Hey!
I have a strange problem. The same setup was working for months, nothing changed. Perhaps it's due to an update and you guys can help me. I can't establish a VPN connection to our OpenVPN server any more.
I'm using Tunnelblick as VPN client to connect from my Mac to the office. It hangs at "waiting for response from server". I'm not an expert, but as I understand it the TLS handshake fails. I googled around and tried everything suggested, but no success.
I haven't used it since the latest openvpn package update, perhaps it has something to do with that?
I found this, too, but it didn't help either:
http://openvpn.net/index.php/open-sourc … ivity.html
This is the client log:
2013-02-16 11:17:06 MANAGEMENT: >STATE:1361009826,WAIT,,,
2013-02-16 11:18:06 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2013-02-16 11:18:06 TLS Error: TLS handshake failed
2013-02-16 11:18:06 TCP/UDP: Closing socket
2013-02-16 11:18:06 SIGUSR1[soft,tls-error] received, process restarting
2013-02-16 11:18:06 MANAGEMENT: >STATE:1361009886,RECONNECTING,tls-error,,
2013-02-16 11:18:06 MANAGEMENT: CMD 'hold release'
and this is the server log (verbose 5):
Sat Feb 16 11:38:08 2013 us=118721 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Feb 16 11:38:08 2013 us=133716 Diffie-Hellman initialized with 2048 bit key
Sat Feb 16 11:38:08 2013 us=134619 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Sat Feb 16 11:38:08 2013 us=134677 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Feb 16 11:38:08 2013 us=134707 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Feb 16 11:38:08 2013 us=134745 TLS-Auth MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Feb 16 11:38:08 2013 us=134808 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sat Feb 16 11:38:08 2013 us=135268 TUN/TAP device tap0 opened
Sat Feb 16 11:38:08 2013 us=135370 TUN/TAP TX queue length set to 100
Sat Feb 16 11:38:08 2013 us=135572 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Feb 16 11:38:08 2013 us=137116 UDPv4 link local (bound): [undef]
Sat Feb 16 11:38:08 2013 us=137832 UDPv4 link remote: [undef]
Sat Feb 16 11:38:08 2013 us=137870 MULTI: multi_init called, r=256 v=256
Sat Feb 16 11:38:08 2013 us=138013 IFCONFIG POOL: base=192.168.1.220 size=10, ipv6=0
Sat Feb 16 11:38:08 2013 us=138087 Initialization Sequence Completed
Sat Feb 16 11:38:22 2013 us=273924 MULTI: multi_create_instance called
Sat Feb 16 11:38:22 2013 us=274097 192.168.1.4:1194 Re-using SSL/TLS context
Sat Feb 16 11:38:22 2013 us=274189 192.168.1.4:1194 LZO compression initialized
Sat Feb 16 11:38:22 2013 us=274539 192.168.1.4:1194 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Feb 16 11:38:22 2013 us=274643 192.168.1.4:1194 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Feb 16 11:38:22 2013 us=274701 192.168.1.4:1194 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sat Feb 16 11:38:22 2013 us=274717 192.168.1.4:1194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sat Feb 16 11:38:22 2013 us=274745 192.168.1.4:1194 Local Options hash (VER=V4): 'c5677ab3'
Sat Feb 16 11:38:22 2013 us=274765 192.168.1.4:1194 Expected Remote Options hash (VER=V4): 'a7133b47'
RSat Feb 16 11:38:22 2013 us=275000 192.168.1.4:1194 TLS: Initial packet from [AF_INET]192.168.1.4:1194 (via [AF_INET]192.168.1.205%br0), sid=e46fc8e5 4b4327b5
WSat Feb 16 11:38:22 2013 us=275121 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RWSat Feb 16 11:38:24 2013 us=597178 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RWSat Feb 16 11:38:28 2013 us=80376 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RWSat Feb 16 11:38:36 2013 us=360017 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
WSat Feb 16 11:38:52 2013 us=266108 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RWSat Feb 16 11:38:52 2013 us=284681 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RSat Feb 16 11:39:22 2013 us=604136 192.168.1.4:1194 TLS: new session incoming connection from [AF_INET]192.168.1.4:1194 (via [AF_INET]192.168.1.205%br0)
Sat Feb 16 11:39:22 2013 us=604198 192.168.1.4:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 16 11:39:22 2013 us=604219 192.168.1.4:1194 TLS Error: TLS handshake failed
This is the server config. It's located in /etc/openvpn/openvpn_server.conf and the server starts fine with systemctl start openvpn@openvpn_server.service.
mode server
dev tap0
multihome
server-bridge 192.168.1.205 255.255.255.0 192.168.1.220 192.168.1.229
client-to-client
proto udp
port 1194
comp-lzo
persist-tun
persist-key
keepalive 10 120
ca /etc/openvpn/keys/ca.crt
dh /etc/openvpn/keys/dh2048.pem
cert /etc/openvpn/keys/archvpn.crt
key /etc/openvpn/keys/archvpn.key
tls-auth /etc/openvpn/keys/ta.key 0
tls-server
verb 3
cipher AES-128-CBC
log /etc/openvpn/openvpn.log
This is the client config:
client
remote myserver.dyndns.org 1194
dev tap0
proto udp
port 1194
comp-lzo
ca ca.crt
cert tom.crt
key tom.key
persist-tun
persist-key
resolv-retry infinite
keepalive 10 120
tls-auth ta.key 1
tls-client
ns-cert-type server
verb 3
cipher AES-128-CBC
float
What I checked and tried so far:
0 did a lot of reading
1 modules are loaded in /etc/modules-load.d/openvpn.conf
tun
bridge
2 netcfg config starts tap and network config
/etc/conf.d/netcfg
NETWORKS=(openvpn_tap office_lan_openvpn)
/etc/network.d/openvpn_tap
INTERFACE='tap0'
CONNECTION='tuntap'
MODE='tap'
USER='nobody'
GROUP='nobody'
/etc/network.d/office_lan_openvpn
INTERFACE="br0"
CONNECTION="bridge"
DESCRIPTION="Ethernet/OpenVPN bridge"
BRIDGE_INTERFACES="eth0 tap0"
IP="static"
ADDR="192.168.1.205"
GATEWAY="192.168.2.1"
DNS=("192.168.1.1")
3 checked firewall port, even disabled iptables
4 port forwarding in fritzbox is active
5 all other connections from outside are working (http, ftp)
6 certificates and keys should be fine, they were working in the past with the same setup
Hope someone can help me, I really need my connection back… If anything else is needed just let me know.
Last edited by archtom (2013-02-16 16:08:21)
I solved it
I did more reading and it seemed to be a problem in the config files, anything else could be pretty much excluded.
I started with fresh config files referring to the German wiki (it's different) from .org. Since it was working with this I started to track the problem down. In the end I had to delete the
multihome
option in the server config. Everything seems fine now! Thanks to everyone who read it. Perhaps it helps someone in the future.
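An added example that is not code from this thread or from the OpenVPN project, tying the two posts together: the verb 5 server log in the question shows `write UDPv4: Invalid argument (code=22)` for every reply to the client before the handshake times out, and the answer is that removing `multihome` from the server config fixed it. The script below parses such log lines (including the R/W read/write markers glued to the front of verb 5 timestamps), counts per peer how many replies the kernel rejected and how many handshakes failed, translates the `code=` value with the errno table (22 is EINVAL), and flags `multihome` in a server config. The sample log and config lines are constructed from the ones quoted above; the function names and the wording of the findings are my own.

```python
"""Triage helper for an OpenVPN server that logs 'write UDPv4: Invalid argument'.

Added example, not code from the thread or from OpenVPN. Assumes the standard
OpenVPN log line layout; names below are the author of this example's own.
"""
import errno
import re
from collections import defaultdict

# Constructed sample, modelled on the verb 5 server log quoted in the thread.
SAMPLE_SERVER_LOG = """\
Sat Feb 16 11:38:08 2013 us=138087 Initialization Sequence Completed
Sat Feb 16 11:38:22 2013 us=273924 MULTI: multi_create_instance called
RSat Feb 16 11:38:22 2013 us=275000 192.168.1.4:1194 TLS: Initial packet from [AF_INET]192.168.1.4:1194 (via [AF_INET]192.168.1.205%br0), sid=e46fc8e5 4b4327b5
WSat Feb 16 11:38:22 2013 us=275121 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RWSat Feb 16 11:38:24 2013 us=597178 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RSat Feb 16 11:39:22 2013 us=604136 192.168.1.4:1194 TLS: new session incoming connection from [AF_INET]192.168.1.4:1194 (via [AF_INET]192.168.1.205%br0)
Sat Feb 16 11:39:22 2013 us=604198 192.168.1.4:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 16 11:39:22 2013 us=604219 192.168.1.4:1194 TLS Error: TLS handshake failed
"""

# Constructed sample of the first lines of the server config from the thread.
SAMPLE_SERVER_CONF = """\
mode server
dev tap0
multihome
server-bridge 192.168.1.205 255.255.255.0 192.168.1.220 192.168.1.229
proto udp
port 1194
"""

# verb 5 prefixes each line with R and/or W (read/write activity) directly before the timestamp.
LINE_RE = re.compile(
    r"^(?P<io>[RW]*)"
    r"(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=(?P<us>\d+) "
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) )?"   # peer address is present for per-client lines only
    r"(?P<msg>.*)$"
)
# 'write UDPv4: Invalid argument (code=22)': the number is the errno the kernel returned.
WRITE_ERR_RE = re.compile(r"^write (?:UDP|TCP)v[46]: (?P<text>.*) \(code=(?P<code>\d+)\)$")


def parse_line(line):
    """Split one log line into io flags, timestamp, peer (or None) and message; None if unparsable."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage_log(text):
    """Per peer: count kernel send errors (with errno names) and TLS handshake failures."""
    peers = defaultdict(lambda: {"write_errors": 0, "errnos": set(), "handshake_failed": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["peer"] is None:
            continue
        p = peers[rec["peer"]]
        werr = WRITE_ERR_RE.match(rec["msg"])
        if werr:
            p["write_errors"] += 1
            p["errnos"].add(errno.errorcode.get(int(werr["code"]), "E?"))
        elif "TLS handshake failed" in rec["msg"]:
            p["handshake_failed"] += 1
    return dict(peers)


def diagnose(peers):
    """Turn the per-peer counters into findings a defender can act on."""
    findings = []
    for peer, p in sorted(peers.items()):
        if p["write_errors"] and p["handshake_failed"]:
            # The client's first packet arrived, so the path in works; the kernel refused
            # every reply locally, so the fault is a socket/config problem on the server.
            findings.append(
                f"{peer}: {p['write_errors']} send error(s) ({', '.join(sorted(p['errnos']))}) "
                f"before {p['handshake_failed']} handshake failure(s): replies are rejected "
                f"locally, so look at the server's socket options rather than firewall or port forwarding")
        elif p["handshake_failed"]:
            findings.append(f"{peer}: handshake failed without send errors; check the path to the client")
    return findings


def check_server_config(conf):
    """Flag the 'multihome' option, which the thread's author removed to fix EINVAL on writes."""
    findings = []
    for n, raw in enumerate(conf.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # ignore comments and blank lines
        if words and words[0] == "multihome":
            findings.append(f"line {n}: 'multihome' set; with EINVAL on writes, try removing it")
    return findings


if __name__ == "__main__":
    for finding in diagnose(triage_log(SAMPLE_SERVER_LOG)) + check_server_config(SAMPLE_SERVER_CONF):
        print(finding)
```

Run it against a real log with `triage_log(open("/etc/openvpn/openvpn.log").read())`; the useful signal is the combination: a peer whose first TLS packet was received but whose every reply failed with a local errno narrows the search to the server's own socket configuration, which is exactly where the thread ended up.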