I have an issue with a VPN client ("Client 1") which doesn't connect to an OpenVPN server I built when connecting from a very specific network ("Network 1"). The error is related to "TLS Error: TLS key negotiation failed to occur".
Initially it worked perfectly for weeks, but it then suddenly stopped.
In order to debug the problem I tested:
- using 3 accounts I created: "Client 1", "Client 2" and "Client 3"
- on three networks: "Network 1" (ADSL), "Network 2" (ADSL) and "Network 3" (mobile phone 4G)
- on three Windows 10x64 laptops: "L1", "L2" and "L3", and one Android phone, "A1"
- using two other VPN accounts connecting to foreign countries on the same protocol (UDP) and port (1194), "Foreign 1" and "Foreign 2".
Purpose: I want to use "Client 1" (either on "L1" or "L2") on "Network 1".
What I did until now (I'll use the terms "PASS" for functioning properly and "FAIL" for not working):
1) Testing "Client 1", "Client 2" and "Client 3" on "Network 2" = PASS, then testing "Client 1", "Client 2" and "Client 3" on "Network 1" = FAIL
2) Testing "Foreign 1" and "Foreign 2" on "Network 2" = PASS, then testing "Foreign 1" and "Foreign 2" on "Network 1" = PASS (yes, PASS)
3) Changing OpenVPN on "L1" to 2.4.8 from 2.5.0, then testing "Client 1", "Client 2" and "Client 3" on "Network 1" = FAIL
4) Changing the DNS two times on "L1", then testing "Client 1", "Client 2" and "Client 3" on "Network 1" = FAIL. The OpenVPN connection log shows that it properly finds the public IP of the OpenVPN server.
5) Changing the DNS on "Network 1", then using "L1" and "L2" to test "Client 1", "Client 2" and "Client 3" on "Network 1" = FAIL. The OpenVPN connection log shows that it properly finds the public IP of the OpenVPN server.
6) Using "A1", then testing "Client 1", "Client 2" and "Client 3" on "Network 1" = FAIL
7) Using "A1", then testing "Client 1", "Client 2" and "Client 3" on "Network 3" = PASS; "Network 3" is a 4G connection on the Android phone.
8) Changing the "Network 1" subnet and then using "L1" to test "Client 1", "Client 2" and "Client 3" = FAIL
9) Changing the modem on "Network 1", then using "L1" to test "Client 1", "Client 2" and "Client 3" = FAIL
10) Setting OpenVPN to connect through a Tor proxy, then testing "Client 1", "Client 2" and "Client 3" on "Network 2" = PASS, then testing "Client 1", "Client 2" and "Client 3" on "Network 1" = FAIL
What other tests should I do, as I have no more ideas?
A client config looks like this:
Client config
client
dev tun
remote IP 1194 udp
float
nobind
# Certificate Authority cert
<ca>
-----BEGIN CERTIFICATE-----
#############################
-----END CERTIFICATE-----
</ca>
# Client cert
<cert>
-----BEGIN CERTIFICATE-----
#############################
-----END CERTIFICATE-----
</cert>
# Client private key
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
#############################
-----END ENCRYPTED PRIVATE KEY-----
</key>
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
tls-client
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#############################
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
tls-version-min 1.2
comp-lzo
resolv-retry infinite
keepalive 15 120
persist-key
persist-tun
mute-replay-warnings
verb 5
mute 20
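The tests above are differential (same client and config, different networks), so the next useful question is what the client log at verb 5 actually records on the failing network: whether any control packet from the server ever arrived, whether replies arrived but failed the tls-auth HMAC, or whether the handshake got as far as certificate verification. The script below is an added example, not part of the original post, that triages an OpenVPN 2.4/2.5 client log by those message fragments. The two sample logs are constructed, and 203.0.113.10 is a documentation address standing in for the poster's server IP.

```python
"""Triage an OpenVPN client log to locate where a TLS key negotiation stalls.

Added example (not from the original post). It keys on literal message
fragments that OpenVPN 2.4/2.5 clients print at verb 3 or higher. The sample
logs are constructed; 203.0.113.10 is a documentation address.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Message fragments as the OpenVPN client prints them.
RE_LINK_REMOTE = re.compile(r"UDP link remote: \[AF_INET6?\](\S+)")
RE_INITIAL_PACKET = re.compile(r"TLS: Initial packet from \[AF_INET6?\]")
RE_HMAC_FAILURE = re.compile(
    r"packet HMAC authentication failed|cannot locate HMAC in incoming packet")
RE_VERIFY_ERROR = re.compile(r"VERIFY ERROR: (.+)")
RE_TLS_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")

VERDICTS = {
    "no-reply": "nothing came back from the server: UDP to that host/port is "
                "dropped on the path, or the server is not listening",
    "tls-auth-mismatch": "the server answered but packets fail the tls-auth HMAC: "
                         "check the static key and key-direction on both ends",
    "cert-verify": "the handshake reached certificate verification and failed "
                   "there: a PKI problem, not a network one",
    "stalled-after-reply": "the server answered but the handshake never completed: "
                           "suspect fragmentation/MTU or a mid-handshake drop",
    "no-tls-error": "no TLS negotiation error in this log",
}


@dataclass
class Triage:
    link_remote: Optional[str] = None      # host:port the client sent to
    server_replied: bool = False           # first control packet came back
    hmac_failures: int = 0
    verify_errors: List[str] = field(default_factory=list)
    tls_timeout_seconds: Optional[int] = None
    verdict: str = "no-tls-error"

    def explain(self) -> str:
        return VERDICTS[self.verdict]


def classify(t: Triage) -> str:
    """The most specific evidence wins, so order matters."""
    if t.verify_errors:
        return "cert-verify"
    if t.hmac_failures:
        return "tls-auth-mismatch"
    if t.tls_timeout_seconds is None:
        return "no-tls-error"
    return "stalled-after-reply" if t.server_replied else "no-reply"


def triage_log(lines: Iterable[str]) -> Triage:
    t = Triage()
    for line in lines:
        m = RE_LINK_REMOTE.search(line)
        if m:
            t.link_remote = m.group(1)
        elif RE_INITIAL_PACKET.search(line):
            t.server_replied = True
        elif RE_HMAC_FAILURE.search(line):
            t.hmac_failures += 1
        else:
            m = RE_VERIFY_ERROR.search(line)
            if m:
                t.verify_errors.append(m.group(1).strip())
            else:
                m = RE_TLS_TIMEOUT.search(line)
                if m:
                    t.tls_timeout_seconds = int(m.group(1))
    t.verdict = classify(t)
    return t


def triage_text(text: str) -> Triage:
    return triage_log(text.splitlines())


# Constructed sample: the poster's symptom, no packet ever returns.
NO_REPLY_LOG = """\
2020-11-20 10:00:01 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
2020-11-20 10:00:01 UDP link local: (not bound)
2020-11-20 10:00:01 UDP link remote: [AF_INET]203.0.113.10:1194
2020-11-20 10:01:01 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2020-11-20 10:01:01 TLS Error: TLS handshake failed
2020-11-20 10:01:01 SIGUSR1[soft,tls-error] received, process restarting
"""

# Constructed sample: the server answers, but its certificate fails verification.
VERIFY_FAIL_LOG = """\
2020-11-20 10:00:01 UDP link remote: [AF_INET]203.0.113.10:1194
2020-11-20 10:00:01 TLS: Initial packet from [AF_INET]203.0.113.10:1194, sid=0a1b2c3d 4e5f6071
2020-11-20 10:00:02 VERIFY ERROR: depth=0, error=certificate has expired: CN=vpn-server
2020-11-20 10:00:02 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, log in (("network 1", NO_REPLY_LOG), ("pki case", VERIFY_FAIL_LOG)):
        t = triage_text(log)
        print(f"{name}: {t.verdict} -> {t.explain()}")
```

Run the triage on the verb 5 log from a FAIL run on "Network 1" and a PASS run on "Network 2"; if the failing run is "no-reply" while the passing run shows "TLS: Initial packet from", the client's first packet or the server's first reply is being dropped somewhere on that path, which is consistent with the foreign servers on the same port still working. A packet capture on the server side during a failing attempt then shows whether the client's packets arrive at all.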