TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
Any idea how to fix them?
openvpn.log
Fri Feb 10 17:37:50 2017 us=397853 174.205.4.201:8085 Local Options hash (VER=V4): '162b04de'
Fri Feb 10 17:37:50 2017 us=397867 174.205.4.201:8085 Expected Remote Options hash (VER=V4): '9e7066d2'
Fri Feb 10 17:37:50 2017 us=397888 174.205.4.201:8085 TLS: Initial packet from [AF_INET]174.205.4.201:8085, sid=ee968243 5ab1043c
Fri Feb 10 17:37:54 2017 us=333981 174.205.4.201:8085 VERIFY OK: depth=1, CN=NasKar NAS CA
Fri Feb 10 17:37:54 2017 us=334336 174.205.4.201:8085 VERIFY OK: depth=0, CN=NasKar
Fri Feb 10 17:37:57 2017 us=397616 MULTI: multi_create_instance called
Fri Feb 10 17:37:57 2017 us=397712 174.205.4.201:8095 Re-using SSL/TLS context
Fri Feb 10 17:37:57 2017 us=397748 174.205.4.201:8095 LZO compression initialized
Fri Feb 10 17:37:57 2017 us=397851 174.205.4.201:8095 Control Channel MTU parms [ L:1558 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Fri Feb 10 17:37:57 2017 us=397879 174.205.4.201:8095 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Fri Feb 10 17:37:57 2017 us=397920 174.205.4.201:8095 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Fri Feb 10 17:37:57 2017 us=397936 174.205.4.201:8095 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Fri Feb 10 17:37:57 2017 us=397963 174.205.4.201:8095 Local Options hash (VER=V4): '162b04de'
Fri Feb 10 17:37:57 2017 us=397986 174.205.4.201:8095 Expected Remote Options hash (VER=V4): '9e7066d2'
Fri Feb 10 17:37:57 2017 us=398023 174.205.4.201:8095 TLS: Initial packet from [AF_INET]174.205.4.201:8095, sid=ceb60f33 4ab6ca47
Fri Feb 10 17:38:02 2017 us=374766 174.205.4.201:8095 VERIFY OK: depth=1, CN=NasKar NAS CA
Fri Feb 10 17:38:02 2017 us=375121 174.205.4.201:8095 VERIFY OK: depth=0, CN=NasKar
Fri Feb 10 17:38:05 2017 us=437943 MULTI: multi_create_instance called
Fri Feb 10 17:38:05 2017 us=438019 174.205.4.201:8078 Re-using SSL/TLS context
Fri Feb 10 17:38:05 2017 us=438043 174.205.4.201:8078 LZO compression initialized
Fri Feb 10 17:38:05 2017 us=438120 174.205.4.201:8078 Control Channel MTU parms [ L:1558 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Fri Feb 10 17:38:05 2017 us=438135 174.205.4.201:8078 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Fri Feb 10 17:38:05 2017 us=438161 174.205.4.201:8078 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Fri Feb 10 17:38:05 2017 us=438170 174.205.4.201:8078 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Fri Feb 10 17:38:05 2017 us=438185 174.205.4.201:8078 Local Options hash (VER=V4): '162b04de'
Fri Feb 10 17:38:05 2017 us=438198 174.205.4.201:8078 Expected Remote Options hash (VER=V4): '9e7066d2'
Fri Feb 10 17:38:05 2017 us=438221 174.205.4.201:8078 TLS: Initial packet from [AF_INET]174.205.4.201:8078, sid=e008598a 47ce6979
Fri Feb 10 17:38:10 2017 us=112128 174.205.4.201:8091 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Feb 10 17:38:10 2017 us=112184 174.205.4.201:8091 TLS Error: TLS handshake failed
Fri Feb 10 17:38:10 2017 us=112274 174.205.4.201:8091 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Feb 10 17:38:10 2017 us=583225 174.205.4.201:8078 VERIFY OK: depth=1, CN=NasKar NAS CA
Fri Feb 10 17:38:10 2017 us=583568 174.205.4.201:8078 VERIFY OK: depth=0, CN=NasKar
openvpn.conf
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" #Yellow network
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 4
log /var/openvpn.log
push 'dhcp-option NTP 129.6.15.30'
iphone.conf
client
dev tun
proto udp
remote external.ddns.net 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert NasKar.crt
key NasKar.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 0.0.0.0
#redirect-gateway def1
comp-lzo
verb 3
iphone.log
2017-02-10 18:48:39 OS Event: SLEEP
2017-02-10 18:48:39 EVENT: PAUSE
2017-02-10 19:14:35 OS Event: WAKEUP
2017-02-10 19:14:38 RESUME TEST: Internet:ReachableViaWWAN/WR t------
2017-02-10 19:14:38 EVENT: RESUME
2017-02-10 19:14:38 EVENT: RECONNECTING
2017-02-10 19:14:38 EVENT: RESOLVE
2017-02-10 19:14:38 Contacting external.IP:443 via UDP
2017-02-10 19:14:38 EVENT: WAIT
2017-02-10 19:14:38 SetTunnelSocket returned 1
2017-02-10 19:14:38 Connecting to [external.ddns.net]:443 (external.IP) via UDPv4
2017-02-10 19:14:38 EVENT: CONNECTING
2017-02-10 19:14:38 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2017-02-10 19:14:38 Creds: UsernameEmpty/PasswordEmpty
2017-02-10 19:14:38 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.1.1-212
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1
2017-02-10 19:14:38 VERIFY OK: depth=1
cert. version : 3
serial number : F3:0A:FE:BA:C2:A2:E0:80
issuer name : CN=NasKar NAS CA
subject name : CN=NasKar NAS CA
issued on : 2016-10-18 22:38:52
expires on : 2026-10-16 22:38:52
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
2017-02-10 19:14:38 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : CN=NasKar NAS CA
subject name : CN=openvpn-server
issued on : 2016-10-18 22:41:18
expires on : 2026-10-16 22:41:18
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=false
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2017-02-10 19:14:39 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
2017-02-10 19:14:39 Session is ACTIVE
2017-02-10 19:14:39 EVENT: GET_CONFIG
2017-02-10 19:14:39 Sending PUSH_REQUEST to server...
2017-02-10 19:14:39 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [dhcp-option] [NTP] [129.6.15.30]
2 [route] [172.16.8.1]
3 [topology] [net30]
4 [ping] [10]
5 [ping-restart] [120]
6 [ifconfig] [172.16.8.6] [172.16.8.5]
2017-02-10 19:14:39 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA1
compress: LZO
peer ID: -1
2017-02-10 19:14:39 EVENT: ASSIGN_IP
2017-02-10 19:14:39 Unknown pushed DHCP option: [dhcp-option] [NTP] [129.6.15.30]
2017-02-10 19:14:39 Connected via tun
2017-02-10 19:14:39 LZO-ASYM init swap=0 asym=0
2017-02-10 19:14:39 EVENT: CONNECTED @external.ddns.net:443 (external.IP) via /UDPv4 on tun/172.16.8.6/ gw=[172.16.8.5/]
2017-02-10 19:14:39 SetStatus Connected