Problems configuring OpenVPN

Hardware: TPLink WDR4300
Firmware: OpenWrt 19.07.3 r11063-85e04e9f46
I'm attempting to install an OpenVPN server, but I'm having some incomprehensible problems.

Backstory: I installed and configured the OpenVPN server, started it, and connected OK. Then I added "push route" from the VPN to the LAN network using LuCI; after that I got an error applying the settings and a message about reverting the last changes. Then infinite loading: I could never connect to the router again, and nothing helped. To my surprise the internet worked, but not even a ping to the gateway succeeded.
So I did a reset and firstboot, after which I restored all settings except "push route", and everything worked. Then I added that option, and voilà! The router "died" again.

Now: I've done firstboot again and configured everything from scratch, started the OpenVPN server (without push route, I'm done with that :smiley:), but the problem now is that I can't connect to the VPN server from the WAN.

Firewall rules added:

config rule
	option dest_port '1194'
	option target 'ACCEPT'
	list proto 'udp'
	option src_port '1194'
	option name 'Allow-OpenVPN-Input'
	option src 'wan'

config zone
	option name 'vpn'
	option masq '1'
	option output 'ACCEPT'
	option network 'vpn0'
	option forward 'REJECT'
	option input 'REJECT'
	option mtu_fix '1'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

config redirect
	option dest_port '1194'
	option src 'wan'
	option src_dport '1194'
	option target 'DNAT'
	option dest_ip '192.168.1.1'
	list proto 'udp'
	option name 'OVPN_Forwarding'
	option dest 'lan'
	option enabled '0'

As you can see, I've tried to forward traffic with OVPN_Forwarding and it works: there are connection attempts, but with a TLS handshake error (I think it's because of the forwarding itself).
So when I disable forwarding there is no connection, not a single message from the WAN. From the LAN it works.

Server Config:

	option port '1194'
	option server '10.8.0.0 255.255.255.0'
	option ca '/etc/openvpn/ca.crt'
	option client_to_client '1'
	option dh '/etc/openvpn/dh2048.pem'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option keepalive '10 120'
	option auth_nocache '1'
	option auth_user_pass_verify '/etc/openvpn/ovpnauth.sh via-file'
	option script_security '2'
	option key_direction '0'
	option username_as_common_name '1'
	option auth 'SHA256'
	option verify_client_cert 'optional'
	option proto 'udp'
	option verb '3'
	option tls_exit '1'
	option tls_crypt '/etc/openvpn/ta.key 0'
	option mute_replay_warnings '1'
	option comp_lzo 'yes'
	option persist_tun '1'
	option persist_key '1'
	option dev 'tun'
	option cipher 'AES-256-CBC'

Client Config:

dev tun
proto udp
remote <My remote address>
port 1194
client
resolv-retry infinite
auth SHA256
cipher AES-256-CBC
remote-cert-tls server
comp-lzo
persist-key
persist-tun
verb 3
auth-user-pass
route-delay 2
key-direction 1
auth-nocache
tls-client
<ca>
-----BEGIN CERTIFICATE-----
<My CA certificate>
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
<My TLS key>
-----END OpenVPN Static key V1-----
</tls-crypt>

What is the push route you were entering into your OpenVPN config? (It needs to be the full syntax.)

We also need to see your /etc/config/network file and your logs.

I've tried to add:
push " route 192.168.1.0 255.255.255.0"
But I'm done with that; I won't try it anymore and will find some other way.

Now the problem is connecting from the WAN.

/etc/config/network:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd13:6b9e:1f3f::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.1.1/24'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'c0:4a:00:34:2c:0d'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'vpn0'
	option proto 'none'
	option ifname 'tun0'

vpn0 is the interface I've added for the server.

Log of OpenVPN launch:

Thu Jul  2 09:30:34 2020 daemon.notice openvpn(Server)[6896]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Jul  2 09:30:34 2020 daemon.notice openvpn(Server)[6896]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Thu Jul  2 09:30:34 2020 daemon.warn openvpn(Server)[6896]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul  2 09:30:34 2020 daemon.notice openvpn(Server)[6896]: Diffie-Hellman initialized with 2048 bit key
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: TUN/TAP device tun0 opened
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: TUN/TAP TX queue length set to 100
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Thu Jul  2 09:30:35 2020 daemon.notice netifd: Network device 'tun0' link is up
Thu Jul  2 09:30:35 2020 daemon.notice netifd: Interface 'vpn0' has link connectivity
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Thu Jul  2 09:30:35 2020 daemon.warn openvpn(Server)[6896]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: UDPv4 link remote: [AF_UNSPEC]
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: MULTI: multi_init called, r=256 v=256
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Jul  2 09:30:35 2020 daemon.notice openvpn(Server)[6896]: Initialization Sequence Completed

And the log of a connection from the LAN to OpenVPN:

Thu Jul  2 09:31:45 2020 daemon.info dnsmasq-dhcp[1829]: DHCPREQUEST(br-lan) 192.168.1.54 f8:4e:73:24:29:23
Thu Jul  2 09:31:45 2020 daemon.info dnsmasq-dhcp[1829]: DHCPACK(br-lan) 192.168.1.54 f8:4e:73:24:29:23 iPhone
Thu Jul  2 09:31:53 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 TLS: Initial packet from [AF_INET]192.168.1.78:43335, sid=fface1a6 f4375522
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 peer info: IV_GUI_VER=OC30Android
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 peer info: IV_VER=3.git::f225fcd0:Release
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 peer info: IV_PLAT=android
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 peer info: IV_NCP=2
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 peer info: IV_TCPNL=1
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 peer info: IV_PROTO=2
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 peer info: IV_LZO_STUB=1
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 peer info: IV_COMP_STUB=1
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 peer info: IV_COMP_STUBv2=1
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 TLS: Username/Password authentication succeeded for username 'user' [CN SET]
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: 192.168.1.78:43335 [user] Peer Connection Initiated with [AF_INET]192.168.1.78:43335
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: user/192.168.1.78:43335 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: user/192.168.1.78:43335 MULTI: Learn: 10.8.0.6 -> user/192.168.1.78:43335
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: user/192.168.1.78:43335 MULTI: primary virtual IP for user/192.168.1.78:43335: 10.8.0.6
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: user/192.168.1.78:43335 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: user/192.168.1.78:43335 SENT CONTROL [user]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: user/192.168.1.78:43335 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: user/192.168.1.78:43335 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul  2 09:31:54 2020 daemon.notice openvpn(Server)[6896]: user/192.168.1.78:43335 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

From the WAN I'm trying to connect via DDNS, by the way.

Also, sometimes these error messages can be seen:

Thu Jul  2 09:23:37 2020 daemon.notice openvpn(Server)[6476]: user/192.168.1.78:43872 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul  2 09:23:37 2020 daemon.notice openvpn(Server)[6476]: user/192.168.1.78:43872 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul  2 09:23:42 2020 daemon.err openvpn(Server)[6476]: 192.168.1.78:47495 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul  2 09:23:42 2020 daemon.err openvpn(Server)[6476]: 192.168.1.78:47495 TLS Error: TLS handshake failed
Thu Jul  2 09:23:42 2020 daemon.notice openvpn(Server)[6476]: 192.168.1.78:47495 SIGTERM[soft,tls-error] received, client-instance exiting
Thu Jul  2 09:23:52 2020 daemon.err openvpn(Server)[6476]: 192.168.1.78:48322 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul  2 09:23:52 2020 daemon.err openvpn(Server)[6476]: 192.168.1.78:48322 TLS Error: TLS handshake failed
Thu Jul  2 09:23:52 2020 daemon.notice openvpn(Server)[6476]: 192.168.1.78:48322 SIGTERM[soft,tls-error] received, client-instance exiting
Thu Jul  2 09:24:04 2020 daemon.notice openvpn(Server)[6476]: user/192.168.1.78:43872 SIGTERM[soft,remote-exit] received, client-instance exiting
Thu Jul  2 09:24:05 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 60:ab:67:f4:af:f1
Thu Jul  2 09:24:30 2020 daemon.err openvpn(Server)[6476]: 192.168.1.78:42949 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul  2 09:24:30 2020 daemon.err openvpn(Server)[6476]: 192.168.1.78:42949 TLS Error: TLS handshake failed
Thu Jul  2 09:24:30 2020 daemon.notice openvpn(Server)[6476]: 192.168.1.78:42949 SIGTERM[soft,tls-error] received, client-instance exiting

In case you were entering it as you showed above, that would be incorrect syntax. The correct syntax for this would be:
list push 'route 192.168.1.0 255.255.255.0'

Your VPN zone in the firewall should not have masq enabled:

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option network 'vpn0'
	option forward 'REJECT'
	option input 'REJECT'

If you are still unable to connect from WAN -- can you verify that you have a true public IP address on your WAN (look at the upstream IPv4 address and compare that against a search on Google for "What's my IP")?

How are you trying to connect when you connect via WAN? Are you doing this while you're on your LAN or are you doing it from a different network (such as cellular or at some other location)? Try a cellular connection and see if that works.
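The option/list distinction above is the whole difference between a directive OpenWrt's init script will emit into the generated openvpn.conf and one it will choke on. As an added illustration (not from this thread or from OpenWrt's own openvpn package), here is a small Python converter that takes plain openvpn.conf text and emits /etc/config/openvpn syntax: directives that may repeat (push, route, remote, iroute; that set is an assumption for the example) become `list` entries, everything else becomes an `option`, hyphens turn into underscores, bare flags get '1', and inline `<ca>`-style blocks are skipped because those stay as files on the router. The sample configuration is constructed from the server directives in the post.

```python
import shlex

# Directives that may legitimately appear more than once and therefore map to UCI
# "list" entries. Assumption for this example: a small hand-picked set.
LIST_DIRECTIVES = {"push", "route", "remote", "iroute"}

# Constructed sample mirroring directives from the post (values are illustrative).
SAMPLE_CONF = """
# constructed sample, mirrors the server directives from the post
port 1194
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
tls-crypt /etc/openvpn/ta.key 0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
<ca>
-----BEGIN CERTIFICATE-----
<My CA certificate>
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn_conf(text):
    """Yield (directive, args) pairs from openvpn.conf text.

    Comments and blank lines are skipped, and the contents of inline
    <tag>...</tag> blocks (certificates, keys) are skipped as well, since
    on OpenWrt those are referenced by path rather than embedded.
    """
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = shlex.split(line)  # handles push "route ..." quoting
        yield parts[0], parts[1:]


def to_uci(text, section="server", section_type="openvpn"):
    """Render openvpn.conf text as a UCI section for /etc/config/openvpn.

    Values containing a single quote are not escaped here (OpenVPN configs
    essentially never need them).
    """
    lines = [f"config {section_type} '{section}'"]
    for directive, args in parse_ovpn_conf(text):
        name = directive.replace("-", "_")          # client-to-client -> client_to_client
        value = " ".join(args).strip() if args else "1"  # bare flag -> '1'
        kind = "list" if directive in LIST_DIRECTIVES else "option"
        lines.append(f"\t{kind} {name} '{value}'")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_uci(SAMPLE_CONF))
```

Running it prints `list push 'route 192.168.1.0 255.255.255.0'` for the push line, i.e. exactly the form given in the reply above, while `client-to-client` becomes `option client_to_client '1'` and `keepalive 10 120` becomes `option keepalive '10 120'`.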

Sorry, I tried to add the route through the LuCI interface; maybe it adds the list entry to the config itself.

I'm trying from a cellular connection.
I got the masq option from the OpenVPN setup manual on the OpenWrt site. I've turned masq off now, and nothing changed.

If I activate the forwarding rule for UDP 1194 from the gateway (router) to itself, I'm getting:

Thu Jul  2 09:46:22 2020 daemon.notice openvpn(Server)[1192]: 213.87.150.52:28253 TLS: Initial packet from [AF_INET]213.87.150.52:28253, sid=12ac1c44 109fa8bc
Thu Jul  2 09:46:23 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1593672381) Thu Jul  2 09:46:21 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Jul  2 09:46:23 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: packet replay
Thu Jul  2 09:46:23 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 TLS Error: tls-crypt unwrapping failed from [AF_INET]213.87.150.52:28253
Thu Jul  2 09:46:24 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1593672381) Thu Jul  2 09:46:21 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Jul  2 09:46:24 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: packet replay
Thu Jul  2 09:46:24 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 TLS Error: tls-crypt unwrapping failed from [AF_INET]213.87.150.52:28253
Thu Jul  2 09:46:25 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1593672381) Thu Jul  2 09:46:21 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Jul  2 09:46:25 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: packet replay
Thu Jul  2 09:46:25 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 TLS Error: tls-crypt unwrapping failed from [AF_INET]213.87.150.52:28253
Thu Jul  2 09:46:26 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1593672381) Thu Jul  2 09:46:21 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Jul  2 09:46:26 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: packet replay
Thu Jul  2 09:46:26 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 TLS Error: tls-crypt unwrapping failed from [AF_INET]213.87.150.52:28253
Thu Jul  2 09:46:27 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1593672381) Thu Jul  2 09:46:21 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Jul  2 09:46:27 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: packet replay
Thu Jul  2 09:46:27 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 TLS Error: tls-crypt unwrapping failed from [AF_INET]213.87.150.52:28253
Thu Jul  2 09:46:28 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1593672381) Thu Jul  2 09:46:21 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Jul  2 09:46:28 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: packet replay
Thu Jul  2 09:46:28 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 TLS Error: tls-crypt unwrapping failed from [AF_INET]213.87.150.52:28253
Thu Jul  2 09:46:29 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1593672381) Thu Jul  2 09:46:21 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Jul  2 09:46:29 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: packet replay
Thu Jul  2 09:46:29 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 TLS Error: tls-crypt unwrapping failed from [AF_INET]213.87.150.52:28253
Thu Jul  2 09:46:30 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1593672381) Thu Jul  2 09:46:21 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Jul  2 09:46:30 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: packet replay
Thu Jul  2 09:46:30 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 TLS Error: tls-crypt unwrapping failed from [AF_INET]213.87.150.52:28253

Maybe that will help to find out.
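The "bad packet ID (may be a replay)" lines come from the replay protection OpenVPN applies to every tls-crypt-wrapped control packet: each one carries a timestamp and a sequence number, and the receiver rejects a (time, id) pair it has already accepted. In the log above the same pair, #1 at time 1593672381, is rejected once per second, so the server is receiving copies of a packet it has already processed. As an added illustration (simplified, and not OpenVPN's own code: the real check also enforces a time-skew limit and honours --replay-window / --no-replay), here is a Python sliding-window replay filter run over a constructed arrival sequence, plus a small parser that counts repeated (time, id) rejections in syslog text of the format shown above; the two sample log lines are copied from the post.

```python
import re
from collections import Counter


class ReplayWindow:
    """Sliding-window anti-replay check on (time, packet_id) pairs.

    Simplified illustration in the style of OpenVPN's --replay-window
    (default 64 entries); not OpenVPN's implementation.
    """

    def __init__(self, window=64):
        self.window = window
        self.last_time = 0   # timestamp "epoch" currently being tracked
        self.highest = 0     # highest packet id accepted in that epoch
        self.seen = 0        # bitmask: bit i set => id (highest - i) already accepted

    def check(self, time, pid):
        """Return True and record the packet if it is fresh, False if it is a replay."""
        if pid == 0:
            return False                    # id 0 is never valid
        if time > self.last_time:           # new epoch: ids restart, window resets
            self.last_time, self.highest, self.seen = time, pid, 1
            return True
        if time < self.last_time:
            return False                    # packet from an earlier epoch
        if pid > self.highest:              # advance the window
            shift = pid - self.highest
            self.seen = ((self.seen << shift) | 1) if shift < self.window else 1
            self.seen &= (1 << self.window) - 1
            self.highest = pid
            return True
        diff = self.highest - pid
        if diff >= self.window:
            return False                    # too old to track: treated as replay
        bit = 1 << diff
        if self.seen & bit:
            return False                    # exact duplicate: replay
        self.seen |= bit
        return True


def simulate(arrivals, window=64):
    """Run (time, pid) arrivals through one ReplayWindow; return [(time, pid, accepted)]."""
    rw = ReplayWindow(window)
    return [(t, pid, rw.check(t, pid)) for t, pid in arrivals]


# Constructed arrival sequence: packet #1 delivered three times (as in the log),
# then #2 and #3, then a late second copy of #2.
ARRIVALS = [(1593672381, 1), (1593672381, 1), (1593672381, 1),
            (1593672381, 2), (1593672381, 3), (1593672381, 2)]

LOG_RE = re.compile(r"bad packet ID \(may be a replay\): \[ #(\d+) / time = \((\d+)\)")


def count_replayed_ids(log_text):
    """Count how often each (time, packet id) pair is reported as a replay."""
    return Counter((int(m.group(2)), int(m.group(1))) for m in LOG_RE.finditer(log_text))


# Two lines copied from the post's log (trailing man-page hint shortened).
SAMPLE_LOG = """\
Thu Jul  2 09:46:23 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1593672381) Thu Jul  2 09:46:21 2020 ] -- see the man page entry for --no-replay and --replay-window
Thu Jul  2 09:46:23 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: packet replay
Thu Jul  2 09:46:24 2020 daemon.err openvpn(Server)[1192]: 213.87.150.52:28253 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1593672381) Thu Jul  2 09:46:21 2020 ] -- see the man page entry for --no-replay and --replay-window
"""

if __name__ == "__main__":
    for t, pid, ok in simulate(ARRIVALS):
        print(f"time={t} id={pid} -> {'accepted' if ok else 'REPLAY'}")
    for (t, pid), n in count_replayed_ids(SAMPLE_LOG).items():
        print(f"log: #{pid} at time {t} rejected {n} times")
```

The first copy of #1 is accepted, every later copy with the same timestamp and id is rejected, and an id that has fallen out of the window is rejected too; this is why a duplicated first handshake packet produces exactly the stream of errors shown above rather than a successful TLS negotiation.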

You don't get those errors when you connect with the same device via the LAN?

Yes, absolutely.
I'm using an Android device with the OpenVPN Connect app.
I turn off Wi-Fi and get the errors; when I turn Wi-Fi on and connect via Wi-Fi, it works well.
I also have an OpenVPN profile for my work organization's server, and it connects fine both from Wi-Fi and from cellular.

Since the errors all seem to be TLS-related, have you tried removing the TLS-related items from the config files? My recommendation is to strip out all of the non-essential config directives to get it working, then add them back one at a time until you find the issue.

I removed the TLS lines from the server:

	option tls_exit '1'
	option tls_crypt '/etc/openvpn/ta.key 0'

Removed these lines from the client, and removed tls-crypt:

# remote-cert-tls server
# tls-client

Now I'm connecting from Wi-Fi:

Thu Jul  2 21:00:05 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 TLS: Initial packet from [AF_INET]192.168.1.78:47677, sid=f7c028b9 eb9d304e
Thu Jul  2 21:00:06 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 peer info: IV_GUI_VER=OC30Android
Thu Jul  2 21:00:06 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 peer info: IV_VER=3.git::f225fcd0:Release
Thu Jul  2 21:00:06 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 peer info: IV_PLAT=android
Thu Jul  2 21:00:06 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 peer info: IV_NCP=2
Thu Jul  2 21:00:06 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 peer info: IV_TCPNL=1
Thu Jul  2 21:00:06 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 peer info: IV_PROTO=2
Thu Jul  2 21:00:06 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 peer info: IV_LZO_STUB=1
Thu Jul  2 21:00:06 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 peer info: IV_COMP_STUB=1
Thu Jul  2 21:00:06 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 peer info: IV_COMP_STUBv2=1
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 TLS: Username/Password authentication succeeded for username 'user' [CN SET]
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: 192.168.1.78:47677 [user] Peer Connection Initiated with [AF_INET]192.168.1.78:47677
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: user/192.168.1.78:47677 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: user/192.168.1.78:47677 MULTI: Learn: 10.8.0.6 -> user/192.168.1.78:47677
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: user/192.168.1.78:47677 MULTI: primary virtual IP for user/192.168.1.78:47677: 10.8.0.6
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: user/192.168.1.78:47677 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: user/192.168.1.78:47677 SENT CONTROL [user]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: user/192.168.1.78:47677 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: user/192.168.1.78:47677 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul  2 21:00:07 2020 daemon.notice openvpn(Server)[18930]: user/192.168.1.78:47677 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul  2 21:00:20 2020 daemon.notice openvpn(Server)[18930]: user/192.168.1.78:47677 SIGTERM[soft,remote-exit] received, client-instance exiting

And then from remote there are no messages at all.
If I enable the port forwarding for 1194 I'm getting:

Thu Jul  2 21:02:19 2020 daemon.notice openvpn(Server)[18930]: 213.87.156.153:39921 TLS: Initial packet from [AF_INET]213.87.156.153:39921, sid=9afbbcde 56f760e4
Thu Jul  2 21:02:29 2020 daemon.notice openvpn(Server)[18930]: 213.87.156.153:41936 TLS: Initial packet from [AF_INET]213.87.156.153:41936, sid=d27458fe 3ca89fe1
Thu Jul  2 21:02:39 2020 daemon.notice openvpn(Server)[18930]: 213.87.156.153:26012 TLS: Initial packet from [AF_INET]213.87.156.153:26012, sid=de875694 7f4f0842
Thu Jul  2 21:03:19 2020 daemon.err openvpn(Server)[18930]: 213.87.156.153:39921 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul  2 21:03:19 2020 daemon.err openvpn(Server)[18930]: 213.87.156.153:39921 TLS Error: TLS handshake failed
Thu Jul  2 21:03:19 2020 daemon.notice openvpn(Server)[18930]: 213.87.156.153:39921 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Jul  2 21:03:29 2020 daemon.err openvpn(Server)[18930]: 213.87.156.153:41936 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul  2 21:03:29 2020 daemon.err openvpn(Server)[18930]: 213.87.156.153:41936 TLS Error: TLS handshake failed
Thu Jul  2 21:03:29 2020 daemon.notice openvpn(Server)[18930]: 213.87.156.153:41936 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Jul  2 21:03:39 2020 daemon.err openvpn(Server)[18930]: 213.87.156.153:26012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul  2 21:03:39 2020 daemon.err openvpn(Server)[18930]: 213.87.156.153:26012 TLS Error: TLS handshake failed
Thu Jul  2 21:03:39 2020 daemon.notice openvpn(Server)[18930]: 213.87.156.153:26012 SIGUSR1[soft,tls-error] received, client-instance restarting

So it seems like the packets are not passed by the firewall rule, but I can't see why.

You're still getting TLS errors.

Try this for the server:

	option server '10.8.0.0 255.255.255.0'
	option ca '/etc/openvpn/ca.crt'
	option client_to_client '1'
	option dh '/etc/openvpn/dh2048.pem'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option keepalive '10 120'
	option auth_nocache '1'
	option script_security '2'
	option auth 'SHA256'
	option proto 'udp'
	option verb '3'
	option mute_replay_warnings '1'
	option comp_lzo 'yes'
	option persist_tun '1'
	option persist_key '1'
	option dev 'tun'
	option cipher 'AES-256-CBC'

and this for the client:

dev tun
proto udp
remote <My remote address>
port 1194
client
resolv-retry infinite
auth SHA256
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
verb 3
route-delay 2

It's disabled by

option auth_user_pass_verify '/etc/openvpn/ovpnauth.sh via-file'
option verify_client_cert 'optional'

on the server and

auth-user-pass

on the client.

The problem is in the firewall, as far as I can see. There is 0 B of traffic on the rule zone_wan_input Allow-OpenVPN-Input when I attempt to connect.
If I enable the OVPN port forwarding, there are bytes in the firewall chain zone_wan_prerouting OVPN_Forwarding and in zone_wan_input "Accept port redirections".
So as far as I can see it's a firewall problem.

Update: I tried removing the rule options one by one; after I removed option src_port '1194', the connection worked like a charm.
Now I'll try putting back all the TLS options and see what happens.
By the way, thank you guys for helping!
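The root cause found here is worth encoding as a check: a client's UDP source port is ephemeral, so an input rule that also matches `src_port '1194'` accepts nothing, which is exactly the 0 B counter seen on Allow-OpenVPN-Input. As an added example (not from this thread, not OpenWrt's firewall3/fw4 code), here is a Python linter that parses /etc/config/firewall in UCI syntax and flags rule or redirect sections that constrain src_port; as a second heuristic it flags a redirect whose dest_ip is one of the router's own addresses (the caller supplies those), since a service listening on the router itself needs an input rule on the wan zone rather than a DNAT. The sample input is the firewall fragment from the first post; the rule names and the router address 192.168.1.1 are taken from it.

```python
import shlex

# Constructed sample: the firewall fragment from the first post.
SAMPLE_FIREWALL = """
config rule
	option dest_port '1194'
	option target 'ACCEPT'
	list proto 'udp'
	option src_port '1194'
	option name 'Allow-OpenVPN-Input'
	option src 'wan'

config zone
	option name 'vpn'
	option masq '1'
	option output 'ACCEPT'
	option network 'vpn0'
	option forward 'REJECT'
	option input 'REJECT'
	option mtu_fix '1'

config forwarding
	option dest 'lan'
	option src 'vpn'

config redirect
	option dest_port '1194'
	option src 'wan'
	option src_dport '1194'
	option target 'DNAT'
	option dest_ip '192.168.1.1'
	list proto 'udp'
	option name 'OVPN_Forwarding'
	option dest 'lan'
	option enabled '0'
"""

# The same fragment with the offending option removed, as the update above describes.
FIXED_FIREWALL = SAMPLE_FIREWALL.replace("option src_port '1194'", "")


def parse_uci(text):
    """Parse UCI config text into sections: {'type', 'name', 'options'}.

    'option' values are stored as strings, 'list' values as lists. Anonymous
    sections (no name after the type) get name None.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None,
                             "options": {}})
        elif parts[0] == "option" and sections:
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1]["options"].setdefault(parts[1], []).append(parts[2])
    return sections


def lint_firewall(text, router_ips=()):
    """Return a list of human-readable findings for common inbound-service mistakes."""
    findings = []
    for sec in parse_uci(text):
        opts = sec["options"]
        label = opts.get("name") or sec["name"] or sec["type"]
        if sec["type"] in ("rule", "redirect") and opts.get("src_port"):
            findings.append(
                f"{label}: src_port '{opts['src_port']}' restricts the client's source port; "
                "clients use ephemeral source ports, so this rule matches nothing. Drop src_port "
                "and match on dest_port only.")
        if sec["type"] == "redirect" and opts.get("dest_ip") in router_ips:
            findings.append(
                f"{label}: redirect targets the router's own address {opts['dest_ip']}; "
                "a service on the router needs an ACCEPT input rule on the wan zone, not a DNAT.")
    return findings


if __name__ == "__main__":
    for f in lint_firewall(SAMPLE_FIREWALL, router_ips=("192.168.1.1",)):
        print("WARN", f)
    print("after fix:", lint_firewall(FIXED_FIREWALL, router_ips=("192.168.1.1",)))
```

On the original fragment it reports the src_port problem on Allow-OpenVPN-Input and the self-targeting DNAT on OVPN_Forwarding; with src_port removed only the DNAT warning remains, which is the redirect the poster already disabled.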

OK, now it seems to be working.
Is there any other way of giving VPN clients access to the LAN without the push route server directive?
Maybe I can add the route in the client's config instead?
I'm pretty sure that if I add push route on the server again, I'll be pretty busy resetting my router again :slight_smile:

OK, I've risked it and added push route again (using LuCI), and it works now! Thank you all, guys.