Synology TLS Error

jctheeng
OpenVpn Newbie
Posts: 5
Joined: Thu Jul 08, 2021 12:26 am

Synology TLS Error

Post by jctheeng » Thu Jul 08, 2021 2:38 am

Hi,

We have a Synology NAS. We have a working L2TP VPN which I need to replace with OpenVPN because I need split tunnel capability. The current VPN connection kicks everyone off every so often and it is very problematic. I have done the OpenVPN set-up in the VPN Server package of the Synology. (L2TP IP on 10.2.0.0... and OpenVPN IP on 10.8.0.0....) I have exported the OpenVPN file. When I open the config file to edit the IP address, everything is in just a couple of lines, so I have added hard returns where I believe they should go and un-commented the lines I believe need to be fixed. I tried to use the client config file from https://github.com/OpenVPN/openvpn/tree ... nfig-files but it feels like it is a little old and some of the info in my config file didn't seem to be in the GitHub version.
Client config file


dev tun
tls-client
remote ##.###.##.### 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
#redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
stuff
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
more stuff
-----END CERTIFICATE-----
</ca>

Sorry for all the # lines, but if that is where my problem is then you gotta see that too.


Here is my client side log:


Wed Jul 07 18:08:43 2021 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Wed Jul 07 18:08:43 2021 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Wed Jul 07 18:08:43 2021 OpenVPN 2.5.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 21 2021
Wed Jul 07 18:08:43 2021 Windows version 6.1 (Windows 7) 64bit
Wed Jul 07 18:08:43 2021 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Wed Jul 07 18:08:50 2021 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jul 07 18:08:50 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]_ip_:1194
Wed Jul 07 18:08:50 2021 UDP link local (bound): [AF_INET][undef]:1194
Wed Jul 07 18:08:50 2021 UDP link remote: [AF_INET]_ip_:1194
Wed Jul 07 18:09:50 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jul 07 18:09:50 2021 TLS Error: TLS handshake failed
Wed Jul 07 18:09:50 2021 SIGUSR1[soft,tls-error] received, process restarting
Wed Jul 07 18:09:55 2021 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jul 07 18:09:55 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]_ip_:1194
Wed Jul 07 18:09:55 2021 UDP link local (bound): [AF_INET][undef]:1194
Wed Jul 07 18:09:55 2021 UDP link remote: [AF_INET]_ip_:1194
Wed Jul 07 18:10:55 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jul 07 18:10:55 2021 TLS Error: TLS handshake failed
Wed Jul 07 18:10:55 2021 SIGUSR1[soft,tls-error] received, process restarting
Wed Jul 07 18:11:00 2021 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
...
Wed Jul 07 19:05:21 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]_ip_:1194
Wed Jul 07 19:05:21 2021 UDP link local (bound): [AF_INET][undef]:1194
Wed Jul 07 19:05:21 2021 UDP link remote: [AF_INET]_ip_:1194
Wed Jul 07 19:06:21 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jul 07 19:06:21 2021 TLS Error: TLS handshake failed
Wed Jul 07 19:06:21 2021 SIGUSR1[soft,tls-error] received, process restarting
I don't know how to get my Server config without logging in with SSH. Port forwarding for SSH has not been set up in the router so I can't do that from here.

Every search I have done for TLS Error has come up with the solution being "oh, I just had to do my port forwarding on my router..."
UDP 1194 port has been forwarded on the router.

Please help!!! I have read lots of posts and lots of forums and watched YouTube videos and done Google searches. What am I missing?
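As an added example (my code, not the poster's and not OpenVPN's), the following Python checks the posted client config against the warnings that appear in the posted client log and classifies the repeating TLS timeout. It works on constructed copies of the config and log, with the documentation address 203.0.113.10 standing in for the masked IP; `parse_directives`, `lint_client_config` and `triage_client_log` are names I chose.

```python
"""Triage of the client config and client log posted above.
Added example, not code from the poster or from the OpenVPN project. The config
and log lines are constructed copies of what the post shows (203.0.113.10 stands
in for the masked address); the checks follow the OpenVPN 2.5 manual."""
import re

# Constructed: the posted client config without the certificate bodies.
CLIENT_CONFIG = """\
dev tun
tls-client
remote 203.0.113.10 1194   # constructed documentation address
float
#redirect-gateway def1
pull
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
"""

# Constructed: abbreviated lines from the posted client log.
CLIENT_LOG = """\
Wed Jul 07 18:08:43 2021 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption.
Wed Jul 07 18:08:43 2021 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations.
Wed Jul 07 18:08:50 2021 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jul 07 18:08:50 2021 UDP link remote: [AF_INET]203.0.113.10:1194
Wed Jul 07 18:09:50 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jul 07 18:09:50 2021 TLS Error: TLS handshake failed
Wed Jul 07 18:09:50 2021 SIGUSR1[soft,tls-error] received, process restarting
"""

TIMESTAMP = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} (.*)$")
LINK_REMOTE = re.compile(r"UDP link remote: \[AF_INET6?\](\S+):(\d+)")
TLS_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")


def parse_directives(config_text):
    """Return {directive: [args]} for active lines; '#' and ';' start comments."""
    directives = {}
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def lint_client_config(d):
    """Map each directive to the log warning it triggers and the risk it carries."""
    findings = []
    if not any(k in d for k in ("remote-cert-tls", "verify-x509-name", "tls-verify")):
        # Source of the 'No server certificate verification method' warning: any cert
        # signed by the CA, including another client's, would be accepted as the server.
        findings.append(("no-server-cert-check", "add 'remote-cert-tls server'"))
    if "comp-lzo" in d or "compress" in d:
        findings.append(("compression", "remove comp-lzo on both ends (see the log warning)"))
    if "cipher" in d and "data-ciphers" not in d:
        findings.append(("cipher-deprecated", f"list {d['cipher'][0]} in 'data-ciphers' instead"))
    if "float" in d:
        findings.append(("float", "packets accepted from any source address; drop unless needed"))
    if int(d.get("script-security", ["1"])[0]) >= 2:
        findings.append(("script-security", "level 2 allows external scripts; lower if unused"))
    return findings


def triage_client_log(log_text):
    """Summarise the client's view; the key question is whether the server ever replied."""
    s = {"warnings": [], "remote": None, "handshake_timeouts": 0, "diagnosis": "handshake-ok"}
    for line in log_text.splitlines():
        m = TIMESTAMP.match(line)
        msg = m.group(1) if m else line
        if msg.startswith(("WARNING:", "DEPRECATED OPTION:")):
            s["warnings"].append(msg.split(". ", 1)[0].rstrip("."))
            continue
        link = LINK_REMOTE.search(msg)
        if link:
            s["remote"] = (link.group(1), int(link.group(2)))
        elif TLS_TIMEOUT.search(msg):
            s["handshake_timeouts"] += 1
    if s["handshake_timeouts"]:
        # First handshake packet sent, nothing came back in the window. Either it never
        # reached openvpn on the server (forwarding, firewall, wrong port/proto/address)
        # or the server dropped it and logged why (e.g. a tls-auth/tls-crypt key
        # mismatch). The client log cannot tell these apart; the server log can.
        s["diagnosis"] = "no-handshake-reply"
    return s


if __name__ == "__main__":
    for key, advice in lint_client_config(parse_directives(CLIENT_CONFIG)):
        print(f"config  {key:22} {advice}")
    summary = triage_client_log(CLIENT_LOG)
    for w in summary["warnings"]:
        print(f"log     {w}")
    print(f"log     remote={summary['remote']} -> {summary['diagnosis']}")
```

The three warnings are explained entirely by the config (no `remote-cert-tls server`, `comp-lzo`, `cipher` without `data-ciphers`) and are worth fixing, but none of them causes the failure. The failure line is the 60-second negotiation timeout: the client sent its first handshake packet and never got a reply, and from the client side a missing port forward, a firewall drop and a server-side key mismatch all look identical, which is why the server's own openvpn log is the next thing to read.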

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Synology TLS Error

Post by TinCanTech » Thu Jul 08, 2021 12:28 pm

You MUST read your server log.

jctheeng
OpenVpn Newbie
Posts: 5
Joined: Thu Jul 08, 2021 12:26 am

Re: Synology TLS Error

Post by jctheeng » Thu Jul 08, 2021 3:11 pm

The log just says stopped and started.


Information 2021/07/07 18:47:12 L2TP Jessyca Connected from [_ip_] as [10.2.0.1].
Information 2021/07/07 18:45:22 L2TP Jessyca Disconnected from [_ip_] as [10.2.0.1].
Information 2021/07/07 17:48:55 L2TP Jessyca Connected from [_ip_] as [10.2.0.1].
Information 2021/07/07 17:47:09 L2TP Jessyca Disconnected from [_ip_] as [10.2.0.1].
Information 2021/07/07 17:00:24 OpenVPN SYSTEM Server was started.
Information 2021/07/07 17:00:23 OpenVPN SYSTEM Server was stopped.
Information 2021/07/07 16:50:38 L2TP Jessyca Connected from [_ip_] as [10.2.0.1].

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Synology TLS Error

Post by TinCanTech » Thu Jul 08, 2021 5:29 pm

That is not your openvpn log file.

See --log in the manual.

jctheeng
OpenVpn Newbie
Posts: 5
Joined: Thu Jul 08, 2021 12:26 am

Re: Synology TLS Error

Post by jctheeng » Fri Jul 09, 2021 1:11 am

I am very grateful for your help!
I've been reading through the manual. I believe the server log is located at /var/log/messages? Is there a way to get to that without SSH? The Synology GUI hides all that stuff. I don't have the port forwarding for SSH set up on the router and I will not be there to do it until next week. Are there alternatives?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Synology TLS Error

Post by TinCanTech » Fri Jul 09, 2021 1:22 am

There is no alternative .. you MUST read your server openvpn-log to determine if there was an error.

jctheeng
OpenVpn Newbie
Posts: 5
Joined: Thu Jul 08, 2021 12:26 am

Re: Synology TLS Error

Post by jctheeng » Fri Jul 09, 2021 2:18 am

I understand that I must read it. Is there an alternative way to get to it?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Synology TLS Error

Post by TinCanTech » Fri Jul 09, 2021 12:08 pm

Maybe you can use magic ..

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Synology TLS Error

Post by openvpn_inc » Sat Jul 10, 2021 12:28 pm

jctheeng wrote:
Fri Jul 09, 2021 1:11 am
I've been reading through the manual. I believe the server log is located at /var/log/messages? Is there a way to get to that without SSH? The synology gui hides all that stuff. I don't have the port forwarding for SSH set up on the router and I will not be there to do it until next week. Are there alternatives?
Sorry, I am not familiar with the Synology NAS. The syslog files location can and does vary by OS/distro, so you'll probably do better asking about SSH alternatives in a Synology forum.

Wish I could help, regards, rob0
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

jctheeng
OpenVpn Newbie
Posts: 5
Joined: Thu Jul 08, 2021 12:26 am

Re: Synology TLS Error

Post by jctheeng » Tue Jul 13, 2021 3:38 pm

openvpn_inc wrote:
Sat Jul 10, 2021 12:28 pm
Sorry, I am not familiar with the Synology NAS. The syslog files location can and does vary by OS/distro, so you'll probably do better asking about SSH alternatives in a Synology forum.
I was able to establish the SSH connection and look at the /var/log/messages file but it doesn't seem to contain much info.


2021-07-13T07:31:25-07:00 SnowBall gateway_change hook event: NEW 192.168.4.1 on eth0
2021-07-13T07:31:25-07:00 SnowBall gateway_change hook event: DEL 192.168.4.1 on eth0
2021-07-13T07:31:25-07:00 SnowBall gateway_change hook event: NEW 192.168.4.1 on eth0
2021-07-13T07:31:25-07:00 SnowBall if_link_down hook event: ppp301
2021-07-13T07:33:03-07:00 SnowBall pppd[18003]: Overriding mtu 1500 to 1400
2021-07-13T07:33:03-07:00 SnowBall pppd[18003]: Overriding mru 1500 to mtu value 1400
2021-07-13T07:33:03-07:00 SnowBall pppd[18003]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
2021-07-13T07:33:05-07:00 SnowBall if_link_up hook event: ppp301
2021-07-13T07:33:05-07:00 SnowBall ipv6_change hook event: ppp301 ->fe80::211:32ff:fed4:ea62 10
2021-07-13T07:33:05-07:00 SnowBall ipv4_change hook event: ppp301 none->10.2.0.0
2021-07-13T07:33:06-07:00 SnowBall ipv4_change hook event: ppp301 10.2.0.0->none
2021-07-13T07:33:08-07:00 SnowBall ipv4_change hook event: ppp301 none->10.2.0.0
2021-07-13T07:33:08-07:00 SnowBall gateway_change hook event: NEW 0.0.0.0 on ppp301
2021-07-13T08:09:42-07:00 SnowBall pppd[21371]: Couldn't allocate PPP unit 301 as it is already in use, try PPP unit 302
2021-07-13T08:09:42-07:00 SnowBall pppd[21371]: Couldn't allocate PPP unit 302 as it is already in use, try PPP unit 303
2021-07-13T08:09:42-07:00 SnowBall pppd[21371]: Overriding mtu 1500 to 1400
2021-07-13T08:09:42-07:00 SnowBall pppd[21371]: Overriding mru 1500 to mtu value 1400
2021-07-13T08:09:42-07:00 SnowBall pppd[21371]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
2021-07-13T08:09:46-07:00 SnowBall ipv4_change hook event: ppp303 none->10.2.0.0
2021-07-13T08:09:47-07:00 SnowBall ipv4_change hook event: ppp303 10.2.0.0->none
2021-07-13T08:09:47-07:00 SnowBall ipv4_change hook event: ppp303 none->10.2.0.0
2021-07-13T08:09:47-07:00 SnowBall if_link_up hook event: ppp303
2021-07-13T08:09:48-07:00 SnowBall gateway_change hook event: NEW 0.0.0.0 on ppp303
What am I looking for? How do I find the server .ovpn config file? Everything I find when I search for those things just points to the OpenVPN GUI for Synology.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Synology TLS Error

Post by TinCanTech » Tue Jul 13, 2021 4:00 pm

That is not your openvpn log file.

Openvpn uses --log file to send the log to.

Where your NAS sends it is a mystery ..
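Added example on TinCanTech's point about --log (my code, not from the thread or from the OpenVPN project): given an openvpn process's command line and the config file it names, it works out whether messages go to a file (--log / --log-append), to syslog (--syslog or --daemon) or to the parent's stdout, using the precedence the manual gives. The command line, the /path/to/openvpn.conf path and the config content are constructed placeholders, not Synology's real ones; `options_in` and `log_destination` are names I chose.

```python
"""Where does a running OpenVPN server write its log?
Added example, not from the thread or the OpenVPN project. Applies the manual's
rules for --log, --log-append, --syslog and --daemon to a process command line
plus the config file --config names. All paths and contents below are constructed."""
import re
import shlex

# Constructed: what `tr '\0' ' ' < /proc/<pid>/cmdline` might show for a NAS package.
SAMPLE_CMDLINE = "/usr/sbin/openvpn --daemon --config /path/to/openvpn.conf"

# Constructed stand-in for the filesystem, keyed by the path --config names.
SAMPLE_FILES = {
    "/path/to/openvpn.conf": """\
port 1194
proto udp
dev tun
# no log/log-append/syslog here, so --daemon on the command line decides
verb 3
""",
}


def options_in(argv, files):
    """Flatten argv into [name, args...] lists, expanding --config in place."""
    options, i = [], 1                                   # argv[0] is the binary
    while i < len(argv):
        if not argv[i].startswith("--"):
            i += 1
            continue
        name, args = argv[i][2:], []
        i += 1
        while i < len(argv) and not argv[i].startswith("--"):
            args.append(argv[i])
            i += 1
        if name == "config" and args:
            for raw in files.get(args[0], "").splitlines():
                line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
                if line:
                    options.append(line.split())
        else:
            options.append([name, *args])
    return options


def log_destination(cmdline, files):
    """Return ('file', path), ('syslog', ident) or ('stdout', None).

    --log/--log-append win over syslog whatever their order: the manual says they
    'supersede syslog output if --daemon or --syslog is also specified'.
    """
    log_file, syslog_ident = None, None
    for name, *args in options_in(shlex.split(cmdline), files):
        if name in ("log", "log-append") and args:
            log_file = args[0]
        elif name in ("syslog", "daemon"):
            syslog_ident = args[0] if args else "openvpn"   # progname defaults to openvpn
    if log_file:
        return ("file", log_file)
    if syslog_ident:
        return ("syslog", syslog_ident)
    return ("stdout", None)


if __name__ == "__main__":
    print(log_destination(SAMPLE_CMDLINE, SAMPLE_FILES))   # -> ('syslog', 'openvpn')
```

On the NAS the real input is the openvpn process's command line (from `ps` or /proc/<pid>/cmdline) plus the file its --config names. A `syslog` result means openvpn is not choosing a file at all; the NAS's syslog configuration decides where those messages land, if anywhere, which is consistent with /var/log/messages showing only pppd and hook events. Only a `file` result points at a path you can read directly.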
