I am using DDNS and have Pi-hole set up on the Pi as well. I want to use Pi-hole to give the PLCs hostnames so they are easier to connect to.
I have also set up port forwarding and static routes on the router that the Pi is connected to.
I was able to create a CloudConnexa account, drop the .ovpn files into the PLCs and my laptop, and connect to each device, so all of the ports are open for my devices. I believe it's an issue with the Pi.
Illustration of network
                                           ------- PLC@ 192.168.3.1
                                          /
                                         /
                                        /
Laptop 192.168.2.1 ----------> Pi@ 192.168.1.1 -------------- PLC@ 192.168.4.1
                                        \
                                         \
                                          \
                                           ------- PLC@ 192.168.5.1
Server info:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberry_***.crt
key /etc/openvpn/easy-rsa/pki/private/raspberry_***.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.160.200.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.160.200.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
Client info:
client
dev tun
proto udp
remote ***.duckdns.org 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name raspberry_0c2fd00d-ea72-461a-b4e5-d72acd0435f1 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
***
-----END OpenVPN Static key V1-----
</tls-crypt>