Thanks. Unfortunately I don't have the tools required to troubleshoot the clients.
Interestingly enough these errors only appears with Apple devices (there are two iPads and two iPhones at home, and only their MAC address appear in these error messages).
Anyway, I am still suspecting it is somehow related to a device roaming across different OpenWRT access points. See errors below, they are from DMESG from two different OpenWRT access points, probably happened when the devices were roaming (however this is only an hypothesis and I have not tested enough to confirm). Or it's an iOS bug...
Anyway, I rebooted all devices last night and so far only two of these errors appeared. For now I will ignore them, but I have a feeling that in fact there is a bug somewhere (either in iOS or OpenWRT).
One possible test I will do sometime is to disable 802.11r in all devices and see if these errors disappear.
Additionally apple might be trying to do some "smart roaming" which might be somehow conflicting with OpenWRT implementation - namely "PMKID caching" used by Apple, see here and here).
See the following comments from Cisco:
(...) This is possible because, every time a client is fully EAP-authenticated, the client and Authentication Server derive an MSK, which is used in order to derive the PMK. This is used as the seed for the WPA2 4-Way handshake in order to derive the final unicast encryption key (PTK) that is used for the session (until the client roams to another AP or the session expires); hence, this method prevents the EAP authentication phase when roaming because it reutilizes the original PMK cached by the client and the AP. The client only has to go through the WPA2 4-Way handshake in order to derive new encryption keys.
(...)
This method is optional and is not supported by all WPA2 devices, because the purpose of the 802.11i amendment does not concern fast-secure roaming, and the IEEE was already working on another amendment to standardize fast-secure roaming for WLANs (802.11r, which is covered later in this document).(...)
OpenWRT Access point 1 (192.168.1.1):
[ 23.129576] br-lan: port 6(wlan1) entered blocking state
[ 23.134921] br-lan: port 6(wlan1) entered forwarding state
[ 794.739624] Rekeying PTK for STA xx:xx:xx:xx:82:11 but driver can't safely do that.
[ 799.229220] Rekeying PTK for STA xx:xx:xx:xx:3b:f3 but driver can't safely do that.
EOF
OpenWRT Access point 3 (192.168.1.3):
[ 19.436263] br-lan: port 6(wlan1) entered forwarding state
[ 842.181201] Rekeying PTK for STA xx:xx:xx:xx:82:11 but driver can't safely do that.
[ 843.943349] Rekeying PTK for STA xx:xx:xx:xx:3b:f3 but driver can't safely do that.
EOF
EDITED: below are some additional errors from logread which might or might not be related to these issues:
Thu Sep 16 23:09:09 2021 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu Sep 16 23:09:09 2021 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=xx:xx:xx:xx:82:11 ifname=wlan1 vlan_id=0) failed: -2 (No such file or directory)
Thu Sep 16 23:09:09 2021 daemon.err hostapd: nl80211: kernel reports: key addition failed
Thu Sep 16 23:09:09 2021 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=xx:xx:xx:xx:3b:f3 ifname=wlan1 vlan_id=0) failed: -2 (No such file or directory)
Fri Sep 17 06:33:47 2021 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri Sep 17 06:56:02 2021 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri Sep 17 06:56:02 2021 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=xx:xx:xx:xx:3b:f3 ifname=wlan1 vlan_id=0) failed: -2 (No such file or directory)
Fri Sep 17 07:06:52 2021 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri Sep 17 07:06:52 2021 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=xx:xx:xx:xx:82:11 ifname=wlan1 vlan_id=0) failed: -2 (No such file or directory)
Fri Sep 17 08:10:42 2021 daemon.err hostapd: nl80211: kernel reports: key addition failed