[solved] OpenVPN Basic Configuration routing problem

Hi,

I want to set up an OpenVPN connection from my OpenWrt router to my iPhone. I configured everything according to the very good wiki page ([https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic]).

I managed to successfully establish a VPN connection, but there seems to be a routing problem, since I cannot access any service on my private network.

My private network is 192.168.1.0/255.255.255.0 and my iPhone got the private address 192.168.200.2. Do I have to add any route in OpenWrt so that routing from the .200 network to the .1 network is possible?

I did not post the configuration since it is exactly according to the wiki page.

My local network is 192.168.1.0. The VPN network is 192.168.200.0 according to the wiki page:

uci set openvpn.vpnserver.server="192.168.200.0 255.255.255.0"

And I can see on my iPhone that it gets assigned the private address 192.168.200.2. This should be OK, shouldn't it?

Yes, and now you can ping your router at 192.168.200.1 from the iPhone.

To access 192.168.1.0

you need this option in the VPN config:

route 192.168.1.0 255.255.255.0

No if OpenVPN is installed on your main router, otherwise yes.
If it's still not working, check destination host routing and firewall.

But I have the option in my VPN config (according to the wiki page):

uci add_list openvpn.vpnserver.push="route 192.168.1.0 255.255.255.0"

And OpenVPN is installed on my main router (192.168.1.1).

I can neither access 192.168.1.1 nor 192.168.200.1 from my iPhone with an established VPN connection (and the private VPN address 192.168.200.2 on my iPhone).

If you cannot access 192.168.200.1, this is not a routing problem.
It's a connection problem; show the OpenVPN log.

OpenVPN log (some IP addresses/host names replaced with x):

Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: Diffie-Hellman initialized with 2048 bit key
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: TUN/TAP device tun0 opened
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: TUN/TAP TX queue length set to 100
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: /sbin/ifconfig tun0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Sun Jan 13 10:37:52 2019 daemon.warn openvpn(vpnserver)[17148]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: UDPv4 link remote: [AF_UNSPEC]
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: MULTI: multi_init called, r=256 v=256
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Sun Jan 13 10:37:52 2019 daemon.notice openvpn(vpnserver)[17148]: Initialization Sequence Completed
Sun Jan 13 10:38:58 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 TLS: Initial packet from [AF_INET]109.41.64.x:23837, sid=25f2fa44 31c57649
Sun Jan 13 10:38:58 2019 daemon.err openvpn(vpnserver)[17148]: 109.41.64.x:23837 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1547372336) Sun Jan 13 10:38:56 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jan 13 10:38:58 2019 daemon.err openvpn(vpnserver)[17148]: 109.41.64.x:23837 tls-crypt unwrap error: packet replay
Sun Jan 13 10:38:58 2019 daemon.err openvpn(vpnserver)[17148]: 109.41.64.x:23837 TLS Error: tls-crypt unwrapping failed from [AF_INET]109.41.64.x:23837
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 VERIFY OK: depth=0, CN=vpnclient
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_VER=3.2
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_PLAT=ios
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_NCP=2
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_TCPNL=1
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_PROTO=2
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_LZO_STUB=1
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_COMP_STUB=1
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_COMP_STUBv2=1
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_AUTO_SESS=1
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_BS64DL=1
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 [vpnclient] Peer Connection Initiated with [AF_INET]109.41.64.x:23837
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: vpnclient/109.41.64.x:23837 MULTI_sva: pool returned IPv4=192.168.200.2, IPv6=(Not enabled)
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: vpnclient/109.41.64.x:23837 MULTI: Learn: 192.168.200.2 -> vpnclient/109.41.64.x:23837
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: vpnclient/109.41.64.x:23837 MULTI: primary virtual IP for vpnclient/109.41.64.x:23837: 192.168.200.2
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: vpnclient/109.41.64.x:23837 PUSH: Received control message: 'PUSH_REQUEST'
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: vpnclient/109.41.64.x:23837 SENT CONTROL [vpnclient]: 'PUSH_REPLY,redirect-gateway def1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,compress lzo,persist-tun,persist-key,dhcp-option DOMAIN lan,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: vpnclient/109.41.64.x:23837 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: vpnclient/109.41.64.x:23837 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: vpnclient/109.41.64.x:23837 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Firewall config (some IP addresses/host names replaced with x):

firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-OpenVPN'
firewall.@rule[0].src='wan'
firewall.@rule[0].dest_port='1194'
firewall.@rule[0].proto='tcp udp'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].enabled='1'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='DROP'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fe80::/10'
firewall.@rule[3].src_port='547'
firewall.@rule[3].dest_ip='fe80::/10'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-ICMPv6-Input'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[4].limit='1000/sec'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='DROP'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Forward'
firewall.@rule[5].src='wan'
firewall.@rule[5].dest='*'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='DROP'
firewall.@rule[6]=rule
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='esp'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='0'
firewall.@rule[7]=rule
firewall.@rule[7].src='wan'
firewall.@rule[7].proto='udp'
firewall.@rule[7].dest_port='500'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].enabled='0'
firewall.@rule[8]=rule
firewall.@rule[8].src='wan'
firewall.@rule[8].proto='udp'
firewall.@rule[8].dest_port='4500'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].enabled='0'
firewall.@rule[9]=rule
firewall.@rule[9].src='wan'
firewall.@rule[9].proto='ah'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].enabled='0'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='lan'
firewall.@rule[10].dest='wan'
firewall.@rule[10].name='ntp erlauben'
firewall.@rule[10].proto='udp'
firewall.@rule[10].dest_port='123'
firewall.@rule[11]=rule
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src='lan'
firewall.@rule[11].dest='wan'
firewall.@rule[11].name='smtp erlauben'
firewall.@rule[11].proto='tcp'
firewall.@rule[11].dest_port='587'
firewall.@rule[12]=rule
firewall.@rule[12].src='lan'
firewall.@rule[12].src_ip='192.168.1.x'
firewall.@rule[12].name='ipcam x'
firewall.@rule[12].src_mac='x'
firewall.@rule[12].dest='wan'
firewall.@rule[12].target='REJECT'
firewall.@rule[13]=rule
firewall.@rule[13].src='lan'
firewall.@rule[13].src_ip='192.168.1.x'
firewall.@rule[13].name='ipcam x'
firewall.@rule[13].src_mac='x'
firewall.@rule[13].dest='wan'
firewall.@rule[13].target='REJECT'
firewall.@rule[14]=rule
firewall.@rule[14].src='lan'
firewall.@rule[14].name='ipcam x'
firewall.@rule[14].src_ip='192.168.1.x'
firewall.@rule[14].src_mac='x'
firewall.@rule[14].dest='wan'
firewall.@rule[14].target='REJECT'
firewall.@rule[15]=rule
firewall.@rule[15].src='lan'
firewall.@rule[15].src_ip='192.168.1.x'
firewall.@rule[15].name='ipcam x'
firewall.@rule[15].src_mac='x'
firewall.@rule[15].dest='wan'
firewall.@rule[15].target='REJECT'
firewall.@rule[16]=rule
firewall.@rule[16].src='lan'
firewall.@rule[16].name='ipcam x'
firewall.@rule[16].src_ip='192.168.1.x'
firewall.@rule[16].src_mac='x'
firewall.@rule[16].dest='wan'
firewall.@rule[16].target='REJECT'
firewall.@rule[17]=rule
firewall.@rule[17].src='lan'
firewall.@rule[17].name='aldicam x'
firewall.@rule[17].src_ip='192.168.1.x'
firewall.@rule[17].src_mac='x'
firewall.@rule[17].dest='wan'
firewall.@rule[17].target='REJECT'
firewall.@rule[18]=rule
firewall.@rule[18].target='ACCEPT'
firewall.@rule[18].proto='tcp udp'
firewall.@rule[18].dest_port='53'
firewall.@rule[18].name='guest dns'
firewall.@rule[18].src='guest'
firewall.@rule[19]=rule
firewall.@rule[19].target='ACCEPT'
firewall.@rule[19].proto='udp'
firewall.@rule[19].dest_port='67-68'
firewall.@rule[19].name='guest dhcp'
firewall.@rule[19].src='guest'
firewall.@rule[20]=rule
firewall.@rule[20].src='lan'
firewall.@rule[20].name='ipcam x'
firewall.@rule[20].src_ip='192.168.1.x'
firewall.@rule[20].target='REJECT'
firewall.@rule[20].src_mac='x'
firewall.@rule[20].dest='wan'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='REJECT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='DROP'
firewall.@zone[1].forward='DROP'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='Divert DNS'
firewall.@redirect[0].proto='udp tcp'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].src_dport='53'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[1].src_dport='54321'
firewall.@redirect[1].dest_ip='192.168.1.x'
firewall.@redirect[1].dest_port='5500'
firewall.@redirect[1].name='ultravnc'
firewall.@redirect[1].enabled='0'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='guest'
firewall.@zone[2].input='REJECT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='guest'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@zone[3]=zone
firewall.@zone[3].name='vpnserver'
firewall.@zone[3].network='vpnserver'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='REJECT'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpnserver'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='vpnserver'
firewall.@forwarding[3].dest='lan'

Network config:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='x::/48'
network.lan=interface
network.lan.ifname='eth1'
network.lan.type='bridge'
network.lan._orig_ifname='eth1 radio0.network1'
network.lan._orig_bridge='true'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 4'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 6'
network.guest=interface
network.guest._orig_ifname='wlan0-1'
network.guest._orig_bridge='false'
network.guest.proto='static'
network.guest.ipaddr='192.168.3.1'
network.guest.netmask='255.255.255.0'
network.vpnserver=interface
network.vpnserver.ifname='tun0'
network.vpnserver.proto='none'

vpnserver config:

openvpn.vpnserver=openvpn
openvpn.vpnserver.verb='3'
openvpn.vpnserver.dev='tun0'
openvpn.vpnserver.topology='subnet'
openvpn.vpnserver.port='1194'
openvpn.vpnserver.proto='udp'
openvpn.vpnserver.server='192.168.200.0 255.255.255.0'
openvpn.vpnserver.client_to_client='1'
openvpn.vpnserver.compress='lzo'
openvpn.vpnserver.keepalive='10 120'
openvpn.vpnserver.persist_tun='1'
openvpn.vpnserver.persist_key='1'
openvpn.vpnserver.dh='/etc/openvpn/dh.pem'
openvpn.vpnserver.tls_crypt='/etc/openvpn/tc.pem'
openvpn.vpnserver.ca='/etc/openvpn/ca.crt'
openvpn.vpnserver.cert='/etc/openvpn/vpnserver.crt'
openvpn.vpnserver.key='/etc/openvpn/vpnserver.key'
openvpn.vpnserver.push='redirect-gateway def1' 'route 192.168.1.0 255.255.255.0' 'dhcp-option DNS 192.168.1.1' 'compress lzo' 'persist-tun' 'persist-key' 'dhcp-option DOMAIN lan'
openvpn.vpnserver.enabled='1'

The problem is here:

Sun Jan 13 10:38:58 2019 daemon.err openvpn(vpnserver)[17148]: 109.41.64.x:23837 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1547372336) Sun Jan 13 10:38:56 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jan 13 10:38:58 2019 daemon.err openvpn(vpnserver)[17148]: 109.41.64.x:23837 tls-crypt unwrap error: packet replay
Sun Jan 13 10:38:58 2019 daemon.err openvpn(vpnserver)[17148]: 109.41.64.x:23837 TLS Error: tls-crypt unwrapping failed from [AF_INET]109.41.64.x:23837

Please show the client config.

And to solve this problem:

Sun Jan 13 10:37:52 2019 daemon.warn openvpn(vpnserver)[17148]: Could not determine IPv4/IPv6 protocol. Using AF_INET

Change this:

openvpn.vpnserver.proto='udp'

to this:

openvpn.vpnserver.proto='udp4'
openvpn.vpnserver.proto='udp4'

also didn't help. I still cannot ping 192.168.200.1 or 192.168.1.1.

I also tried tcp instead of udp, but no change...

Client config is:

verb 7
nobind
dev tun
client
remote x.de 1194 udp
fast-io
compress lzo
auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END ENCRYPTED PRIVATE KEY-----
</key>

New log:

Sun Jan 13 12:45:09 2019 daemon.notice openvpn(vpnserver)[8755]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jan 13 12:45:09 2019 daemon.notice openvpn(vpnserver)[8755]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Sun Jan 13 12:45:09 2019 daemon.notice openvpn(vpnserver)[8755]: Diffie-Hellman initialized with 2048 bit key
Sun Jan 13 12:45:09 2019 daemon.notice openvpn(vpnserver)[8755]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jan 13 12:45:09 2019 daemon.notice openvpn(vpnserver)[8755]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 13 12:45:09 2019 daemon.notice openvpn(vpnserver)[8755]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jan 13 12:45:09 2019 daemon.notice openvpn(vpnserver)[8755]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 13 12:45:09 2019 daemon.notice openvpn(vpnserver)[8755]: TLS-Auth MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Sun Jan 13 12:45:09 2019 daemon.notice openvpn(vpnserver)[8755]: TUN/TAP device tun0 opened
Sun Jan 13 12:45:09 2019 daemon.notice openvpn(vpnserver)[8755]: TUN/TAP TX queue length set to 100
Sun Jan 13 12:45:10 2019 daemon.notice openvpn(vpnserver)[8755]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jan 13 12:45:10 2019 daemon.notice openvpn(vpnserver)[8755]: /sbin/ifconfig tun0 192.168.200.1 pointopoint 192.168.200.2 mtu 1500
Sun Jan 13 12:45:10 2019 daemon.notice openvpn(vpnserver)[8755]: /sbin/route add -net 192.168.200.0 netmask 255.255.255.0 gw 192.168.200.2
Sun Jan 13 12:45:10 2019 daemon.notice openvpn(vpnserver)[8755]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Jan 13 12:45:10 2019 daemon.notice openvpn(vpnserver)[8755]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Jan 13 12:45:10 2019 daemon.notice openvpn(vpnserver)[8755]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Jan 13 12:45:10 2019 daemon.notice openvpn(vpnserver)[8755]: UDPv4 link remote: [AF_UNSPEC]
Sun Jan 13 12:45:10 2019 daemon.notice openvpn(vpnserver)[8755]: MULTI: multi_init called, r=256 v=256
Sun Jan 13 12:45:10 2019 daemon.notice openvpn(vpnserver)[8755]: IFCONFIG POOL: base=192.168.200.4 size=62, ipv6=0
Sun Jan 13 12:45:10 2019 daemon.notice openvpn(vpnserver)[8755]: Initialization Sequence Completed
Sun Jan 13 12:45:35 2019 daemon.notice openvpn(vpnserver)[8755]: MULTI: multi_create_instance called
Sun Jan 13 12:45:35 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 Re-using SSL/TLS context
Sun Jan 13 12:45:35 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 LZO compression initializing
Sun Jan 13 12:45:35 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Sun Jan 13 12:45:35 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Jan 13 12:45:35 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jan 13 12:45:35 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jan 13 12:45:35 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 TLS: Initial packet from [AF_INET]109.41.64.x:31820, sid=9fb60ccf 2b068445
Sun Jan 13 12:45:36 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
Sun Jan 13 12:45:36 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 VERIFY OK: depth=0, CN=vpnclient
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_VER=3.2
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_PLAT=ios
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_NCP=2
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_TCPNL=1
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_PROTO=2
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_LZO_STUB=1
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_COMP_STUB=1
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_COMP_STUBv2=1
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_AUTO_SESS=1
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 peer info: IV_BS64DL=1
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: 109.41.64.x:31820 [vpnclient] Peer Connection Initiated with [AF_INET]109.41.64.x:31820
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: vpnclient/109.41.64.x:31820 MULTI_sva: pool returned IPv4=192.168.200.6, IPv6=(Not enabled)
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: vpnclient/109.41.64.x:31820 MULTI: Learn: 192.168.200.6 -> vpnclient/109.41.64.x:31820
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: vpnclient/109.41.64.x:31820 MULTI: primary virtual IP for vpnclient/109.41.64.x:31820: 192.168.200.6
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: vpnclient/109.41.64.x:31820 PUSH: Received control message: 'PUSH_REQUEST'
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: vpnclient/109.41.64.x:31820 SENT CONTROL [vpnclient]: 'PUSH_REPLY,redirect-gateway def1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,compress lzo,persist-tun,persist-key,dhcp-option DOMAIN lan,route 192.168.200.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.200.6 192.168.200.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: vpnclient/109.41.64.x:31820 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: vpnclient/109.41.64.x:31820 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: vpnclient/109.41.64.x:31820 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan 13 12:45:37 2019 daemon.notice openvpn(vpnserver)[8755]: vpnclient/109.41.64.x:31820 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

My iPhone OpenVPN app statistics show that tunneled packets go out, but no tunneled packets come in.

It seems there's an issue with OpenVPN+iPhone:
OpenVPN server + client working from mac but not from iPhone

That was the root cause! Without compression it works! Thanks vgaetera!

server-side config:

comp-lzo no

and client-side config:

compress
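The triage the thread walked through by hand (spotting the tls-crypt replay errors, checking what PUSH_REPLY actually sent, and noticing that compression was pushed to an iOS client) can be scripted over the server log. This is an added example, not code from the thread or from OpenWrt; the sample log lines are copied from the post above (peer addresses already masked by the poster), and the finding texts are this example's own wording.

```python
import re

# Constructed sample: a subset of the server log lines quoted in this thread.
SAMPLE_LOG = """\
Sun Jan 13 10:38:58 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 TLS: Initial packet from [AF_INET]109.41.64.x:23837, sid=25f2fa44 31c57649
Sun Jan 13 10:38:58 2019 daemon.err openvpn(vpnserver)[17148]: 109.41.64.x:23837 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1547372336) Sun Jan 13 10:38:56 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jan 13 10:38:58 2019 daemon.err openvpn(vpnserver)[17148]: 109.41.64.x:23837 tls-crypt unwrap error: packet replay
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 VERIFY OK: depth=0, CN=vpnclient
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: 109.41.64.x:23837 peer info: IV_PLAT=ios
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: vpnclient/109.41.64.x:23837 MULTI: primary virtual IP for vpnclient/109.41.64.x:23837: 192.168.200.2
Sun Jan 13 10:39:00 2019 daemon.notice openvpn(vpnserver)[17148]: vpnclient/109.41.64.x:23837 SENT CONTROL [vpnclient]: 'PUSH_REPLY,redirect-gateway def1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,compress lzo,persist-tun,persist-key,dhcp-option DOMAIN lan,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
"""

# Per-peer lines look like "...]: [CN/]addr:port message". Lines without a peer
# prefix (daemon startup, ifconfig, pool setup) are not session-specific and are skipped.
LINE_RE = re.compile(
    r"openvpn\([^)]*\)\[\d+\]: (?:(?P<cn>[^/\s]+)/)?(?P<peer>[0-9A-Za-z.]+:\d+) (?P<msg>.*)$"
)
PUSH_RE = re.compile(r"'PUSH_REPLY,(.*)'")


def parse_sessions(log_text):
    """Group log lines by peer (addr:port) and pull out the fields that matter for triage."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(
            m["peer"], {"cn": None, "platform": None, "vip": None, "pushed": [], "errors": []}
        )
        if m["cn"]:
            s["cn"] = m["cn"]
        msg = m["msg"]
        if "tls-crypt unwrap error" in msg or "TLS Error" in msg:
            s["errors"].append(msg)
        elif msg.startswith("peer info: IV_PLAT="):
            s["platform"] = msg.split("=", 1)[1]
        elif "primary virtual IP" in msg:
            s["vip"] = msg.rsplit(": ", 1)[1]
        elif "PUSH_REPLY" in msg:
            pm = PUSH_RE.search(msg)
            if pm:
                # The pushed options are comma-separated; none of them contain commas.
                s["pushed"] = pm.group(1).split(",")
    return sessions


def assess(session, lan_route="route 192.168.1.0 255.255.255.0"):
    """Return the findings a reviewer would raise for one client session."""
    findings = []
    if any("replay" in e for e in session["errors"]):
        findings.append("tls-crypt unwrap/replay errors during the handshake (control channel, not routing)")
    if lan_route not in session["pushed"]:
        findings.append(f"LAN route not pushed: expected '{lan_route}' in PUSH_REPLY")
    if session["platform"] == "ios" and any(
        p.startswith("compress") or p.startswith("comp-lzo") for p in session["pushed"]
    ):
        findings.append("compression pushed to an iOS client (this thread's root cause: tunnel up, no return packets)")
    if "topology subnet" not in session["pushed"]:
        findings.append("topology is not 'subnet'; pushed ifconfig/route lines differ from the wiki setup")
    return findings


def triage(log_text):
    """Map each peer to its findings so the output can be eyeballed or asserted on."""
    return {peer: assess(s) for peer, s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for peer, findings in triage(SAMPLE_LOG).items():
        print(peer)
        for f in findings:
            print("  -", f)
```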
