Final testing is running. The final result is a "site-to-site VPN". Network 10.5.0.0/22 is client1, named "koti" ("home"). The second network is 10.16.0.0/22, client2, named "halli" ("hall").
A /22 mask is not so common. But the reason is simple: for many years I used a /24 mask, and the old home network was 10.15.10.0/24. The static IP range was 10.15.10.1-10.15.10.19. It was frustrating to always have to think about addresses. So the present layout — "10.15.0.1 gw, static IPs 10.15.0.1-254, DHCP 10.15.1.1-254", with 10.15.2.x spare — is excellent and frees me from that.
OK: the SERVER is Ubuntu 18.04 on Jelastic, a cloud service. The OpenVPN server runs there.
SERVER-SIDE:
#start of the /etc/openvpn/server.conf on the server
#port standard, protocol udp tcp4, dev tun
# Listens on UDP/1194, IPv4 only (udp4). The client side uses plain "proto udp",
# which is compatible.
port 1194
proto udp4
dev tun
#keys
# CA, server certificate/key and DH parameters from easy-rsa. server.key is the
# long-lived secret of this setup: it is read as root before the drop to
# nobody/nogroup below, so it should stay readable by root only.
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# NOTE(review): neither tls-auth nor tls-crypt is configured, so the UDP port
# starts a TLS handshake with any sender before the certificate check; "auth" is
# also unset, so the data-channel HMAC is the OpenVPN default (SHA1). Both are
# worth adding, with matching lines in every client.conf.
#pool standard, all examples speak 10.8.0.0 so we use it
# VPN transit network 10.8.0.0/24; fixed client addresses come from the ccd
# files. The relative ipp.txt / status paths resolve against the working
# directory OpenVPN is started in (presumably /etc/openvpn — confirm).
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# client-to-client lets the sites reach each other through the server process
# itself; that traffic never traverses the server's tun device or host firewall,
# so any site-to-site filtering has to be done on the OpenWrt routers.
client-to-client
keepalive 10 120
cipher AES-256-CBC
# Drop privileges after startup; persist-key/persist-tun keep the key material
# and the tun device across restarts, since "nobody" cannot re-open them.
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
explicit-exit-notify 1
#then routes, we select logical 10.15.0.0 is vpn 10.8.0.15 etc
# Each site's /22 is reached via the fixed VPN address its ccd file assigns
# (ifconfig-push + iroute). The "route" lines program the server kernel; the
# "push" lines advertise all three sites to every client. Metric 1000 presumably
# keeps a client's own, directly connected LAN route preferred over the pushed
# copy of the same prefix — confirm on the routers.
client-config-dir /etc/openvpn/ccd
route 10.15.0.0 255.255.252.0 10.8.0.15
route 10.16.0.0 255.255.252.0 10.8.0.16
route 10.17.0.0 255.255.252.0 10.8.0.17
push "route 10.15.0.0 255.255.252.0 10.8.0.15 1000"
push "route 10.16.0.0 255.255.252.0 10.8.0.16 1000"
push "route 10.17.0.0 255.255.252.0 10.8.0.17 1000"
#end of the /etc/openvpn/server.conf on the server
CCD
#start of the /etc/openvpn/ccd-file client1
# The file name must match the CN of client1's certificate. It pins this client
# to 10.8.0.15 (the gateway named in the server.conf "route" lines) and tells
# the server that 10.15.0.0/22 sits behind it ("iroute" pairs with "route").
ifconfig-push 10.8.0.15 255.255.255.0
iroute 10.15.0.0 255.255.252.0
# server.conf pushes no redirect-gateway, so this is a no-op today; it keeps the
# site's default route local should a full-tunnel push ever be added.
push-remove redirect-gateway
#end of the /etc/openvpn/ccd-file client1
And client2 is 16, client3 is 17, etc.
THIS IS THE WORKING CONFIGURATION ON THE SERVER SIDE.
CLIENT1 "KOTI", THE "HOME" NETWORK. SETTINGS.
#start of /etc/config/network-file on client1 koti-network. Openwrt-x86-router.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc1:e63d:b73e::/48'
# LAN: 10.15.0.0/22 bridged on eth0, gateway 10.15.0.1. This is the prefix the
# server routes to 10.8.0.15; the address plan described above (static hosts in
# 10.15.0.x, DHCP in 10.15.1.x, 10.15.2.x spare) all lies inside this /22.
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.252.0'
option ip6assign '60'
option ipaddr '10.15.0.1'
#this is home-network adsl. Later must check if vpn use 4G reason speed.
# WAN: static /30. ipaddr and gateway are blank here — presumably removed for
# the post; they must be filled in for this to work. Only the 10.15/10.16/10.17
# routes go through the tunnel, so the router's own lookups to the DNS servers
# listed below leave this interface in the clear.
config interface 'wan'
option ifname 'eth1'
option proto 'static'
option netmask '255.255.255.252'
option ip6assign '60'
option ipaddr ''
option gateway ''
list dns '8.8.8.8'
list dns '8.8.4.4'
#end of /etc/config/network-file on client1
FIREWALL SETTINGS ON CLIENT1
#Start of /etc/config/firewall on client1-router
# Defaults: the router accepts its own input/output and refuses forwarding
# unless a zone or forwarding section below allows it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone = the LAN bridge plus tun0. Because tun0 is in this zone, everything
# arriving from the tunnel (the server and, via client-to-client, the other
# sites) is treated like a local host: input ACCEPT, forward ACCEPT, and it may
# use the masqueraded lan->wan forwarding below. Restricting what the other
# sites may reach would need tun0 in its own zone with explicit forwardings.
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun0'
# wan zone: inbound rejected by default, NAT (masq) and MSS clamping outbound.
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
# The rules from here to the include are the OpenWrt default template.
# Allow-IPSec-ESP and Allow-ISAKMP forward wan->lan and only matter if a LAN
# host terminates IPsec; nothing on this page does.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# NOTE(review): this router is an OpenVPN *client* ("nobind", connects out), so
# nothing listens on UDP/1194 here and this wan-facing accept is unnecessary;
# without it the wan default (REJECT) applies. It can be dropped.
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
#end of /etc/config/firewall on client1-router
And then the OpenVPN configuration on client1.
CLIENT1 OPENVPN CONFIGURATION FILE
#start of /etc/openvpn/client.conf on client1 home
client
dev tun
proto udp
# The server address is omitted from the post; the working line has the form
# "remote <server-host> 1194" (<server-host> is a placeholder).
remote 1194
resolv-retry infinite
nobind
# Privileges drop after startup; persist-key/persist-tun keep the key and tun
# device usable across reconnects as "nobody".
user nobody
group nogroup
persist-key
persist-tun
# Relative paths resolve against OpenVPN's working directory — presumably
# /etc/openvpn on OpenWrt; confirm. client1.key should be root-readable only.
ca ca.crt
cert client1.crt
key client1.key
# Only accept a peer whose certificate carries the server role, so another
# client's certificate cannot pose as the server.
remote-cert-tls server
cipher AES-256-CBC
verb 3
mute 20
# NOTE(review): this must mirror server.conf — if tls-crypt/tls-auth or "auth"
# is added there, the same lines (and the shared key file) are needed here.
#end of /etc/openvpn/client.conf
AND CLIENT2, 3, ETC. ARE SET UP THE SAME WAY.