Page MenuHomeVyOS Platform

OpenVPN with/without VRF not working (NordVPN)
Open, Requires assessmentPublicBUG

Description

Hi,

I'm running vyos rolling-release and trying to implement a openvpn tunnel through nordvpn.
the tunnel interface is comming up but no traffic is going through (not even connected network).

Difference between VRF and not VRF is only the following:
pulled routes will work without VRF.
pulled routes with VRF can't be set cause next-hop gateway is invalid in "ip route add" command.

I try with TCP and UDP, no difference whatsoever.

I have another OpenVPN Tunnel Interface that's working totally fine but it seems NordVPN Servers using different configuration and pulling more than usual.

VyOS Version

Version:          VyOS 1.4-rolling-202105091233
Release Train:    sagitta

Built by:         [email protected]
Built on:         Mon 10 May 2021 01:17 UTC
Build UUID:       16e2a31e-3c5f-439f-a83b-a4f53e323948
Build Commit ID:  de6089c11d73f2

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    03af5309-80d8-4dea-ab69-bee239b95706

Copyright:        VyOS maintainers and contributors

Interface Config

authentication {
    password XXXXXX
    username XXXXX
}
device-type tun
encryption {
    cipher aes256
}
hash sha512
ipv6 {
    disable-forwarding
}
mode client
openvpn-option client
openvpn-option "resolv-retry infinite"
openvpn-option remote-random
openvpn-option nobind
openvpn-option "tun-mtu 1500"
openvpn-option "tun-mtu-extra 32"
openvpn-option "mssfix 1450"
openvpn-option persist-key
openvpn-option persist-tun
openvpn-option "ping 15"
openvpn-option "ping-restart 0"
openvpn-option ping-timer-rem
openvpn-option "reneg-sec 0"
openvpn-option "comp-lzo no"
openvpn-option "remote-cert-tls server"
openvpn-option "auth-user-pass /config/auth/nordvpn/nordvpnauth.txt"
openvpn-option "verb 3"
openvpn-option pull
openvpn-option fast-io
openvpn-option "cipher AES-256-CBC"
openvpn-option "auth SHA512"
openvpn-option "key-direction 1"
openvpn-option "--dev vtun2"
openvpn-option route-nopull
openvpn-option "proto tcp"
openvpn-option "remote 152.89.162.251 443"
persistent-tunnel
protocol tcp-active
remote-address 152.89.162.251
remote-host 152.89.162.251
remote-port 443
tls {
    auth-file /config/auth/nordvpn/nordvpn_shared.key
    ca-cert-file /config/auth/nordvpn/nordvpn_ca.crt
}
vrf NordVPN

Routing Table for VRF NordVPN

Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

VRF NordVPN:
S>* 0.0.0.0/0 [1/0] is directly connected, vtun2, weight 1, 00:07:51
K * 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 01w6d03h
C>* 10.7.1.0/24 is directly connected, vtun2, 00:07:51
S>* 152.89.162.251/32 [1/0] is directly connected, pppoe0 (vrf default), weight 1, 00:21:50

VRF Config

protocols {
    static {
        route 0.0.0.0/0 {
            interface vtun2 {
            }
        }
        route 152.89.162.251/32 {
            interface pppoe0 {
                vrf default
            }
        }
    }
}
table 100

Log-File

May 31 14:20:59 tony vyos-configd[674]: Received message: {"type": "node", "data": "VYOS_TAGNODE_VALUE=vtun2/usr/libexec/vyos/conf_mode/interfaces-openvpn.py"}
May 31 14:20:59 tony openvpn-vtun2[22382]: DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.
May 31 14:20:59 tony openvpn-vtun2[22382]: WARNING: file '/config/auth/nordvpn/nordvpn_shared.key' is group or others accessible
May 31 14:20:59 tony openvpn-vtun2[22382]: WARNING: file '/config/auth/nordvpn/nordvpnauth.txt' is group or others accessible
May 31 14:20:59 tony openvpn-vtun2[22382]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
May 31 14:20:59 tony openvpn-vtun2[22382]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
May 31 14:20:59 tony openvpn-vtun2[22382]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
May 31 14:20:59 tony openvpn-vtun2[22382]: NOTE: --fast-io is disabled since we are not using UDP
May 31 14:20:59 tony openvpn-vtun2[22382]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 31 14:20:59 tony openvpn-vtun2[22382]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 31 14:20:59 tony openvpn-vtun2[22382]: TCP/UDP: Preserving recently used remote address: [AF_INET]152.89.162.251:443
May 31 14:20:59 tony openvpn-vtun2[22382]: Socket Buffers: R=[1048576->1048576] S=[1048576->1048576]
May 31 14:20:59 tony openvpn-vtun2[22382]: Attempting to establish TCP connection with [AF_INET]152.89.162.251:443 [nonblock]
May 31 14:21:00 tony openvpn-vtun2[22382]: TCP connection established with [AF_INET]152.89.162.251:443
May 31 14:21:00 tony openvpn-vtun2[22382]: TCP_CLIENT link local: (not bound)
May 31 14:21:00 tony openvpn-vtun2[22382]: TCP_CLIENT link remote: [AF_INET]152.89.162.251:443
May 31 14:21:00 tony openvpn-vtun2[22382]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
May 31 14:21:00 tony openvpn-vtun2[22382]: TLS: Initial packet from [AF_INET]152.89.162.251:443, sid=7b345daf 05f91b65
May 31 14:21:00 tony openvpn-vtun2[22382]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 31 14:21:00 tony openvpn-vtun2[22382]: VERIFY OK: depth=2, /C=PA/O=NordVPN/CN=NordVPN_Root_CA
May 31 14:21:00 tony openvpn-vtun2[22382]: VERIFY OK: depth=1, /C=PA/O=NordVPN/CN=NordVPN_CA5
May 31 14:21:00 tony openvpn-vtun2[22382]: VERIFY KU OK
May 31 14:21:00 tony openvpn-vtun2[22382]: Validating certificate extended key usage
May 31 14:21:00 tony openvpn-vtun2[22382]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 31 14:21:00 tony openvpn-vtun2[22382]: VERIFY EKU OK
May 31 14:21:00 tony openvpn-vtun2[22382]: VERIFY OK: depth=0, /CN=ch259.nordvpn.com
May 31 14:21:02 tony openvpn-vtun2[22382]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
May 31 14:21:02 tony openvpn-vtun2[22382]: [ch259.nordvpn.com] Peer Connection Initiated with [AF_INET]152.89.162.251:443
May 31 14:21:03 tony openvpn-vtun2[22382]: SENT CONTROL [ch259.nordvpn.com]: 'PUSH_REQUEST' (status=1)
May 31 14:21:03 tony openvpn-vtun2[22382]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 
524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
May 31 14:21:03 tony openvpn-vtun2[22382]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
May 31 14:21:03 tony openvpn-vtun2[22382]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
May 31 14:21:03 tony openvpn-vtun2[22382]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: timers and/or timeouts modified
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: compression parms modified
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
May 31 14:21:03 tony openvpn-vtun2[22382]: Socket Buffers: R=[1048576->1048576] S=[1048576->1048576]
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: --ifconfig/up options modified
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: route-related options modified
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: peer-id set
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: adjusting link_mtu to 1659
May 31 14:21:03 tony openvpn-vtun2[22382]: OPTIONS IMPORT: data channel crypto options modified
May 31 14:21:03 tony openvpn-vtun2[22382]: Data Channel: using negotiated cipher 'AES-256-GCM'
May 31 14:21:03 tony openvpn-vtun2[22382]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 31 14:21:03 tony openvpn-vtun2[22382]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 31 14:21:03 tony openvpn-vtun2[22382]: TUN/TAP device vtun2 opened
May 31 14:21:03 tony openvpn-vtun2[22382]: TUN/TAP TX queue length set to 100
May 31 14:21:03 tony openvpn-vtun2[22382]: /usr/libexec/vyos/system/unpriv-ip link set dev vtun2 up mtu 1500
May 31 14:21:03 tony openvpn-vtun2[22382]: /usr/libexec/vyos/system/unpriv-ip addr add dev vtun2 10.7.1.2/24 broadcast 10.7.1.255
May 31 14:21:03 tony openvpn-vtun2[22382]: GID set to openvpn
May 31 14:21:03 tony openvpn-vtun2[22382]: UID set to openvpn
May 31 14:21:03 tony openvpn-vtun2[22382]: Initialization Sequence Completed

Cheers

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202105091233
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

@mTx87 Do you have a working example in Linux?
Maybe it also needs OpenVPN >= 2.5.0
https://blog.sdn.clinic/2018/12/openvpn-and-vrfs/

@Viacheslav
I can spin up a working example without VRF.

So here we go debian 10.

openvpn.conf

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
route-nopull

remote-cert-tls server

auth-user-pass .auth
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxx
-----END OpenVPN Static key V1-----
</tls-auth>

script-security 2
up /etc/openvpn/update-resolv-conf

down /etc/openvpn/update-resolv-conf

ip a & ping result

[email protected]:/etc/openvpn$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ea:46:0b:d6:5a:1f brd ff:ff:ff:ff:ff:ff
    inet 10.32.10.182/24 brd 10.32.10.255 scope global dynamic ens18
       valid_lft 66922sec preferred_lft 66922sec
    inet6 fe80::e846:bff:fed6:5a1f/64 scope link 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.2.7/24 brd 10.8.2.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::5ae3:9ec:3295:fd33/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
[email protected]:/etc/openvpn$ ping 10.8.2.1
PING 10.8.2.1 (10.8.2.1) 56(84) bytes of data.
64 bytes from 10.8.2.1: icmp_seq=1 ttl=64 time=27.6 ms
64 bytes from 10.8.2.1: icmp_seq=2 ttl=64 time=27.8 ms
^C
--- 10.8.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 27.565/27.706/27.848/0.218 ms

ip route printout

[email protected]:/etc/openvpn$ ip route
default via 10.32.10.254 dev ens18 
10.8.2.0/24 dev tun0 proto kernel scope link src 10.8.2.7 
10.32.10.0/24 dev ens18 proto kernel scope link src 10.32.10.182

now the same for vyos.

vyos config

[email protected]# show interfaces openvpn vtun2
 authentication {
     password xxxx
     username xxxx
 }
 device-type tun
 encryption {
     cipher aes256
 }
 hash sha512
 ipv6 {
     disable-forwarding
 }
 mode client
 openvpn-option "dev vtun2"
 openvpn-option "resolv-retry infinite"
 openvpn-option remote-random
 openvpn-option nobind
 openvpn-option "tun-mtu 1500"
 openvpn-option "tun-mtu-extra 32"
 openvpn-option "mssfix 1450"
 openvpn-option persist-key
 openvpn-option "ping 15"
 openvpn-option "ping-restart 0"
 openvpn-option ping-timer-rem
 openvpn-option "reneg-sec 0"
 openvpn-option "comp-lzo no"
 openvpn-option route-nopull
 openvpn-option "remote-cert-tls server"
 openvpn-option "auth-user-pass /config/auth/nordvpn/.auth"
 openvpn-option "verb 3"
 openvpn-option pull
 openvpn-option fast-io
 openvpn-option "key-direction 1"
 openvpn-option "script-security 2"
 openvpn-option "up /etc/openvpn/update-resolv-conf"
 openvpn-option "down /etc/openvpn/update-resolv-conf"
 persistent-tunnel
 protocol udp
 remote-host x.x.x.x
 remote-port 1194
 tls {
     auth-file /config/auth/nordvpn/shared.key
     ca-cert-file /config/auth/nordvpn/ca.crt
 }

ip a & ping result

14: vtun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 100
    link/none 
    inet 10.8.0.2/24 brd 10.8.0.255 scope global vtun2
       valid_lft forever preferred_lft forever

[email protected]# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 5ms

ip route printout

[email protected]# ip route
default nhid 82 dev pppoe0 proto static metric 20 
10.8.0.0/24 dev vtun2 proto kernel scope link src 10.8.0.2 
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.21 
10.13.13.0/24 dev wg01 proto kernel scope link src 10.13.13.2 
10.32.10.0/24 dev eth1.10 proto kernel scope link src 10.32.10.252 
10.32.20.0/24 dev eth1.20 proto kernel scope link src 10.32.20.252 
10.32.30.0/24 dev eth1.30 proto kernel scope link src 10.32.30.252 
10.32.40.0/24 dev eth1.40 proto kernel scope link src 10.32.40.252 
10.32.50.0/24 dev eth1.50 proto kernel scope link src 10.32.50.252

sh ip route printout

[email protected]# run sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [1/0] is directly connected, pppoe0, weight 1, 00:53:18
C>* 10.8.0.0/24 is directly connected, vtun2, 00:00:57
C * 10.10.10.0/24 is directly connected, eth0, 00:55:54
C>* 10.10.10.0/24 is directly connected, eth0, 01:10:41
C * 10.32.10.0/24 is directly connected, eth1.10, 00:55:54
C>* 10.32.10.0/24 is directly connected, eth1.10, 01:10:03
C * 10.32.20.0/24 is directly connected, eth1.20, 00:55:54
C>* 10.32.20.0/24 is directly connected, eth1.20, 01:10:03
C * 10.32.30.0/24 is directly connected, eth1.30, 00:55:54
C>* 10.32.30.0/24 is directly connected, eth1.30, 01:10:03
C * 10.32.40.0/24 is directly connected, eth1.40, 00:55:54
C>* 10.32.40.0/24 is directly connected, eth1.40, 01:10:03
C * 10.32.50.0/24 is directly connected, eth1.50, 00:55:54
C>* 10.32.50.0/24 is directly connected, eth1.50, 01:10:03

openvpn log

Jun  1 10:27:31 tony systemd[1]: [email protected]: Succeeded.
Jun  1 10:27:31 tony openvpn-vtun2[11885]: DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.
Jun  1 10:27:31 tony openvpn-vtun2[11885]: WARNING: file '/config/auth/nordvpn/shared.key' is group or others accessible
Jun  1 10:27:31 tony openvpn-vtun2[11885]: WARNING: file '/config/auth/nordvpn/.auth' is group or others accessible
Jun  1 10:27:31 tony openvpn-vtun2[11885]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Jun  1 10:27:31 tony openvpn-vtun2[11885]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Jun  1 10:27:31 tony openvpn-vtun2[11885]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Jun  1 10:27:31 tony openvpn-vtun2[11885]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun  1 10:27:31 tony openvpn-vtun2[11885]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun  1 10:27:31 tony openvpn-vtun2[11885]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun  1 10:27:31 tony openvpn-vtun2[11885]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Jun  1 10:27:31 tony openvpn-vtun2[11885]: Socket Buffers: R=[6711296->6711296] S=[6711296->6711296]
Jun  1 10:27:31 tony openvpn-vtun2[11885]: UDP link local: (not bound)
Jun  1 10:27:31 tony openvpn-vtun2[11885]: UDP link remote: [AF_INET]x.x.x.x:1194
Jun  1 10:27:31 tony openvpn-vtun2[11885]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jun  1 10:27:31 tony openvpn-vtun2[11885]: TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=c909539a 6686493e
Jun  1 10:27:31 tony openvpn-vtun2[11885]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun  1 10:27:31 tony openvpn-vtun2[11885]: VERIFY OK: depth=2, /C=PA/O=NordVPN/CN=NordVPN_Root_CA
Jun  1 10:27:31 tony openvpn-vtun2[11885]: VERIFY OK: depth=1, /C=PA/O=NordVPN/CN=NordVPN_CA5
Jun  1 10:27:31 tony openvpn-vtun2[11885]: VERIFY KU OK
Jun  1 10:27:31 tony openvpn-vtun2[11885]: Validating certificate extended key usage
Jun  1 10:27:31 tony openvpn-vtun2[11885]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun  1 10:27:31 tony openvpn-vtun2[11885]: VERIFY EKU OK
Jun  1 10:27:31 tony openvpn-vtun2[11885]: VERIFY OK: depth=0, /CN=ch276.nordvpn.com
Jun  1 10:27:31 tony openvpn-vtun2[11885]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Jun  1 10:27:31 tony openvpn-vtun2[11885]: [ch276.nordvpn.com] Peer Connection Initiated with [AF_INET]37.120.137.3:1194
Jun  1 10:27:32 tony openvpn-vtun2[11885]: SENT CONTROL [ch276.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jun  1 10:27:32 tony openvpn-vtun2[11885]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 
524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Jun  1 10:27:32 tony openvpn-vtun2[11885]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Jun  1 10:27:32 tony openvpn-vtun2[11885]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jun  1 10:27:32 tony openvpn-vtun2[11885]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jun  1 10:27:32 tony openvpn-vtun2[11885]: OPTIONS IMPORT: timers and/or timeouts modified
Jun  1 10:27:32 tony openvpn-vtun2[11885]: OPTIONS IMPORT: explicit notify parm(s) modified
Jun  1 10:27:32 tony openvpn-vtun2[11885]: OPTIONS IMPORT: compression parms modified
Jun  1 10:27:32 tony openvpn-vtun2[11885]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jun  1 10:27:32 tony openvpn-vtun2[11885]: Socket Buffers: R=[6711296->1048576] S=[6711296->1048576]
Jun  1 10:27:32 tony openvpn-vtun2[11885]: OPTIONS IMPORT: --ifconfig/up options modified
Jun  1 10:27:32 tony openvpn-vtun2[11885]: OPTIONS IMPORT: route-related options modified
Jun  1 10:27:32 tony openvpn-vtun2[11885]: OPTIONS IMPORT: peer-id set
Jun  1 10:27:32 tony openvpn-vtun2[11885]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jun  1 10:27:32 tony openvpn-vtun2[11885]: OPTIONS IMPORT: data channel crypto options modified
Jun  1 10:27:32 tony openvpn-vtun2[11885]: Data Channel: using negotiated cipher 'AES-256-GCM'
Jun  1 10:27:32 tony openvpn-vtun2[11885]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun  1 10:27:32 tony openvpn-vtun2[11885]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun  1 10:27:32 tony openvpn-vtun2[11885]: TUN/TAP device vtun2 opened
Jun  1 10:27:32 tony openvpn-vtun2[11885]: TUN/TAP TX queue length set to 100
Jun  1 10:27:32 tony openvpn-vtun2[11885]: /usr/libexec/vyos/system/unpriv-ip link set dev vtun2 up mtu 1500
Jun  1 10:27:32 tony openvpn-vtun2[11885]: /usr/libexec/vyos/system/unpriv-ip addr add dev vtun2 10.8.0.2/24 broadcast 10.8.0.255
Jun  1 10:27:32 tony openvpn-vtun2[11885]: /etc/openvpn/update-resolv-conf vtun2 1500 1585 10.8.0.2 255.255.255.0 init
Jun  1 10:27:32 tony openvpn-vtun2[11885]: GID set to openvpn
Jun  1 10:27:32 tony openvpn-vtun2[11885]: UID set to openvpn
Jun  1 10:27:32 tony openvpn-vtun2[11885]: Initialization Sequence Completed

There is no firewall zone/policy attached to the specified interface.
when not passing set openvpn-option "dev vtun2" the openvpn log will have multiple fails regarding "ip addr add dev" cause it's trying to use "tun0" instead of the "vtun2" interface.

any suggestions?

There is an example of a working configuration:

set interfaces openvpn vtun10 authentication password xxxxxx
set interfaces openvpn vtun10 authentication username xxxxxx
set interfaces openvpn vtun10 device-type 'tun'
set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 openvpn-option '--config /config/auth/nord/included_config.conf'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 remote-host 'xxx.xxx.218.155'
set interfaces openvpn vtun10 remote-port '1194'
set interfaces openvpn vtun10 tls ca-cert-file xxxxxx

cat /config/auth/nord/included_config.conf

resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server
verb 3
pull
fast-io

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxx...
-----END OpenVPN Static key V1-----
</tls-auth>

Ping:

[email protected]# run ping 10.8.1.1
PING 10.8.1.1 (10.8.1.1) 56(84) bytes of data.
64 bytes from 10.8.1.1: icmp_seq=1 ttl=64 time=9.89 ms
64 bytes from 10.8.1.1: icmp_seq=2 ttl=64 time=10.2 ms
^C
--- 10.8.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 9.894/10.038/10.183/0.175 ms

Show ip route:

[email protected]:~$ show ip route kernel 
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

K>* 0.0.0.0/1 [0/0] via 10.8.3.1, vtun10, 00:02:40
K>* x.x.x.x5/32 [0/0] via 192.168.122.1, eth0, 00:02:40
K>* 128.0.0.0/1 [0/0] via 10.8.3.1, vtun10, 00:02:40