I have the same problem.
(I omitted some values and replaced them with ...)
Server config:
port ...
proto udp
dev tun0
ca ...
cert ...
key ...
dh ...
tls-auth ... 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
user ovpn_serv
group ovpn_serv
verb 5
Client config:
client
dev tun
proto udp
remote ... ...
remote ... ...
resolv-retry infinite
nobind
user openvpn
group openvpn
persist-key
persist-tun
ca ...
cert ...
key ...
tls-auth ... 1
ns-cert-type server
verb 3
Log on server:
Sep 01 15:19:46 server openvpn[1745]: Mon Sep 1 15:19:46 2014 us=22521 147.251.45.226:53630 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 01 15:20:11 server openvpn[1745]: Mon Sep 1 15:20:11 2014 us=343704 147.251.45.226:47053 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 01 15:20:11 server openvpn[1745]: Mon Sep 1 15:20:11 2014 us=343775 147.251.45.226:47053 TLS Error: TLS handshake failed
Sep 01 15:20:11 server openvpn[1745]: Mon Sep 1 15:20:11 2014 us=343959 147.251.45.226:47053 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905218 MULTI: multi_create_instance called
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905333 147.251.45.226:43971 Re-using SSL/TLS context
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905489 147.251.45.226:43971 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905522 147.251.45.226:43971 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905588 147.251.45.226:43971 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905609 147.251.45.226:43971 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905648 147.251.45.226:43971 Local Options hash (VER=V4): 'a2e2498c'
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905683 147.251.45.226:43971 Expected Remote Options hash (VER=V4): '70f5b3af'
Sep 01 15:20:15 server openvpn[1745]: RMon Sep 1 15:20:15 2014 us=905747 147.251.45.226:43971 TLS: Initial packet from [AF_INET]147.251.45.226:43971, sid=af1709c5 32db0c3d
Sep 01 15:20:42 server openvpn[1745]: WRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWWWWWWWWWWMon Sep 1 15:20:42 2014 us=134582 MULTI: multi_create_instance called
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=134703 147.251.45.226:49238 Re-using SSL/TLS context
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=134861 147.251.45.226:49238 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=134895 147.251.45.226:49238 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=134991 147.251.45.226:49238 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=135016 147.251.45.226:49238 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=135055 147.251.45.226:49238 Local Options hash (VER=V4): 'a2e2498c'
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=135090 147.251.45.226:49238 Expected Remote Options hash (VER=V4): '70f5b3af'
Sep 01 15:20:42 server openvpn[1745]: RMon Sep 1 15:20:42 2014 us=135153 147.251.45.226:49238 TLS: Initial packet from [AF_INET]147.251.45.226:49238, sid=0cb1cf07 7c2b36a5
Sep 01 15:21:15 server openvpn[1745]: WRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWWWWWWWWWWWWWWWWWMon Sep 1 15:21:15 2014 us=915284 147.251.45.226:43971 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 01 15:21:15 server openvpn[1745]: Mon Sep 1 15:21:15 2014 us=915355 147.251.45.226:43971 TLS Error: TLS handshake failed
Log on client:
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 UDPv4 link local: [undef]
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 UDPv4 link remote: [AF_INET] <...>
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 TLS: Initial packet from [AF_INET] <...>, sid=f47688f7 8e130a59
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 VERIFY OK: depth=1, CN=Easy-RSA CA
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 VERIFY nsCertType ERROR: CN=server, require nsCertType=SERVER
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 TLS Error: TLS object -> incoming plaintext read error
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 TLS Error: TLS handshake failed
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 SIGUSR1[soft,tls-error] received, process restarting
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 Restart pause, 2 second(s)
Both computers are running NixOS Linux x86_64, OpenVPN 2.3.4, and the keys were generated by easyrsa3 (this might be the cause).
The server key contains the following X509v3 extensions:
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Subject Key Identifier:
        <...>
    X509v3 Authority Key Identifier:
        keyid:<...>
        DirName:/CN=Easy-RSA CA
        serial:<...>
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    X509v3 Key Usage:
        Digital Signature, Key Encipherment
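
Added example, not part of the original post: a small Python check that parses the extension list shown above and evaluates it against two client-side server-certificate directives, the `ns-cert-type server` line from the posted client config and OpenVPN's `remote-cert-tls server`. The function names are hypothetical, and the key-usage rule follows the equivalence given in the OpenVPN 2.3 manual (`remote-cert-ku a0 88` plus `remote-cert-eku "TLS Web Server Authentication"`).

```python
import re
# Extension dump as posted above (openssl x509 -text style), elisions kept as-is.
SERVER_CERT_EXTS = """\
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
<...>
X509v3 Authority Key Identifier:
keyid:<...>
DirName:/CN=Easy-RSA CA
serial:<...>
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
"""

HEADER = re.compile(r"^(?:X509v3|Netscape) (.+?):(?: critical)?$")

def parse_extensions(text):
    """Map extension name -> set of comma-separated values."""
    exts, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:  # "X509v3 extensions:" is the section title, not an extension
            current = None if m.group(1) == "extensions" else m.group(1)
            if current:
                exts[current] = set()
        elif line and current:
            exts[current].update(v.strip() for v in line.split(","))
    return exts

def check_directive(directive, exts):
    """Return (passes, reason) for a client-side check of the server cert."""
    if directive == "ns-cert-type server":
        ok = "SSL Server" in exts.get("Cert Type", set())
        return ok, "Netscape Cert Type " + ("has" if ok else "lacks") + " SSL Server"
    if directive == "remote-cert-tls server":
        eku = "TLS Web Server Authentication" in exts.get("Extended Key Usage", set())
        ku = exts.get("Key Usage", set()) in (
            {"Digital Signature", "Key Encipherment"},  # remote-cert-ku a0
            {"Digital Signature", "Key Agreement"})     # remote-cert-ku 88
        return eku and ku, f"EKU serverAuth={eku}, key usage accepted={ku}"
    raise ValueError(f"unsupported directive: {directive}")

if __name__ == "__main__":
    for d in ("ns-cert-type server", "remote-cert-tls server"):
        print(d, "->", check_directive(d, parse_extensions(SERVER_CERT_EXTS)))
```

For the posted certificate the first directive fails because no Netscape Cert Type extension is present, which matches the `VERIFY nsCertType ERROR` line in the client log, while the EKU-based directive is satisfied.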