Trying to get OpenVPN server to reach LAN side

Hi

I'm trying to set up my VPN server dual-stack with IPv4/IPv6. Everything is working and IPv6 connects fine with DDNS over the internet, but I can't reach the LAN side.

Can anyone give any suggestions to make it work?

my config:

/etc/config/openvpn

config openvpn 'DefconVpnServer'
	option enabled '1'
	option dev 'tun21'
	option proto 'udp6'
#	option proto 'udp'
	option port '1234'
# Encryption and security
	option cipher 'AES-256-GCM'
	list data_ciphers 'AES-256-GCM'
	list data_ciphers 'AES-128-GCM'
	list data_ciphers 'CHACHA20-POLY1305'
	option auth_nocache '1'
	option tls_crypt_v2 '/etc/openvpn/tls-crypt-v2-server.key'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh.pem'
	option topology 'subnet'
# Compression and performance
	option comp_lzo 'no'
	option allow_compression 'no'
	option fast_io '1'
# Server networks (IPv4 + IPv6)
	option server '10.0.42.0 255.255.255.0'
	option server_ipv6 'fd42:4242:4242::/64'
# Push routes and DNS
	list push 'route 192.168.42.0 255.255.255.0 vpn_gateway 500'
	list push 'route-ipv6 2000::/3'
	list push 'redirect-gateway def1 ipv6'
	list push 'dhcp-option DOMAIN home.lan'
	list push 'dhcp-option DNS 192.168.42.1'
	list push 'dhcp-option DNS fd42:4242:4242::1'
# Client handling
	option client_to_client '1'
	option client_config_dir '/etc/openvpn/ccd'
	option ifconfig_pool_persist '/etc/openvpn/ipp.txt 600'
# Logging
	option verb '3'
	option log '/var/log/openvpn-1.log'
	option status_version '2'
# Keepalive and scripts
	option keepalive '10 60'
	option script_security '2'

Firewall:


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun21'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'guest'
	option name 'Allow-DNS-Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'wan'
	option name 'Block-8.8.8.8'
	option target 'REJECT'
	option family 'ipv4'
	list dest_ip '8.8.8.8'

config rule
	option src 'lan'
	option dest 'wan'
	option name 'Block-8.8.4.4'
	option target 'REJECT'
	option family 'ipv4'
	list dest_ip '8.8.4.4'

config rule 'ovpn'
	option name 'OpenVPNServer1'
	option src 'wan'
	option dest_port '1234'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'DefconVpnServer'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config forwarding
	option src 'DefconVpnServer'
	option dest 'lan'

config forwarding
	option src 'DefconVpnServer'
	option dest 'wan'


I seem to have connected to the VPN server both ways from my testing phone.
I can't reach the other LAN or get routed out to the WAN.

I really need some suggestions here!

Firewall:


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun21'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'guest'
	option name 'Allow-DNS-Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'wan'
	option name 'Block-8.8.8.8'
	option target 'REJECT'
	option family 'ipv4'
	list dest_ip '8.8.8.8'

config rule
	option src 'lan'
	option dest 'wan'
	option name 'Block-8.8.4.4'
	option target 'REJECT'
	option family 'ipv4'
	list dest_ip '8.8.4.4'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'tun21'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config rule 'ovpn'
	option name 'ALLOW-OpenVPN'
	option src 'wan'
	option proto 'udp'
	option dest_port '1234'
	option target 'ACCEPT'
	list network 'vpn'




Network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdxx:35f6:xxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'TRB140'
	option proto 'static'
	option device '@wan'
	option ipaddr '192.168.25.2'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

config interface 'tun21'
	option proto 'none'
	option device 'tun21'


FWIW, WireGuard is far easier to set up and much more performant.

That said, you have tun21 associated with 2 firewall zones. It must only be in one. If it's fully trusted, simply delete all of the vpn zone related stuff since it's already listed in the lan zone:

Then, edit the lan zone's tun21 device to be simply tun+

And in the OpenVPN config, it looks like you're redirecting IPv6, but not IPv4.

Where does 192.168.42.0/24 exist?
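The two checks made in the reply above (a device bound to more than one firewall zone, and a pushed route whose subnet exists on no local interface) can be run mechanically against the UCI text. This is an added example, not code from the thread or from OpenWrt: the UCI parser is a minimal hand-written one, and the three sample configs are constructed from the network, firewall and OpenVPN snippets posted above.

```python
"""Lint OpenWrt UCI text for a device covered by more than one firewall zone and for a
pushed IPv4 route whose subnet exists on no local interface. Added example; the minimal
parser assumes the plain config/option/list UCI syntax shown in this thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed samples, trimmed from the network, firewall and OpenVPN configs posted above.
NETWORK_SAMPLE = """
config interface 'lan'
    option device 'br-lan'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'tun21'
    option device 'tun21'
"""
FIREWALL_SAMPLE = """
config zone 'lan'
    option name 'lan'
    list network 'lan'
    list device 'tun21'

config zone
    option name 'vpn'
    list network 'tun21'
"""
OPENVPN_SAMPLE = """
config openvpn 'DefconVpnServer'
    list push 'route 192.168.42.0 255.255.255.0 vpn_gateway 500'
    list push 'route 192.168.1.0 255.255.255.0 vpn_gateway 500'
    list push 'route-ipv6 2000::/3'
"""
UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)'|\s+(\S+))?$")

def parse_uci(text):
    """Return sections as {'type', 'name', 'options': {k: v}, 'lists': {k: [v, ...]}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = UCI_LINE.match(line)
        if m is None:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare  # None for an anonymous section
        if kind == 'config':
            sections.append({'type': key, 'name': value, 'options': {}, 'lists': defaultdict(list)})
        elif kind == 'option':
            sections[-1]['options'][key] = value
        else:
            sections[-1]['lists'][key].append(value)
    return sections

def zone_devices(firewall, network):
    """Map zone name -> devices/patterns it covers; 'list network' entries are resolved
    to the interface's device through the network config (interface tun21 -> tun21)."""
    iface_dev = {s['name']: s['options'].get('device', s['name'])
                 for s in network if s['type'] == 'interface'}
    zones = {}
    for s in firewall:
        if s['type'] == 'zone':
            devs = set(s['lists']['device'])
            devs.update(iface_dev.get(n, n) for n in s['lists']['network'])
            zones[s['options']['name']] = devs
    return zones

def _covers(pattern, device):
    # netfilter-style wildcard: a trailing '+' matches every device with that prefix
    return device.startswith(pattern[:-1]) if pattern.endswith('+') else pattern == device

def devices_in_multiple_zones(zones):
    """{device: [zone, ...]} for every concrete device that more than one zone covers."""
    concrete = {d for devs in zones.values() for d in devs if not d.endswith('+')}
    hits = {}
    for dev in sorted(concrete):
        owners = sorted(z for z, devs in zones.items() if any(_covers(p, dev) for p in devs))
        if len(owners) > 1:
            hits[dev] = owners
    return hits

def unroutable_pushed_routes(openvpn, network):
    """Pushed 'route NET MASK' entries whose subnet is configured on no local interface."""
    local = {ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False)
             for o in (s['options'] for s in network if s['type'] == 'interface')
             if 'ipaddr' in o and 'netmask' in o}
    bad = []
    for s in openvpn:
        if s['type'] != 'openvpn':
            continue
        for push in s['lists']['push']:
            p = push.split()
            if len(p) >= 3 and p[0] == 'route':
                net = ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False)
                if net not in local:
                    bad.append(str(net))
    return bad
```

With the thread's configs this reports tun21 as owned by both `lan` and `vpn`, and 192.168.42.0/24 as pushed but present on no interface; a `tun+` pattern in one zone plus a literal `tun21` in another is flagged the same way.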

I can't reach the LAN or WAN side. Are there any settings in the VPN phone program to set?

I have removed this:

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'tun21'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

And changed tun21 to tunx:

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tunx'

# Push routes and DNS
	list push 'route 192.168.42.0 255.255.255.0 vpn_gateway 500'
	list push 'route-ipv6 2000::/3'
	list push 'redirect-gateway def1 ipv6'
	list push 'dhcp-option DOMAIN home.lan'
	list push 'dhcp-option DNS 192.168.42.1'
	list push 'dhcp-option DNS fd42:4242:4242::1'

# Server networks (IPv4 + IPv6)
	option server '10.0.42.0 255.255.255.0'
	option server_ipv6 'fd42:4242:4242::/64'

Not tunx... it should be tun+ (plus sign)

You didn't answer:

> Not tunx... it should be tun+ (plus sign)

Sorry, I just wrote the wrong sign; I have (+) set.

> Where does 192.168.42.0/24 exist?

option server '10.8.42.0 255.255.255.0'

list push 'route 192.168.42.0 255.255.255.0 vpn_gateway 500'

But I can't connect to my LAN or WAN side....

Tried to change it to:

list push 'route 192.168.1.1 255.255.255.0 vpn_gateway 500'

PUSH string, IPv6:

SENT CONTROL [johan24]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,route-ipv6 2000::/3,redirect-gateway def1 ipv6,dhcp-option DOMAIN home.lan,dhcp-option DNS 192.168.1.1,dhcp-option DNS fd42:4242:4242::1,tun-ipv6,route-gateway 10.8.42.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fd42:4242:4242::1002/64 fd42:4242:4242::1,ifconfig 10.8.42.4 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)

Sorry guys.

I'm out of ideas. Both IPv4 and IPv6 connect fine, but I can't connect to the LAN side.
Everything looks right; I think I've tried most of it.
Hope someone has a solution!?

Thanks in advance, octopus

@egc Any thoughts please.....

Some general recommendations:
- Reboot the router after you are done configuring.
- Always test from outside, e.g. with your phone or laptop on cellular.
- Clients on the LAN, e.g. servers, PCs etc., will have their own firewall, so in order to reach those you have to disable the firewall on those LAN clients or at least allow the OpenVPN subnet (10.0.42.0/24).

Let's start with the current configs. Please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have, but do not redact private RFC 1918 IP addresses as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
cat /etc/config/openvpn
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
logread | grep openvpn

Furthermore, show the log of the connected OpenVPN client.

ubus call system board

> root@Defcon:~# ubus call system board
> {
>         "kernel": "6.6.110",
>         "hostname": "Defcon",
>         "system": "ARMv8 Processor rev 4",
>         "model": "GL.iNet GL-MT6000",
>         "board_name": "glinet,gl-mt6000",
>         "rootfs_type": "squashfs",
>         "release": {
>                 "distribution": "OpenWrt",
>                 "version": "24.10.4",
>                 "revision": "r28959-29397011cc",
>                 "target": "mediatek/filogic",
>                 "description": "OpenWrt 24.10.4 r28959-29397011cc",
>                 "builddate": "1760891865"
>         }
> }

cat /etc/config/network

> config globals 'globals'
>         option ula_prefix 'fd65:xxxx:a308::/48'
>         option packet_steering '1'
> 
> config device
>         option name 'br-lan'
>         option type 'bridge'
>         list ports 'lan1'
>         list ports 'lan2'
>         list ports 'lan3'
>         list ports 'lan4'
>         list ports 'lan5'
> 
> config interface 'lan'
>         option device 'br-lan'
>         option proto 'static'
>         option ipaddr '192.168.1.1'
>         option netmask '255.255.255.0'
>         option ip6assign '60'
> 
> config interface 'wan'
>         option device 'eth1'
>         option proto 'dhcp'
> 
> config interface 'wan6'
>         option device 'eth1'
>         option proto 'dhcpv6'
> 
> config interface 'TRB140'
>         option proto 'static'
>         option device '@wan'
>         option ipaddr '192.168.25.2'
>         option netmask '255.255.255.0'
> 
> config device
>         option type 'bridge'
>         option name 'br-guest'
>         option bridge_empty '1'
> 
> config interface 'guest'
>         option proto 'static'
>         option device 'br-guest'
>         option ipaddr '192.168.2.1'
>         option netmask '255.255.255.0'
>         option gateway '192.168.1.1'
> 
> config interface 'tun21'
>         option proto 'none'
>         option device 'tun21'

cat /etc/config/firewall

> root@Defcon:~# cat /etc/config/firewall
> config defaults
>         option input 'REJECT'
>         option output 'ACCEPT'
>         option forward 'REJECT'
>         option synflood_protect '1'
> 
> config zone 'lan'
>         option name 'lan'
>         list network 'lan'
>         option input 'ACCEPT'
>         option output 'ACCEPT'
>         option forward 'ACCEPT'
>         list device 'tun21'
> 
> config zone 'wan'
>         option name 'wan'
>         list network 'wan'
>         list network 'wan6'
>         option input 'REJECT'
>         option output 'ACCEPT'
>         option forward 'REJECT'
>         option masq '1'
>         option mtu_fix '1'
> 
> config forwarding
>         option src 'lan'
>         option dest 'wan'
> 
> config rule
>         option name 'Allow-DHCP-Renew'
>         option src 'wan'
>         option proto 'udp'
>         option dest_port '68'
>         option target 'ACCEPT'
>         option family 'ipv4'
> 
> config rule
>         option name 'Allow-Ping'
>         option src 'wan'
>         option proto 'icmp'
>         option icmp_type 'echo-request'
>         option family 'ipv4'
>         option target 'ACCEPT'
> 
> config rule
>         option name 'Allow-IGMP'
>         option src 'wan'
>         option proto 'igmp'
>         option family 'ipv4'
>         option target 'ACCEPT'
> 
> config rule
>         option name 'Allow-DHCPv6'
>         option src 'wan'
>         option proto 'udp'
>         option dest_port '546'
>         option family 'ipv6'
>         option target 'ACCEPT'
> 
> config rule
>         option name 'Allow-MLD'
>         option src 'wan'
>         option proto 'icmp'
>         option src_ip 'fe80::/10'
>         list icmp_type '130/0'
>         list icmp_type '131/0'
>         list icmp_type '132/0'
>         list icmp_type '143/0'
>         option family 'ipv6'
>         option target 'ACCEPT'
> 
> config rule
>         option name 'Allow-ICMPv6-Input'
>         option src 'wan'
>         option proto 'icmp'
>         list icmp_type 'echo-request'
>         list icmp_type 'echo-reply'
>         list icmp_type 'destination-unreachable'
>         list icmp_type 'packet-too-big'
>         list icmp_type 'time-exceeded'
>         list icmp_type 'bad-header'
>         list icmp_type 'unknown-header-type'
>         list icmp_type 'router-solicitation'
>         list icmp_type 'neighbour-solicitation'
>         list icmp_type 'router-advertisement'
>         list icmp_type 'neighbour-advertisement'
>         option limit '1000/sec'
>         option family 'ipv6'
>         option target 'ACCEPT'
> 
> config rule
>         option name 'Allow-ICMPv6-Forward'
>         option src 'wan'
>         option dest '*'
>         option proto 'icmp'
>         list icmp_type 'echo-request'
>         list icmp_type 'echo-reply'
>         list icmp_type 'destination-unreachable'
>         list icmp_type 'packet-too-big'
>         list icmp_type 'time-exceeded'
>         list icmp_type 'bad-header'
>         list icmp_type 'unknown-header-type'
>         option limit '1000/sec'
>         option family 'ipv6'
>         option target 'ACCEPT'
> 
> config rule
>         option name 'Allow-IPSec-ESP'
>         option src 'wan'
>         option dest 'lan'
>         option proto 'esp'
>         option target 'ACCEPT'
> 
> config rule
>         option name 'Allow-ISAKMP'
>         option src 'wan'
>         option dest 'lan'
>         option dest_port '500'
>         option proto 'udp'
>         option target 'ACCEPT'
> 
> config zone
>         option name 'guest'
>         option input 'REJECT'
>         option output 'ACCEPT'
>         option forward 'REJECT'
>         list network 'guest'
> 
> config forwarding
>         option src 'guest'
>         option dest 'wan'
> 
> config rule
>         option src 'guest'
>         option name 'Allow-DNS-Guest'
>         option dest_port '53'
>         option target 'ACCEPT'
> 
> config rule
>         option src 'guest'
>         option name 'Allow-DHCP-Guest'
>         list proto 'udp'
>         option dest_port '67'
>         option target 'ACCEPT'
> 
> config rule
>         option src 'lan'
>         option dest 'wan'
>         option name 'Block-8.8.8.8'
>         option target 'REJECT'
>         option family 'ipv4'
>         list dest_ip '8.8.8.8'
> 
> config rule
>         option src 'lan'
>         option dest 'wan'
>         option name 'Block-8.8.4.4'
>         option target 'REJECT'
>         option family 'ipv4'
>         list dest_ip '8.8.4.4'
> 
> config rule 'ovpn'
>         option name 'ALLOW-OpenVPN'
>         option src 'wan'
>         option proto 'udp'
>         option dest_port '2196'
>         option target 'ACCEPT'
>         list network 'vpn'

ip route show

> root@Defcon:~# ip route show
> default via 100.69.0.1 dev eth1  src 100.xx.xx.38
> 10.8.42.0/24 dev tun21 scope link  src 10.8.42.1
> 100.69.0.0/17 dev eth1 scope link  src 100.xx.xx.38
> 192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
> 192.168.2.0/24 dev br-guest scope link  src 192.168.2.1
> 192.168.25.0/24 dev eth1 scope link  src 192.168.25.2

ip -6 route show

root@Defcon:~# ip -6 route show
default from 2001:9b0:41::c934:xxxx via fe80::xxxx:2cff:fe9e:ea01 dev eth1  metric 512
default from 2001:9b1:dfe:a100::/56 via fe80::xxxx:2cff:xxxx:ea01 dev eth1  metric 512
2001:9b1:dfe:a100::/64 dev br-lan  metric 1024
unreachable 2001:9b1:dfe:a100::/56 dev lo  metric 2147483647
fd42:4242:4242::/64 dev tun21  metric 256
fd65:35f6:a308::/64 dev br-lan  metric 1024
unreachable fd65:35f6:a308::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth1  metric 256
fe80::/64 dev br-guest  metric 256
fe80::/64 dev ifb4eth1  metric 256
fe80::/64 dev tun21  metric 256
anycast 2001:9b1:dfe:a100:: dev br-lan  metric 0
anycast fd42:4242:4242:: dev tun21  metric 0
anycast fd65:35f6:a308:: dev br-lan  metric 0
anycast fe80:: dev eth0  metric 0
anycast fe80:: dev br-lan  metric 0
anycast fe80:: dev eth1  metric 0
anycast fe80:: dev br-guest  metric 0
anycast fe80:: dev ifb4eth1  metric 0
anycast fe80:: dev tun21  metric 0
multicast ff00::/8 dev eth0  metric 256
multicast ff00::/8 dev br-lan  metric 256
multicast ff00::/8 dev eth1  metric 256
multicast ff00::/8 dev br-guest  metric 256
multicast ff00::/8 dev ifb4eth1  metric 256
multicast ff00::/8 dev tun21  metric 256

cat /etc/config/openvpn

root@Defcon:~# cat /etc/config/openvpn

config openvpn 'DefconVpnServer'
        option enabled '1'
        option dev 'tun21'
                option proto 'udp6'
#       option proto 'udp'
        option port '2196'
# Encryption and security
        option cipher 'AES-256-GCM'
        list data_ciphers 'AES-256-GCM'
        list data_ciphers 'AES-128-GCM'
        list data_ciphers 'CHACHA20-POLY1305'
        option auth_nocache '1'
        option tls_crypt_v2 '/etc/openvpn/tls-crypt-v2-server.key'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh.pem'
        option topology 'subnet'
# Compression and performance
        option comp_lzo 'no'
        option allow_compression 'no'
        option fast_io '1'
# Server networks (IPv4 + IPv6)
        option server '10.8.42.0 255.255.255.0'
                option server_ipv6 'fd42:4242:4242::/64'
# Push routes and DNS
        list push 'route 192.168.1.0 255.255.255.0 vpn_gateway 500'
        list push 'dhcp-option DOMAIN home.lan'
        list push 'dhcp-option DNS 192.168.1.1'
                list push 'route-ipv6 2000::/3'
                list push 'redirect-gateway def1 ipv6'
                list push 'dhcp-option DNS fd42:4242:4242::1'
# Client handling
        option client_to_client '1'
        option client_config_dir '/etc/openvpn/ccd'
        option ifconfig_pool_persist '/etc/openvpn/ipp.txt 600'
# Logging
        option verb '3'
        option log '/var/log/openvpn-1.log'
        option status_version '2'
# Keepalive and scripts
        option keepalive '10 60'
        option script_security '2'

for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done

root@Defcon:~# for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
ls: /etc/openvpn/*.ovpn: No such file or directory

for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done

root@Defcon:~# for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
/tmp/etc/openvpn-DefconVpnServer.conf
auth-nocache
client-to-client
fast-io
allow-compression no
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
cipher AES-256-GCM
client-config-dir /etc/openvpn/ccd
comp-lzo no
dev tun21
dh /etc/openvpn/dh.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt 600
keepalive 10 60
key /etc/openvpn/server.key
log /var/log/openvpn-1.log
port 2196
proto udp6
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
push "dhcp-option DOMAIN home.lan"
push "dhcp-option DNS 192.168.1.1"
push "route-ipv6 2000::/3"
push "redirect-gateway def1 ipv6"
push "dhcp-option DNS fd42:4242:4242::1"
server 10.8.42.0 255.255.255.0
server-ipv6 fd42:4242:4242::/64
status-version 2
tls-crypt-v2 /etc/openvpn/tls-crypt-v2-server.key
topology subnet
verb 3
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

logread | grep openvpn (log /var/log/openvpn-1.log)

2025-11-02 13:39:47 Control Channel: using tls-crypt-v2 key
2025-11-02 13:39:47 Connection Attempt Control Channel: using tls-crypt-v2 key
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Control Channel: using tls-crypt-v2 key
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e VERIFY OK: depth=1, CN=MyVPN-CA
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e VERIFY OK: depth=0, CN=johanpc
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_VER=2.6.15
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_PLAT=win
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_TCPNL=1
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_MTU=1600
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_NCP=2
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_PROTO=990
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_GUI_VER=OpenVPN_GUI_11.56.0.0
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_SSO=openurl,webauth,crtext
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2025-11-02 13:39:47 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e [johanpc] Peer Connection Initiated with [AF_INET6]2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e:55084
2025-11-02 13:39:47 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e MULTI_sva: pool returned IPv4=10.8.42.2, IPv6=fd42:4242:4242::1000
2025-11-02 13:39:47 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e MULTI: Learn: 10.8.42.2 -> johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e
2025-11-02 13:39:47 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e MULTI: primary virtual IP for johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e: 10.8.42.2
2025-11-02 13:39:47 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e MULTI: Learn: fd42:4242:4242::1000 -> johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e
2025-11-02 13:39:47 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e MULTI: primary virtual IPv6 for johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e: fd42:4242:4242::1000
2025-11-02 13:39:47 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e SENT CONTROL [johanpc]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DOMAIN home.lan,dhcp-option DNS 192.168.1.1,route-ipv6 2000::/3,redirect-gateway def1 ipv6,dhcp-option DNS fd42:4242:4242::1,tun-ipv6,route-gateway 10.8.42.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fd42:4242:4242::1000/64 fd42:4242:4242::1,ifconfig 10.8.42.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
2025-11-02 13:39:48 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'stub'
2025-11-02 13:39:48 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Timers: ping 10, ping-restart 120
2025-11-02 13:39:48 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
2025-11-02 13:41:48 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e [johanpc] Inactivity timeout (--ping-restart), restarting
2025-11-02 13:41:48 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e SIGUSR1[soft,ping-restart] received, client-instance restarting
2025-11-02 13:42:50 Control Channel: using tls-crypt-v2 key
2025-11-02 13:42:50 Connection Attempt Control Channel: using tls-crypt-v2 key
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Control Channel: using tls-crypt-v2 key
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e VERIFY OK: depth=1, CN=MyVPN-CA
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e VERIFY OK: depth=0, CN=johanpc
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_VER=2.6.15
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_PLAT=win
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_TCPNL=1
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_MTU=1600
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_NCP=2
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_PROTO=990
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_GUI_VER=OpenVPN_GUI_11.56.0.0
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e peer info: IV_SSO=openurl,webauth,crtext
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-11-02 13:42:50 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-11-02 13:42:53 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2025-11-02 13:42:53 2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e [johanpc] Peer Connection Initiated with [AF_INET6]2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e:53463
2025-11-02 13:42:53 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e MULTI_sva: pool returned IPv4=10.8.42.2, IPv6=fd42:4242:4242::1000
2025-11-02 13:42:53 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e MULTI: Learn: 10.8.42.2 -> johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e
2025-11-02 13:42:53 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e MULTI: primary virtual IP for johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e: 10.8.42.2
2025-11-02 13:42:53 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e MULTI: Learn: fd42:4242:4242::1000 -> johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e
2025-11-02 13:42:53 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e MULTI: primary virtual IPv6 for johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e: fd42:4242:4242::1000
2025-11-02 13:42:53 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e SENT CONTROL [johanpc]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DOMAIN home.lan,dhcp-option DNS 192.168.1.1,route-ipv6 2000::/3,redirect-gateway def1 ipv6,dhcp-option DNS fd42:4242:4242::1,tun-ipv6,route-gateway 10.8.42.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fd42:4242:4242::1000/64 fd42:4242:4242::1,ifconfig 10.8.42.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
2025-11-02 13:42:54 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'stub'
2025-11-02 13:42:54 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Timers: ping 10, ping-restart 120
2025-11-02 13:42:54 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
2025-11-02 13:43:28 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e Delayed exit in 5 seconds
2025-11-02 13:43:33 johanpc/2a00:801:7af:ddb4:90d1:5b7a:996c:ca6e SIGTERM[soft,delayed-exit] received, client-instance exiting

log from client

2025-11-02 13:39:39 OpenVPN 2.6.15 [git:v2.6.15/90bdd59a95170169] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Sep 22 2025
2025-11-02 13:39:39 Windows version 10.0 (Windows 10 or greater), amd64 executable
2025-11-02 13:39:39 library versions: OpenSSL 3.5.3 16 Sep 2025, LZO 2.10
2025-11-02 13:39:39 DCO version: 1.3.3
2025-11-02 13:39:39 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2025-11-02 13:39:39 Need hold release from management interface, waiting...
2025-11-02 13:39:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:63933
2025-11-02 13:39:39 MANAGEMENT: CMD 'state on'
2025-11-02 13:39:39 MANAGEMENT: CMD 'log on all'
2025-11-02 13:39:39 MANAGEMENT: CMD 'echo on all'
2025-11-02 13:39:39 MANAGEMENT: CMD 'bytecount 5'
2025-11-02 13:39:39 MANAGEMENT: CMD 'state'
2025-11-02 13:39:39 MANAGEMENT: CMD 'hold off'
2025-11-02 13:39:39 MANAGEMENT: CMD 'hold release'
2025-11-02 13:39:39 MANAGEMENT: >STATE:1762087179,RESOLVE,,,,,,
2025-11-02 13:39:39 TCP/UDP: Preserving recently used remote address: [AF_INET6]2001:9b0:xx::c934:xxxx:2196
2025-11-02 13:39:39 ovpn-dco device [OpenVPN Data Channel Offload] opened
2025-11-02 13:39:39 UDP link local: (not bound)
2025-11-02 13:39:39 UDP link remote: [AF_INET6]2001:9b0:41::c934:936b:2196
2025-11-02 13:39:39 MANAGEMENT: >STATE:1762087179,WAIT,,,,,,
2025-11-02 13:39:39 MANAGEMENT: >STATE:1762087179,AUTH,,,,,,
2025-11-02 13:39:39 TLS: Initial packet from [AF_INET6]2001:9b0:xx::c934:xxxx:2196, sid=b1cd7f4a 76513b89
2025-11-02 13:39:39 VERIFY OK: depth=1, CN=MyVPN-CA
2025-11-02 13:39:39 VERIFY X509NAME OK: CN=xxxxxx.xxxxxx.se
2025-11-02 13:39:39 VERIFY OK: depth=0, CN=xxxxxx.xxxxxx.se
2025-11-02 13:39:40 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2025-11-02 13:39:40 [xxxxx.xxxxx.se] Peer Connection Initiated with [AF_INET6]2001:9b0:41::c934:936b:2196
2025-11-02 13:39:40 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-11-02 13:39:40 TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-11-02 13:39:40 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DOMAIN home.lan,dhcp-option DNS 192.168.1.1,route-ipv6 2000::/3,redirect-gateway def1 ipv6,dhcp-option DNS fd42:4242:4242::1,tun-ipv6,route-gateway 10.8.42.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fd42:4242:4242::1000/64 fd42:4242:4242::1,ifconfig 10.8.42.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2025-11-02 13:39:40 OPTIONS IMPORT: --ifconfig/up options modified
2025-11-02 13:39:40 OPTIONS IMPORT: route options modified
2025-11-02 13:39:40 OPTIONS IMPORT: route-related options modified
2025-11-02 13:39:40 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2025-11-02 13:39:40 OPTIONS IMPORT: tun-mtu set to 1500
2025-11-02 13:39:40 interactive service msg_channel=620
2025-11-02 13:39:40 ROUTE_GATEWAY 10.127.22.55/255.255.255.0 I=16 HWADDR=6c:2f:80:df:dd:f6
2025-11-02 13:39:40 GDG6: remote_host_ipv6=2001:9b0:41::c934:936b
2025-11-02 13:39:40 GetBestInterfaceEx() returned if=16
2025-11-02 13:39:40 GDG6: II=16 DP=::/0 NH=fe80::a4a4:90ff:fe89:1218
2025-11-02 13:39:40 GDG6: Metric=16, Loopback=0, AA=1, I=0
2025-11-02 13:39:40 ROUTE6_GATEWAY fe80::a4a4:90ff:fe89:1218 I=16
2025-11-02 13:39:40 ROUTE6: 2000::/4 overlaps IPv6 remote 2001:9b0:41::c934:936b, adding host route to VPN endpoint
2025-11-02 13:39:40 ROUTE6: 2000::/3 overlaps IPv6 remote 2001:9b0:41::c934:936b, adding host route to VPN endpoint
2025-11-02 13:39:40 MANAGEMENT: >STATE:1762087180,ASSIGN_IP,,10.8.42.2,,,,,fd42:4242:4242::1000
2025-11-02 13:39:40 INET address service: add 10.8.42.2/24
2025-11-02 13:39:40 IPv4 dns servers set using service
2025-11-02 13:39:41 DNS domain set using service
2025-11-02 13:39:41 IPv4 MTU set to 1500 on interface 7 using service
2025-11-02 13:39:41 INET6 address service: add fd42:4242:4242::1000/128
2025-11-02 13:39:41 add_route_ipv6(fd42:4242:4242::/64 -> fd42:4242:4242::1000 metric 0) IF 7
2025-11-02 13:39:41 IPv6 route addition via service succeeded
2025-11-02 13:39:41 IPv6 dns servers set using service
2025-11-02 13:39:41 IPv6 MTU set to 1500 on interface 7 using service
2025-11-02 13:39:41 ROUTE remote_host protocol differs from tunneled
2025-11-02 13:39:41 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.42.1
2025-11-02 13:39:41 Route addition via service succeeded
2025-11-02 13:39:41 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.42.1
2025-11-02 13:39:41 Route addition via service succeeded
2025-11-02 13:39:41 MANAGEMENT: >STATE:1762087181,ADD_ROUTES,,,,,,
2025-11-02 13:39:41 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.42.1 METRIC 500
2025-11-02 13:39:41 Route addition via service succeeded
2025-11-02 13:39:41 add_route_ipv6(2001:9b0:41::xxx:936b/128 -> fe80::a4a4:90ff:fe89:1218 metric 1) IF 16
2025-11-02 13:39:41 IPv6 route addition via service succeeded
2025-11-02 13:39:41 add_route_ipv6(2000::/3 -> fd42:4242:4242::1 metric 200) IF 7
2025-11-02 13:39:41 IPv6 route addition via service succeeded
2025-11-02 13:39:41 add_route_ipv6(::/3 -> fd42:4242:4242::1 metric 200) IF 7
2025-11-02 13:39:41 IPv6 route addition via service succeeded
2025-11-02 13:39:41 add_route_ipv6(2000::/4 -> fd42:4242:4242::1 metric 200) IF 7
2025-11-02 13:39:41 IPv6 route addition via service succeeded
2025-11-02 13:39:41 add_route_ipv6(3000::/4 -> fd42:4242:4242::1 metric 200) IF 7
2025-11-02 13:39:41 IPv6 route addition via service succeeded
2025-11-02 13:39:41 add_route_ipv6(fc00::/7 -> fd42:4242:4242::1 metric 200) IF 7
2025-11-02 13:39:41 IPv6 route addition via service succeeded
2025-11-02 13:39:41 Initialization Sequence Completed
2025-11-02 13:39:41 MANAGEMENT: >STATE:1762087181,CONNECTED,SUCCESS,10.8.42.2,2001:9b0:xx::c934:936b,xxxx,,,fd42:4242:4242::1000
2025-11-02 13:39:41 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2025-11-02 13:39:41 Timers: ping 10, ping-restart 60
2025-11-02 13:39:41 Protocol options: explicit-exit-notify 2, protocol-flags cc-exit tls-ekm dyn-tls-crypt

This looks like it should work. If the LAN device that you are trying to reach is Windows it is possible it is firewalling requests from outside its own LAN. Run some packet captures on the router to see if remote requests are arriving on the tunnel and being forwarded to the LAN.

Also if the remote machine is connected to your home network or another network overlapping 192.168.1.0/24 it will not work. To test at home turn on the hotspot in your phone and connect the laptop to it. Using an obscure IP range for the home LAN is recommended in case you are at a hotel etc. that uses 192.168.1.0.

It indeed looks like it should work. Especially take note of the firewall of the LAN clients you want to reach; you really should disable that on the LAN clients.

To be sure the routing on the client is OK you can check on the Windows client with:

route PRINT

There are a few things on the server which might play a role, I would remove the compression to begin with:

Reboot and check again

Furthermore try with proto udp instead of proto udp6

Thanks for your replies: @mk24 @egc

Changing from udp6 to udp makes the client not connect.
The manual says udp6 works for both IPv4 and IPv6.

What really changed things was removing "option comp_lzo 'no'"; then it started to connect.... :clap:

route PRINT

===========================================================================
Interface List
  2...........................Wintun Userspace Tunnel
  4...d4 5d 64 f1 64 eb ......Intel(R) Ethernet Controller (2) I225-V
 19...00 ff 7e 94 bc 0b ......TAP-Windows Adapter V9
  7...........................OpenVPN Data Channel Offload
 25...6c 2f 80 df dd f7 ......Microsoft Wi-Fi Direct Virtual Adapter
 13...6e 2f 80 df dd f6 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 16...6c 2f 80 df dd f6 ......Intel(R) Wi-Fi 6E AX210 160MHz
 18...6c 2f 80 df dd fa ......Bluetooth Device (Personal Area Network) #2
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.133     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.133    276
    192.168.1.133  255.255.255.255         On-link     192.168.1.133    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.133    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.1.133    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.1.133    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  4    276 ::/0                     fe80::9683:c4ff:fea5:ff7f
  1    331 ::1/128                  On-link
  4    276 2001:9b1:dfe:a100::/56   fe80::9683:c4ff:fea5:ff7f
  4    276 2001:9b1:dfe:a100::/64   On-link
  4    276 2001:9b1:dfe:a100::2f6/128
                                    On-link
  4    276 2001:9b1:dfe:a100:a817:ea85:e1f3:eb7b/128
                                    On-link
  4    276 2001:9b1:dfe:a100:c6cf:2a8f:3783:8df1/128
                                    On-link
  4    276 fd65:35f6:a308::/48      fe80::9683:c4ff:fea5:ff7f
  4    276 fd65:35f6:a308::/64      On-link
  4    276 fd65:35f6:a308::2f6/128  On-link
  4    276 fd65:35f6:a308:0:a817:ea85:e1f3:eb7b/128
                                    On-link
  4    276 fd65:35f6:a308:0:d2b6:ed2c:fd03:8df8/128
                                    On-link
  4    276 fe80::/64                On-link
  4    276 fe80::66c2:6712:e6f6:4c2e/128
                                    On-link
  1    331 ff00::/8                 On-link
  4    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Compression is deprecated because it can make it easier to crack the encryption. Recommended setup of a server is not to allow compression.

I had set

# Compression and performance
       option comp_lzo 'no'
       option allow_compression 'no'

but removed "option comp_lzo 'no'"

The option you must use is --allow-compression and it comes in three flavours:

    asym (default in OpenVPN 2.5) - Use this.
    no - Use this to completely disable compression. Note: This will become default in OpenVPN 2.6
    yes - Use this if you really do need compression AND you understand the Risk you are taking.

@egc

Just a last Q can you explain what you mean here?

especially take note of the firewall of the LAN clients you want to reach you really
should disable that on the LAN clients

The clients on your local LAN have their own firewall and usually will only allow traffic from the local subnet. That means those LAN clients will not allow traffic from the OpenVPN subnet, so an OpenVPN client which is connected from outside will not automatically have access to the local LAN clients unless the firewall of those local LAN clients is disabled or set to allow the OpenVPN subnet.

For my Windows clients I added a rule to allow incoming traffic from 10.8.0.0/24, which is my OpenVPN subnet (the router's subnet is 192.168.6.0/24).

Note: sometimes the firewall is set up to allow traffic from all private RFC1918 subnets, in which case it will work.

Bottom line: if you have a good connection and traffic flowing but still cannot connect to local LAN clients, have a look at their firewall.
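As an added example (not from anyone in this thread), this is one way to do what the reply above describes on a Windows LAN client with PowerShell: add an inbound allow rule scoped to the OpenVPN pool only, rather than disabling the firewall. The subnet value assumes the 10.8.42.0/24 pool seen in the PUSH_REPLY above; adjust it to your own pool.

```powershell
# Added example: allow inbound traffic on a Windows LAN client only from the
# OpenVPN subnet, instead of turning the firewall off. Values are assumptions.
$VpnSubnet = '10.8.42.0/24'                     # OpenVPN pool (assumed from the log above)
$RuleName  = 'Allow inbound from OpenVPN subnet'

# Idempotent: only create the rule if it does not already exist
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -RemoteAddress $VpnSubnet `          # scope: VPN pool only, not "Any"
        -Action Allow `
        -Profile Private `                   # keep it off Public (hotel Wi-Fi etc.)
        -Enabled True | Out-Null
}

# Verify the remote-address scope that is actually attached to the rule
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run it from an elevated PowerShell; the verification step should print the VPN subnet and nothing broader.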

Okay, thanks.
Rule is on "PC"