OpenVPN Server connection problem

Hi everyone,
I recently bought an OMNIA and like the functionality very much but I have a problem with the built-in OpenVPN server. To be honest I am a bit new to the whole topic. I am familiar with computer issues/topics but not too much with linux. Some ASUS Tomato experience but not much more. For sure I am ready to learn a lot now… :slightly_smiling_face:
Omnia OS version is 3.11.2
VPN Package download was OK.
Client configuration was created and I downloaded it on an Android Samsung S8, client is OpenVPN for Android, version 0.7.8.
I put in my static public IP address (as the server IP with port 1194) on the client. No further changes of the client configuration.
The OMNIA firewall VPN rule shown in LuCI was created automatically (vpn_turris_rule) and is activated: “any computer in WAN to any router IP and port 1194 in the device”.
I did not do changes of the firewall rules.
With that setup I do get the error message: ECONNREFUSED, connection refused (code 111) on the client.
WLAN was switched off, normal access through the mobile phone carrier.
The weird thing is that a portscan on the computer shows the OMNIA port 1194 as being closed. Open ports are 23, 8080 and 3128. I do not want these ports to be open but that is another topic.
I checked related posts in this really helpful forum but unfortunately that did not help to fix the issue.
Any suggestion from you would be much appreciated.
I would like to retrieve some log files from the Omnia but did not yet get an idea how.

Thank you

Wulf

Is Port 1194 open to WAN? (It looks like you checked it on the LAN interface with your PC). Check using a public port scan service.

Did you choose UDP or TCP?

Does your your ISP give you a full ipv4 stack (no DSlight whatsoever)

What does router log say (see LUCI -> Status -> System Log or cat /var/log/messages or grep „openvpn“ /var/log/messages (only shows openvpn output))? If there is no output from OpenVPN server the problem ist before the server (Client -> ISP -> TO firewall -> OpenVPN server)

Post corresponding Client and Server Log

Did you try to turn it off and on again? :grin:

Edit:

Does your Mobile Phone ISP block outgoing vpn connections?

Can you try on a diffrent client? Can you try from a remote Wifi?

Edit 2:

Is your OpenVPN client on your phone allowed to use mobile connection?

Have you followed our documentation on doc.turris.cz?

https://doc.turris.cz/doc/en/howto/openvpn_plugin#configuring_openvpn_on_the_client_side

You must to create and download client configuration file. Then import this file to OpenVPN client on your device you wish to connect to the VPN network.

You have probably enabled data collection. There are simple honeypots (called minipots) on these ports to trap bad guys trying to log in to you router. You can disable minipots in Data collection tab in the Foris.

PS: create another topic next time for different questions.

Thank you for the link. Yes, I did it exactly that way as described in the documentation. Including the import into the client and applied the static IP address.

Data collection is not yet enabled, so I assume there are no honeypots existing. Sorry for not creating an extra topic for the port issues.

[quote=“protree, post:2, topic:9752”]
Is Port 1194 open to WAN? (It looks like you checked it on the LAN interface with your PC). Check using a public port scan service.
#Thank you for all of the ideas! I did use public port scan services like an UDP scan on pentest-tools.com and also with other public providers. Only UDP port 1900 (upnp) seems to be open but filtered. According to the scan results UDP 1194 is closed.

Did you choose UDP or TCP?
#UDP

Does your your ISP give you a full ipv4 stack (no DSlight whatsoever)
#That is a good question. As far as I know it is a full public IPv4 address and fortunately not DSLite. Hesitant but finally my ISP gave me an IPv4 address as I told him that I need it for VPN access from abroad. But I have to check again on Monday if that is a real IPv4 one or if CG-NAT occurs at his end of the network to a public IPv6 address. If I put my public static IPv4 into whatismyipaddress.com I get the name of my ISP provider, Type: “corporate”, services: “none detected”, assignment: “static IP” etc. So it looks like being a real IPv4 one.

What does router log say (see LUCI -> Status -> System Log or cat /var/log/messages or grep „openvpn“ /var/log/messages (only shows openvpn output))? If there is no output from OpenVPN server the problem ist before the server (Client -> ISP -> TO firewall -> OpenVPN server)
#System log does not show anything about the process of the VPN connection… so I think you are right, the problem occurs before the server is reached! Makes sense. Grep oenvpn I must try

Post corresponding Client and Server Log
#Sure. Will do so later on

Did you try to turn it off and on again? :grin:
#Yes, several times. :slight_smile: I did even restore to the first (clean) OMNIA configuration file I have saved after installing the device. To ensure that no changes I have done afterwards (only minor ones like hooking up a SSD) might have interfered.
Edit:

Does your Mobile Phone ISP block outgoing vpn connections?
#Honestly I do not know. I work with Vodafone. I assume it should not be blocked. Otherwise nobody could easily use VPN though that ISP.

Can you try on a diffrent client? Can you try from a remote Wifi?
#Good point. I will try during the weekend.

Edit 2:

Is your OpenVPN client on your phone allowed to use mobile connection?
#I did not see a place where I can check or change that. But if I start the VPN-client connection to the server I can see that the phone is trying to connect, the small arrows (inbound/outbound traffic) next to the signal strength gauge are flashing instantly until I cut the attempt…
The weird thing is that I was able to connect quickly exactly one time after installation. Then never again.
Again, thanks a lot for your help!

That makes me curious. Ports are 23, 8080 and 3128 should be open to WAN, too, if you configured data collection as @vojtech.myslivec pointed out. So I think it‘s most likely that either you use a wrong WAN IP to scan and connect to or your ISP is blocking incoming traffic / there is a provider NAT in between.

Maybe try to prove this by trying to open a port like SSH to WAN (easy to find out how it works, see turris docs (link above)/openwrt docs) and then try to connect to it from remote connection and use something like ncat to try to see if ports 22/23/8080/3128/1194 are open. Maybe use an uncommon port for ssh test. As long as your root password isn‘t too bad and you open port only for a short time for testing I think this isn‘t too unsecure.

Nevertheless, you have some points to work through. Let us know if you need further assistance :+1:t3:

EDIT: And it‘s weird that you see port 1900 open… Again, correct ip? :smile:

EDIT 2: How does you TO get WAN access? Maybe you need to open ports on the modem/router in front of your TO, too? Is the WAN-IP in Turris Web Interface the IP you get when accessing something like ipv6-test.com ?

1 Like

#ipv6-test.com shows my public IPv4, same thing as in the Turris Web interface. That seems to be OK. It’s seems to be a real static public IPv4 address. There are no ports I have to open. In this straight test setup TO is the first line of defense behind the modem of the ISP, because TO has a firewall built in. Then there is the PC behind the TO. I can put the PC behind a second Firewall. But I thought TO is a good solution as being the first (FW)-device against threats of the internet, true? And by being the first device I can have the VPN connection without messing with opening ports etc. on a second router/FW.
Below as you asked for this is the log of the Android VPN client trying to connect to the TO VPN-Server. There is no VPN-related action in the TO System Log during that connection attempt. I could post the TO System Log of today but it has 250 pages… maybe a bit too much here!:grinning:

2019-03-16 21:44:08 offizielle Version 0.7.8 läuft auf samsung SM-G950F (universal8895), Android 9 API 28, ABI arm64-v8a, (samsung/dreamltexx/dreamlte:9/:user/release-keys)
2019-03-16 21:44:08 Generiere OpenVPN-Konfiguration…
2019-03-16 21:44:09 started Socket Thread
2019-03-16 21:44:09 Netzwerkstatus: CONNECTED EDGE to MOBILE web.vodafone.de
2019-03-16 21:44:09 Debug state info: CONNECTED EDGE to MOBILE web.vodafone.de, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-03-16 21:44:09 Debug state info: CONNECTED EDGE to MOBILE web.vodafone.de, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-03-16 21:44:09 WARNING: Compression enabled, Compression has been used in the past to break encryption. Enabling decompression of received packet only. Sent packets are not compressed.
2019-03-16 21:44:09 WARNING: Compression enabled, Compression has been used in the past to break encryption. Enabling decompression of received packet only. Sent packets are not compressed.
2019-03-16 21:44:09 Current Parameter Settings:
2019-03-16 21:44:09 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2019-03-16 21:44:09 mode = 0
2019-03-16 21:44:09 show_ciphers = DISABLED
2019-03-16 21:44:09 show_digests = DISABLED
2019-03-16 21:44:09 show_engines = DISABLED
2019-03-16 21:44:09 genkey = DISABLED
2019-03-16 21:44:09 key_pass_file = '[UNDEF]'
2019-03-16 21:44:09 show_tls_ciphers = DISABLED
2019-03-16 21:44:09 connect_retry_max = 0
2019-03-16 21:44:09 Connection profiles [0]:
2019-03-16 21:44:09 proto = udp
2019-03-16 21:44:09 local = '[UNDEF]'
2019-03-16 21:44:09 local_port = '[UNDEF]'
2019-03-16 21:44:09 Warte 0s Sekunden zwischen zwei Verbindungsversuchen
2019-03-16 21:44:09 Could not protect VPN socket
2019-03-16 21:44:09 remote = 'XXX.XX.XXX.XX'
2019-03-16 21:44:09 remote_port = '1194'
2019-03-16 21:44:09 remote_float = DISABLED
2019-03-16 21:44:09 bind_defined = DISABLED
2019-03-16 21:44:09 bind_local = DISABLED
2019-03-16 21:44:09 bind_ipv6_only = DISABLED
2019-03-16 21:44:09 connect_retry_seconds = 2
2019-03-16 21:44:09 connect_timeout = 120
2019-03-16 21:44:09 socks_proxy_server = '[UNDEF]'
2019-03-16 21:44:09 socks_proxy_port = '[UNDEF]'
2019-03-16 21:44:09 tun_mtu = 1500
2019-03-16 21:44:09 tun_mtu_defined = ENABLED
2019-03-16 21:44:09 link_mtu = 1500
2019-03-16 21:44:09 link_mtu_defined = DISABLED
2019-03-16 21:44:09 tun_mtu_extra = 0
2019-03-16 21:44:09 tun_mtu_extra_defined = DISABLED
2019-03-16 21:44:09 mtu_discover_type = -1
2019-03-16 21:44:09 fragment = 0
2019-03-16 21:44:09 mssfix = 1450
2019-03-16 21:44:09 explicit_exit_notification = 0
2019-03-16 21:44:09 tls_auth_file = '[UNDEF]'
2019-03-16 21:44:09 key_direction = not set
2019-03-16 21:44:09 tls_crypt_file = '[UNDEF]'
2019-03-16 21:44:09 tls_crypt_v2_file = '[UNDEF]'
2019-03-16 21:44:09 Connection profiles END
2019-03-16 21:44:09 remote_random = DISABLED
2019-03-16 21:44:09 ipchange = '[UNDEF]'
2019-03-16 21:44:09 dev = 'tun'
2019-03-16 21:44:09 dev_type = '[UNDEF]'
2019-03-16 21:44:09 dev_node = '[UNDEF]'
2019-03-16 21:44:09 lladdr = '[UNDEF]'
2019-03-16 21:44:09 topology = 1
2019-03-16 21:44:09 ifconfig_local = '[UNDEF]'
2019-03-16 21:44:09 ifconfig_remote_netmask = '[UNDEF]'
2019-03-16 21:44:09 ifconfig_noexec = DISABLED
2019-03-16 21:44:09 ifconfig_nowarn = ENABLED
2019-03-16 21:44:09 ifconfig_ipv6_local = '[UNDEF]'
2019-03-16 21:44:09 ifconfig_ipv6_netbits = 0
2019-03-16 21:44:09 ifconfig_ipv6_remote = '[UNDEF]'
2019-03-16 21:44:09 shaper = 0
2019-03-16 21:44:09 mtu_test = 0
2019-03-16 21:44:09 mlock = DISABLED
2019-03-16 21:44:09 keepalive_ping = 0
2019-03-16 21:44:09 keepalive_timeout = 0
2019-03-16 21:44:09 inactivity_timeout = 0
2019-03-16 21:44:09 ping_send_timeout = 0
2019-03-16 21:44:09 ping_rec_timeout = 0
2019-03-16 21:44:09 ping_rec_timeout_action = 0
2019-03-16 21:44:09 ping_timer_remote = DISABLED
2019-03-16 21:44:09 remap_sigusr1 = 0
2019-03-16 21:44:09 persist_tun = ENABLED
2019-03-16 21:44:09 persist_local_ip = DISABLED
2019-03-16 21:44:09 persist_remote_ip = DISABLED
2019-03-16 21:44:09 persist_key = DISABLED
2019-03-16 21:44:09 passtos = DISABLED
2019-03-16 21:44:09 resolve_retry_seconds = 1000000000
2019-03-16 21:44:09 resolve_in_advance = ENABLED
2019-03-16 21:44:09 username = '[UNDEF]'
2019-03-16 21:44:09 groupname = '[UNDEF]'
2019-03-16 21:44:09 chroot_dir = '[UNDEF]'
2019-03-16 21:44:09 cd_dir = '[UNDEF]'
2019-03-16 21:44:09 writepid = '[UNDEF]'
2019-03-16 21:44:09 up_script = '[UNDEF]'
2019-03-16 21:44:09 down_script = '[UNDEF]'
2019-03-16 21:44:09 down_pre = DISABLED
2019-03-16 21:44:09 up_restart = DISABLED
2019-03-16 21:44:09 up_delay = DISABLED
2019-03-16 21:44:09 daemon = DISABLED
2019-03-16 21:44:09 inetd = 0
2019-03-16 21:44:09 log = DISABLED
2019-03-16 21:44:09 suppress_timestamps = DISABLED
2019-03-16 21:44:09 machine_readable_output = ENABLED
2019-03-16 21:44:09 nice = 0
2019-03-16 21:44:09 verbosity = 4
2019-03-16 21:44:09 mute = 0
2019-03-16 21:44:09 gremlin = 0
2019-03-16 21:44:09 status_file = '[UNDEF]'
2019-03-16 21:44:09 status_file_version = 1
2019-03-16 21:44:09 status_file_update_freq = 60
2019-03-16 21:44:09 occ = ENABLED
2019-03-16 21:44:09 rcvbuf = 0
2019-03-16 21:44:09 sndbuf = 0
2019-03-16 21:44:09 sockflags = 0
2019-03-16 21:44:09 fast_io = DISABLED
2019-03-16 21:44:09 comp.alg = 2
2019-03-16 21:44:09 comp.flags = 0
2019-03-16 21:44:09 route_script = '[UNDEF]'
2019-03-16 21:44:09 route_default_gateway = '[UNDEF]'
2019-03-16 21:44:09 route_default_metric = 0
2019-03-16 21:44:09 route_noexec = DISABLED
2019-03-16 21:44:09 route_delay = 0
2019-03-16 21:44:09 route_delay_window = 30
2019-03-16 21:44:09 route_delay_defined = DISABLED
2019-03-16 21:44:09 route_nopull = DISABLED
2019-03-16 21:44:09 route_gateway_via_dhcp = DISABLED
2019-03-16 21:44:09 allow_pull_fqdn = DISABLED
2019-03-16 21:44:09 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2019-03-16 21:44:09 management_port = 'unix'
2019-03-16 21:44:09 management_user_pass = '[UNDEF]'
2019-03-16 21:44:09 management_log_history_cache = 250
2019-03-16 21:44:09 management_echo_buffer_size = 100
2019-03-16 21:44:09 management_write_peer_info_file = '[UNDEF]'
2019-03-16 21:44:09 management_client_user = '[UNDEF]'
2019-03-16 21:44:09 management_client_group = '[UNDEF]'
2019-03-16 21:44:09 management_flags = 294
2019-03-16 21:44:09 shared_secret_file = '[UNDEF]'
2019-03-16 21:44:09 key_direction = not set
2019-03-16 21:44:09 ciphername = 'BF-CBC'
2019-03-16 21:44:09 ncp_enabled = ENABLED
2019-03-16 21:44:09 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2019-03-16 21:44:09 authname = 'SHA1'
2019-03-16 21:44:09 prng_hash = 'SHA1'
2019-03-16 21:44:09 prng_nonce_secret_len = 16
2019-03-16 21:44:09 keysize = 0
2019-03-16 21:44:09 engine = DISABLED
2019-03-16 21:44:09 replay = ENABLED
2019-03-16 21:44:09 mute_replay_warnings = ENABLED
2019-03-16 21:44:09 replay_window = 64
2019-03-16 21:44:09 replay_time = 15
2019-03-16 21:44:09 packet_id_file = '[UNDEF]'
2019-03-16 21:44:09 test_crypto = DISABLED
2019-03-16 21:44:09 tls_server = DISABLED
2019-03-16 21:44:09 tls_client = ENABLED
2019-03-16 21:44:09 key_method = 2
2019-03-16 21:44:09 ca_file = '[[INLINE]]'
2019-03-16 21:44:09 ca_path = '[UNDEF]'
2019-03-16 21:44:09 dh_file = '[UNDEF]'
2019-03-16 21:44:09 cert_file = '[[INLINE]]'
2019-03-16 21:44:09 extra_certs_file = '[UNDEF]'
2019-03-16 21:44:09 priv_key_file = '[[INLINE]]'
2019-03-16 21:44:09 pkcs12_file = '[UNDEF]'
2019-03-16 21:44:09 cipher_list = '[UNDEF]'
2019-03-16 21:44:09 cipher_list_tls13 = '[UNDEF]'
2019-03-16 21:44:09 tls_cert_profile = '[UNDEF]'
2019-03-16 21:44:09 tls_verify = '[UNDEF]'
2019-03-16 21:44:09 tls_export_cert = '[UNDEF]'
2019-03-16 21:44:09 verify_x509_type = 0
2019-03-16 21:44:09 verify_x509_name = '[UNDEF]'
2019-03-16 21:44:09 crl_file = '[UNDEF]'
2019-03-16 21:44:09 ns_cert_type = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 65535
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_ku[i] = 0
2019-03-16 21:44:09 remote_cert_eku = 'TLS Web Server Authentication'
2019-03-16 21:44:09 ssl_flags = 0
2019-03-16 21:44:09 tls_timeout = 2
2019-03-16 21:44:09 renegotiate_bytes = -1
2019-03-16 21:44:09 renegotiate_packets = 0
2019-03-16 21:44:09 renegotiate_seconds = 3600
2019-03-16 21:44:09 handshake_window = 60
2019-03-16 21:44:09 transition_window = 3600
2019-03-16 21:44:09 single_session = DISABLED
2019-03-16 21:44:09 push_peer_info = DISABLED
2019-03-16 21:44:09 tls_exit = DISABLED
2019-03-16 21:44:09 tls_crypt_v2_genkey_type = '[UNDEF]'
2019-03-16 21:44:09 tls_crypt_v2_genkey_file = '[UNDEF]'
2019-03-16 21:44:09 tls_crypt_v2_metadata = '[UNDEF]'
2019-03-16 21:44:09 client = ENABLED
2019-03-16 21:44:09 pull = ENABLED
2019-03-16 21:44:09 auth_user_pass_file = '[UNDEF]'
2019-03-16 21:44:09 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.8-0-g168367a5] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 22 2019
2019-03-16 21:44:09 library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.10
2019-03-16 21:44:09 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2019-03-16 21:44:09 MANAGEMENT: CMD 'version 3'
2019-03-16 21:44:09 MANAGEMENT: CMD 'hold release'
2019-03-16 21:44:09 LZO compression initializing
2019-03-16 21:44:09 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2019-03-16 21:44:09 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2019-03-16 21:44:09 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2019-03-16 21:44:09 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2019-03-16 21:44:09 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XX.XXX.XX:1194
2019-03-16 21:44:09 Socket Buffers: R=[229376->229376] S=[229376->229376]
2019-03-16 21:44:09 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-03-16 21:44:09 UDP link local: (not bound)
2019-03-16 21:44:09 UDP link remote: [AF_INET]XXX.XX.XXX.XX:1194
2019-03-16 21:44:09 MANAGEMENT: CMD 'bytecount 2'
2019-03-16 21:44:09 MANAGEMENT: CMD 'state on'
2019-03-16 21:44:10 read UDP [ECONNREFUSED]: Connection refused (code=111)
2019-03-16 21:44:11 read UDP [ECONNREFUSED]: Connection refused (code=111)
2019-03-16 21:44:14 Debug state info: CONNECTED EDGE to MOBILE web.vodafone.de, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-03-16 21:44:15 read UDP [ECONNREFUSED]: Connection refused (code=111)
2019-03-16 21:44:25 read UDP [ECONNREFUSED]: Connection refused (code=111)
2019-03-16 21:44:42 read UDP [ECONNREFUSED]: Connection refused (code=111)
2019-03-16 21:44:57 MANAGEMENT: CMD 'signal SIGINT'
2019-03-16 21:44:57 TCP/UDP: Closing socket
2019-03-16 21:44:57 SIGINT[hard,] received, process exiting
2019-03-16 21:44:57 MANAGEMENT: >STATE:1552769097,EXITING,SIGINT,,,,,

Yes, properly configured Turris device can (and should) be connected directly to the Internet without any additional firewall or NAT before it. If you need a modem or other CPE device to connect to your ISP, this device should be configured in bridge or pass through mode (or whatever the modem vendor call such mode) to have public IP(s) assigned straight to your Turris device.

If you are sure your Turris has correct public address on its WAN interface, I would suggest to:

  1. Check downloaded turris.conf file. Look for remote directive which hsould be followed by your public IP address
  2. Try another client. Official OpenVPN client on Linux (and Windows?) machine or TunnelBlick on OS X works perfectly,
  3. Switch OpenVPN to TCP mode. You can either scan it comfortly via nmap and also debug via i.e. openssl s_client.

Just to compare your nmap output. Here is my standard Turris device with data collection enabled. All of these ports leads to honeypots/minipots.

nmap output
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
2323/tcp open  3d-nfsd
3128/tcp open  squid-http
8080/tcp open  http-proxy

And this is how it looks on another Turris device with data collection disabled:

nmap output
All 1000 scanned ports on router.example.com (*.*.*.*) are closed

OpenVPN is not shown there as I use UDP and nmap scans TCP only by default. I also allow Turris’ ssh on high-enough non-standard port which is not scanned by default.

You can force nmap to scan UDP ports as well however, this won’t help you much as you can’t distinguished opened and filtered port in that case.

Is OpenVPN Server up and running? Can you check in luci interface (I think it’s services -> startup) that openvpn service is activated and started? Can you run /etc/init.d/openvpn restart and post output in /var/log/messages ?

I have been on the road but could check if VPN is running now. Protree you were right, Server was not running, for whatever reason it has switched off itself… I do not know why that happened. Now all is OK, I could access TO from abroad via VPN. Thank you again for all the suggestions! At the end it was an easy task to solve everything.