra step needed or some other info needed, you're the best person to add it. :blush: Create an account and make the changes you think would have helped the "past you" when you followed it the first time.

I appreciate your suggestion, but I got the impression there are some strong opinions among the authors about what belongs in the basic guide vs. the comprehensive guide, and also, in all honesty, I'm fairly sure my specific problem was my own fault due to a previous attempt to install OpenVPN that was not fully cleaned up prior to following the steps in the basic guide. Even if I was confident of the steps that led to the problem I posted about, I wouldn't be confident that the basic guide would be the appropriate document, not having been able to find the comprehensive guide yet.

That's still a mystery to me, btw: the comprehensive guide is mentioned and linked in several places, but the links are all dead.

I like that the basic guide is minimalistic, with a goal of being as simplistic as possible for beginners, or taking off on tangents, of which there are many. I'd really like to read the comprehensive guide if it exists, to know if that is a more appropriate place to describe how to decrypt private keys for router-to-router use. The more I think about it, I don't want to muddy the waters in the basic guide if the comprehensive guide does exist and it's just a matter of fixing the links to it. When I ran into my issues, I hunted for the comprehensive guide and failed to find it, which is what led me to post here with impatient frustration. :slight_smile:

Edit: That said, I decided to at least add to the basic guide a mention that entering a passphrase is necessary to avoid errors.

@ohmeye: maybe you can help me find the page where the instructions with the above-mentioned scripts are posted. I used them a couple of days ago and now I am unable to find them anymore.
Maybe I am stupid or someone took them down. TIA

Thank you for your quick answer. I found that one as well. But it looks like they changed it. At least I do not find the scripts anymore.

Okay, great, thanks, and yes, I thought downloading a script is really convenient and easy...

It's not that simple.
Blindly downloading and running scripts without checksum verification and digital signature validation is a serious security flaw.
But you can still copy-paste the whole code blocks.

Thx for copy and paste hint.

Unfortunately, the improved security now leads to a nasty error:
Failed to parse profile: option 'dev' must have at least 2 arguments
I worked with the "old" instruction scripts, I wonder what changed...

Show client profile excluding private data.

verb 3
dev 
nobind
client
remote *.ddns.net 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
****
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
and so on.

"Failed to parse profile: option 'dev' must have at least 2 arguments"
Did you look in the OpenVPN documentation?
You either need to define a tun or tap device.

...also, if you admin both nodes, I would highly recommend having a look at WireGuard instead.

The VPN interface for client profiles is derived from the VPN server configuration.
Make sure your server configuration contains the correct interface name.
It should match the network interface assigned to the VPN network.
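The parser error quoted above is emitted because OpenVPN counts the option keyword itself as the first argument, so a bare `dev` line has only one argument where two are required. The following shell script is an added example (not code from the thread or from the OpenWrt guides) that lints a client profile for exactly this class of mistake before the profile is imported; the profile text is constructed to mirror the posted one, with key material and hostname replaced by placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a small linter for an OpenVPN client
# profile. The thread's parser error, "option 'dev' must have at least 2
# arguments", comes from a 'dev' line with no device name: OpenVPN counts the
# option keyword itself as argument 1, so 'dev' alone has only one.

# Constructed profile fragment modelled on the one posted above; key material
# is replaced by a placeholder and the hostname is a reserved test name.
BROKEN_PROFILE=$(cat <<'EOF'
verb 3
dev
nobind
client
remote vpn.example.invalid 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
PLACEHOLDER-KEY-MATERIAL
</tls-crypt>
EOF
)

# Same profile with the device argument supplied.
FIXED_PROFILE=$(printf '%s\n' "$BROKEN_PROFILE" | sed 's/^dev$/dev tun/')

# check_profile: reads a profile on stdin and prints one line per finding.
# Inline blocks (<ca>...</ca>, <tls-crypt>...</tls-crypt>) are skipped so key
# material is never inspected or echoed.
check_profile() {
    awk '
        /^<[a-z-]+>$/   { inblock = 1; next }   # start of inline block
        /^<\/[a-z-]+>$/ { inblock = 0; next }   # end of inline block
        inblock         { next }
        /^[[:space:]]*$/    { next }            # blank line
        /^[[:space:]]*[#;]/ { next }            # comment
        $1 == "dev" {
            seen_dev = 1
            if (NF < 2) print "line " NR ": dev has no device argument (tun or tap expected)"
        }
        $1 == "remote" && NF < 2 { print "line " NR ": remote has no host" }
        $1 == "client" { seen_client = 1 }
        END {
            if (!seen_dev)    print "dev option missing"
            if (!seen_client) print "client option missing"
        }'
}

# profile_issue_count: number of findings for the profile text given as $1.
profile_issue_count() {
    printf '%s\n' "$1" | check_profile | awk 'END { print NR }'
}

printf 'Broken profile:\n'; printf '%s\n' "$BROKEN_PROFILE" | check_profile
printf 'Fixed profile: %s issue(s)\n' "$(profile_issue_count "$FIXED_PROFILE")"
```

The check deliberately skips everything between `<tag>` and `</tag>` so that a profile can be linted, or its findings pasted into a forum post, without ever touching the embedded keys.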

Just let me explain what I did wrong.
I had a working VPN solution. I did a sysupgrade yesterday to 18.06.2.
It killed my VPN setup.
I followed the instructions in VPN basic, but skipped 2. Network, because I thought I already had a VPN interface. Why create one twice?
I created my "old" VPN interface via LuCI.
The script is looking for uci. Maybe that is the reason why it is not working.

@diizzy I am looking into WireGuard. Unfortunately the documentation is still a bit "shallow".

BTW, I'd really like to thank you guys behind the OpenWrt scenes; you are doing a wonderful job.

Never bothered using uci for OpenVPN as I always found it to be obfuscating rather than helpful.
I guess someone else will need to help you with that part.

The tun entry error disappeared, but now see the above screenshot.

please disregard this post, I forgot to start openvpn service. :sleeping:

But it is still not working:

Is this the correct intended firewall config? Why does it show vpn twice?

uci show network; uci show firewall
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd66:7107:2c93::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.delegate='0'
network.lan.gateway='192.168.8.1'
network.wan=interface
network.wan.proto='static'
network.wan.ipaddr='192.168.8.100'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.8.1'
network.wan.peerdns='0'
network.wan.ifname='eth0.2'
network.wan.delegate='0'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 0t'
network.Wireguard=interface
network.Wireguard.proto='wireguard'
network.Wireguard.auto='0'
network.vpn=interface
network.vpn.ifname='tun0'
network.vpn.proto='none'

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].flow_offloading='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan' 'vpn' 'vpn'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-OpenVPN'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='1194'
firewall.@rule[9].proto='tcp udp'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-OpenVPN'
firewall.@rule[10].src='wan'
firewall.@rule[10].dest_port='1194'
firewall.@rule[10].proto='udp'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-OpenVPN'
firewall.@rule[11].src='wan'
firewall.@rule[11].dest_port='1194'
firewall.@rule[11].proto='udp'
firewall.@rule[11].target='ACCEPT'
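The dump above shows two kinds of repetition: `vpn` appears twice in the `lan` zone's network list, and three separate rule sections all carry the name `Allow-OpenVPN` (rule 9 additionally admits TCP, where the other two are UDP only). The shell script below is an added example, not code from the thread or from OpenWrt, that audits `uci show` output for both patterns; the input is a trimmed copy of the dump posted above, embedded inline so the script runs offline. The assumption stated in the comments, that such duplicates come from applying a guide's `uci add_list` / `uci add firewall rule` commands more than once, is mine and is not established by the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit 'uci show' output for two kinds of
# repetition visible in the dump above, a value listed twice in one list option
# and several firewall rules carrying the same name. Assumption: such duplicates
# appear when a guide's uci commands (add_list / add firewall rule) are applied
# more than once.

# Constructed input: a trimmed copy of the network/firewall dump posted above.
SAMPLE_UCI=$(cat <<'EOF'
network.vpn=interface
network.vpn.ifname='tun0'
network.vpn.proto='none'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan' 'vpn' 'vpn'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-OpenVPN'
firewall.@rule[9].proto='tcp udp'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-OpenVPN'
firewall.@rule[10].proto='udp'
firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-OpenVPN'
firewall.@rule[11].proto='udp'
EOF
)

# duplicate_list_values: list options print as key='a' 'b' 'c'; report any value
# that occurs twice in the same option. Single-quoted values may themselves
# contain spaces ('tcp udp'), so the split is on the quote-space-quote separator.
duplicate_list_values() {
    awk '
        BEGIN { q = "\047" }                      # \047 is a single quote
        {
            eq = index($0, "=")
            if (!eq) next
            key  = substr($0, 1, eq - 1)
            rest = substr($0, eq + 1)
            n = split(rest, v, q " " q)           # one element per quoted value
            if (n < 2) next                       # scalar option or one-element list
            split("", seen)                       # clear the per-line set
            for (i = 1; i <= n; i++) {
                val = v[i]; gsub(q, "", val)
                if (val in seen) printf "%s: value %s listed more than once\n", key, val
                seen[val] = 1
            }
        }'
}

# duplicate_rule_names: report rule names shared by more than one firewall
# rule section, together with the sections that carry them.
duplicate_rule_names() {
    awk '
        BEGIN { q = "\047" }
        /^firewall\.@rule\[[0-9]+\]\.name=/ {
            sect = substr($0, 1, index($0, ".name=") - 1)
            name = substr($0, index($0, "=") + 1); gsub(q, "", name)
            count[name]++
            sections[name] = sections[name] " " sect
        }
        END {
            for (n in count)
                if (count[n] > 1)
                    printf "rule name %s defined %d times:%s\n", n, count[n], sections[n]
        }'
}

# audit_uci: run both checks over the dump text given as $1.
audit_uci() {
    printf '%s\n' "$1" | duplicate_list_values
    printf '%s\n' "$1" | duplicate_rule_names
}

audit_uci "$SAMPLE_UCI"
```

On a live router the same functions can be fed with `uci show firewall | duplicate_rule_names`. Neither finding breaks anything by itself: a repeated entry in a zone's network list still places `vpn` in the zone once, and three identical ACCEPT rules accept the same traffic as one. The cleanup is to delete the surplus anonymous sections from the highest index down (`uci delete firewall.@rule[11]`, then `uci delete firewall.@rule[10]`, since indices renumber after each deletion), rebuild the list with `uci delete firewall.@zone[0].network` followed by one `uci add_list firewall.@zone[0].network='lan'` and one for `'vpn'`, and then `uci commit firewall` and reload the firewall.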