tls hand shake problem - please help

[TinCanTech]

Do you trust banks as well ?!?!?

[300000]

if you need everything to buy you need to ask banks , from small to big so the banks will know all your money you got, no matter who you are , they will record all active spending on all items you bought and spent. Can you bring the whole 500000 pounds cash and buy the house is that ok? or you need to pay over the bank? ask yourself that question first and like or not you still give all info to the bank anyway.

[TinCanTech]

Microsoft control and set up the standard for the world on business world

Microshaft STOLE practically everything they are known for.

That business use Microshaft was a hasty decision, made by people who did not understand what they were getting into.

if you need everything to buy you need to ask banks

Because the financial service industry is nothing more than a massive con-trick to put people into debt. Because that is the only way banks make money.

Getting back to the OP's problem:

While the online scanner restults are completely inconclusive, the server log posted does show that no packets are received by the server. So, probably port-forwarding or firewall is misconfigured.

[Pippin]

Getting back to the OP's problem:

Exactly, off topic can go into ... off topic

Thanks.

[goldduo]

in order to help you find out it working or not let do post scant first just type into search PortQryUI - User Interface and download it from Microsoft website

my results said "UDP port 1962 (unknown service): LISTENING or FILTERED"

[goldduo]

While the online scanner restults are completely inconclusive, the server log posted does show that no packets are received by the server. So, probably port-forwarding or firewall is misconfigured.

when i posted the server log, i did not start the client vpn connection. so shouldn't it show no packets received?

[goldduo]

i exit the openvpn server, same tls error.
i disabled the windows firewall rule for 1962, same tls error;
i create a new rule to block the port 1962, still same tls error.
is it safe to say that there is something wrong with my client setup?
here is the client log:

Code: Select all

2021-01-10 19:46:10 OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020
2021-01-10 19:46:10 Windows version 10.0 (Windows 10 or greater) 64bit
2021-01-10 19:46:10 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:
2021-01-10 19:46:10 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2021-01-10 19:46:10 Need hold release from management interface, waiting...
2021-01-10 19:46:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2021-01-10 19:46:10 MANAGEMENT: CMD 'state on'
2021-01-10 19:46:10 MANAGEMENT: CMD 'log all on'
2021-01-10 19:46:10 MANAGEMENT: CMD 'echo all on'
2021-01-10 19:46:10 MANAGEMENT: CMD 'bytecount 5'
2021-01-10 19:46:10 MANAGEMENT: CMD 'hold off'
2021-01-10 19:46:10 MANAGEMENT: CMD 'hold release'
2021-01-10 19:46:10 MANAGEMENT: CMD 'password [...]'
2021-01-10 19:46:10 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-01-10 19:46:10 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-01-10 19:46:10 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-01-10 19:46:10 TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:1962
2021-01-10 19:46:10 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-01-10 19:46:10 UDPv4 link local: (not bound)
2021-01-10 19:46:10 UDPv4 link remote: [AF_INET]*.*.*.*:1962
2021-01-10 19:46:10 MANAGEMENT: >STATE:1610325970,WAIT,,,,,,
2021-01-10 19:47:10 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-01-10 19:47:10 TLS Error: TLS handshake failed

anything wrong there?

[TinCanTech]

i exit the openvpn server, same tls error.

You need the server to be running if you want to connect to it .. it's not magic.

[goldduo]

in the client.ovpn config file, there are 4 markers: <ca>, <cert>, <key>, and <tls-auth>
<tls-auth> should have the contents of ta.key?
what should be in <cert>? is it the contents of server.crt? or client.crt?
how about <key>? is it from server.key or client.key?

[goldduo]

my understanding is the <cert> and <key> markers are not required if i specify file paths to client.crt and client.key.

so to connect, the client sends ca.crt, asking for specific ip and port number. the server recognizes the ca.crt, and knows that this is a client. now how does that server authenticate the client? it automatically reaches into the default relative path openvpn\easy-rsa\pki to grab and compare the client.crt, and client.key?

[TinCanTech]

The server has already loaded the X509 files which it requires.

Inlining a file is the same as loading it via a file name.

[goldduo]

i did in command prompt: netstat -nba | findstr "LISTEN" and did not see anything listening on port 1962?

[TinCanTech]

UDP does not "LISTEN"

Try the OpenVPN howto.

[300000]

Turn your firewall and try it first .you are so confident to do but it not work untill you can connect first and if you keep doing what you think is right it not work for you