Yet another OpenVPN Client fail

Hello, all. I've followed the OpenVPN client instructions here, but I am unable to connect from LAN clients to the internet when OpenVPN is running. With either TCP or UDP, LAN clients cannot access the Internet. Stop OpenVPN, and there's immediate connectivity.

I've looked at recent threads with similar issues, but no solution presented itself. I'm pretty sure I'm overlooking something simple.

I created my .ovpn file, thusly:
(contents suggested by VPN provider script located here; ugly coding is all me, after filing off serial numbers)


#!/bin/sh
# Build /etc/openvpn/vpnclient.ovpn from the provider's config bundle:
# fetch the zip, keep only its CA certificate, write a fixed client
# stanza, then append every "remote" line from the tor* profiles with
# the port rewritten from 1194 to 443.

rm -rf /tmp/ovpn-create
mkdir /tmp/ovpn-create

wget -O /tmp/ovpn-create/nh_configs.zip https://www.newshosting.com/vpn/software/nh_configs.zip
mkdir /tmp/ovpn-create/nh_configs
unzip /tmp/ovpn-create/nh_configs.zip -d /tmp/ovpn-create/nh_configs
# Only the provider CA is taken from the bundle; it is what remote-cert-tls
# verifies the server certificate against.
cp -f /tmp/ovpn-create/nh_configs/vpn.crt /etc/openvpn/vpn.crt
# Fixed part of the client config. vpnclient.auth holds the username and
# password in clear text, so keep it root-owned and mode 600.
cat << "EOF" > /etc/openvpn/vpnclient.ovpn
client
dev tun
proto udp
remote-random
resolv-retry 10
nobind
persist-key
persist-tun
persist-remote-ip
ca /etc/openvpn/vpn.crt

tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/vpnclient.auth
auth-nocache
comp-lzo
verb 3

auth SHA256
cipher AES-256-CBC

EOF

# Append the server list; sed rewrites the provider's port 1194 to 443.
grep -hF "remote " /tmp/ovpn-create/nh_configs/tor*.ovpn | sed s/1194/443/ >> /etc/openvpn/vpnclien$

This generates the following .ovpn file:

client
dev tun
proto udp
remote-random
resolv-retry 10
nobind
persist-key
persist-tun
persist-remote-ip
ca /etc/openvpn/vpn.crt

tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/vpnclient.auth
auth-nocache
comp-lzo
verb 3

auth SHA256
cipher AES-256-CBC


remote tor-a01.wlvpn.com 443
remote tor-a02.wlvpn.com 443
remote tor-a03.wlvpn.com 443
remote tor-a04.wlvpn.com 443
remote tor-a05.wlvpn.com 443
remote tor-a06.wlvpn.com 443
remote tor-a07.wlvpn.com 443
remote tor-a08.wlvpn.com 443
remote tor-a09.wlvpn.com 443
remote tor-a10.wlvpn.com 443
remote tor-a11.wlvpn.com 443
remote tor-a12.wlvpn.com 443
remote tor-a13.wlvpn.com 443
remote tor-a14.wlvpn.com 443
remote tor-a15.wlvpn.com 443
remote tor-a16.wlvpn.com 443
remote tor-a17.wlvpn.com 443
remote tor-a18.wlvpn.com 443
remote tor-a19.wlvpn.com 443
remote tor-a20.wlvpn.com 443

Starting OpenVPN using UDP, verb 7:

root@router:~# service log restart; service openvpn start; sleep 10;  ps | grep [o]penvpn; echo && logread -e openvpn
12494 root      3116 S    /usr/sbin/openvpn --syslog openvpn(vpnclient) --status /var/run/openvpn.

Thu Dec 27 16:11:10 2018 daemon.notice openvpn(vpnclient)[12494]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Dec 27 16:11:10 2018 daemon.notice openvpn(vpnclient)[12494]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Thu Dec 27 16:11:10 2018 daemon.notice openvpn(vpnclient)[12494]: LZO compression initializing
Thu Dec 27 16:11:10 2018 daemon.notice openvpn(vpnclient)[12494]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: calc_options_string_link_mtu: link-mtu 1622 -> 1570
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: calc_options_string_link_mtu: link-mtu 1622 -> 1570
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: TCP/UDP: Preserving recently used remote address: [AF_INET]216.151.184.7:443
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP link local: (not bound)
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP link remote: [AF_INET]216.151.184.7:443
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [14] to [AF_INET]216.151.184.7:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP READ [26] from [AF_INET]216.151.184.7:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: TLS: Initial packet from [AF_INET]216.151.184.7:443, sid=b9eb6199 43318c63
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [22] to [AF_INET]216.151.184.7:443: P_ACK_V1 kid=0 [ 0 ]
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [178] to [AF_INET]216.151.184.7:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=164
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP READ [1200] from [AF_INET]216.151.184.7:443: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1174
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [22] to [AF_INET]216.151.184.7:443: P_ACK_V1 kid=0 [ 1 ]
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP READ [1188] from [AF_INET]216.151.184.7:443: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1174
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [22] to [AF_INET]216.151.184.7:443: P_ACK_V1 kid=0 [ 2 ]
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP READ [371] from [AF_INET]216.151.184.7:443: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=357
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: VERIFY OK: depth=1, C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=VPN, name=VPN, emailAddress=VPN
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: VERIFY KU OK
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: Validating certificate extended key usage
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: VERIFY EKU OK
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: VERIFY OK: depth=0, C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=vpn, name=VPN
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [152] to [AF_INET]216.151.184.7:443: P_CONTROL_V1 kid=0 [ 3 ] pid=2 DATA len=126
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP READ [77] from [AF_INET]216.151.184.7:443: P_CONTROL_V1 kid=0 [ 2 ] pid=4 DATA len=51
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [465] to [AF_INET]216.151.184.7:443: P_CONTROL_V1 kid=0 [ 4 ] pid=3 DATA len=439
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP READ [263] from [AF_INET]216.151.184.7:443: P_CONTROL_V1 kid=0 [ 3 ] pid=5 DATA len=237
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [22] to [AF_INET]216.151.184.7:443: P_ACK_V1 kid=0 [ 5 ]
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Dec 27 16:11:11 2018 daemon.notice openvpn(vpnclient)[12494]: [vpn] Peer Connection Initiated with [AF_INET]216.151.184.7:443
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [56] to [AF_INET]216.151.184.7:443: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=42
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: UDP READ [22] from [AF_INET]216.151.184.7:443: P_ACK_V1 kid=0 [ 4 ]
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: UDP READ [337] from [AF_INET]216.151.184.7:443: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=323
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 493216,sndbuf 493216,explicit-exit-notify 5,comp-lzo no,route-gateway 172.21.82.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.21.82.229 255.255.254.0,peer-id 2,cipher AES-256-GCM'
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: explicit notify parm(s) modified
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: compression parms modified
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: route options modified
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: route-related options modified
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: peer-id set
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: OPTIONS IMPORT: data channel crypto options modified
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 48 bytes
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: TUN/TAP device tun0 opened
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: TUN/TAP TX queue length set to 100
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: /sbin/ifconfig tun0 172.21.82.229 netmask 255.255.254.0 mtu 1500 broadcast 172.21.83.255
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: /sbin/route add -net 216.151.184.7 netmask 255.255.255.255 gw 192.168.209.1
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.21.82.1
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.21.82.1
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: Initialization Sequence Completed
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [22] to [AF_INET]216.151.184.7:443: P_ACK_V1 kid=0 [ 6 ]
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [101] to [AF_INET]216.151.184.7:443: P_DATA_V2 kid=0 DATA len=100
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [101] to [AF_INET]216.151.184.7:443: P_DATA_V2 kid=0 DATA len=100
Thu Dec 27 16:11:12 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [101] to [AF_INET]216.151.184.7:443: P_DATA_V2 kid=0 DATA len=100
Thu Dec 27 16:11:13 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [101] to [AF_INET]216.151.184.7:443: P_DATA_V2 kid=0 DATA len=100
Thu Dec 27 16:11:13 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [65] to [AF_INET]216.151.184.7:443: P_DATA_V2 kid=0 DATA len=64
Thu Dec 27 16:11:14 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [65] to [AF_INET]216.151.184.7:443: P_DATA_V2 kid=0 DATA len=64
Thu Dec 27 16:11:15 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [65] to [AF_INET]216.151.184.7:443: P_DATA_V2 kid=0 DATA len=64
Thu Dec 27 16:11:17 2018 daemon.notice openvpn(vpnclient)[12494]: UDP WRITE [65] to [AF_INET]216.151.184.7:443: P_DATA_V2 kid=0 DATA len=64

Starting OpenVPN using TCP, verb 7:

root@router:~# service log restart; service openvpn start; sleep 10;  ps | grep [o]penvpn; echo && logread -e openvpn
12712 root      3120 S    /usr/sbin/openvpn --syslog openvpn(vpnclient) --status /var/run/openvpn.

Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: LZO compression initializing
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: calc_options_string_link_mtu: link-mtu 1624 -> 1572
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: calc_options_string_link_mtu: link-mtu 1624 -> 1572
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: TCP/UDP: Preserving recently used remote address: [AF_INET]216.151.184.29:443
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Dec 27 16:13:32 2018 daemon.notice openvpn(vpnclient)[12712]: Attempting to establish TCP connection with [AF_INET]216.151.184.29:443 [nonblock]
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP connection established with [AF_INET]216.151.184.29:443
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT link local: (not bound)
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT link remote: [AF_INET]216.151.184.29:443
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [14] to [AF_INET]216.151.184.29:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT READ [26] from [AF_INET]216.151.184.29:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TLS: Initial packet from [AF_INET]216.151.184.29:443, sid=9312de2b bca9a061
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [22] to [AF_INET]216.151.184.29:443: P_ACK_V1 kid=0 [ 0 ]
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [178] to [AF_INET]216.151.184.29:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=164
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT READ [1196] from [AF_INET]216.151.184.29:443: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1170
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [22] to [AF_INET]216.151.184.29:443: P_ACK_V1 kid=0 [ 1 ]
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT READ [1184] from [AF_INET]216.151.184.29:443: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1170
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [22] to [AF_INET]216.151.184.29:443: P_ACK_V1 kid=0 [ 2 ]
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT READ [379] from [AF_INET]216.151.184.29:443: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=365
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: VERIFY OK: depth=1, C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=VPN, name=VPN, emailAddress=VPN
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: VERIFY KU OK
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: Validating certificate extended key usage
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: VERIFY EKU OK
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: VERIFY OK: depth=0, C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=vpn, name=VPN
Thu Dec 27 16:13:33 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [152] to [AF_INET]216.151.184.29:443: P_CONTROL_V1 kid=0 [ 3 ] pid=2 DATA len=126
Thu Dec 27 16:13:34 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT READ [77] from [AF_INET]216.151.184.29:443: P_CONTROL_V1 kid=0 [ 2 ] pid=4 DATA len=51
Thu Dec 27 16:13:34 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [472] to [AF_INET]216.151.184.29:443: P_CONTROL_V1 kid=0 [ 4 ] pid=3 DATA len=446
Thu Dec 27 16:13:34 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT READ [270] from [AF_INET]216.151.184.29:443: P_CONTROL_V1 kid=0 [ 3 ] pid=5 DATA len=244
Thu Dec 27 16:13:34 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [22] to [AF_INET]216.151.184.29:443: P_ACK_V1 kid=0 [ 5 ]
Thu Dec 27 16:13:34 2018 daemon.notice openvpn(vpnclient)[12712]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Dec 27 16:13:34 2018 daemon.notice openvpn(vpnclient)[12712]: [vpn] Peer Connection Initiated with [AF_INET]216.151.184.29:443
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [56] to [AF_INET]216.151.184.29:443: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=42
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT READ [22] from [AF_INET]216.151.184.29:443: P_ACK_V1 kid=0 [ 4 ]
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT READ [308] from [AF_INET]216.151.184.29:443: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=294
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,explicit-exit-notify 5,comp-lzo no,route-gateway 172.21.86.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.21.86.17 255.255.254.0,peer-id 0,cipher AES-256-GCM'
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: OPTIONS IMPORT: compression parms modified
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: OPTIONS IMPORT: route options modified
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: OPTIONS IMPORT: route-related options modified
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: OPTIONS IMPORT: peer-id set
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: OPTIONS IMPORT: adjusting link_mtu to 1627
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: OPTIONS IMPORT: data channel crypto options modified
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 48 bytes
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: Data Channel MTU parms [ L:1555 D:1450 EF:55 EB:406 ET:0 EL:3 ]
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: TUN/TAP device tun0 opened
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: TUN/TAP TX queue length set to 100
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: /sbin/ifconfig tun0 172.21.86.17 netmask 255.255.254.0 mtu 1500 broadcast 172.21.87.255
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: /sbin/route add -net 216.151.184.29 netmask 255.255.255.255 gw 192.168.209.1
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.21.86.1
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.21.86.1
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: Initialization Sequence Completed
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [22] to [AF_INET]216.151.184.29:443: P_ACK_V1 kid=0 [ 6 ]
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [101] to [AF_INET]216.151.184.29:443: P_DATA_V2 kid=0 DATA len=100
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [101] to [AF_INET]216.151.184.29:443: P_DATA_V2 kid=0 DATA len=100
Thu Dec 27 16:13:35 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [101] to [AF_INET]216.151.184.29:443: P_DATA_V2 kid=0 DATA len=100
Thu Dec 27 16:13:36 2018 daemon.notice openvpn(vpnclient)[12712]: TCP_CLIENT WRITE [101] to [AF_INET]216.151.184.29:443: P_DATA_V2 kid=0 DATA len=100

The rest of the troubleshooting steps from the link at top:

root@router:~# uci show firewall; echo && uci show network; echo && uci show openvpn; echo
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnclient'

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd23:f5fa:c15a::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.3.1'
network.lan.delegate='0'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.vpnclient=interface
network.vpnclient.ifname='tun0'
network.vpnclient.proto='none'

openvpn.custom_config=openvpn
openvpn.custom_config.enabled='0'
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.enabled='0'
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.enabled='0'
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'
openvpn.vpnclient=openvpn
openvpn.vpnclient.enabled='1'
openvpn.vpnclient.config='/etc/openvpn/vpnclient.ovpn'
openvpn.vpnclient.verb='7'
openvpn.vpnclient.proto='tcp'

(setting proto and verb, as per the troubleshooting instructions in the first link up top, was completely ineffectual, so I modified my .ovpn as required)

root@router:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.21.86.1     128.0.0.0       UG    0      0        0 tun0
default         192.168.209.1   0.0.0.0         UG    0      0        0 eth1.2
128.0.0.0       172.21.86.1     128.0.0.0       UG    0      0        0 tun0
172.21.86.0     *               255.255.254.0   U     0      0        0 tun0
192.168.3.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.209.0   *               255.255.255.0   U     0      0        0 eth1.2
216.151.184.29  192.168.209.1   255.255.255.255 UGH   0      0        0 eth1.2

Thanks in advance!
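Added example (not part of the thread): a POSIX sh script that runs the structural checks I would apply to the dumps above before asking for anything else. It embeds trimmed copies of the `uci show firewall`, `route` and PUSH_REPLY output from this post as constructed sample input; on a router you would feed it live output instead (`uci show firewall`, `route -n`, `logread -e PUSH_REPLY`, the .ovpn). The function names (`fw_get`, `def1_via`, `audit`, ...) are my own. Two things it surfaces that the dumps already show: the pushed `dhcp-option DNS 198.18.0.1/2` lines are, on Linux, only exported to an `--up` script as `foreign_option_N` environment variables, and the posted .ovpn has no `up` line, so nothing on the router applies them; and `lan -> wan` forwarding is still present next to `lan -> vpnclient`, so the moment tun0 drops, LAN traffic follows the plain default route out eth1.2 unencrypted (there is no kill switch). The posted zone, forwarding and route setup passes the hard checks, which is consistent with the thread not having found the cause.

```shell
#!/bin/sh
# Added diagnostic for an OpenVPN client on an OpenWrt router. Not from the
# thread: the samples below are trimmed copies of the poster's dumps
# (constructed input); on a live box feed in `uci show firewall`,
# `route -n`, `logread -e PUSH_REPLY` and the .ovpn instead.

FW=$(cat <<'EOF'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnclient'
EOF
)
RT=$(cat <<'EOF'
default         172.21.86.1     128.0.0.0       UG    0      0        0 tun0
default         192.168.209.1   0.0.0.0         UG    0      0        0 eth1.2
128.0.0.0       172.21.86.1     128.0.0.0       UG    0      0        0 tun0
192.168.3.0     *               255.255.255.0   U     0      0        0 br-lan
216.151.184.29  192.168.209.1   255.255.255.255 UGH   0      0        0 eth1.2
EOF
)
PUSH="PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,route-gateway 172.21.86.1,topology subnet,ifconfig 172.21.86.17 255.255.254.0,cipher AES-256-GCM"
OVPN="client
dev tun
ca /etc/openvpn/vpn.crt
remote-cert-tls server
auth-user-pass /etc/openvpn/vpnclient.auth"

# fw_get SECTION OPTION: value of firewall.SECTION.OPTION (e.g. '@zone[2]' masq).
fw_get() {
    sec=$(printf '%s' "$1" | sed 's/\[/\\[/g')
    printf '%s\n' "$FW" | sed -n "s/^firewall\.$sec\.$2='\(.*\)'\$/\1/p"
}

# Section name of the zone whose network list contains $1.
zone_with_network() {
    printf '%s\n' "$FW" | sed -n "s/^firewall\.\(@zone\[[0-9]*]\)\.network=.*'$1'.*/\1/p"
}

# True if some forwarding section goes from zone $1 to zone $2.
forwarding_exists() {
    i=0
    while [ -n "$(fw_get "@forwarding[$i]" src)" ]; do
        [ "$(fw_get "@forwarding[$i]" src)" = "$1" ] &&
            [ "$(fw_get "@forwarding[$i]" dest)" = "$2" ] && return 0
        i=$((i + 1))
    done
    return 1
}

# True if both redirect-gateway def1 halves (0/1 and 128/1) leave via $1.
def1_via() {
    printf '%s\n' "$RT" | awk -v ifc="$1" '
        $3 == "128.0.0.0" && $NF == ifc {
            if ($1 == "default" || $1 == "0.0.0.0") low = 1
            else if ($1 == "128.0.0.0") high = 1
        }
        END { exit !(low && high) }'
}

# Interfaces still holding a plain 0.0.0.0/0 default: the path packets take
# the instant tun0 disappears.
bare_default_ifaces() {
    printf '%s\n' "$RT" |
        awk '($1 == "default" || $1 == "0.0.0.0") && $3 == "0.0.0.0" { print $NF }'
}

# Resolvers the server pushed. OpenVPN on Linux does not install these; it
# only hands them to an --up script as foreign_option_N.
pushed_dns() {
    printf '%s\n' "$PUSH" | tr ',' '\n' | sed -n 's/^dhcp-option DNS //p'
}

has_up_script() { printf '%s\n' "$OVPN" | grep -q '^up '; }

# Print one line per finding; return the number of hard failures.
audit() {
    fails=0
    vz=$(zone_with_network vpnclient)
    if [ -z "$vz" ]; then
        echo "FAIL: no firewall zone lists network 'vpnclient'"; fails=$((fails + 1))
    else
        zn=$(fw_get "$vz" name)
        [ "$(fw_get "$vz" masq)" = 1 ] || { echo "FAIL: zone $zn needs masq='1'"; fails=$((fails + 1)); }
        [ "$(fw_get "$vz" mtu_fix)" = 1 ] || echo "WARN: zone $zn lacks mtu_fix='1' (MSS clamping)"
        forwarding_exists lan "$zn" || { echo "FAIL: no forwarding lan -> $zn"; fails=$((fails + 1)); }
    fi
    def1_via tun0 || { echo "FAIL: def1 routes via tun0 missing"; fails=$((fails + 1)); }
    if [ -n "$(bare_default_ifaces)" ] && forwarding_exists lan wan; then
        echo "WARN: default via $(bare_default_ifaces | tr '\n' ' ')plus lan -> wan forwarding: LAN traffic leaves unencrypted when tun0 is down"
    fi
    if [ -n "$(pushed_dns)" ] && ! has_up_script; then
        echo "WARN: pushed DNS $(pushed_dns | tr '\n' ' ')is not applied: no 'up' script in the .ovpn"
    fi
    echo "hard failures: $fails"
    return "$fails"
}

audit
```

On the sample the script reports zero hard failures and the two warnings above. A quick way to separate routing from name resolution on a LAN client while the tunnel is up is to ping a public address by IP and, separately, resolve a name; if only the second fails, the firewall and routes are not where to look.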

Hi, did you resolve your issue? If so, what was the solution?

I seem to be in the same predicament - can't connect from LAN through the router, which is running openvpn just fine (akin to your first paragraph).

Nope, never resolved. I assume I should just "know" the solution, since the silence was so deafening.

What is your question? Are you running the OpenVPN client on the router? You should configure the firewall to make it work.

Pretty sure the question, in both cases, was "what are we doing wrong?" The first paragraph in my OP sums it up pretty well.

I followed the instructions linked in the first paragraph to the letter. What further config is required?

More importantly, why is documentation missing something so crucial?

Note the OP was a year ago. I have not attempted since. I'm no neophyte, but I'm no expert either; I'm not familiar enough with firewall rules to troubleshoot (can't imagine I'm alone in this). The resounding silence certainly left a bitter taste in my mouth.

OK, I don't like reading uci output; please provide the contents of /etc/config/network and /etc/config/firewall.