I'll take a stab at it.
Do the clients have a DNS added to them manually during your setup? You may want to set "Advertise DNS" to YES.
The part about Diversion etc. has me scratching my head. Did you install Stubby too?
edit: Missed your yes stubby above ...
Did you re-run the Stubby setup? I seem to recall it needing to be run again after adding a VPN.
Thanks for stabbing
I will try changing Advertise DNS to Yes.
edit: it didn't help, unfortunately
During Stubby setup it says it can't find any active OpenVPN connections, even though I am connected with my cellphone via 4G - maybe try to drop Stubby for the dnscrypt installer?
OpenVPN runs on "server2" if that's any hint
Some screens if it helps:
OpenVPN:
https://i.imgur.com/1nAok7V.png
DHCP:
https://i.imgur.com/tXYkSuj.png
WAN:
https://i.imgur.com/3w77FQI.png
Log from router:
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 TLS: Initial packet from [AF_INET6]::ffff:94.191.130.80:5749, sid=6aa6b043 b305a968
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_VER=3.2
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_PLAT=ios
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_NCP=2
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_TCPNL=1
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_PROTO=2
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_LZO_STUB=1
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_COMP_STUB=1
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_COMP_STUBv2=1
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_BS64DL=1
Mar 5 07:46:47 ovpn-server2[964]: 94.191.130.80 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 5 07:46:47 ovpn-server2[964]: 94.191.130.80 TLS: Username/Password authentication succeeded for username 'superfon' [CN SET]
Mar 5 07:46:47 ovpn-server2[964]: 94.191.130.80 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Mar 5 07:46:47 ovpn-server2[964]: 94.191.130.80 [superfon] Peer Connection Initiated with [AF_INET6]::ffff:94.191.130.80:5749
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 MULTI_sva: pool returned IPv4=10.16.0.2, IPv6=(Not enabled)
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 MULTI: Learn: 10.16.0.2 -> superfon/94.191.130.80
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 MULTI: primary virtual IP for superfon/94.191.130.80: 10.16.0.2
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 PUSH: Received control message: 'PUSH_REQUEST'
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 SENT CONTROL [superfon]: 'PUSH_REPLY,route 10.20.30.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 5 07:47:19 ovpn-server2[964]: superfon/94.191.130.80 SIGTERM[soft,remote-exit] received, client-instance exiting
And log from the client, iOS:
2019-03-05 07:46:46 Contacting [xxxxxxxxx]:1195/UDP via UDP
2019-03-05 07:46:46 EVENT: WAIT
2019-03-05 07:46:46 Connecting to [xxxxxxxxx]:1195 (xxxxxxxxx) via UDPv4
2019-03-05 07:46:46 EVENT: CONNECTING
2019-03-05 07:46:46 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2019-03-05 07:46:46 Creds: Username/Password
2019-03-05 07:46:46 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_BS64DL=1
2019-03-05 07:46:46 VERIFY OK : depth=0
cert. version : 3
serial number : 01
issuer name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
subject name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
issued on : 2019-03-04 18:29:40
expires on : 2029-03-01 18:29:40
signed using : RSA with SHA-256
RSA key size : 1024 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2019-03-05 07:46:47 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2019-03-05 07:46:47 Session is ACTIVE
2019-03-05 07:46:47 EVENT: GET_CONFIG
2019-03-05 07:46:47 Sending PUSH_REQUEST to server...
2019-03-05 07:46:47 OPTIONS:
0 [route] [10.20.30.0] [255.255.255.0] [vpn_gateway] [500]
1 [redirect-gateway] [def1]
2 [route-gateway] [10.16.0.1]
3 [topology] [subnet]
4 [ping] [15]
5 [ping-restart] [60]
6 [ifconfig] [10.16.0.2] [255.255.255.0]
7 [peer-id] [0]
8 [cipher] [AES-256-GCM]
2019-03-05 07:46:47 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: COMP_STUB
peer ID: 0
2019-03-05 07:46:47 EVENT: ASSIGN_IP
2019-03-05 07:46:47 NIP: preparing TUN network settings
2019-03-05 07:46:47 NIP: init TUN network settings with endpoint: xxxxxxxxx
2019-03-05 07:46:47 NIP: adding IPv4 address to network settings 10.16.0.2/255.255.255.0
2019-03-05 07:46:47 NIP: adding (included) IPv4 route 10.16.0.0/24
2019-03-05 07:46:47 NIP: adding (included) IPv4 route 10.20.30.0/24
2019-03-05 07:46:47 NIP: redirecting all IPv4 traffic to TUN interface
2019-03-05 07:46:47 NIP: adding DNS 8.8.8.8
2019-03-05 07:46:47 NIP: adding DNS 8.8.4.4
2019-03-05 07:46:47 Connected via NetworkExtensionTUN
2019-03-05 07:46:47 LZO-ASYM init swap=0 asym=1
2019-03-05 07:46:47 Comp-stub init swap=1
2019-03-05 07:46:47 EVENT: CONNECTED superfon@xxxxxxxxx:1195 (213.112.237.251) via /UDPv4 on NetworkExtensionTUN/10.16.0.2/ gw=[/]
Changed public IP for xxxxxxxxx
Thanks
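Added example, not part of either post: a check over the router's syslog for what the two logs above show, namely a PUSH_REPLY that carries redirect-gateway but no dhcp-option DNS entry, followed on the iOS side by "adding DNS 8.8.8.8" and "adding DNS 8.8.4.4". The function names and the 10.16.0.1 resolver in the second sample are assumptions made for the example.

```shell
#!/bin/sh
# PUSH_REPLY line copied from the router log above.
SAMPLE_NO_DNS="Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 SENT CONTROL [superfon]: 'PUSH_REPLY,route 10.20.30.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)"
# Constructed sample: same reply with a DNS server pushed (10.16.0.1 is an assumed resolver).
SAMPLE_WITH_DNS="Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 SENT CONTROL [superfon]: 'PUSH_REPLY,dhcp-option DNS 10.16.0.1,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet' (status=1)"

# pushed_dns: syslog on stdin; one output line per PUSH_REPLY:
#   <client> dns=<servers or NONE> redirect=<yes|no>
pushed_dns() {
  awk '
  /SENT CONTROL/ && /PUSH_REPLY/ {
    client = "?"
    for (i = 2; i <= NF; i++) if ($i == "SENT") { client = $(i - 1); break }
    body = substr($0, index($0, "PUSH_REPLY"))
    q = index(body, "\047")              # closing single quote of the message
    if (q > 0) body = substr(body, 1, q - 1)
    n = split(body, opt, ",")
    dns = ""; redirect = "no"
    for (i = 1; i <= n; i++) {
      if (opt[i] ~ /^redirect-gateway/) redirect = "yes"
      if (opt[i] ~ /^dhcp-option DNS /) {
        split(opt[i], w, " ")
        if (dns != "") dns = dns ","
        dns = dns w[3]
      }
    }
    if (dns == "") dns = "NONE"
    print client " dns=" dns " redirect=" redirect
  }'
}

# missing_dns_push: exit 0 when some client was sent redirect-gateway
# but no DNS server, leaving the resolver choice to the client.
missing_dns_push() {
  pushed_dns | grep -q 'dns=NONE redirect=yes'
}

printf '%s\n' "$SAMPLE_NO_DNS" "$SAMPLE_WITH_DNS" | pushed_dns
```

Feed the router's syslog to `pushed_dns` on stdin after each configuration change to see whether the DNS option actually reaches the client.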