Ok. Server configuration file (server.conf or server.ovpn, depend of who say)
#start of the "server.conf/ovpn"
port 1194
proto udp4
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
explicit-exit-notify 1
client-config-dir /etc/openvpn/ccd
route 10.15.0.0 255.255.252.0 10.8.0.15
route 10.16.0.0 255.255.252.0 10.8.0.16
route 10.17.0.0 255.255.252.0 10.8.0.17
#Notify: On server ifconfig say inet 10.80.9.195 netmask 255.252.0.0 broadcast 10.83.255.255 destination 10.80.9.195
push "route 10.80.9.195 255.252.0.0 vpn_gateway 1000"
push "route 10.15.0.0 255.255.252.0 10.8.0.15 1000"
push "route 10.16.0.0 255.255.252.0 10.8.0.16 1000"
push "route 10.17.0.0 255.255.252.0 10.8.0.17 1000"
#end of the server.cond/ovpn
ccd-FOLDER:
File client1
ifconfig-push 10.8.0.15 255.255.255.0
iroute 10.15.0.0 255.255.252.0
push-remove redirect-gateway
File client2
ifconfig-push 10.8.0.16 255.255.255.0
iroute 10.16.0.0 255.255.252.0
push-remove redirect-gateway
File client3
ifconfig-push 10.8.0.17 255.255.255.0
iroute 10.17.0.0 255.255.252.0
push-remove redirect-gateway
SO this is server.conf. When manually start, much text found and look this is ok.
CLIENT CONFIGURATION
client.conf/ovpn, CLIENT CONFIGURATION FILE
#start of client.conf/ovpn
client
dev tun
proto udp
remote <this.is.public.ip.of.the.server> 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client2.crt
key client2.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
mute 20
#end of client.conf/ovpn
NETWORK FILE ON CLIENT, THIS IS CLIENT1
#start of /etc/config/network-file
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc1:e63d:b73e::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.252.0'
option ip6assign '60'
option ipaddr '10.16.0.1'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option hostname 'client2'
config route
option interface 'lan'
option netmask '255.255.252.0'
option gateway '10.16.0.1'
option target '10.15.0.0'
config route
option interface 'lan'
option netmask '255.255.252.0'
option gateway '10.16.0.1'
option target '10.17.0.0'
#end of /etc/config/network-file
QUESTION: Server.conf/ovpn: Notify "ovpn_serv_lan": ifconfig on server says "inet 10.80.9.195 netmask 255.252.0.0 broadcast 10.83.255.255 destination 10.80.9.195". So I understand this "push route ovpnservlan must be this 10.80.9.195 and mask 255.252.0.0 (yes, 255.252, ifconfig say this). Right?
QUESTION: "In addition, if the VPN clients are not installed on remote LAN gateways, you need to add static routes to remote LANs and VPN on each LAN gateway."
a) openvpn installed on router client1, client 2 (and later client3).
b) router is x86 so keyboard and display direct on router. Ping 10.8.0.1 answer, ping 10.8.0.15 answer, ping 10.8.0.16 answer. (And, of course, client2 router is 10.16.0.0/22, ping 10.16.0.1 answer)
c) Computer connected to LAN on router: Luci ok, ssh-cli ok. Ping 10.16.0.1 answer, ping 10.8.0.16 answer. Ping answer. Ping 10.8.0.15 not answer, ping 10.8.0.1 not answer. Firewall? Route?
d) "add static routes etc", as you see, static routes added. Please see network-file: as you see, "config route, interface lan, netmask /22, gateway 10.16.0.1 (router gateway add), target 10.15.0.0 network. And second, route to network 17. This similar in every network. Right? I search openwrt-manual, and there is routing example just this way. Is this right?
e) need any firewall adjusting?