R7800 OpenVPN Server Connects But No Traffic Flows

Hello,

I'm trying to set up an OpenVPN server on an R7800, but something seems strange. Clients are able to connect, however no traffic flows: I can't ping the router from a client or vice versa. My goal is to have devices access the local network and push all internet traffic through the VPN.

Main router network: 172.21.1.0/24
VPN network: 172.21.4.0/24
OpenWRT: OpenWrt 24.10.4 r28959-29397011cc / LuCI openwrt-24.10 branch 26.101.22949~8aafcdf

/etc/config/openvpn

config openvpn 'ovpn'
        option dev 'tun0'
        option comp_lzo 'no'
        option dh '/etc/openvpn/dh-router.pem'
        option keepalive '10 60'
        option key '/etc/openvpn/router.key'
        option cert '/etc/openvpn/router.crt'
        option verb '3'
        option ca '/etc/openvpn/ca-router.crt'
        option server '172.21.4.0 255.255.255.0'
        option port '41391'
        option proto 'tcp-server'
        option key_direction '0'
        option dev_type 'tun'
        option enabled '1'
        option persist_tun '0'
        option tls_server '1'
        option tls_auth '/etc/openvpn/tls-auth-router.key'
        option auth 'SHA512'
        list tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
        option tun_mtu '1200'
        option topology 'subnet'
        list push 'route 172.21.1.0 255.255.255.0'
        list push 'redirect-gateway def1'
        option mode 'server'

/etc/config/firewall

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list device 'tun0'

(...)

config rule
        option name 'Allow-OVPN'
        option family 'ipv4'
        option src 'wan'
        option dest_port '41391'
        option target 'ACCEPT'
        list proto 'tcp'

ip a

15: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1200 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 172.21.4.1/24 brd 172.21.4.255 scope global tun0
       valid_lft forever preferred_lft forever

Client configuration:

client
pull
dev tun
proto tcp
remote router.example.org 41391 tcp
user nobody
group nogroup
nobind
cipher AES-256-CBC
verb 3
resolv-retry infinite
tls-version-min 1.2
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
persist-key
persist-tun
mute-replay-warnings
redirect-gateway def1

verify-x509-name 'C=PT, ST=XXXX, L=XXXX, O=YYY, OU=router, CN=router, emailAddress=xxxx' subject
remote-cert-eku "TLS Web Server Authentication"

<ca>
....
</ca>

<cert>
....
</cert>

<key>
....
</key>

<tls-auth>
...
</tls-auth>
key-direction 1

When the client connects there are no errors, here's the log from the router:

Sun Apr 19 23:21:00 2026 daemon.notice openvpn(ovpn)[6468]: TCP connection established with [AF_INET]xxx.xxx.xxx.73:53849
Sun Apr 19 23:21:00 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.73:53849, sid=229af30c 0a4ae207
Sun Apr 19 23:21:00 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 VERIFY OK: depth=1, C=PT, ST=XXX, L=XXX, O=YYY, OU=router, CN=router, emailAddress=xxxx
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 VERIFY OK: depth=0, C=PT, ST=XXX, L=XXX, O=YYY, OU=router, CN=iphone, emailAddress=xxxx
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 peer info: IV_VER=3.11.1
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 peer info: IV_PLAT=ios
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 peer info: IV_NCP=2
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 peer info: IV_TCPNL=1
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 peer info: IV_PROTO=8094
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 peer info: IV_MTU=1600
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 peer info: IV_AUTO_SESS=1
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.7.2-6402
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 peer info: IV_SSO=webauth,crtext
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 TLS: tls_multi_process: initial untrusted session promoted to trusted
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 384 bits ECsecp384r1, signature: ecdsa-with-SHA256, peer temporary key: 253 bits X25519
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: xxx.xxx.xxx.73:53849 [iphone] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.73:53849
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: iphone/xxx.xxx.xxx.73:53849 MULTI_sva: pool returned IPv4=172.21.4.2, IPv6=(Not enabled)
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: iphone/xxx.xxx.xxx.73:53849 MULTI: Learn: 172.21.4.2 -> iphone/xxx.xxx.xxx.73:53849
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: iphone/xxx.xxx.xxx.73:53849 MULTI: primary virtual IP for iphone/xxx.xxx.xxx.73:53849: 172.21.4.2
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: iphone/xxx.xxx.xxx.73:53849 SENT CONTROL [iphone]: 'PUSH_REPLY,route 172.21.1.0 255.255.255.0,redirect-gateway def1,route-gateway 172.21.4.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.21.4.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1200' (status=1)
Sun Apr 19 23:21:01 2026 daemon.notice openvpn(ovpn)[6468]: iphone/xxx.xxx.xxx.73:53849 PUSH: Received control message: 'PUSH_REQUEST'
Sun Apr 19 23:21:02 2026 daemon.notice openvpn(ovpn)[6468]: iphone/xxx.xxx.xxx.73:53849 Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'stub'
Sun Apr 19 23:21:02 2026 daemon.notice openvpn(ovpn)[6468]: iphone/xxx.xxx.xxx.73:53849 Timers: ping 10, ping-restart 120
Sun Apr 19 23:21:02 2026 daemon.notice openvpn(ovpn)[6468]: iphone/xxx.xxx.xxx.73:53849 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt

Any tips on how to debug this or what might be wrong?

Thank you.

I would recommend upgrading to 25.12 since that is now available (and 24.10 is EOL now).

Have you considered WireGuard? It is much easier to configure and also far more performant.

Hi,

Thanks for the reply. Upgrading will most likely mean I'll have to set up everything from scratch again.

About WireGuard, I'm using it and it works fine on mobile and whatnot. The problem is that sometimes I use a network that doesn't allow UDP traffic but allows any type of TCP on port 80 or 443.

OpenVPN is capable of TCP over TCP, and that's why I'm trying it after not using it for years :slight_smile:

nah, you can use ASU or OWUT to upgrade with all packages and config intact.

I would certainly upgrade.

Can you show the client?

About the settings:
On the server:
remove compression (comp-lzo)
Your MTU is rather low; I would recommend using 1280 as a minimum, and then also set that on the client side.

On the client:
Use same tun-mtu as the server side
This is wrong:

> proto tcp

Should be proto tcp-client
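An added example, not code from the original thread or from the OpenWrt/OpenVPN projects, for the OP's "how to debug this" question and for the settings advice in the reply above: a small Python checker that parses the posted UCI server section and the client profile and reports the mismatches that leave the TLS session up while every data packet is dropped. It encodes the points made above (compression framing present on one side only, since OpenVPN 2.x keeps the compression header byte even with `comp-lzo no`, which is what the router log reports as `compression: 'stub'`; different tun-mtu values; and a client `proto` that is not `tcp-client`) and also reads the negotiated cipher and compression mode out of a `Data Channel:` log line. The config text, the log line and its 203.0.113.5 address are constructed copies of what is posted above, trimmed to the relevant options; the 1280 MTU is the reply's recommendation.

```python
"""Check an OpenWrt UCI OpenVPN server section against a client .ovpn profile
for the option mismatches that give "TLS connects, no traffic", and read the
negotiated data-channel parameters out of the router log.  Added example for
this thread; not OpenWrt or OpenVPN project code."""

import re
import shlex

# Constructed copies of the posted configs, trimmed to the lines that matter.
SERVER_UCI = """\
config openvpn 'ovpn'
        option dev 'tun0'
        option comp_lzo 'no'
        option server '172.21.4.0 255.255.255.0'
        option port '41391'
        option proto 'tcp-server'
        option tun_mtu '1200'
        option topology 'subnet'
        list push 'route 172.21.1.0 255.255.255.0'
        list push 'redirect-gateway def1'
"""

CLIENT_OVPN = """\
client
dev tun
proto tcp
remote router.example.org 41391 tcp
cipher AES-256-CBC
redirect-gateway def1
<ca>
....
</ca>
"""

# The same pair with the thread's advice applied: no comp-lzo at all,
# tun-mtu 1280 on both sides, explicit tcp-client on the client.
FIXED_SERVER_UCI = SERVER_UCI.replace("        option comp_lzo 'no'\n", "").replace("1200", "1280")
FIXED_CLIENT_OVPN = CLIENT_OVPN.replace("proto tcp\n", "proto tcp-client\ntun-mtu 1280\n")

# Constructed copy of the server's Data Channel line (address replaced).
LOG_LINE = ("iphone/203.0.113.5:53849 Data Channel: cipher 'AES-256-GCM', "
            "peer-id: 0, compression: 'stub'")

UCI_LINE = re.compile(r"^\s*(?:option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """{name: [values]} for one UCI section; '_' becomes '-' as the OpenWrt init script does."""
    opts = {}
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if m:
            opts.setdefault(m.group(1).replace("_", "-"), []).append(m.group(2))
    return opts


def parse_ovpn(text):
    """{directive: [argument string]}; inline <ca>/<cert>/<key> blocks are skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = shlex.split(line)
            opts.setdefault(parts[0], []).append(" ".join(parts[1:]))
    return opts


def has_compression_framing(opts):
    """OpenVPN 2.x adds the compression header byte whenever comp-lzo or compress
    is present at all; 'comp-lzo no' only switches the algorithm off (the server
    log shows this as compression: 'stub').  A peer without any such option
    does not expect that byte, so its packets are unusable on this side."""
    return "comp-lzo" in opts or "compress" in opts


def negotiated_from_log(line):
    """Pull the cipher and compression mode out of a 'Data Channel:' server log line."""
    m = re.search(r"cipher '([^']+)'.*compression: '([^']+)'", line)
    return {"cipher": m.group(1), "compression": m.group(2)} if m else {}


def check(server, client):
    """Return [(key, message)] per mismatch that can stop traffic or that the
    thread recommends fixing; an empty list means the pair is consistent."""
    findings = []
    if has_compression_framing(server) != has_compression_framing(client):
        findings.append(("compression",
                         "compression framing enabled on one side only: remove comp-lzo/compress from both"))
    s_mtu = server.get("tun-mtu", ["1500"])[0]  # OpenVPN default when unset
    c_mtu = client.get("tun-mtu", ["1500"])[0]
    if s_mtu != c_mtu:
        findings.append(("tun-mtu", f"server tun-mtu {s_mtu} vs client {c_mtu}: set the same value (>= 1280) on both"))
    s_proto = server.get("proto", ["udp"])[0]
    c_proto = client.get("proto", ["udp"])[0]
    if s_proto == "tcp-server" and c_proto != "tcp-client":
        findings.append(("proto", f"client proto '{c_proto}' against tcp-server: use tcp-client"))
    elif s_proto.startswith("udp") != c_proto.startswith("udp"):
        findings.append(("proto", f"transport mismatch: server {s_proto}, client {c_proto}"))
    return findings


if __name__ == "__main__":
    for key, msg in check(parse_uci(SERVER_UCI), parse_ovpn(CLIENT_OVPN)):
        print(f"[{key}] {msg}")
    print("negotiated:", negotiated_from_log(LOG_LINE))
    print("after fix:", check(parse_uci(FIXED_SERVER_UCI), parse_ovpn(FIXED_CLIENT_OVPN)))
```

Run as a script it lists the three mismatches for the posted pair, prints the negotiated `AES-256-GCM` / `stub` pair from the log line, and reports an empty list for the corrected pair. The compression check is the one that matters for the symptom in this thread: a mismatched framing byte is invisible at the TLS layer, so the log looks clean right up to `Data Channel:` and nothing after it ever arrives.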

Hi, thanks for the tip once again old friend :slight_smile:

It was indeed comp-lzo that was causing the problem.