TP-Link Archer C7 v4 - Trying to get OpenVPN on the router as well as my iPhone ...
Then to access my NAS drive
All set up but not working
Something silly but I cant pin point
Q: Is anyone able to offer any assistance at all please?
sure... we can help. But you need to provide more information.
You may actually find that WireGuard is an attractive option because it is 1) easier to configure and 2) much more performant.
If you want to use WG instead, there is some documentation here.
If you are planning to stick with OpenVPN, we'll need to see your configuration details, starting with the following:
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/openvpn
cat /etc/config/firewall
/root$ cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '****:****:****::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.254'
config device
option name 'eth0.2'
option macaddr 'b0:4e:26:**:**:**'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
/root$ cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '****:****:****::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.254'
config device
option name 'eth0.2'
option macaddr 'b0:4e:26:**:**:**'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
/root$ cat /etc/config/openvpn
config openvpn 'custom_config'
option config '/etc/openvpn/my-vpn.conf'
config openvpn 'sample_server'
option port '1194'
option proto 'udp'
option dev 'tun'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh2048.pem'
option server '10.8.0.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option status '/tmp/openvpn-status.log'
option verb '3'
config openvpn 'sample_client'
option client '1'
option dev 'tun'
option proto 'udp'
list remote 'my_server_1 1194'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
option verb '3'
config openvpn 'server'
option enabled '1'
option config '/etc/openvpn/server.conf'
/root$ cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '****:****:****::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.254'
config device
option name 'eth0.2'
option macaddr 'b0:4e:26:**:**:**'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
/root$ cat /etc/config/openvpn
config openvpn 'custom_config'
option config '/etc/openvpn/my-vpn.conf'
config openvpn 'sample_server'
option port '1194'
option proto 'udp'
option dev 'tun'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh2048.pem'
option server '10.8.0.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option status '/tmp/openvpn-status.log'
option verb '3'
config openvpn 'sample_client'
option client '1'
option dev 'tun'
option proto 'udp'
list remote 'my_server_1 1194'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
option verb '3'
config openvpn 'server'
option enabled '1'
option config '/etc/openvpn/server.conf'
/root$ cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
list network 'lan'
config zone 'wan'
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip '****::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'CCTV'
option src 'wan'
option src_dport '85'
option dest_ip '192.168.1.239'
option dest_port '85'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option dest_port '9'
option src_dport '9'
option name 'WoL'
list proto 'tcp'
list proto 'udp'
option dest_ip '192.168.1.10'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'WoL - NAS'
option src 'wan'
option dest_ip '192.168.1.13'
list proto 'tcp'
list proto 'udp'
option src_dport '4343'
option dest_port '9'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'OpenVPNserver'
list proto 'udp'
option src 'wan'
option dest_ip '192.168.1.13'
option src_dport '1194'
option dest_port '1194'
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
Hello psherman,
Thank you for taking the time
Hopefully I have followed your instructions correctly ...
I have substituted any private information with ****
TiA
Let's also see these:
cat /etc/openvpn/server.conf
cat /etc/openvpn/my-vpn.conf
Is this your main router, or is this connected to another router?
/root$ cat /etc/openvpn/server.conf
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAoEMBXhceWIRdsJ3iPmel+cVkoNsbms7RrEXKGcfp8IN9+BGm/Gvk
Cd3Tkd4cukuu9NEHKNItZwXAk4SGWNxdk7B6GUVTBRivcNXLPISiknD9Crux/wor
N3kVz3QEaSh6csXxKQkMRc3MGtonNbagXOsnjKDIhWwsKZxP8xmqzmm8T3r5b5N9
ucIZ+wn4GlC0SymAEY9L+ilosNqKJC5KiXx7OTRiFJz9JfccVPOL4pvt/ZxltaXH
RXjO0FNlkWLjssCaTCmo805zM4vo6mXVFvD1cBN1TZ7HXR5c+vMjpvQx1eB1TbN1
ryS2Dkrd5r6U0TYD62jyRShASzcP**********==
-----END DH PARAMETERS-----
</dh>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
3basbK2H8vLhJ0XchkhJ2tnKkXgmY3yEJmPqe5sQs3nyeW/nYweMdm5RgoyTFL6i
Tt7gYdrg9RETF9FIN5yKxqkj99qcgqFK7O6qhKuRBJdjhwjzbL9KAY8aAsf+Weuo
YuwjQcfe4zKLkc7iUDMt7YWr2/sUptO8O**********=
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBydrZ6ZKLw60B
U0fJSfesOH72XworoTpJawt862ls3vP14Ibyq+eNNtsx9ac7uNfCzWN/+bUREu1j
87/B6uFK+W+4AXKvUdpHGmjQpnS2jrRNlhKIoTIu4X91NcVMn5ONEPQYPynNL1nG
DWH1PMu8pvfEK77XZn0u8y1J9s8EhBCxTeY7xl5yT4Nv9A/Ajl6N3XXfDYbFwBxS
8G9oY43n26Ni3xAelImYTE2AQreih1BPtA0N95gePWGqIHy64/lqtXJzjrSNFTvW
90v2z44lhJgsUz0+tWFB9GHbsenkgwNLwYzAjIVHkSPGdiyWrq4QZl9jUyJW1KLM
O4Mvj/YpAgMBAAECggEBAKS3R287ypVD0FS1Dep5FazsJHaTV9i35QwskYovqt+g
LmsK2omANoPgYbX4YJoxxitNWsqXXCFUHjV8JLzWQYLxu9UCXhHJGCihuP/IzKGz
cGwWKFC7+yTABQ+Ckd5MMSWRiHjnj0dZfQwLqfzCHUaQAT9cE42RDsyOZCtfPp1N
jN3hTJZ9I/z4yhgmHiFOh4tZyR3h+yN5X6VSGFRpWhkx/9uj5JjgwIIYtQCaDbpp
Xl4RXv3vBrCTMmvvYtyEpwjjvUigvxNzrFPxOPA9kLelxbG9z+FkvAL19GzrlyOa
ZjeLs+Tv+eKEis0EefLFoNI/NQ8P8lLE0Il+zTwhIxECgYEA50W1pkAgm3t/54ym
IpriuWcUAzUlSxU04CwUgCN8s8xFEwRX/M04id4JUMgHMHoZbbP4u2eB/Y928Grs
QQRqWJogpST1g10g09/BXXN53wgmX+5xv27ET7wLGuHUf0jLqBZRTjVlU0syoqXM
LNEi+B271MqOFHz9AXb2xRc5Kt0CgYEA1oInaT0v6KqMIYGgs6Ko3GC6KSFjgabK
IomARrjIQHt2PhmMWtFa//n4UkeichzD21cyu1IoLG8tE6bKZF3CMNXAnISet6sm
sCDNol2jk2EKiUF/9u3qi53mjzhUKINOa5oE2fcQWeWLlg212yOBaMA/T1poK35+
gpwdAonJBb0CgYEAiLDz9yop25v38hR4UTW4UZqyAl9UBnenQ+Ppzf6rgt116hKE
Kr/k7d+VI/DGBwnzo5pepe08sHAt/VVFA/ynGm0mZFVe4uCVOYUjladd3cvEWqjl
BB9k2jerXJ0jaoPNEzD1p0L5+2wTpnxWHBsUDxAL52484bEqHMaCfeUG/eUCgYA0
jKgJAQNWlUlFABOVTjjd3Bhe8R4GagzEzziMmsH8AgLijbGzoewQH3W0+nWSTPey
KTd1algLIqVBVi/ozItBGWxZK6gSSKxuo2qc5yGmfjRtkY0+ueQmleUgmuULE7fH
ZnDf0MXBsBk1BmDRsW4HcmlQEE7KsO9fIc19jLGhZQKBgCi5n3vbA26Cls5QTXp+
m7f94nsGajrl3iZp2G16Pn1yJH0FzD/GazHBQRY6DdkTRNixpSyb6QLTP6J2AaAD
GfKqZ+cUPRlqaxCkGs5xomoce+I//aKegxKMQP09wvnGSAeHRg36K/DdY5NJ+/LQ
ASGr6wInRsz9F4**********
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
MIIDXjCCAkagAwIBAgIRAIt928is6zG2YvUaYx9gs+EwDQYJKoZIhvcNAQELBQAw
ETEPMA0GA1UEAwwGb3ZwbmNhMB4XDTIyMTEyMDE2NDc0N1oXDTMyMTExNzE2NDc0
N1owETEPMA0GA1UEAwwGc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAwcna2emSi8OtAVNHyUn3rDh+9l8KK6E6SWsLfOtpbN7z9eCG8qvnjTbb
MfWnO7jXws1jf/m1ERLtY/O/werhSvlvuAFyr1HaRxpo0KZ0to60TZYSiKEyLuF/
dTXFTJ+TjRD0GD8pzS9Zxg1h9TzLvKb3xCu+12Z9LvMtSfbPBIQQsU3mO8Zeck+D
b/QPwI5ejd113w2GxcAcUvBvaGON59ujYt8QHpSJmExNgEK3oodQT7QNDfeYHj1h
qiB8uuP5arVyc460jRU71vdL9s+OJYSYLFM9PrVhQfRh27Hp5IMDS8GMwIyFR5Ej
xnYslq6uEGZfY1MiVtSizDuDL4/2KQIDAQABo4GwMIGtMAkGA1UdEwQCMAAwHQYD
VR0OBBYEFCv94LIumt49zPJeiZJ7sZ407eVWMEwGA1UdIwRFMEOAFAJNTRfUwA4K
NPsIeTD5oHFEOdw2oRWkEzARMQ8wDQYDVQQDDAZvdnBuY2GCFDk4sPHrz1IVkbwJ
SyqVZ1FrU+CPMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDARBgNV
HREECjAIggZzZXJ2ZXIwDQYJKoZIhvcNAQELBQADggEBAE8HUYP7feymvsV8auao
FQgiD/BYgZDLSX2A+Qt6cBm95xWt6gtsSyHFZ9LkZ9xzycGNG/Xi9wh68gCQIgeW
d/tTRdeREkRc5lOP36GcQVDfwQ0CQ+0ykF+Ed9zXc63/z9EyRDA7PGv0ladwc2KY
epz9U+RnA7ZuVjgOMJehZYFzL9Zo6BWTM2dUq/W1Gwh05X1DyOw6WiYvBsQ3RbAr
sCHaGXdc3mCd+jKzWBVwvaR5LtA8ipz3cjy4uTIqb5CsIkJHJ1tIK0QRxAQ0wCPu
SqYE/L79X6oQrOqJ3f8kCPWSpS9Qkqo8uhJd4WZskXCXijdBomZLSe**********
8Go=
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
MIIDPDCCAiSgAwIBAgIUOTiw8evPUhWRvAlLKpVnUWtT4I8wDQYJKoZIhvcNAQEL
BQAwETEPMA0GA1UEAwwGb3ZwbmNhMB4XDTIyMTEyMDE2NDY1N1oXDTMyMTExNzE2
NDY1N1owETEPMA0GA1UEAwwGb3ZwbmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAyBTm1l4XQeRSk6kEiT8G71q9YiY7cF3EIlfNuk95753e9Hv3EIR3
AB1gFK0N9BbvJj4u9UdbLEOkVxwZRD5e95Iy4onQkCaG0L3BjIwJDsUXLa6MvDTI
3lv7bWrJfIZrU8PUZWpRR6OgNxVTnQ4lUaogCr+ItfRaacE94hBMnWPsDB1WFwcG
la8RxzPViWx3b5bdTdnro836bt1I37uU8lXq1QdUA6NRZbn+Xu3xEYhUE3sUVOot
O9To4ZYSPNBdsrlFBtYs7PRdvMVBYosdrCyND10ySTvLXQFHVi/WaqMu4t+qrSqW
9FF4fzKPO174ZAIz4Uy+86nIOD/FYifiPwIDAQABo4GLMIGIMB0GA1UdDgQWBBQC
TU0X1MAOCjT7CHkw+aBxRDncNjBMBgNVHSMERTBDgBQCTU0X1MAOCjT7CHkw+aBx
RDncNqEVpBMwETEPMA0GA1UEAwwGb3ZwbmNhghQ5OLDx689SFZG8CUsqlWdRa1Pg
jzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA
KCkfv5TrQJTrUlNzJ6mygKvbFO8uFNrdKFOdWpitC+yVqNKTQVVcbxUAyqrIDAWf
rDT0irxqcmjezC1rkmYNz716EcnJMSoTsbISYpGvNAfOluETFUAuEhGOifNsWwZK
Qx5clIYNb9oR/PviVdhs4q9suRCURBsZV2yrpRsMqusLFuHwSXyxBLX2E9j/UYVM
4JFcdCRuiDPJCXUmlqCA2r7g1Mpuhdi1YJ+3J48sg7OTPARnOPXp0KJpycu/qqh9
2F1k/GEouUIrQzshmuoc0EEiS5uAWec98/YsOnV98OWITVDGqLc5lyDIxujXj2Km
YSl8BEX1gue9**********==
-----END CERTIFICATE-----
</ca>
/root$ cat /etc/openvpn/my-vpn.conf
cat: can't open '/etc/openvpn/my-vpn.conf': No such file or directory
The TPLink router is plugged into the Virgin Media Router
The Virgin Media unit is set to MoDem mode
You have exposed your openVPN keys... you may want to regenerate your keys.
I redacted the last 10 characters
1 Like
ok... good! 
The following rule needs to be removed because it is conflicting.
restart the firewall and see if you can get a connection started.
How do i remove a rule?
How did you create the rule in the first place? (I ask because that may be the method you are most comfortable using)
Wow .. now you are asking haha
It was awhile ago
I think i used WINSCP?
Ok... so, you can use the LuCI web interface, find the rule under port forwards and then hit delete. Or you can edit using the command line (using a text editor like vi, or the UCI commands).
Deleted 
Great. Make sure the firewall has been restarted and then test a connection attempt. If it doesn't work, we'll need to look at the logs and the client config.