New BB Code [oconf] for Openvpn TLS key negotiation failed

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
senrabdet
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 18, 2021 4:12 pm

New BB Code [oconf] for Openvpn TLS key negotiation failed

Post by senrabdet » Wed Jan 10, 2024 7:45 pm

Hi All, I will confess I have a love/hate relationship with this tool. Free, so useful, and so hard to configure. For the purposes of this post, my clients and servers are all windows (a mix of win10 and win11, windows server 2019). I had connections working until recently, and the crts are expiring. I've tried all sorts of things like changing the expire date via cli with no joy. As of now, I'm trying to use Easy-RSA 3.x to create new keys. So arguably, my windows firewall settings, my network firewall settings are good to go, my server IP is the same. But I'm getting the dreaded "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" and "TLS Error: TLS handshake failed" errors.

I've uninstalled and re-installed OpenVPN-2.6.8-I001-amd64 with easy-rsa on my laptop and remote server (windows server 2019 in this case), and for good measure restarted the open vpn services (windows).

Using "https://community.openvpn.net/openvpn/w ... nVPN-Howto" and following the "Producing your complete PKI on the CA machine" section, I launch Easy-RSA.bat and run

./easyrsa init-pki
./easyrsa build-ca (entered pass phrase I want to use, and common name)
./easyrsa build-server-full server (entered pass phrase I want to use, and a different common name)
./easyrsa build-client-full client (entered pass phrase I want to use, used common name for client)
./easyrsa gen-dh (may be this doesn't work with creating on the CA machine?)

Over a secure connection, copied ca.crt, client.crt, and client.key to my laptop.

Server.ovpn is in C:\Program Files\OpenVPN\config-auto (I tried C:\Program Files\OpenVPN\config too, but no better). My server.ovpn is:

port xxxx
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

My Client.ovpn is:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1196
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
remote-cert-tls server
ca "c:\\openvpn\\easy-rsa\\keys\\ca.crt"
cert "c:\\openvpn\\easy-rsa\\keys\\client.crt"
key "c:\\openvpn\\easy-rsa\\client.key"
comp-lzo
verb 3

...I try to connect, it thinks for a minute and I get:

Wed Jan 10 14:40:11 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan 10 14:40:11 2024 TLS Error: TLS handshake failed

I've tried disabling and enabling the Windows firewall, no difference, and checked that 1196 is open on the remote network firewall and that the connection is being forwarded to the server by the remote network firewall.

What gives? I want to use this tool, but can't afford the hrs/days I spend on setting it up again when it stops working.

Suggestions really appreciated. Thx.


Re: New BB Code [oconf] for Openvpn TLS key negotiation failed

Post by senrabdet » Fri Jan 12, 2024 4:02 pm

PS: does anyone have any evidence this might be an ISP or a Windows update problem? My thinking here is that many of these connections were working and then stopped, and nothing else has changed other than Windows updates or whatever the ISPs are doing... a thin hypothesis, but hoping to put it out there.


Re: New BB Code [oconf] for Openvpn TLS key negotiation failed

Post by senrabdet » Thu Jan 18, 2024 1:25 pm

Any suggestions? Again, my environment is all Windows (I've got OpenVPN to work recently from a Windows box to a remote Ubuntu machine but am stuck trying to get Windows to Windows to work). I have tried generating all the crts and keys on a CA machine, including signing. I am not trying to use the Easy-TLS stuff. I've tried connecting over a LAN with the Windows firewall off (presumably to rule out the peripheral firewall being a problem) and checked port settings on Windows and the peripheral firewall, and port forwarding on the peripheral firewall, when trying to connect remotely.

Q: is the problem that I'm trying to create all of the crts and keys on the CA server and sign them there? As said, I recently got this all working for a Windows machine connecting to a remote Ubuntu machine, creating all the crts and keys on the Ubuntu machine. That's not following the instructions of creating them on separate machines and "importing them". That approach seems like overkill for my purposes, but am I skipping steps that I can't skip?

Again, the commands I'm using on the CA server are (I'm using nopass for testing to rule out password problems but wouldn't want to do that in production)
https://community.openvpn.net/openvpn/w ... nVPN-Howto

./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa gen-req client nopass
./easyrsa show-req server
./easyrsa show-req client
./easyrsa sign-req server server
./easyrsa sign-req client client
./easyrsa gen-dh

My server.ovpn is in C:\Users\User\OpenVPN\config\server and is:
port 1194
proto udp
dev tap
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
remote-cert-tls server
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 5

My client.ovpn is:
client
dev tap
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "j:\\openvpn\\easy-rsa\\keys\\user\\ca.crt"
cert "j:\\openvpn\\easy-rsa\\keys\\user\\client.crt"
key "j:\\openvpn\\easy-rsa\\keys\\user\\client.key"
comp-lzo
verb 5

Error on the client side:
2024-01-18 08:10:26 us=375000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-01-18 08:10:26 us=375000 TLS Error: TLS handshake failed

At the moment, despite my server.ovpn being verb 5, my server.log is blank.
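For comparison, the settings that must agree on both ends, shown as a corrected server/client pair. This is an added example, not the poster's configuration or an OpenVPN project file; the paths, hostname, network and port are assumptions. The differences from the configs posted above: `remote-cert-tls server` belongs only in the client config (the server-side counterpart is `remote-cert-tls client`, which checks the client certificate's EKU, and Easy-RSA's `sign-req server` / `sign-req client` set exactly those EKUs); a `tls-auth` key shared by both ends, so that packets without the HMAC are dropped before any TLS work happens; and no `comp-lzo`, which is deprecated and must in any case match on both sides. One point is about where the file lives rather than what is in it: with the Windows installer, OpenVPNService starts every .ovpn in C:\Program Files\OpenVPN\config-auto, while a file under C:\Users\<user>\OpenVPN\config is only started when that user launches it from the OpenVPN GUI. A log file that stays empty at verb 5 means no openvpn.exe instance has started with that config (or could not write to that location).

```text
# server.ovpn  (added example; paths, network and port are assumptions)
port 1194
proto udp
dev tun                      # tun on both ends, or tap on both ends; they must match
ca   "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\server.crt"
key  "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\server.key"
dh   "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
# generate once on the server:  openvpn --genkey tls-auth ta.key
# and copy ta.key to the client over the same secure channel as the certificates
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ta.key" 0
remote-cert-tls client       # server-side form: require the client cert's clientAuth EKU
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4                       # 4 shows handshake and certificate verification steps

# client.ovpn  (added example; hostname is an assumption; ta.key, ca.crt,
# client.crt and client.key sit next to this file, so relative names work)
client
dev tun
proto udp
remote vpn.example.invalid 1194   # the address and port the edge firewall forwards to the server
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server       # client-side form: reject a server whose cert lacks the serverAuth EKU
tls-auth ta.key 1            # same key as the server, opposite direction number
ca   ca.crt
cert client.crt
key  client.key
auth-nocache
verb 4
```

With `tls-auth` in place, a handshake timeout on the client can also be caused by the two ends holding different ta.key files or the same direction number on both sides, so check that first whenever the key is rotated.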
