You are not logged in.

#1 2013-02-16 12:06:54

archtom
Member
Registered: 2011-05-04
Posts: 42

[solved] openvpn connection no longer working, tls error

Hey!

I have a strange problem. The same setup was working for months, nothing changed. Perhaps it`s due to an update and you guys can help me. I can`t establish a vpn connection to our openvpn server any more.

I`m using tunnelblick as vpn client to connect from my mac to the office. It hangs at "waiting for response from server". I`m not an expert, but as I understand the tls handshake fails. I googled around and tried everything suggested, but no success.

I haven`t used it since the latest openvpn package update, perhaps it has something to do with that?

I found this, too, but it didn`t help either:
http://openvpn.net/index.php/open-sourc … ivity.html

This is the client log:

2013-02-16 11:17:06 MANAGEMENT: >STATE:1361009826,WAIT,,,
2013-02-16 11:18:06 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2013-02-16 11:18:06 TLS Error: TLS handshake failed
2013-02-16 11:18:06 TCP/UDP: Closing socket
2013-02-16 11:18:06 SIGUSR1[soft,tls-error] received, process restarting
2013-02-16 11:18:06 MANAGEMENT: >STATE:1361009886,RECONNECTING,tls-error,,
2013-02-16 11:18:06 MANAGEMENT: CMD 'hold release'

and this is the server log (verbose 5):

Sat Feb 16 11:38:08 2013 us=118721 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Feb 16 11:38:08 2013 us=133716 Diffie-Hellman initialized with 2048 bit key
Sat Feb 16 11:38:08 2013 us=134619 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Sat Feb 16 11:38:08 2013 us=134677 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Feb 16 11:38:08 2013 us=134707 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Feb 16 11:38:08 2013 us=134745 TLS-Auth MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Feb 16 11:38:08 2013 us=134808 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sat Feb 16 11:38:08 2013 us=135268 TUN/TAP device tap0 opened
Sat Feb 16 11:38:08 2013 us=135370 TUN/TAP TX queue length set to 100
Sat Feb 16 11:38:08 2013 us=135572 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Feb 16 11:38:08 2013 us=137116 UDPv4 link local (bound): [undef]
Sat Feb 16 11:38:08 2013 us=137832 UDPv4 link remote: [undef]
Sat Feb 16 11:38:08 2013 us=137870 MULTI: multi_init called, r=256 v=256
Sat Feb 16 11:38:08 2013 us=138013 IFCONFIG POOL: base=192.168.1.220 size=10, ipv6=0
Sat Feb 16 11:38:08 2013 us=138087 Initialization Sequence Completed
Sat Feb 16 11:38:22 2013 us=273924 MULTI: multi_create_instance called
Sat Feb 16 11:38:22 2013 us=274097 192.168.1.4:1194 Re-using SSL/TLS context
Sat Feb 16 11:38:22 2013 us=274189 192.168.1.4:1194 LZO compression initialized
Sat Feb 16 11:38:22 2013 us=274539 192.168.1.4:1194 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Feb 16 11:38:22 2013 us=274643 192.168.1.4:1194 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Feb 16 11:38:22 2013 us=274701 192.168.1.4:1194 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sat Feb 16 11:38:22 2013 us=274717 192.168.1.4:1194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sat Feb 16 11:38:22 2013 us=274745 192.168.1.4:1194 Local Options hash (VER=V4): 'c5677ab3'
Sat Feb 16 11:38:22 2013 us=274765 192.168.1.4:1194 Expected Remote Options hash (VER=V4): 'a7133b47'
RSat Feb 16 11:38:22 2013 us=275000 192.168.1.4:1194 TLS: Initial packet from [AF_INET]192.168.1.4:1194 (via [AF_INET]192.168.1.205%br0), sid=e46fc8e5 4b4327b5
WSat Feb 16 11:38:22 2013 us=275121 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RWSat Feb 16 11:38:24 2013 us=597178 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RWSat Feb 16 11:38:28 2013 us=80376 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RWSat Feb 16 11:38:36 2013 us=360017 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
WSat Feb 16 11:38:52 2013 us=266108 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RWSat Feb 16 11:38:52 2013 us=284681 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RSat Feb 16 11:39:22 2013 us=604136 192.168.1.4:1194 TLS: new session incoming connection from [AF_INET]192.168.1.4:1194 (via [AF_INET]192.168.1.205%br0)
Sat Feb 16 11:39:22 2013 us=604198 192.168.1.4:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 16 11:39:22 2013 us=604219 192.168.1.4:1194 TLS Error: TLS handshake failed

This is the server config. It`s located in /etc/openvpn/openvpn_server.conf and the server starts fine with systemctl start openvpn@openvpn_server.service.

mode server
dev tap0
multihome
server-bridge 192.168.1.205 255.255.255.0 192.168.1.220 192.168.1.229
client-to-client

proto udp
port 1194
comp-lzo

persist-tun
persist-key
keepalive 10 120

 ca /etc/openvpn/keys/ca.crt
 dh /etc/openvpn/keys/dh2048.pem
 cert /etc/openvpn/keys/archvpn.crt
 key /etc/openvpn/keys/archvpn.key
 tls-auth /etc/openvpn/keys/ta.key 0
 tls-server

verb 3
cipher AES-128-CBC

log      /etc/openvpn/openvpn.log

This is the client config:

client
remote myserver.dyndns.org 1194
dev tap0

proto udp
port 1194
comp-lzo
ca ca.crt 
cert tom.crt 
key tom.key

persist-tun
persist-key
resolv-retry infinite
keepalive 10 120

tls-auth ta.key 1
tls-client
ns-cert-type server

verb 3
cipher AES-128-CBC
float

What I checked and tried so far:
0    did a lot of reading

1    modules are loaded in /etc/modules-load.d/openvpn.conf
tun
bridge

2 netcfg config starts tap and network config

/etc/conf.d/netcfg
NETWORKS=(openvpn_tap office_lan_openvpn)

/etc/network.d/openvpn_tap
INTERFACE='tap0'
CONNECTION='tuntap'
MODE='tap'
USER='nobody'
GROUP='nobody'

/etc/network.d/office_lan_openvpn
INTERFACE="br0"
CONNECTION="bridge"
DESCRIPTION="Ethernet/OpenVPN bridge"
BRIDGE_INTERFACES="eth0 tap0"
IP="static"
ADDR="192.168.1.205"
GATEWAY="192.168.2.1"
DNS=("192.168.1.1")

3    checked firewall port, even disabled iptables

4    port forwarding in fritzbox is active

5    all other connections from outside are working (http, ftp)

6    certificates and keys should be fine, they were working in the past with the same setup

Hope someone can help me, I really need my connection back… If anything else is needed just let me know.

Last edited by archtom (2013-02-16 16:08:21)

Offline

#2 2013-02-16 16:07:37

archtom
Member
Registered: 2011-05-04
Posts: 42

Re: [solved] openvpn connection no longer working, tls error

I solved it wink

I did more reading and it seemed to be a problem in the config files, anything else could be pretty much excluded.

I started with fresh config files referring to the german wiki (it`s different) from .org. Since it was working with this I started to track the problem down. In the end I had to delete the

multihome

option in the server config. Everything seems fine now! Thanks for everyone that read it. Perhaps it helps someone in the future.

Offline

Board footer

Powered by FluxBB