I am back... Seems like the new tagging broke my OpenVPN connection. I see these errors in my server log:
Tue Mar 20 19:58:37 2018 daemon.notice openvpn(bravo)[1088]: x.x.x.x:xxxx TLS: Initial packet from [AF_INET]x.x.x.x:xxxx, sid=xxx
Tue Mar 20 19:58:42 2018 daemon.notice openvpn(bravo)[1088]: x.x.x.x:xxxx TLS: Initial packet from [AF_INET]x.x.x.x:xxxx, sid=xxx
Tue Mar 20 19:59:37 2018 daemon.err openvpn(bravo)[1088]: x.x.x.x:xxxx TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 20 19:59:37 2018 daemon.err openvpn(bravo)[1088]: x.x.x.x:xxxx TLS Error: TLS handshake failed
Tue Mar 20 19:59:37 2018 daemon.notice openvpn(bravo)[1088]: x.x.x.x:xxxx SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Mar 20 19:59:42 2018 daemon.err openvpn(bravo)[1088]: x.x.x.x:xxxx TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 20 19:59:42 2018 daemon.err openvpn(bravo)[1088]: x.x.x.x:xxxx TLS Error: TLS handshake failed
Tue Mar 20 19:59:42 2018 daemon.notice openvpn(bravo)[1088]: x.x.x.x:xxxx SIGUSR1[soft,tls-error] received, client-instance restarting
On my MacBook Tunnelblick client I see an error that the certificate is expired (it expires in 2028, so this is false), and on my Android OpenVPN client I see "SSL certificate read error" (which seems to be the issue indeed).
It states that the firewall should be the issue. When introducing this tagging, did I forget to add some firewall rule for this? I thought it would have no impact?
It's unclear what you're trying to do with OpenVPN. Is your router the OpenVPN client, or a server? If you are running a server you do need to open its port in the firewall.
Sorry guys for the lack of info, here is some more:
I have an OpenVPN server running since day 1; it was working perfectly until I did the port tagging and set up the bridges. Port 1194 is open like it always was. OpenVPN clients had access to the complete LAN, since I am the only OpenVPN user.
I tried to switch from UDP to TCP, but then too I get a connection error. When I look in my system logs, I see the initial connection packet arriving, but after that the client cannot connect and the server receives nothing more. I think it's when the certificate should be validated. The certificate is also the same as a couple of days ago when it was working.
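As an added example (not code from this thread): a small parser for server log lines like the ones posted above that flags peers whose first packet arrived but whose TLS handshake never completed, which is exactly the "initial packet, then nothing more" pattern described here. The sample log and peer addresses are constructed, and the "Peer Connection Initiated" line assumes the message a successfully connected client session produces.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the server log posted in this thread (placeholder peers).
SAMPLE_LOG = """\
Tue Mar 20 19:58:37 2018 daemon.notice openvpn(bravo)[1088]: 198.51.100.7:51234 TLS: Initial packet from [AF_INET]198.51.100.7:51234, sid=abc
Tue Mar 20 19:58:42 2018 daemon.notice openvpn(bravo)[1088]: 198.51.100.7:51234 TLS: Initial packet from [AF_INET]198.51.100.7:51234, sid=abc
Tue Mar 20 19:59:37 2018 daemon.err openvpn(bravo)[1088]: 198.51.100.7:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 20 19:59:37 2018 daemon.err openvpn(bravo)[1088]: 198.51.100.7:51234 TLS Error: TLS handshake failed
Tue Mar 20 20:01:02 2018 daemon.notice openvpn(bravo)[1088]: 203.0.113.9:40000 TLS: Initial packet from [AF_INET]203.0.113.9:40000, sid=def
Tue Mar 20 20:01:03 2018 daemon.notice openvpn(bravo)[1088]: 203.0.113.9:40000 [laptop] Peer Connection Initiated with [AF_INET]203.0.113.9:40000
"""

# syslog prefix, then the "host:port" that OpenVPN prepends to per-client messages
LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} \S+ openvpn\([^)]*\)\[\d+\]: "
                     r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$")

def summarize(text):
    """Per peer: initial packets seen, TLS failures, and whether a handshake ever completed."""
    stats = defaultdict(lambda: {"initial": 0, "tls_failures": 0, "connected": False})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines without a peer prefix (daemon start-up etc.) are not per-client
        s = stats[m.group("peer")]
        msg = m.group("msg")
        if "TLS: Initial packet from" in msg:
            s["initial"] += 1
        elif "TLS key negotiation failed" in msg or "TLS handshake failed" in msg:
            s["tls_failures"] += 1
        elif "Peer Connection Initiated" in msg:
            s["connected"] = True
    return dict(stats)

def classify(stats):
    """'stalled-after-initial': the server saw the client's first packet (so the listening
    port is reachable) but no handshake completed, pointing at the return path instead."""
    verdicts = {}
    for peer, s in stats.items():
        if s["connected"]:
            verdicts[peer] = "ok"
        elif s["initial"] and s["tls_failures"]:
            verdicts[peer] = "stalled-after-initial"
        else:
            verdicts[peer] = "unknown"
    return verdicts
```

Feed it the output of `logread` (or wherever the router keeps its syslog) in place of the constructed sample; a peer classified as stalled-after-initial means the open port is not the problem, the reply path (routing, firewall or VLAN tagging) is where to look.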
A packet in one direction, then "nothing more" often indicates a routing problem. Box A had a "good" route to Box B, but Box B doesn't have a good route to Box A. By "routing problem" that includes not only the routing table itself, but firewall rules, cables, ...
Over the years, I've had problems where a routing table sent packets back over a different physical link than on which they arrived. A valid route, yes, but a failed or failing cable can cause much head scratching.
Let me try to summarize: a remote VPN client is connecting to a VPN server on your router listening on WAN, and it used to work... But after adjusting for VLANs it stalls after the first packet?
Other than this, everything else works as normal after the guest addition?
That's 100% correct, sir! I also have some other open WAN ports, and connecting through them from the outside world still works like a charm.
I did some more investigating and read something about OpenVPN tun mode not working with bridges. I guess only the WLAN points are bridges, so it should not impact, right?
There's probably no reason why port 1 should have the WAN VLAN tagged on it. Remove WAN from port 1 and see if this helps; perhaps something strange there... Seems unlikely, but could be.
I'm not sure what's connected where for the VLANs. As I look at your switch diagram, all clients connected to the LAN 1 port need to be VLAN-aware. If that is a trunk to a VLAN-aware switch or router, then it makes sense as that device will/should be stripping / applying VLAN tags for its outbound / inbound connections to "normal" clients. If that's not the case, that might be some of the problem.
OpenVPN pushes routes over its connection to the far end. Probably the VPN client can't connect to the LAN members because it hasn't had a route pushed to it saying "to contact the x.x.x.x network, route through the VPN"; this is an OpenVPN config issue.