TLS Handshake Failure

atclaus
OpenVpn Newbie
Posts: 8
Joined: Mon Dec 31, 2018 5:44 pm

TLS Handshake Failure

Post by atclaus » Mon Dec 31, 2018 6:00 pm

I am stuck!

I had an OpenVPN server running on Raspbian, but wanted to clear it and start from scratch.

Code:

service openvpn stop
apt purge openvpn easy-rsa
rm -r /etc/openvpn

apt install openvpn easy-rsa
Thought that should give me a fresh and clean install, but I cannot help but think that there is something leftover because I get the below error. I have repeated the above steps a couple of times along with a reboot. I want to use TLS shared keys and mins (like I have on another device), but have not specified that on this device to just try to get it to work.

Server version:

Code:

OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Client version:

Code:

OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018

Code:

Mon Dec 31 12:42:13 2018 us=182425 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Mon Dec 31 12:42:13 2018 us=182425 MANAGEMENT: >STATE:1546278133,RESOLVE,,,,,,
Mon Dec 31 12:42:13 2018 us=193609 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Dec 31 12:42:13 2018 us=193609 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Mon Dec 31 12:42:13 2018 us=193609 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Mon Dec 31 12:42:13 2018 us=193609 TCP/UDP: Preserving recently used remote address: [AF_INET]142.197.236.76:32921
Mon Dec 31 12:42:13 2018 us=193609 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Dec 31 12:42:13 2018 us=193609 UDP link local: (not bound)
Mon Dec 31 12:42:13 2018 us=193609 UDP link remote: [AF_INET]IP:port
Mon Dec 31 12:42:13 2018 us=193609 MANAGEMENT: >STATE:1546278133,WAIT,,,,,,
Mon Dec 31 12:43:13 2018 us=472804 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Dec 31 12:43:13 2018 us=472804 TLS Error: TLS handshake failed
Mon Dec 31 12:43:13 2018 us=472804 TCP/UDP: Closing socket
Mon Dec 31 12:43:13 2018 us=472804 SIGUSR1[soft,tls-error] received, process restarting
Mon Dec 31 12:43:13 2018 us=472804 MANAGEMENT: >STATE:1546278193,RECONNECTING,tls-error,,,,,
Mon Dec 31 12:43:13 2018 us=472804 Restart pause, 5 second(s)
Mon Dec 31 12:43:18 2018 us=522711 Re-using SSL/TLS context
earlier in the log I get:

Code:

Mon Dec 31 12:42:12 2018 us=435856   remote_cert_eku = 'TLS Web Server Authentication'
...
Mon Dec 31 12:42:12 2018 us=435856   tls_timeout = 2
...
Mon Dec 31 12:42:12 2018 us=435856   tls_exit = DISABLED
Mon Dec 31 12:42:12 2018 us=435856   tls_auth_file = '[UNDEF]'
Mon Dec 31 12:42:12 2018 us=435856   tls_crypt_file = '[UNDEF]'
...
Server.conf (same as other devices that work)

Code:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
;tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
explicit-exit-notify 1
OVPN config file

Code:

client
dev tun
proto udp
remote custom.hopto.org port
resolv-retry infinite
nobind
group nogroup
persist-key
persist-tun
;ca ca.crt
;cert client.crt
;key client.key
remote-cert-tls server
;tls-auth ta.key 1
cipher AES-256-CBC
verb 5
<ca>
ca.crt contents
</ca>
<cert>
client.crt
</cert>
<key>
client.key
</key>
Thanks!
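One way to catch the kind of server/client mismatch that ends in the "TLS key negotiation failed to occur within 60 seconds" timeout shown above is to diff the directives that must agree (proto, cipher, tls-auth/tls-crypt usage, port) before touching the network. This is an added example, not code from the thread or from the OpenVPN project; the sample configs it writes (including the host vpn.example.invalid and port 1193) are constructed to mirror the configs posted here.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): cross-check an OpenVPN server.conf
# against a client .ovpn for mismatches that typically end in a TLS handshake
# timeout. Assumes one "directive value..." per line; lines starting with
# ';' or '#' are treated as unset, as in the thread's configs.

# Print a directive's first argument, "present" if it has none, "unset" if absent.
ovpn_get() {  # $1 = config file, $2 = directive name
    awk -v d="$2" '
        /^[[:space:]]*[;#]/ { next }                # commented-out line
        $1 == d { found = 1; print (NF > 1 ? $2 : "present"); exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print one line per mismatch; return 0 when the configs agree, 1 otherwise.
ovpn_check() {  # $1 = server.conf, $2 = client.ovpn
    local srv="$1" cli="$2" rc=0 k s c sp cp
    for k in proto cipher tls-auth tls-crypt; do
        s=$(ovpn_get "$srv" "$k"); c=$(ovpn_get "$cli" "$k")
        case "$k" in tls-auth|tls-crypt)  # key file names may differ;
            case "$s" in unset) ;; *) s=used ;; esac  # only both-or-neither
            case "$c" in unset) ;; *) c=used ;; esac  # matters here
        esac
        if [ "$s" != "$c" ]; then echo "$k: server=$s client=$c"; rc=1; fi
    done
    # The client's "remote host [port]" must match the server's "port"
    # (both default to 1194 when omitted).
    sp=$(ovpn_get "$srv" port); case "$sp" in unset|present) sp=1194 ;; esac
    cp=$(awk '!/^[[:space:]]*[;#]/ && $1 == "remote" { print $3; exit }' "$cli")
    cp=${cp:-1194}
    if [ "$sp" != "$cp" ]; then echo "port: server=$sp client=$cp"; rc=1; fi
    return "$rc"
}

# Constructed sample pair modelled on the thread: tls-auth commented out on
# the server but enabled on the client, plus a remote port that differs.
ovpn_write_samples() {  # $1 = directory to receive server.conf and client.ovpn
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' ';tls-auth ta.key 0 # secret' \
        'cipher AES-256-CBC' > "$1/server.conf"
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote vpn.example.invalid 1193' \
        'remote-cert-tls server' 'tls-auth ta.key 1' 'cipher AES-256-CBC' > "$1/client.ovpn"
}

# Run the check on the sample pair; prints two mismatch lines and returns 1.
ovpn_demo() {
    local dir rc=0; dir=$(mktemp -d); ovpn_write_samples "$dir"
    ovpn_check "$dir/server.conf" "$dir/client.ovpn" || rc=$?
    rm -r "$dir"; return "$rc"
}
```

Run `ovpn_check /etc/openvpn/server.conf client.ovpn` on the real files; a non-zero exit with no output means only the remaining, unchecked causes (firewall, router forward, a stopped daemon) are left to look at.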

atclaus
OpenVpn Newbie
Posts: 8
Joined: Mon Dec 31, 2018 5:44 pm

Re: TLS Handshake Failure

Post by atclaus » Mon Dec 31, 2018 6:42 pm

I seem to get the same error regardless of what port I put in the ovpn file. I have the router set up to forward a certain port to the DHCP-reserved IP for the Pi on 1193, and another to that same IP on 22 for SSH. SSH works, but VPN fails.

TinCanTech
OpenVPN Protagonist
Posts: 5484
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Handshake Failure

Post by TinCanTech » Mon Dec 31, 2018 7:00 pm

Did you notice how you did not post your server log .. ?

atclaus
OpenVpn Newbie
Posts: 8
Joined: Mon Dec 31, 2018 5:44 pm

Re: TLS Handshake Failure

Post by atclaus » Mon Dec 31, 2018 7:04 pm

I just uncommented the

Code:

log-append  openvpn.log
in the server.conf, but on trying to connect no log is created.

atclaus
OpenVpn Newbie
Posts: 8
Joined: Mon Dec 31, 2018 5:44 pm

[SOLVED] Re: TLS Handshake Failure

Post by atclaus » Sat Jan 05, 2019 7:26 pm

Not sure why this was behaving as such, but another reboot did it.... I know I tried it, but should have again before posting. Thanks

bigjohns97
OpenVpn Newbie
Posts: 6
Joined: Wed Jan 03, 2018 3:10 am

Re: TLS Handshake Failure

Post by bigjohns97 » Mon Jan 07, 2019 8:19 pm

You don't happen to be running PiHole on this same OS, are you?
