Hank21 wrote

1. Does your OpenVPN Server require the Client to enter the account password?
2. If not, please provide a screenshot of your configuration file, it will help us to locate the issue.
3. Can you try using the OpenVPN GUI directly to see if it can connect successfully?

 

Best Regards!

 

 

  @Hank21 

1. No, only client certificate. Username/password is not required

2.

3. The same configuration file works fine with OpenVPN client (from mobile and from desktop)

  @TamirK 

 

I had the same problem with OpenVPN client on router, to make it work I had to install server with backward compatibility to old clients.
it was a separate choice when I installed the OpenVPN server.

What were exact options you've used in the config to make it works. I've tried to change from cipher AES-256-CBC to option cipher 'AES-256-CBC' and on server to data-ciphers-fallback - the issue remains the same. It seemed like TP-Link not even tries to connect. At least I cannot see any failed attempts in the server log.

  @TamirK 

 

this is server config, as you can see I have disabled some things, I use push route on client config so I do not have to route all traffic in the OpenVPN tunnel

 

dev tun
proto udp
port 1195
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/OpenVPN_b2656eb2-75bb-4594-a0e4-e8ee88e3ddf5.crt
key /etc/openvpn/easy-rsa/pki/private/OpenVPN_b2656eb2-75bb-4594-a0e4-e8ee88e3ddf5.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.74.10.0 255.255.255.0
# Set your primary domain name server address for clients
##push "dhcp-option DNS 1.1.1.1"
##push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
##push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
##push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
 

 

 

@Hank21 I am not sure about one particual setting in the configuration dialog, so I'd like to double confirm

"Local Network" for tunnels set to DHCP LAN range (192.168.0.0/15), since this is what appears in the documentation "Select the network on the local side of the VPN tunnel. The VPN policy will be only applied to the selected local network.". Assuming my local network is 192.168.0.0/15, I want all clients to be able to use this tunnel.

This is different from the similar setting in other VPN types, where there is "Remote Subnet" setting should be defined.

How client on LAN side (OpenVPN client for site-to-site config) knows how when route to the remote network via VPN?

So, were you be able to figure out what is wrong? Or at least lead me to the possible things to check?

  @TamirK 

 

Do you ask me? as I wrote earlier, there is not much you can do with the router configuration, I had to install OpenVPN server with compatibility to old clients.
I run OpenVPN on an Ubuntu box, now I can connect both ER7206 and ER605 without any problems to this server,

 

As with you, there was also nothing in the log that indicated any traffic before I did this

 

The router configuration is quite simple and impossible to make mistakes

This is exactly what I do, but it does not work. I am not sure what "OpenVPN server with compatibility to old clients" means. What are specific settings that made it works for you on server?

  @TamirK 

 

do not remember the whole installation process, but I had to uninstall OpenVPN server and reinstall the whole server. there was a choice during installation that I could use old client mode, ver 2.2 as I remember.

You almost have to try by yourself, I had the same problem as you for a long time but it worked when I reinstalled the OpenVPN on server.

 

Ubuntu is quick to install so it's quick to set up a new device in LAB to test a bit with OpenVPN.

I do not have many more tips other than that you have to try a little LAB to make it work.