OpenVPN server easy and fast


Below I include the contents of the .config file, the logs from the client (`--verb 5`) and the tcpdump log from the server. I also include the mwan3 troubleshooting output.
From the tcpdump, it seems that the server receives the packet from the client but responds from a different interface (eth1, not the incoming 3g-Lte interface). I then expect that the router on the client network rejects the traffic (the server response).
I tried to impose a sticky rule in mwan3 in order to respond from the same interface (3g-Lte) for traffic coming from port 1194, but it does not work.

I appreciate any help and guidance.

## Config File

    ##############################################
    # Openvpn client configuration generated by  #
    # router Turris based on Sample client-side  #
    # OpenVPN 2.0 config file                    #
    #                                            #
    # This configuration can be used only on     #
    # a single client.                           #
    #                                            #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################

    client

    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    dev tun_turris

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap

    proto udp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    ;remote my-server-1 1194
    ;remote my-server-2 1194
    remote XXXXX.XXXXXX.XXXX 1194

    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite

    # Most clients don't need to bind to
    # a specific local port number.
    nobind

    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody

    # Try to preserve some state across restarts.
    persist-key
    persist-tun

    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]

    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    mute-replay-warnings

    <ca>
    -----BEGIN CERTIFICATE-----
    XXXX
    -----END CERTIFICATE-----
    </ca>
    <cert>
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=openvpn
            Validity
                Not Before: Nov 19 16:48:25 2017 GMT
                Not After : Nov 17 16:48:25 2018 GMT
            Subject: CN=ubuntu
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                    XXXXXXXXXXX
                    Exponent: XXXXX (XXXXXX)
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Cert Type: 
                    SSL Client
                X509v3 Subject Key Identifier: 
                    XXXXXXXXXXX
                X509v3 Authority Key Identifier: 
                    keyid:XXXXXXXXXXX

                X509v3 Issuer Alternative Name: 
                    <EMPTY>

        Signature Algorithm: XXXXXXXXXXX
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXX
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    XXXXXXXXXXX
    -----END PRIVATE KEY-----
    </key>

    remote-cert-tls server





    comp-lzo

    # Set log file verbosity.
    verb 3

    # Silence repeating messages
    ;mute 20

    # To enable to process DNS push request from the server on linux machines (non systemd-resolved)
    # note that you might need to have resolvconf program installed
    ;script-security 2
    ;up /etc/openvpn/update-resolv-conf
    ;down /etc/openvpn/update-resolv-conf

    # To enable to process DNS push request from the server on linux machines (systemd-resolved)
    # see https://github.com/jonathanio/update-systemd-resolved
    ;script-security 2
    ;setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    ;up /etc/openvpn/update-systemd-resolved
    ;down /etc/openvpn/update-systemd-resolved
    ;down-pre

## Client log

sudo openvpn --config ~/Downloads/turris.ovpn --verb 5
[sudo] password for dlaptop: 
Tue Nov 21 18:46:01 2017 us=592150 Current Parameter Settings:
Tue Nov 21 18:46:01 2017 us=592180   config = '/home/dlaptop/Downloads/turris.ovpn'
Tue Nov 21 18:46:01 2017 us=592188   mode = 0
Tue Nov 21 18:46:01 2017 us=592211   persist_config = DISABLED
Tue Nov 21 18:46:01 2017 us=592218   persist_mode = 1
Tue Nov 21 18:46:01 2017 us=592223   show_ciphers = DISABLED
Tue Nov 21 18:46:01 2017 us=592228   show_digests = DISABLED
Tue Nov 21 18:46:01 2017 us=592232   show_engines = DISABLED
Tue Nov 21 18:46:01 2017 us=592237   genkey = DISABLED
Tue Nov 21 18:46:01 2017 us=592244   key_pass_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592251   show_tls_ciphers = DISABLED
Tue Nov 21 18:46:01 2017 us=592256   connect_retry_max = 0
Tue Nov 21 18:46:01 2017 us=592262 Connection profiles [0]:
Tue Nov 21 18:46:01 2017 us=592270   proto = udp
Tue Nov 21 18:46:01 2017 us=592277   local = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592284   local_port = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592292   remote = 'mik2.duckdns.org'
Tue Nov 21 18:46:01 2017 us=592299   remote_port = '1194'
Tue Nov 21 18:46:01 2017 us=592306   remote_float = DISABLED
Tue Nov 21 18:46:01 2017 us=592313   bind_defined = DISABLED
Tue Nov 21 18:46:01 2017 us=592320   bind_local = DISABLED
Tue Nov 21 18:46:01 2017 us=592327   bind_ipv6_only = DISABLED
Tue Nov 21 18:46:01 2017 us=592334   connect_retry_seconds = 5
Tue Nov 21 18:46:01 2017 us=592341   connect_timeout = 120
Tue Nov 21 18:46:01 2017 us=592348   socks_proxy_server = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592355   socks_proxy_port = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592362   tun_mtu = 1500
Tue Nov 21 18:46:01 2017 us=592369   tun_mtu_defined = ENABLED
Tue Nov 21 18:46:01 2017 us=592376   link_mtu = 1500
Tue Nov 21 18:46:01 2017 us=592383   link_mtu_defined = DISABLED
Tue Nov 21 18:46:01 2017 us=592391   tun_mtu_extra = 0
Tue Nov 21 18:46:01 2017 us=592398   tun_mtu_extra_defined = DISABLED
Tue Nov 21 18:46:01 2017 us=592405   mtu_discover_type = -1
Tue Nov 21 18:46:01 2017 us=592414   fragment = 0
Tue Nov 21 18:46:01 2017 us=592423   mssfix = 1450
Tue Nov 21 18:46:01 2017 us=592430   explicit_exit_notification = 0
Tue Nov 21 18:46:01 2017 us=592437 Connection profiles END
Tue Nov 21 18:46:01 2017 us=592443   remote_random = DISABLED
Tue Nov 21 18:46:01 2017 us=592450   ipchange = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592456   dev = 'tun_turris'
Tue Nov 21 18:46:01 2017 us=592463   dev_type = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592469   dev_node = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592475   lladdr = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592480   topology = 1
Tue Nov 21 18:46:01 2017 us=592486   ifconfig_local = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592492   ifconfig_remote_netmask = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592497   ifconfig_noexec = DISABLED
Tue Nov 21 18:46:01 2017 us=592505   ifconfig_nowarn = DISABLED
Tue Nov 21 18:46:01 2017 us=592510   ifconfig_ipv6_local = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592516   ifconfig_ipv6_netbits = 0
Tue Nov 21 18:46:01 2017 us=592522   ifconfig_ipv6_remote = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592528   shaper = 0
Tue Nov 21 18:46:01 2017 us=592534   mtu_test = 0
Tue Nov 21 18:46:01 2017 us=592540   mlock = DISABLED
Tue Nov 21 18:46:01 2017 us=592545   keepalive_ping = 0
Tue Nov 21 18:46:01 2017 us=592551   keepalive_timeout = 0
Tue Nov 21 18:46:01 2017 us=592558   inactivity_timeout = 0
Tue Nov 21 18:46:01 2017 us=592564   ping_send_timeout = 0
Tue Nov 21 18:46:01 2017 us=592569   ping_rec_timeout = 0
Tue Nov 21 18:46:01 2017 us=592576   ping_rec_timeout_action = 0
Tue Nov 21 18:46:01 2017 us=592581   ping_timer_remote = DISABLED
Tue Nov 21 18:46:01 2017 us=592587   remap_sigusr1 = 0
Tue Nov 21 18:46:01 2017 us=592593   persist_tun = ENABLED
Tue Nov 21 18:46:01 2017 us=592599   persist_local_ip = DISABLED
Tue Nov 21 18:46:01 2017 us=592604   persist_remote_ip = DISABLED
Tue Nov 21 18:46:01 2017 us=592610   persist_key = ENABLED
Tue Nov 21 18:46:01 2017 us=592616   passtos = DISABLED
Tue Nov 21 18:46:01 2017 us=592622   resolve_retry_seconds = 1000000000
Tue Nov 21 18:46:01 2017 us=592627   resolve_in_advance = DISABLED
Tue Nov 21 18:46:01 2017 us=592633   username = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592639   groupname = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592644   chroot_dir = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592651   cd_dir = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592656   writepid = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592662   up_script = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592668   down_script = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592673   down_pre = DISABLED
Tue Nov 21 18:46:01 2017 us=592679   up_restart = DISABLED
Tue Nov 21 18:46:01 2017 us=592685   up_delay = DISABLED
Tue Nov 21 18:46:01 2017 us=592691   daemon = DISABLED
Tue Nov 21 18:46:01 2017 us=592697   inetd = 0
Tue Nov 21 18:46:01 2017 us=592703   log = DISABLED
Tue Nov 21 18:46:01 2017 us=592708   suppress_timestamps = DISABLED
Tue Nov 21 18:46:01 2017 us=592714   machine_readable_output = DISABLED
Tue Nov 21 18:46:01 2017 us=592720   nice = 0
Tue Nov 21 18:46:01 2017 us=592726   verbosity = 5
Tue Nov 21 18:46:01 2017 us=592732   mute = 0
Tue Nov 21 18:46:01 2017 us=592738   gremlin = 0
Tue Nov 21 18:46:01 2017 us=592743   status_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592749   status_file_version = 1
Tue Nov 21 18:46:01 2017 us=592755   status_file_update_freq = 60
Tue Nov 21 18:46:01 2017 us=592760   occ = ENABLED
Tue Nov 21 18:46:01 2017 us=592766   rcvbuf = 0
Tue Nov 21 18:46:01 2017 us=592772   sndbuf = 0
Tue Nov 21 18:46:01 2017 us=592777   mark = 0
Tue Nov 21 18:46:01 2017 us=592783   sockflags = 0
Tue Nov 21 18:46:01 2017 us=592789   fast_io = DISABLED
Tue Nov 21 18:46:01 2017 us=592795   comp.alg = 2
Tue Nov 21 18:46:01 2017 us=592801   comp.flags = 1
Tue Nov 21 18:46:01 2017 us=592807   route_script = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592813   route_default_gateway = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592819   route_default_metric = 0
Tue Nov 21 18:46:01 2017 us=592825   route_noexec = DISABLED
Tue Nov 21 18:46:01 2017 us=592831   route_delay = 0
Tue Nov 21 18:46:01 2017 us=592838   route_delay_window = 30
Tue Nov 21 18:46:01 2017 us=592843   route_delay_defined = DISABLED
Tue Nov 21 18:46:01 2017 us=592849   route_nopull = DISABLED
Tue Nov 21 18:46:01 2017 us=592854   route_gateway_via_dhcp = DISABLED
Tue Nov 21 18:46:01 2017 us=592860   allow_pull_fqdn = DISABLED
Tue Nov 21 18:46:01 2017 us=592867   management_addr = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592872   management_port = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592877   management_user_pass = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592883   management_log_history_cache = 250
Tue Nov 21 18:46:01 2017 us=592890   management_echo_buffer_size = 100
Tue Nov 21 18:46:01 2017 us=592896   management_write_peer_info_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592902   management_client_user = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592908   management_client_group = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592914   management_flags = 0
Tue Nov 21 18:46:01 2017 us=592920   shared_secret_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=592926   key_direction = 0
Tue Nov 21 18:46:01 2017 us=592932   ciphername = 'BF-CBC'
Tue Nov 21 18:46:01 2017 us=592938   ncp_enabled = ENABLED
Tue Nov 21 18:46:01 2017 us=592944   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Tue Nov 21 18:46:01 2017 us=592950   authname = 'SHA1'
Tue Nov 21 18:46:01 2017 us=592956   prng_hash = 'SHA1'
Tue Nov 21 18:46:01 2017 us=592962   prng_nonce_secret_len = 16
Tue Nov 21 18:46:01 2017 us=592967   keysize = 0
Tue Nov 21 18:46:01 2017 us=592973   engine = DISABLED
Tue Nov 21 18:46:01 2017 us=592979   replay = ENABLED
Tue Nov 21 18:46:01 2017 us=592985   mute_replay_warnings = ENABLED
Tue Nov 21 18:46:01 2017 us=592992   replay_window = 64
Tue Nov 21 18:46:01 2017 us=592997   replay_time = 15
Tue Nov 21 18:46:01 2017 us=593003   packet_id_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593009   use_iv = ENABLED
Tue Nov 21 18:46:01 2017 us=593015   test_crypto = DISABLED
Tue Nov 21 18:46:01 2017 us=593021   tls_server = DISABLED
Tue Nov 21 18:46:01 2017 us=593026   tls_client = ENABLED
Tue Nov 21 18:46:01 2017 us=593032   key_method = 2
Tue Nov 21 18:46:01 2017 us=593038   ca_file = '[[INLINE]]'
Tue Nov 21 18:46:01 2017 us=593044   ca_path = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593050   dh_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593056   cert_file = '[[INLINE]]'
Tue Nov 21 18:46:01 2017 us=593062   extra_certs_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593068   priv_key_file = '[[INLINE]]'
Tue Nov 21 18:46:01 2017 us=593074   pkcs12_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593079   cipher_list = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593085   tls_verify = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593091   tls_export_cert = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593097   verify_x509_type = 0
Tue Nov 21 18:46:01 2017 us=593103   verify_x509_name = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593109   crl_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593115   ns_cert_type = 0
Tue Nov 21 18:46:01 2017 us=593121   remote_cert_ku[i] = 65535
Tue Nov 21 18:46:01 2017 us=593127   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593133   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593152   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593158   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593165   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593170   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593176   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593182   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593188   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593194   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593199   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593205   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593211   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593216   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593222   remote_cert_ku[i] = 0
Tue Nov 21 18:46:01 2017 us=593229   remote_cert_eku = 'TLS Web Server Authentication'
Tue Nov 21 18:46:01 2017 us=593234   ssl_flags = 0
Tue Nov 21 18:46:01 2017 us=593240   tls_timeout = 2
Tue Nov 21 18:46:01 2017 us=593246   renegotiate_bytes = -1
Tue Nov 21 18:46:01 2017 us=593252   renegotiate_packets = 0
Tue Nov 21 18:46:01 2017 us=593258   renegotiate_seconds = 3600
Tue Nov 21 18:46:01 2017 us=593264   handshake_window = 60
Tue Nov 21 18:46:01 2017 us=593269   transition_window = 3600
Tue Nov 21 18:46:01 2017 us=593275   single_session = DISABLED
Tue Nov 21 18:46:01 2017 us=593281   push_peer_info = DISABLED
Tue Nov 21 18:46:01 2017 us=593286   tls_exit = DISABLED
Tue Nov 21 18:46:01 2017 us=593292   tls_auth_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593299   tls_crypt_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593304   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593310   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593316   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593322   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593328   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593334   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593340   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593346   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593352   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593358   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593364   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593370   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593376   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593381   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593386   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593392   pkcs11_protected_authentication = DISABLED
Tue Nov 21 18:46:01 2017 us=593397   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593403   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593408   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593413   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593418   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593424   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593429   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593434   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593440   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593445   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593450   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593455   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593461   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593466   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593471   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593476   pkcs11_private_mode = 00000000
Tue Nov 21 18:46:01 2017 us=593481   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593487   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593492   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593497   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593502   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593508   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593513   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593518   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593523   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593529   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593534   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593539   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593544   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593550   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593555   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593560   pkcs11_cert_private = DISABLED
Tue Nov 21 18:46:01 2017 us=593565   pkcs11_pin_cache_period = -1
Tue Nov 21 18:46:01 2017 us=593571   pkcs11_id = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593576   pkcs11_id_management = DISABLED
Tue Nov 21 18:46:01 2017 us=593583   server_network = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593589   server_netmask = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593599   server_network_ipv6 = ::
Tue Nov 21 18:46:01 2017 us=593604   server_netbits_ipv6 = 0
Tue Nov 21 18:46:01 2017 us=593610   server_bridge_ip = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593616   server_bridge_netmask = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593622   server_bridge_pool_start = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593627   server_bridge_pool_end = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593632   ifconfig_pool_defined = DISABLED
Tue Nov 21 18:46:01 2017 us=593638   ifconfig_pool_start = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593644   ifconfig_pool_end = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593650   ifconfig_pool_netmask = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593655   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593660   ifconfig_pool_persist_refresh_freq = 600
Tue Nov 21 18:46:01 2017 us=593666   ifconfig_ipv6_pool_defined = DISABLED
Tue Nov 21 18:46:01 2017 us=593672   ifconfig_ipv6_pool_base = ::
Tue Nov 21 18:46:01 2017 us=593677   ifconfig_ipv6_pool_netbits = 0
Tue Nov 21 18:46:01 2017 us=593682   n_bcast_buf = 256
Tue Nov 21 18:46:01 2017 us=593687   tcp_queue_limit = 64
Tue Nov 21 18:46:01 2017 us=593693   real_hash_size = 256
Tue Nov 21 18:46:01 2017 us=593698   virtual_hash_size = 256
Tue Nov 21 18:46:01 2017 us=593703   client_connect_script = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593709   learn_address_script = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593714   client_disconnect_script = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593719   client_config_dir = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593724   ccd_exclusive = DISABLED
Tue Nov 21 18:46:01 2017 us=593729   tmp_dir = '/tmp'
Tue Nov 21 18:46:01 2017 us=593740   push_ifconfig_defined = DISABLED
Tue Nov 21 18:46:01 2017 us=593746   push_ifconfig_local = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593752   push_ifconfig_remote_netmask = 0.0.0.0
Tue Nov 21 18:46:01 2017 us=593757   push_ifconfig_ipv6_defined = DISABLED
Tue Nov 21 18:46:01 2017 us=593763   push_ifconfig_ipv6_local = ::/0
Tue Nov 21 18:46:01 2017 us=593769   push_ifconfig_ipv6_remote = ::
Tue Nov 21 18:46:01 2017 us=593775   enable_c2c = DISABLED
Tue Nov 21 18:46:01 2017 us=593781   duplicate_cn = DISABLED
Tue Nov 21 18:46:01 2017 us=593786   cf_max = 0
Tue Nov 21 18:46:01 2017 us=593791   cf_per = 0
Tue Nov 21 18:46:01 2017 us=593797   max_clients = 1024
Tue Nov 21 18:46:01 2017 us=593803   max_routes_per_client = 256
Tue Nov 21 18:46:01 2017 us=593809   auth_user_pass_verify_script = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593815   auth_user_pass_verify_script_via_file = DISABLED
Tue Nov 21 18:46:01 2017 us=593821   auth_token_generate = DISABLED
Tue Nov 21 18:46:01 2017 us=593826   auth_token_lifetime = 0
Tue Nov 21 18:46:01 2017 us=593832   port_share_host = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593838   port_share_port = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593843   client = ENABLED
Tue Nov 21 18:46:01 2017 us=593848   pull = ENABLED
Tue Nov 21 18:46:01 2017 us=593854   auth_user_pass_file = '[UNDEF]'
Tue Nov 21 18:46:01 2017 us=593862 OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  3 2017
Tue Nov 21 18:46:01 2017 us=593874 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Tue Nov 21 18:46:01 2017 us=594355 LZO compression initializing
Tue Nov 21 18:46:01 2017 us=594439 Control Channel MTU parms [ L:1622 D:1 EF:38 EB:0 ET:0 EL:3 ]
Tue Nov 21 18:46:01 2017 us=794439 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Nov 21 18:46:01 2017 us=794533 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Nov 21 18:46:01 2017 us=794562 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Nov 21 18:46:01 2017 us=794599 TCP/UDP: Preserving recently used remote address: [AF_INET]21X.XXX.XXX.XXX:1194
Tue Nov 21 18:46:01 2017 us=794646 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Nov 21 18:46:01 2017 us=794674 UDP link local: (not bound)
Tue Nov 21 18:46:01 2017 us=794703 UDP link remote: [AF_INET]21X.XXX.XXX.XXX:1194
WWWW^CTue Nov 21 18:46:27 2017 us=197930 event_wait : Interrupted system call (code=4)
Tue Nov 21 18:46:27 2017 us=198231 TCP/UDP: Closing socket
Tue Nov 21 18:46:27 2017 us=198292 SIGINT[hard,] received, process exiting

## Server tcpdump

tcpdump -i eth1 host 15X.XXX.XXX.XXX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:46:02.312397 IP 10.0.0.52.1194 > 15X.XXX.XXX.XXX.55245: UDP, length 26
18:46:03.977655 IP 10.0.0.52.1194 > 15X.XXX.XXX.XXX.55245: UDP, length 22
18:46:04.981760 IP 10.0.0.52.1194 > 15X.XXX.XXX.XXX.55245: UDP, length 14
18:46:08.137246 IP 10.0.0.52.1194 > 15X.XXX.XXX.XXX.55245: UDP, length 26

## mwan3 troubleshooting

Software versions : 

OpenWrt - OpenWrt omnia 15.05 r47055
LuCI - git-17.212.24321-49c3edd

mwan3 - 2.0-2
mwan3-luci - 1.4-4

Output of "cat /etc/config/mwan3" : 

config rule 'vpn'
	option src_port '1194'
	option sticky '1'
	option timeout '1000000'
	option use_policy 'wan2_only'
	option proto 'udp'

config rule 'default'
	option proto 'all'
	option sticky '0'
	option dest_ip '0.0.0.0/0'
	option use_policy 'wan_wan2'

config interface 'wan'
	option count '1'
	option timeout '10'
	option interval '60'
	option reliability '1'
	option enabled '1'
	option down '5'
	option up '3'
	list track_ip '8.8.8.8'
	list track_ip '10.0.0.1'

config policy 'wan_only'
	option last_resort 'unreachable'
	list use_member 'wan_m1_w1'

config policy 'wan2_only'
	option last_resort 'unreachable'
	list use_member 'wan2_m1_w1'

config policy 'balanced'
	option last_resort 'unreachable'
	list use_member 'wan_m1_w2'
	list use_member 'wan2_m1_w2'

config policy 'wan_wan2'
	list use_member 'wan_m1_w1'
	list use_member 'wan2_m2_w2'
	option last_resort 'unreachable'

config policy 'wan2_wan'
	option last_resort 'unreachable'
	list use_member 'wan2_m1_w1'
	list use_member 'wan_m2_w2'

config member 'wan_m1_w1'
	option interface 'wan'
	option metric '1'
	option weight '1'

config member 'wan2_m2_w2'
	option interface 'Lte'
	option metric '2'
	option weight '2'

config member 'wan2_m1_w1'
	option interface 'Lte'
	option metric '1'
	option weight '1'

config member 'wan_m1_w2'
	option interface 'wan'
	option metric '1'
	option weight '2'

config member 'wan2_m1_w2'
	option metric '1'
	option weight '2'
	option interface 'Lte'

config member 'wan_m2_w2'
	option interface 'wan'
	option metric '2'
	option weight '2'

config interface 'Lte'
	option enabled '1'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option reliability '1'
	option count '1'
	option timeout '10'
	option interval '30'
	option down '5'
	option up '2'

Output of "cat /etc/config/network" : 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd50:197b:87c3::/48'

config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option _orig_ifname 'eth0 eth2 wlan0 radio1.network1'
	option _orig_bridge 'true'
	option ifname 'eth0 eth2'
	option ipaddr '10.0.10.1'

config interface 'wan'
	option _orig_ifname 'eth1'
	option _orig_bridge 'false'
	option ipv6 'auto'
	option metric '10'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'eth1'
	option ipaddr '10.0.0.52'
	option gateway '10.0.0.1'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

config interface 'Lte'
	option proto '3g'
	option ipv6 'auto'
	option metric '20'
	option peerdns '0'
	option dns '8.8.4.4 8.8.8.8'
	option delegate '0'
	option service 'umts'
	option device '/dev/ttyUSB2'
	option apn 'gint'

config route
	option interface 'lan'
	option target '192.168.10.0'
	option netmask '255.255.255.0'
	option metric '0'
	option gateway '10.0.10.199'

config interface 'vpn_turris'
	option ifname 'tun_turris'
	option proto 'none'
	option auto '1'

config interface 'guest_turris'
	option enabled '0'
	option type 'bridge'
	option ifname 'guest_turris_0'
	option proto 'static'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option bridge_empty '1'

Output of "ifconfig" : 

3g-Lte    Link encap:Point-to-Point Protocol  
          inet addr:2XX.XXX.XXX.XXX  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:218143 errors:0 dropped:0 overruns:0 frame:0
          TX packets:566720 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:13914631 (13.2 MiB)  TX bytes:777675699 (741.6 MiB)

br-lan    Link encap:Ethernet  HWaddr D8:58:D7:00:30:36  
          inet addr:10.0.10.1  Bcast:10.0.10.255  Mask:255.255.255.0
          inet6 addr: fe80::da58:d7ff:fe00:3036/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:357022 errors:0 dropped:0 overruns:0 frame:0
          TX packets:727195 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:767416314 (731.8 MiB)  TX bytes:786592698 (750.1 MiB)

eth0      Link encap:Ethernet  HWaddr D8:58:D7:00:30:36  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532 
          RX bytes:0 (0.0 B)  TX bytes:805330 (786.4 KiB)
          Interrupt:37 

eth1      Link encap:Ethernet  HWaddr D8:58:D7:00:30:37  
          inet addr:10.0.0.52  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::da58:d7ff:fe00:3037/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36071475 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12279719 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532 
          RX bytes:47850965646 (44.5 GiB)  TX bytes:1395822267 (1.2 GiB)
          Interrupt:38 

eth2      Link encap:Ethernet  HWaddr D8:58:D7:00:30:38  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7896 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532 
          RX bytes:0 (0.0 B)  TX bytes:805056 (786.1 KiB)
          Interrupt:40 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:131065 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131065 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:10805290 (10.3 MiB)  TX bytes:10805290 (10.3 MiB)

tun_turris Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.111.111.1  P-t-P:10.111.111.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vethOAM9XR Link encap:Ethernet  HWaddr FE:0A:E8:08:DD:3F  
          inet6 addr: fe80::fc0a:e8ff:fe08:dd3f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:357022 errors:0 dropped:0 overruns:0 frame:0
          TX packets:725505 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:772414622 (736.6 MiB)  TX bytes:786424442 (749.9 MiB)

Output of "route -n" : 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    10     0        0 eth1
0.0.0.0         10.64.64.64     0.0.0.0         UG    20     0        0 3g-Lte
10.0.0.0        0.0.0.0         255.255.255.0   U     10     0        0 eth1
10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 br-lan
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 3g-Lte
10.111.111.0    10.111.111.2    255.255.255.0   UG    0      0        0 tun_turris
10.111.111.2    0.0.0.0         255.255.255.255 UH    0      0        0 tun_turris
192.168.10.0    10.0.10.199     255.255.255.0   UG    0      0        0 br-lan

Output of "ip rule show" : 

0:	from all lookup local 
1001:	from all iif eth1 lookup main 
1002:	from all iif 3g-Lte lookup main 
2001:	from all fwmark 0x100/0xff00 lookup 1 
2002:	from all fwmark 0x200/0xff00 lookup 2 
2253:	from all fwmark 0xfd00/0xff00 blackhole
2254:	from all fwmark 0xfe00/0xff00 unreachable
32766:	from all lookup main 
32767:	from all lookup default

Output of "ip route list table 1-250" : 

1
default via 10.0.0.1 dev eth1 
2
default via 10.64.64.64 dev 3g-Lte

Firewall default output policy (must be ACCEPT) : 

ACCEPT

Output of "iptables -L -t mangle -v -n" : 

Chain PREROUTING (policy ACCEPT 32M packets, 42G bytes)
 pkts bytes target     prot opt in     out     source               destination         
  36M   48G mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  32M   42G fwmark     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 31M packets, 41G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1063K packets, 1541M bytes)
 pkts bytes target     prot opt in     out     source               destination         
1063K 1541M mssfix     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 11M packets, 1074M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  12M 1234M mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 12M packets, 2615M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fwmark (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain mssfix (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   16   960 TCPMSS     tcp  --  *      3g-Lte  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU

Chain mwan3_connected (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 510K   84M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected dst MARK or 0xff00

Chain mwan3_hook (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  49M   49G CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xff00
 309K   24M mwan3_ifaces_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
 301K   23M mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
 271K   21M mwan3_ifaces_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
  381 28376 mwan3_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
  49M   49G CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff00
1136K  879M mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xff00/0xff00

Chain mwan3_iface_in_Lte (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  3g-Lte *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected src mark match 0x0/0xff00 /* default */ MARK or 0xff00
  813 55725 MARK       all  --  3g-Lte *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* Lte */ MARK xset 0x200/0xff00

Chain mwan3_iface_in_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6998  435K MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected src mark match 0x0/0xff00 /* default */ MARK or 0xff00
    4  1403 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan */ MARK xset 0x100/0xff00

Chain mwan3_iface_out_Lte (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3834  322K MARK       all  --  *      *       2XX.XXX.XXX.XXX       0.0.0.0/0            mark match 0x0/0xff00 /* Lte */ MARK xset 0x200/0xff00

Chain mwan3_iface_out_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 266K   21M MARK       all  --  *      *       10.0.0.52            0.0.0.0/0            mark match 0x0/0xff00 /* wan */ MARK xset 0x100/0xff00

Chain mwan3_ifaces_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 309K   24M mwan3_iface_in_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
 261K   20M mwan3_iface_in_Lte  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00

Chain mwan3_ifaces_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 271K   21M mwan3_iface_out_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
 4029  336K mwan3_iface_out_Lte  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00

Chain mwan3_policy_balanced (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 statistic mode random probability 0.50000000000 /* Lte 2 4 */ MARK xset 0x200/0xff00
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan 2 2 */ MARK xset 0x100/0xff00

Chain mwan3_policy_wan2_only (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* Lte 1 1 */ MARK xset 0x200/0xff00

Chain mwan3_policy_wan2_wan (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* Lte 1 1 */ MARK xset 0x200/0xff00

Chain mwan3_policy_wan_only (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan 1 1 */ MARK xset 0x100/0xff00

Chain mwan3_policy_wan_wan2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  195 14436 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan 1 1 */ MARK xset 0x100/0xff00

Chain mwan3_rule_vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 MARK xset 0x200/0xff00
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x200/0xff00 ! match-set mwan3_sticky_vpn src,src MARK and 0xffff00ff
    0     0 mwan3_policy_wan2_only  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
    0     0 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 del-set mwan3_sticky_vpn src,src
    0     0 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 add-set mwan3_sticky_vpn src,src

Chain mwan3_rules (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 mwan3_rule_vpn  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 1194 multiport dports 0:65535 mark match 0x0/0xff00 /* vpn */
  195 14436 mwan3_policy_wan_wan2  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* default */

#105

If you use ‘verb 6’, OpenVPN will log all messages sent or received. It might be helpful to set ‘verb 6’ on both the client and server while troubleshooting a connection problem.

From the logs you have posted, I think probably the client sends its first message; the server receives it and responds; and for some reason the response goes astray and does not reach the client process. So I think you are right - the immediate problem has to do with routing and/or firewall configuration. Perhaps another contributor can help you better than me with those.

I could make two suggestions though. Configure both firewalls (server and client) to log dropped packets. And try first to get it working with the simplest possible configuration: temporarily remove the added complexity of LTE and the 2nd WAN interface, until you achieve successful connection via the hardwired WAN.


#106

Hi, is there a way to see connected VPN users? Before, I had OpenVPN configured manually on my own, and VPN users were using the same DHCP server as normal users. Therefore I saw even the VPN users in the DHCP list. Now I have tried this new easy setup functionality; it works pretty well, but it uses a separate subnet. That is OK for me, but now I do not see these VPN clients on the router in the GUI. Is there some way to see them in the web GUI, other than the command line over SSH?

Thanks.

Pavel


#107

I managed to connect to the VPN server by commenting out the nobind option in the client config and adding --float to the command on the client. With the --float option, the client accepts packets from an IP other than the one configured in the client config.

But I have not yet been able to set up mwan3 or iptables on the server so that it responds from the same external interface.
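
An added example (not part of the posts above, and not mwan3's own code): a small Python model of the ip rule and mangle-table output from post #104, tracing which chain marks a locally generated UDP reply from port 1194 and which interface it then leaves by. It assumes that a reply sourced from the eth1 address is not matched to the inbound conntrack entry and that the VPN client is not in the mwan3_connected set; 203.0.113.10 is a constructed stand-in for the redacted 3g-Lte address, and trace_output and its parameters are hypothetical names.

```python
"""Model of the mwan3 mangle chains and ip rules posted above (added example)."""

MASK = 0xFF00
WAN_ADDR = "10.0.0.52"        # eth1 address, from the ifconfig output
LTE_ADDR = "203.0.113.10"     # constructed stand-in for the redacted 3g-Lte address
# "ip rule show": fwmark -> table; "ip route list table 1-250": table -> device
FWMARK_TABLE = {0x100: 1, 0x200: 2}
TABLE_DEV = {1: "eth1", 2: "3g-Lte"}
# Source-address matches in mwan3_iface_out_wan / mwan3_iface_out_Lte
IFACE_OUT = [("mwan3_iface_out_wan", WAN_ADDR, 0x100),
             ("mwan3_iface_out_Lte", LTE_ADDR, 0x200)]


def trace_output(src, proto, sport, conntrack_mark=0):
    """Walk mwan3_hook for a locally generated packet.

    Returns (fwmark, chain or target that set it, egress device).
    """
    # First rule of mwan3_hook: CONNMARK restore (0 for a new conntrack entry).
    mark, setter = conntrack_mark & MASK, "CONNMARK restore"
    # mwan3_ifaces_in matches on the input interface, so it never fires in OUTPUT.
    # mwan3_connected is skipped: the VPN client is assumed not to be in that set.
    if mark == 0:
        for chain, addr, value in IFACE_OUT:       # mwan3_ifaces_out
            if src == addr:
                mark, setter = value, chain
                break
    if mark == 0:                                   # mwan3_rules, only if still unmarked
        if proto == "udp" and sport == 1194:
            mark, setter = 0x200, "mwan3_rule_vpn"          # ends in mwan3_policy_wan2_only
        else:
            mark, setter = 0x100, "mwan3_policy_wan_wan2"   # default rule
    return mark, setter, TABLE_DEV[FWMARK_TABLE[mark]]


if __name__ == "__main__":
    cases = {"reply sourced from eth1 address": WAN_ADDR,
             "reply sourced from 3g-Lte address": LTE_ADDR}
    for label, src in cases.items():
        mark, setter, dev = trace_output(src, "udp", 1194)
        print(f"{label}: mark {mark:#x} set by {setter}, leaves via {dev}")
```

With the eth1 source address the packet is already marked by mwan3_iface_out_wan before mwan3_rules is consulted, which is consistent with the zero packet counters on mwan3_rule_vpn in the dump.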


#108

Hi mate,
I am using OpenVPN Connect 1.1.27 (build96) (OpenVPN core 3.1.2 android arm64) with no issues. There is a slight difference between the 2.3.x and 2.4.x branches of the “openVPN” client vs server. I faced some issues even on the "win" client when having 2.2.x and trying to connect to a 2.4.x server.


#109

Hello,

how can I delete revoked users from list?


OpenVPN client not generated
#112

I made some manual changes in the OpenVPN config file, and after that I cannot use the OpenVPN plugin in Foris. I am able to delete / generate the CA, but when I execute “Použít konfiguraci”, I get the error "Nepodařilo se povolit konfiguraci OpenVPN serveru." Any advice on how to make this plugin work again? Thanks!


#113

I tried enabling the OpenVPN server via the Foris interface, but I could not get the connection up from the outside.

The default firewall configuration applied by the Foris interface was:

    config zone 'vpn_turris'
        option name 'vpn_turris'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option enabled '1'
        list network 'vpn_turris'

The answer from the Turris Omnia was then:
20:01:56.942594 IP x.x.x.x > x.x.x.x: ICMP x.x.x.x udp port 1194 unreachable, length 50

In order to get a connection I had to change the firewall configuration for the ‘vpn_turris’ zone to accept forwarding:
option forward 'ACCEPT'

Is this a bug in the Foris OpenVPN plugin, or have I missed something?


#114

I have made my first OpenVPN configuration via Foris. I have the same experience. I completed the whole process (successfully, according to the Foris interface) and when I connected from the endpoint via the Foris-provided config.

I am in the connecting phase all the time, and then restarting, in the OpenVPN GUI. Pretty bad.