Trouble with getting OpenVPN running

Hey all. For a couple of days now I have been trying to get an OpenVPN setup running. The aim is to connect to a network behind a WG3526 router with ROOter / OpenWrt 19.07.06 installed. Therefore I configured an OpenVPN server on the router via CLI based on the OpenWrt wiki. As a result I do have at least a running OpenVPN process... But as I do not have that many OpenVPN related messages in the log, I am not sure where to start troubleshooting. Is there a dedicated OpenVPN logfile? Not sure about those wan related messages in the syslog? The wan connection itself is up and I have access to the www from inside the lan...

I have also prepared a log & config collection. Not sure how to upload txt as it seems not to be possible.

3445	nobody	/usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openvpn.server.status --cd /etc/openvpn --config /etc/openvpn/server.conf
from syslog:
Wed Oct 19 16:36:37 2022 user.notice QMI Connect: Handle raw-ip
Wed Oct 19 16:36:37 2022 daemon.notice netifd: Interface 'wan1' is enabled
Wed Oct 19 16:36:37 2022 daemon.notice netifd: Network device 'wwan0' link is up
Wed Oct 19 16:36:37 2022 daemon.notice netifd: Interface 'wan1' has link connectivity
Wed Oct 19 16:36:37 2022 daemon.notice netifd: Interface 'wan1' is setting up now
Wed Oct 19 16:36:37 2022 user.err wsdd2[4642]: error: wsdd-mcast-v4: wsd_send_soap_msg: send: Network unreachable
Wed Oct 19 16:36:37 2022 daemon.notice netifd: Interface 'wan1' is now down
Wed Oct 19 16:36:37 2022 user.err wsdd2[4642]: error: wsdd-mcast-v4: wsd_send_soap_msg: send: Network unreachable
Wed Oct 19 16:36:37 2022 daemon.notice netifd: Interface 'wan1' is disabled
Wed Oct 19 16:36:37 2022 daemon.notice netifd: Interface 'wan1' is enabled
Wed Oct 19 16:36:37 2022 daemon.notice netifd: Interface 'wan1' is setting up now
Wed Oct 19 16:36:37 2022 user.notice URL-DEBUG: hotplug (iface): action='ifdown' interface='wan1'
Wed Oct 19 16:36:37 2022 user.notice Create Connection: Modem 1 Connected
Wed Oct 19 16:36:37 2022 user.notice Connection Monitor: Start Connection Monitor for Modem 1
Wed Oct 19 16:36:37 2022 daemon.notice netifd: wan1 (7293): udhcpc: started, v1.30.1
Wed Oct 19 16:36:37 2022 user.notice PostConnect: Running PostConnect script
Wed Oct 19 16:36:37 2022 daemon.notice netifd: wan1 (7293): udhcpc: sending discover
Wed Oct 19 16:36:38 2022 daemon.notice netifd: wan1 (7293): udhcpc: sending select for 10.201.106.192
Wed Oct 19 16:36:38 2022 daemon.notice netifd: wan1 (7293): udhcpc: lease of 10.201.106.192 obtained, lease time 7200
Wed Oct 19 16:36:38 2022 daemon.notice netifd: Interface 'wan1' is now up
Wed Oct 19 16:36:38 2022 daemon.info dnsmasq[4443]: reading /tmp/resolv.conf.auto
Wed Oct 19 16:36:38 2022 daemon.info dnsmasq[4443]: using local addresses only for domain test
Wed Oct 19 16:36:38 2022 daemon.info dnsmasq[4443]: using local addresses only for domain onion
Wed Oct 19 16:36:38 2022 daemon.info dnsmasq[4443]: using local addresses only for domain localhost
Wed Oct 19 16:36:38 2022 daemon.info dnsmasq[4443]: using local addresses only for domain local
Wed Oct 19 16:36:38 2022 daemon.info dnsmasq[4443]: using local addresses only for domain invalid
Wed Oct 19 16:36:38 2022 daemon.info dnsmasq[4443]: using local addresses only for domain bind
Wed Oct 19 16:36:38 2022 daemon.info dnsmasq[4443]: using local addresses only for domain lan
Wed Oct 19 16:36:38 2022 daemon.info dnsmasq[4443]: using nameserver 10.74.210.210#53
Wed Oct 19 16:36:38 2022 daemon.info dnsmasq[4443]: using nameserver 10.74.210.211#53
Wed Oct 19 16:36:38 2022 user.notice mwan3rtmon[3188]: Stopping mwan3rtmon...
Wed Oct 19 16:36:41 2022 user.notice URL-DEBUG: hotplug (iface): action='ifup' interface='wan1'
Wed Oct 19 16:36:42 2022 user.notice URL-DEBUG: hotplug (iface): action='ifup' interface='wan1'
Wed Oct 19 16:36:42 2022 user.notice mwan3[7743]: Using firewall mask 0x3F00
Wed Oct 19 16:36:42 2022 user.notice mwan3[7743]: Max interface count is 60
Wed Oct 19 16:36:43 2022 user.notice mwan3[7743]: Execute ifup event on interface wan1 (wwan0)
Wed Oct 19 16:36:44 2022 user.notice mwan3[7743]: Starting tracker on interface wan1 (wwan0)
Wed Oct 19 16:36:45 2022 user.notice URL-DEBUG: hotplug (iface): action='connected' interface='wan1'
Wed Oct 19 16:36:46 2022 user.notice mwan3[7798]: Execute ifup event on interface wan1 (wwan0)
Wed Oct 19 16:36:47 2022 user.notice mwan3[7798]: Starting tracker on interface wan1 (wwan0)
Wed Oct 19 16:36:48 2022 user.notice URL-DEBUG: hotplug (iface): action='connected' interface='wan1'
Wed Oct 19 16:36:48 2022 user.info mwan3rtmon[8599]: Detect rtchange event.
Wed Oct 19 16:36:49 2022 user.notice Custom MTU: wwan0 set to 1500
Wed Oct 19 16:36:49 2022 user.notice firewall: Reloading firewall due to ifup of wan1 (wwan0)
Wed Oct 19 16:36:49 2022 user.notice Custom MTU: wwan0 set to 1500
Wed Oct 19 16:36:49 2022 user.notice firewall: Reloading firewall due to ifup of wan1 (wwan0)
Wed Oct 19 16:36:50 2022 user.notice ddns-scripts[8824]: dyndns_ipv4: PID '8824' started at 2022-10-19 16:36
Wed Oct 19 16:36:51 2022 user.notice ddns-scripts[9062]: dyndns_ipv4: PID '9062' started at 2022-10-19 16:36
Wed Oct 19 16:36:52 2022 user.notice ddns-scripts[8824]: dyndns_ipv4: PID '8824' terminated by 'SIGTERM' at 2022-10-19 16:36
Wed Oct 19 18:12:16 2022 user.notice sms process: Reread SMS Messages on Modem 1
Wed Oct 19 18:17:57 2022 user.info mwan3track[8524]: Check (ping) failed for target "1.1.1.1" on interface wan1 (wwan0)
Wed Oct 19 18:18:12 2022 user.info mwan3track[8524]: Check (ping) failed for target "1.1.1.1" on interface wan1 (wwan0)
Wed Oct 19 18:19:07 2022 user.info mwan3track[8524]: Check (ping) failed for target "1.1.1.1" on interface wan1 (wwan0)
Wed Oct 19 18:20:53 2022 user.info mwan3track[8524]: Check (ping) failed for target "1.1.1.1" on interface wan1 (wwan0)
Wed Oct 19 18:23:11 2022 user.info mwan3track[8524]: Check (ping) failed for target "1.1.1.1" on interface wan1 (wwan0)
Wed Oct 19 18:24:16 2022 user.info mwan3track[8524]: Check (ping) failed for target "1.1.1.1" on interface wan1 (wwan0)

If you followed the guide in the wiki, there is a troubleshooting guide at the bottom of the page.
One more thing, since I noticed the mwan3 in the logs, make sure the OpenVPN packets are steered to the same egress interface.

Sure. I already checked the config with the different commands mentioned in the troubleshooting section. Based on my limited basic knowledge I am not able to find any issues...

firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
firewall.ovpn.src='wan'
firewall.wgzone=zone
firewall.wgzone.name='wg'
firewall.wgzone.forward='ACCEPT'
firewall.wgzone.output='ACCEPT'
firewall.wgzone.network='wg0 wg1'
firewall.wgzone.input='ACCEPT'
firewall.wgzone.masq='1'
firewall.wgzone.mtu_fix='1'

root@ROOter:~# uci show openvpn
openvpn.settings=settings
openvpn.settings.country='CA'
openvpn.settings.city='Abbotsford'
openvpn.settings.organ='ROOter'
openvpn.settings.days='3650'
openvpn.settings.vpn2lan='0'
openvpn.settings.vpns2lan='0'
openvpn.settings.vpn2wan='0'
openvpn.settings.wanopendns='0'
openvpn.settings.wangoogle='0'
openvpn.settings.lanopendns='0'
openvpn.settings.langoogle='0'
openvpn.settings.nclient='1'

root@ROOter:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd2c:702d:d3ff::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ifname='eth0.1 tap0 tap-server'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr='f8:5e:3c:20:5e:28'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.metric='1'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='f8:5e:3c:20:5e:29'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.VPN=interface
network.VPN.proto='none'
network.VPN.ifname='tun0'
network.VPN.auto='0'
network.VPNS=interface
network.VPNS.proto='none'
network.VPNS.ifname='tun-server'
network.VPNS.auto='0'
network.TAP=interface
network.TAP.proto='none'
network.TAP.ifname='tap0'
network.TAP.auto='1'
network.TAPS=interface
network.TAPS.proto='none'
network.TAPS.ifname='tap-server'
network.TAPS.auto='0'
network.wwan=interface
network.wwan.proto='dhcp'
network.wwan.metric='2'
network.wwan6=interface
network.wwan6.proto='dhcpv6'
network.wan2=interface
network.wan2.proto='dhcp'
network.wan2.metric='20'
network.wan2.ifname='wan2'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.auto='0'
network.wg0.addresses=''
network.wg1=interface
network.wg1.proto='wireguard'
network.wg1.auto='0'
network.wg1.addresses=''
network.wan1=interface
network.wan1.proto='dhcp'
network.wan1.ifname='wwan0'
network.wan1._orig_bridge='false'
network.wan1.metric='10'

root@ROOter:~# head -v -n -0 /etc/openvpn/*.conf
==> /etc/openvpn/server.conf <==
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>

root@ROOter:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Wed Oct 19 16:35:07 2022 daemon.notice openvpn(server)[3445]: OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Oct 19 16:35:07 2022 daemon.notice openvpn(server)[3445]: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
Wed Oct 19 16:35:07 2022 daemon.notice openvpn(server)[3445]: TUN/TAP device tun0 opened
Wed Oct 19 16:35:07 2022 daemon.notice openvpn(server)[3445]: /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Wed Oct 19 16:35:07 2022 daemon.warn openvpn(server)[3445]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Oct 19 16:35:07 2022 daemon.notice openvpn(server)[3445]: UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Oct 19 16:35:07 2022 daemon.notice openvpn(server)[3445]: UDPv4 link remote: [AF_UNSPEC]
Wed Oct 19 16:35:07 2022 daemon.notice openvpn(server)[3445]: GID set to nogroup
Wed Oct 19 16:35:07 2022 daemon.notice openvpn(server)[3445]: UID set to nobody
Wed Oct 19 16:35:07 2022 daemon.notice openvpn(server)[3445]: Initialization Sequence Completed
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           3445/openvpn
root@ROOter:~# 

The server is coming up fine.

However, you don't enable it on boot: auto='0'.
Do you see packets inbound? iptables-save -c | grep 1194

Hm. I hadn't noticed that yet. I doubt that I did not enable it manually after rebooting yesterday. But thanks for the hint - I will enable it for auto.

Regarding your question: no. I am not convinced that there is inbound traffic...

root@ROOter:~# iptables-save -c | grep 1194
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT

As mentioned I am struggling with the wan interfaces. Maybe you can advise.

I thought that my interface to the outside world is "wwan0" within zone "wan1". Not sure about "wan" itself - seems to be a software VLAN? But why is "wan1" reporting an IP 10.201.106.192 where I would expect 80.187.102.192?

The following cmd should give the public IP - correct?

root@ROOter:~# . /lib/functions/network.sh; network_find_wan NET_IF; network_get_ipaddr NET_ADDR "${NET_IF}"; echo "${NET_ADDR}"
10.201.106.192

But public ipv4 is the following:

root@ROOter:~# curl https://api.ipify.org/
80.187.102.192root@ROOter:~#

Your ISP is doing carrier NAT. This means that incoming connections cannot reach your router, since you don't have a public IP on your WAN. The 80.187 IP will be shared among many customers. An OpenVPN server cannot work behind CGNAT.
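A triage script for the two checks raised in this thread, added here as an example; it was not posted in the thread and is not part of OpenWrt or ROOter. It parses `iptables-save -c` counters for the fw3 "Allow-OpenVPN" rule (the `[0:0]` line shown above) and classifies the WAN interface address against RFC 1918 and RFC 6598 (100.64.0.0/10) space, comparing it with the address seen from outside, which is the reasoning behind the carrier-NAT verdict above. The chain name `zone_wan_input` and port 1194 come from the posted firewall output; the sample iptables lines in the script are constructed, and the `--live` flag, the helper names and the use of api.ipify.org for the public address are my assumptions. Written for POSIX/BusyBox sh so it runs on the router itself.

```shell
#!/bin/sh
# Added example, not from the thread: why does the OpenVPN server see no
# inbound packets?  Two checks from the discussion above.
#  1. Has the fw3 rule "Allow-OpenVPN" in zone_wan_input counted any packets?
#  2. Is the WAN interface address private (RFC 1918) or CGNAT (RFC 6598)
#     space, i.e. different from the address the Internet sees?
# POSIX sh only (BusyBox ash on OpenWrt is fine); no bashisms.

# Dotted quad -> 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET/BITS -> exit 0 when ADDR lies inside NET/BITS.
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# classify_ip4 ADDR -> cgnat | private | public
# Either of the first two on a WAN interface means the router does not hold
# a public address, so unsolicited inbound UDP from the Internet cannot reach it.
classify_ip4() {
    if in_cidr "$1" 100.64.0.0/10; then
        echo cgnat
    elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then
        echo private
    else
        echo public
    fi
}

# nat_verdict WAN_ADDR PUBLIC_ADDR -> no-nat | different-public | carrier-nat:<kind>
nat_verdict() {
    if [ "$1" = "$2" ]; then
        echo no-nat                   # the router itself holds the public address
    elif [ "$(classify_ip4 "$1")" = public ]; then
        echo different-public         # public on WAN but not what the outside sees: another hop NATs
    else
        echo "carrier-nat:$(classify_ip4 "$1")"
    fi
}

# rule_packets DUMP PORT -> packet counter of the first zone_wan_input ACCEPT
# rule for --dport PORT in an `iptables-save -c` dump (empty if no such rule).
rule_packets() {
    printf '%s\n' "$1" \
      | sed -n "s/^\[\([0-9]*\):[0-9]*] -A zone_wan_input .*--dport $2 .*-j ACCEPT.*/\1/p" \
      | head -n 1
}

# inbound_status DUMP PORT -> no-rule | rule-present-no-packets | packets:N
inbound_status() {
    n=$(rule_packets "$1" "$2")
    case "$n" in
        '') echo no-rule ;;
        0)  echo rule-present-no-packets ;;
        *)  echo "packets:$n" ;;
    esac
}

# Constructed sample dumps (not real router output).
SAMPLE_NO_HITS='[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT'
SAMPLE_HITS='[1052:88400] -A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Allow-SSH" -j ACCEPT
[17:2210] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
    # On the router: same address lookup as used in the thread, plus the real counters.
    . /lib/functions/network.sh
    network_find_wan NET_IF
    network_get_ipaddr WAN_ADDR "$NET_IF"
    PUB_ADDR=$(curl -s https://api.ipify.org)
    echo "wan=$NET_IF $WAN_ADDR public=$PUB_ADDR verdict=$(nat_verdict "$WAN_ADDR" "$PUB_ADDR")"
    echo "Allow-OpenVPN: $(inbound_status "$(iptables-save -c)" 1194)"
else
    # Offline demo with the two addresses from this thread and the sample dumps.
    echo "10.201.106.192 vs 80.187.102.192 -> $(nat_verdict 10.201.106.192 80.187.102.192)"
    echo "sample with zero counter -> $(inbound_status "$SAMPLE_NO_HITS" 1194)"
    echo "sample with hits         -> $(inbound_status "$SAMPLE_HITS" 1194)"
fi
```

Run it on the router as `sh ovpn-triage.sh --live`; a `carrier-nat:*` verdict together with `rule-present-no-packets` is exactly the picture in this thread. The counter check only looks at the single `zone_wan_input` ACCEPT rule; if the port is handled by mwan3 or a custom chain, adjust the sed pattern accordingly.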

Uh. Had to google that first... but yep, as I am connected via a 4G LTE modem that seems to be the issue, as German Telekom is doing CG-NAT. Shit. It seems that there is no way around it - correct?

Question: Is this something which is related to IPv4 only? Because normally a mobile data connection is working via IPv6 by default (as far as I know) but I was not able to get that running and switched back to IPv4...

If you have IPv6 from your provider it will most likely not be NATed and you'll just need to bind the OpenVPN server on the IPv6 address instead of IPv4.

That's exactly what I tried within the past hour. I switched the LTE APN to the IPv6 version, but can't establish any connection. The log is only stating "call failed"... Regarding protocol type I already tried IPv6 only and IPv4+IPv6. Both without success... Is there any detailed log somewhere to check what "call failed" exactly means?

Ask your provider if they indeed offer IPv6 first.

They do. There is an official announcement from 2020 already...
Telekomhilft - Neuer IPv6 Zugang

APN Name:       Telekom Internet IPv6
APN:            internet.v6.telekom
Username:       telekom
Password:       tm

Can you post the uci export network?

Sure.

root@ROOter:~# uci export network
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2c:702d:d3ff::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0.1 tap0 tap-server'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'f8:5e:3c:20:5e:28'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option metric '1'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'f8:5e:3c:20:5e:29'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'VPN'
        option proto 'none'
        option ifname 'tun0'

config interface 'VPNS'
        option proto 'none'
        option ifname 'tun-server'
        option auto '0'

config interface 'TAP'
        option proto 'none'
        option ifname 'tap0'
        option auto '1'

config interface 'TAPS'
        option proto 'none'
        option ifname 'tap-server'
        option auto '0'

config interface 'wwan'
        option proto 'dhcp'
        option metric '2'

config interface 'wwan6'
        option proto 'dhcpv6'

config interface 'wan2'
        option proto 'dhcp'
        option metric '20'
        option ifname 'wan2'

config interface 'wg0'
        option proto 'wireguard'
        option auto '0'
        list addresses ''

config interface 'wg1'
        option proto 'wireguard'
        option auto '0'
        list addresses ''

config interface 'wan1'
        option proto 'dhcp'
        option ifname 'wwan0'
        option _orig_bridge 'false'
        option metric '10'

root@ROOter:~#

I don't see any configuration for 3g/LTE.
I am not sure if you can get much help anyway, since you are using some fork of OpenWrt and an unsupported version.

What info do you expect? wwan0 is the interface with the Quectel EP06 modem... Is there maybe any other command to execute?

Where is the dhcpv6 protocol to get IPv6 then? There is only DHCP in wan1.