Setup openVPN server through LuCI with access to LAN

I'm not sure what is the unrecognized option or the missing parameter.
Here is the server.conf file in /etc/openvpn
https://pastebin.com/gABF6XJX

Please post the configs here instead of pastebin.

Maybe something is wrong with the script?

Here are my outputs

root@OpenWrt:~# uci get firewall.ovpn.dest_port
55555
root@OpenWrt:~# uci get firewall.ovpn.proto
udp

But for some reason the respective values in server.conf are "emptyspace" and "all" respectively.
Even though I manually entered them in server.conf which now gives the following output

root@OpenWrt:~# /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10
root@OpenWrt:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Sat May  9 14:57:10 2020 daemon.err openvpn(server)[10112]: event_wait : Interrupted system call (code=4)
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10112]: Closing TUN/TAP interface
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10112]: /sbin/ifconfig tun0 0.0.0.0
Sat May  9 14:57:10 2020 daemon.warn openvpn(server)[10112]: Linux ip addr del failed: external program exited with error status: 1
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10112]: SIGTERM[hard,] received, process exiting
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: library versions: OpenSSL 1.0.2u  20 Dec 2019, LZO 2.10
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: Diffie-Hellman initialized with 2048 bit key
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: TUN/TAP device tun0 opened
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: TUN/TAP TX queue length set to 100
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Sat May  9 14:57:10 2020 daemon.warn openvpn(server)[10200]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: UDPv4 link local (bound): [AF_INET][undef]:55555
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: UDPv4 link remote: [AF_UNSPEC]
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: GID set to nogroup
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: UID set to nobody
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: MULTI: multi_init called, r=256 v=256
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: IFCONFIG POOL: base=192.168.8.2 size=252, ipv6=0
Sat May  9 14:57:10 2020 daemon.notice openvpn(server)[10200]: Initialization Sequence Completed
udp        0      0 0.0.0.0:55555           0.0.0.0:*                           10200/openvpn

client still won't connect

It should be port 55555 on line 5 of your server config. Happy VPNning!

server.conf after manually editing lines 5 and 6:

verb 3
user nobody
group nogroup
dev tun0
port 55555
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
****
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
****
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
****
-----END PRIVATE KEY-----
</key>

Still no connection from client.
My LAN subnet is 192.168.1.0/24; maybe I should change to that subnet in server.conf as well?

Also proto all... I don't know if that's valid. Set proto udp instead. And nope, the 192.168.8.0/24 is the virtual subnet where your VPN gets dropped in. It's fine. What does the client log say?

If I change to proto all here is the output from troubleshooting

root@OpenWrt:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Sat May  9 15:04:10 2020 daemon.err openvpn(server)[10308]: event_wait : Interrupted system call (code=4)
Sat May  9 15:04:10 2020 daemon.notice openvpn(server)[10308]: Closing TUN/TAP interface
Sat May  9 15:04:10 2020 daemon.notice openvpn(server)[10308]: /sbin/ifconfig tun0 0.0.0.0
Sat May  9 15:04:10 2020 daemon.warn openvpn(server)[10308]: Linux ip addr del failed: external program exited with error status: 1
Sat May  9 15:04:10 2020 daemon.notice openvpn(server)[10308]: SIGTERM[hard,] received, process exiting
Sat May  9 15:04:10 2020 daemon.err openvpn(server)[10410]: Options error: Bad protocol: 'all'.  Allowed protocols with --proto option: [proto-uninitialized] [udp] [tcp-server] [tcp-client] [tcp] [udp4] [tcp4-server] [tcp4-client] [tcp4] [udp6] [tcp6-server] [tcp6-client] [tcp6]
Sat May  9 15:04:10 2020 daemon.warn openvpn(server)[10410]: Use --help for more information.
Sat May  9 15:04:15 2020 daemon.err openvpn(server)[10418]: Options error: Bad protocol: 'all'.  Allowed protocols with --proto option: [proto-uninitialized] [udp] [tcp-server] [tcp-client] [tcp] [udp4] [tcp4-server] [tcp4-client] [tcp4] [udp6] [tcp6-server] [tcp6-client] [tcp6]
Sat May  9 15:04:15 2020 daemon.warn openvpn(server)[10418]: Use --help for more information.
Sat May  9 15:04:20 2020 daemon.err openvpn(server)[10422]: Options error: Bad protocol: 'all'.  Allowed protocols with --proto option: [proto-uninitialized] [udp] [tcp-server] [tcp-client] [tcp] [udp4] [tcp4-server] [tcp4-client] [tcp4] [udp6] [tcp6-server] [tcp6-client] [tcp6]
Sat May  9 15:04:20 2020 daemon.warn openvpn(server)[10422]: Use --help for more information.
Sat May  9 15:04:25 2020 daemon.err openvpn(server)[10426]: Options error: Bad protocol: 'all'.  Allowed protocols with --proto option: [proto-uninitialized] [udp] [tcp-server] [tcp-client] [tcp] [udp4] [tcp4-server] [tcp4-client] [tcp4] [udp6] [tcp6-server] [tcp6-client] [tcp6]
Sat May  9 15:04:25 2020 daemon.warn openvpn(server)[10426]: Use --help for more information.

Client log:

5/9/2020, 3:06:53 PM Connecting to [x.x.x.x]:55555 (y.y.y.y) via UDPv4
5/9/2020, 3:06:53 PM EVENT: WAIT
5/9/2020, 3:07:03 PM Server poll timeout, trying next remote entry...
5/9/2020, 3:07:03 PM EVENT: RECONNECTING
5/9/2020, 3:07:03 PM EVENT: RESOLVE
5/9/2020, 3:07:03 PM EVENT: WAIT
5/9/2020, 3:07:03 PM Contacting x.x.x.x:55555 via UDP
5/9/2020, 3:07:03 PM Connecting to [x.x.x.x]:55555 (y.y.y.y) via UDPv4

Hehe, no, you must change it to proto udp. Your pastebin says it was proto all. Also, make sure the changes are reflected in the client profile. Can you post an example of that?

Also, these are the errors I found in your server config.

port --> port 55555
proto all --> proto udp
push "persist-tun" --> not valid, delete the line
push "persist-key" --> not valid, delete the line
push "redirect-gateway def1" --> push "redirect-gateway def1 bypass-dhcp"
and udp tunnels need the following line

explicit-exit-notify 1
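
The two hard failures in this thread (a `port` directive with no value and `proto all`) can be caught before the daemon is restarted. The shell function below is an added example, not part of the original thread or of OpenWrt: `lint_ovpn_conf` and its messages are hypothetical names, the accepted protocol list is copied from the server's "Bad protocol" log line above, and the optional second and third arguments are assumed to be the values returned by `uci get firewall.ovpn.dest_port` and `uci get firewall.ovpn.proto`.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an OpenVPN server.conf.
# Accepted --proto values, copied from the "Bad protocol" log line in this thread
# ("proto-uninitialized" is left out: it is not a value to put in a config).
ALLOWED_PROTOS="udp tcp-server tcp-client tcp udp4 tcp4-server tcp4-client tcp4 udp6 tcp6-server tcp6-client tcp6"

# lint_ovpn_conf FILE [FW_PORT] [FW_PROTO]   (hypothetical helper name)
# Prints one finding per line; exit status 0 = clean, 1 = findings.
# On the router:
#   lint_ovpn_conf /etc/openvpn/server.conf \
#       "$(uci get firewall.ovpn.dest_port)" "$(uci get firewall.ovpn.proto)"
lint_ovpn_conf() {
    awk -v allowed="$ALLOWED_PROTOS" -v fw_port="$2" -v fw_proto="$3" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Skip inline <dh>/<ca>/<cert>/<key>/<tls-crypt> blocks: their bodies are not directives.
        /^<\/[a-z-]+>/ { inblk = 0; next }
        /^<[a-z-]+>/   { inblk = 1; next }
        inblk || /^[ \t]*([#;]|$)/ { next }
        $1 == "port" {
            if ($2 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > 65535) {
                printf "line %d: port has no valid value\n", NR; bad++
            } else if (fw_port != "" && $2 + 0 != fw_port + 0) {
                printf "line %d: port %s differs from firewall rule port %s\n", NR, $2, fw_port; bad++
            }
        }
        $1 == "proto" {
            if (!($2 in ok)) {
                printf "line %d: proto \"%s\" is not accepted by --proto\n", NR, $2; bad++
            } else if (fw_proto != "" && index($2, fw_proto) != 1) {
                printf "line %d: proto %s does not match firewall rule proto %s\n", NR, $2, fw_proto; bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}
```
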

Ok so to get things straight: here is my /etc/openvpn/server.conf:

verb 3
user nobody
group nogroup
dev tun0
port 55555
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
explicit-exit-notify 1
<dh>
-----BEGIN DH PARAMETERS-----
****
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
****
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
****
-----END PRIVATE KEY-----
</key>

still cannot connect from client

What are the logs from server and client?

Yes, looks good now (I did make one sneak edit with that redirect-gateway thing, adjust that too). Btw use udp6 to make the server accessible from IPv6. Now post an example client profile (not log).

Short server logs:

root@OpenWrt:~# /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 5
root@OpenWrt:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Sat May  9 15:10:03 2020 daemon.err openvpn(server)[11165]: event_wait : Interrupted system call (code=4)
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11165]: Closing TUN/TAP interface
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11165]: /sbin/ifconfig tun0 0.0.0.0
Sat May  9 15:10:03 2020 daemon.warn openvpn(server)[11165]: Linux ip addr del failed: external program exited with error status: 1
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11165]: SIGTERM[hard,] received, process exiting
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: library versions: OpenSSL 1.0.2u  20 Dec 2019, LZO 2.10
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: Diffie-Hellman initialized with 2048 bit key
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: TUN/TAP device tun0 opened
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: TUN/TAP TX queue length set to 100
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Sat May  9 15:10:03 2020 daemon.warn openvpn(server)[11268]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: UDPv4 link local (bound): [AF_INET][undef]:55555
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: UDPv4 link remote: [AF_UNSPEC]
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: GID set to nogroup
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: UID set to nobody
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: MULTI: multi_init called, r=256 v=256
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: IFCONFIG POOL: base=192.168.8.2 size=252, ipv6=0
Sat May  9 15:10:03 2020 daemon.notice openvpn(server)[11268]: Initialization Sequence Completed
udp        0      0 0.0.0.0:55555           0.0.0.0:*                           11268/openvpn

client logs same as above

client.ovpn file:

verb 3
dev tun
nobind
client
remote x.x.x.x 55555 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
****
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
****
-----END PRIVATE KEY-----
</key>

Noticed that private key is not the same as in server.conf, is this normal?

Yes.

Since you don't have any connection attempt in the server log, make sure that the client is using the correct port and IP to reach the server. Stop worrying about revealing the port of the OpenVPN server, you can change it later.

Ports are correct 100%

Yes. The private key is the private key of the client certificate. In your server config, that private key is the private key of server certificate.

Change this

remote x.x.x.x 55555 udp -> remote x.x.x.x 55555
proto udp <- add this line
auth-nocache --> remove this line, we're using certificates to authenticate
auth SHA256 --> add this line instead
key-direction 1 --> add this line
persist-key --> add this line since you were trying to push them in your server config
persist-tun --> add this line since you were trying to push them in your server config

Maybe add some cipher directives too? Let's try first without them.

Ok, changed them, still nothing, client log here

5/9/2020, 3:23:54 PM EVENT: RECONNECTING
5/9/2020, 3:23:54 PM EVENT: RESOLVE
5/9/2020, 3:23:54 PM EVENT: WAIT
5/9/2020, 3:23:54 PM Contacting x.x.x.x:55555 via UDP
5/9/2020, 3:23:54 PM Connecting to [x.x.x.x]:55555 (x.x.x.x) via UDPv4
5/9/2020, 3:24:04 PM Server poll timeout, trying next remote entry...

Okay, at first glance, your configs should be fine now. Maybe post both client profile and server config so I can verify it for the last time. But there's still another error we have to work out (that of your ports). Do you run OpenWRT in a Double NAT? E.g., ISP router -> OpenWRT?