Famous TLS error


Moderators: TinCanTech

asmith
OpenVpn Newbie
Posts: 7
Joined: Sat May 07, 2011 3:57 pm

Famous TLS error

Post by asmith » Sat May 07, 2011 4:19 pm

Hello,

I'm so new at this and I've been spending hours trying to get this working, which has resulted in a nice headache :)
I found this tutorial and followed it exactly as it is:
http://library.linode.com/networking/op ... 0.04-lucid

This is my server conf file:

port 11194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 3

I changed the port because I thought my ISP was blocking port 1194.

This is my client conf (on windows xp sp3)

client
dev tun
proto tcp
remote *my_ip* 11194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user1.crt
key user1.key
comp-lzo
verb 3

This is the log in my client (a few attempts):
http://privatepaste.com/fcf61db074

Also, the client was on and I went out of the room for some minutes; when I came back it was connected. But I couldn't browse the web. I disconnected it and tried to connect again and it gave me the TLS error again. Unfortunately I don't have that log. But in the current log, on lines 121 and 122, I seem to have VERIFY OK, but no success there either.

I tried UDP first but I was getting a "connection reset by peer" error, so I changed it to TCP and opened port 11194 in iptables with this:

-A INPUT -p tcp -m tcp --dport 11194 -j ACCEPT

Thanks for your time.
(I replaced my server IP address with *my_ip*.)

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Famous TLS error

Post by janjust » Sat May 07, 2011 9:43 pm

what does the server log show when the client connects? what happens if you increase the verbosity to 5 (on the server)?
TLS handshake errors are either certificate errors (which should show up on either the client or the server side) OR they are firewall errors (which can be troubleshot using 'iptables -j LOG' on the server).

asmith
OpenVpn Newbie
Posts: 7
Joined: Sat May 07, 2011 3:57 pm

Re: Famous TLS error

Post by asmith » Sun May 08, 2011 6:02 am

I changed verbose on the server to 5. Deleted the current openvpn.log on the server. Restarted the server and tried connecting. This is the new client log:

http://privatepaste.com/d933e11e00

And this is the server log: (changed client ip to *my_client_ip*)

http://privatepaste.com/7649d7c605

I've turned windows xp firewall off and there's no anti-virus running atm.
By running 'iptables -j LOG' I get this:

iptables v1.3.8: no command specified
Try `iptables -h' or 'iptables --help' for more information.

I'm using Ubuntu 8.04 as the server, btw.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Famous TLS error

Post by janjust » Sun May 08, 2011 7:04 am

that is odd - both client and server logs show that the connection was not established properly at all, which points at either a firewalling issue or a general TCP connectivity problem.

> By running 'iptables -j LOG' I get this:

I was assuming that you were familiar with 'iptables' syntax. What I meant was something like

iptables -I INPUT -p tcp -m tcp --dport 11194 -j LOG

this will log all connection attempts on TCP port 11194.
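Once that rule is in place, the kernel writes one line per matching packet to the syslog (the "Is the iptables log in /var/log/messages?" question further down). The following is an added example, not code from either poster: it parses netfilter LOG lines, counts per-source packets and SYNs on the OpenVPN port, and turns the counts into the firewall-versus-certificate split janjust describes. The log lines and addresses are constructed samples in documentation ranges, not from this thread's logs; the field names (IN=, SRC=, DPT=, SYN, ...) are the standard netfilter LOG format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the netfilter LOG format, i.e. what the rule
#   iptables -I INPUT -p tcp -m tcp --dport 11194 -j LOG
# writes to the kernel log (/var/log/messages or /var/log/kern.log on older Ubuntu).
# Addresses are documentation ranges, not real hosts; the last line is unrelated noise.
SAMPLE_LOG = """\
May  8 08:01:12 vpnhost kernel: [ 1234.567890] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=1001 DF PROTO=TCP SPT=11827 DPT=11194 WINDOW=65535 RES=0x00 SYN URGP=0
May  8 08:01:12 vpnhost kernel: [ 1234.600000] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=1002 DF PROTO=TCP SPT=11827 DPT=11194 WINDOW=65535 RES=0x00 ACK URGP=0
May  8 08:01:13 vpnhost kernel: [ 1235.000000] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=1003 DF PROTO=TCP SPT=11827 DPT=11194 WINDOW=65535 RES=0x00 ACK PSH URGP=0
May  8 08:02:40 vpnhost kernel: [ 1322.000000] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:03:08:00 SRC=192.0.2.99 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=40022 DPT=11194 WINDOW=1024 RES=0x00 SYN URGP=0
May  8 08:03:00 vpnhost kernel: [ 1342.000000] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:04:08:00 SRC=192.0.2.50 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=8 DF PROTO=TCP SPT=40023 DPT=11194 WINDOW=1024 RES=0x00 RST URGP=0
May  8 08:03:05 vpnhost sshd[2211]: Accepted publickey for admin from 203.0.113.7 port 50001 ssh2
"""

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line plus a FLAGS set, or None otherwise."""
    if " IN=" not in line or "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    # TCP flags are bare tokens (SYN, ACK, ...) after the PROTO= field.
    tail = line.split("PROTO=", 1)[1]
    fields["FLAGS"] = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return fields


def summarize(log_text, port=11194):
    """Per source address: total packets seen on `port` and bare SYNs (new connection attempts)."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or f.get("PROTO") != "TCP" or f.get("DPT") != str(port):
            continue
        stats[f["SRC"]]["packets"] += 1
        if "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]:
            stats[f["SRC"]]["syn"] += 1
    return {src: dict(c) for src, c in stats.items()}


def diagnose(stats, client_ip):
    """What the counts say about the client's path to the port: the firewall-vs-certificate split."""
    seen = stats.get(client_ip)
    if not seen:
        return "no packets from client: blocked before the server (firewall, NAT or ISP)"
    if seen["packets"] == seen.get("syn", 0):
        return "only SYNs from client: handshake never completes, check the return path / conntrack rules"
    return "client TCP traffic reaches the port: look at OpenVPN's own log (verb 5) for TLS/certificate errors"


def log_rule_commands(port=11194):
    """-I inserts the logging rule; -D with the identical rule specification removes it again."""
    spec = f"INPUT -p tcp -m tcp --dport {port} -j LOG"
    return {"add": f"iptables -I {spec}", "remove": f"iptables -D {spec}"}


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, counts in stats.items():
        print(src, counts)
    print(diagnose(stats, "203.0.113.7"))
    print(diagnose(stats, "192.0.2.99"))
    print(log_rule_commands())
```

The `log_rule_commands` helper also answers the "how do you cancel logging" question asked later in the thread: `iptables -D` with the same rule specification that `-I` used deletes the rule. Run the script against the real log (`grep DPT=11194 /var/log/messages`) instead of the sample to get the counts for the actual client address.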

asmith
OpenVpn Newbie
Posts: 7
Joined: Sat May 07, 2011 3:57 pm

Re: Famous TLS error

Post by asmith » Sun May 08, 2011 8:04 am

I put in that syntax for logging, then I tried again. This time it connected but I couldn't browse the web through my LAN, and when I pressed "reconnect" it went back to the TLS error.

This is the client log for this new try:
http://www.privatepaste.com/b88cbc7fac

This is the server log: (user1 = makhmakh)
http://privatepaste.com/acfe46a7f7

Is the iptables log in /var/log/messages? And how do you cancel logging port 11194?
I have a feeling that my client ISP has something to do with this.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Famous TLS error

Post by janjust » Sun May 08, 2011 9:27 pm

the new server log shows interesting info:

first of all, you have tons of
MULTI: bad source address from client [192.168.1.10]
warnings; these *may* be harmless but you might want to look into them; is 192.168.1.10 the LAN IP address of the VPN client?

second of all, the warning
*my_client_ip*:11827 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers
suggests that the traffic is being tampered with - as you said, you suspect your ISP; can you reach the VPN server using SSH?
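The number in that warning carries more information than it first appears to. OpenVPN in TCP mode prefixes every packet with a 2-byte big-endian length; 18245 is 0x4745, which are the ASCII bytes "G" and "E", the start of an HTTP GET request. A real OpenVPN client never sends that, so plain HTTP reached the OpenVPN port, consistent with something in the path (a transparent HTTP proxy is one common culprit) handling the connection. The decoder below is an added example, not code from the thread or from OpenVPN; the byte streams are constructed, and the 1544 limit is simply the value quoted in the warning.

```python
MAX_PACKET = 1544  # limit quoted in the warning on this thread (it follows from the link MTU)


def length_prefix_as_bytes(length):
    """The raw 2-byte big-endian prefix that OpenVPN interpreted as `length`."""
    return length.to_bytes(2, "big")


def frame(packet):
    """Encapsulate one packet the way OpenVPN's TCP mode does: 16-bit length, then the packet."""
    return len(packet).to_bytes(2, "big") + packet


def read_frames(stream, max_packet=MAX_PACKET):
    """Split a TCP byte stream into OpenVPN packets.

    Returns (frames, error). `error` mirrors the server's warning text and includes the
    two prefix bytes, so a bad length can be recognised as ASCII when it is one.
    """
    frames = []
    pos = 0
    while pos + 2 <= len(stream):
        prefix = stream[pos:pos + 2]
        length = int.from_bytes(prefix, "big")
        if length == 0 or length > max_packet:
            return frames, (f"Bad encapsulated packet length from peer ({length}), "
                            f"which must be > 0 and <= {max_packet}; prefix bytes {prefix!r}")
        body = stream[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # incomplete frame: wait for more bytes
        frames.append(body)
        pos += 2 + length
    return frames, None


# Constructed: two well-formed frames with arbitrary placeholder payloads.
GOOD_STREAM = frame(b"\x38" + b"A" * 13) + frame(b"\x20" + b"B" * 49)
# Constructed: what arrives when an HTTP client or proxy talks to the OpenVPN TCP port instead.
HTTP_STREAM = b"GET / HTTP/1.1\r\nHost: 198.51.100.2:11194\r\n\r\n"

if __name__ == "__main__":
    print(length_prefix_as_bytes(18245))   # b'GE'
    print(read_frames(GOOD_STREAM))
    print(read_frames(HTTP_STREAM))
```

The practical use on the server side is a quick check when this warning appears: convert the reported number to two bytes and see whether they are printable. "GE" (18245), "PO" (20559) or "HT" (18516) mean an HTTP-speaking device is on the wire between the peers, which is a different problem from an MTU mismatch even though the warning text mentions MTU.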

asmith
OpenVpn Newbie
Posts: 7
Joined: Sat May 07, 2011 3:57 pm

Re: Famous TLS error

Post by asmith » Mon May 09, 2011 5:09 am

1. Yes, the IP address of the VPN client on the LAN is 192.168.1.10.
Those "bad source address from client" warnings are from when I tried to open some page in the client's browser to see if it was working (when it said it was connected).
2. Yes, I can connect to the VPN server via SSH.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Famous TLS error

Post by janjust » Mon May 09, 2011 6:14 am

> 1. Yes, the IP address of the VPN client LAN is 192.168.1.10
> Those bad source address from client are when I tried to open up some page via client browser to see if it is working. (when it said it connected)

hmmm, something funny is going on with routing then; your client should be using the LAN address to connect over the VPN.

> 2. Yes, I can connect to VPN server via SSH.

ah, then you can consider bypassing the ISP by
1) ssh to your vpn server using

ssh -D 1080 <remote-server>

2) add 'socks-proxy' support to your openvpn client config using

socks-proxy 127.0.0.1 1080

this will ensure OpenVPN connects (in tcp mode) via the SSH SOCKS tunnel to your vpn server.

asmith
OpenVpn Newbie
Posts: 7
Joined: Sat May 07, 2011 3:57 pm

Re: Famous TLS error

Post by asmith » Mon May 09, 2011 7:08 am

I'm really sorry. I didn't get this part:

ssh -D 1080 <remote-server>

Where should it go?
Atm I use PuTTY to connect to my Ubuntu server (the VPN server).

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Famous TLS error

Post by janjust » Mon May 09, 2011 7:36 am

configure PuTTY to use Tunneling, add a Dynamic port 1080; included is a sample for port 2000.
Open this PuTTY session, make sure it remains alive, then connect OpenVPN.

[Image: PuTTY SSH tunnel settings screenshot, showing a Dynamic forwarded port (sample uses port 2000)]

asmith
OpenVpn Newbie
Posts: 7
Joined: Sat May 07, 2011 3:57 pm

Re: Famous TLS error

Post by asmith » Mon May 09, 2011 3:11 pm

1.
Yea, it connected. I tried twice in a row and both times it connected successfully. But after connecting I still can't browse any website. My browser always stays at "Looking up http://www.google.com ..." and then it fails. As soon as it connects, my internet becomes unavailable and I can do nothing until I disconnect it. Are there any client configurations I have missed?

This is my client log:
http://privatepaste.com/de27ae02ea

This is my server log:
http://privatepaste.com/8733f540f3

2.
So back to the connection problem: it seems my ISP is doing something to OpenVPN. How many ways are there to mess with OpenVPN? I mean, is it possible to change some settings like the port (which I already did) in OpenVPN and bypass it? It seems they are blocking OpenVPN in some way but I have no idea how they are doing this.
Again, I don't feel comfortable opening up PuTTY each time I want to connect, especially if I want to give the username and password to somebody else besides me.

3. How do you disable iptables log?
The one we did by this command:

iptables -I INPUT -p tcp -m tcp --dport 11194 -j LOG

Thank you for carrying on with me. At least we made some progress :)

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Famous TLS error

Post by janjust » Mon May 09, 2011 9:13 pm

first of all, I assume

makhmakh/127.0.1.1:35333

means you've sanitized your server log file....

as for your questions:
* try adding

route <server-IP> 255.255.255.255 net_gateway

to the client config file, where <server-IP> is the public IP address of your VPN server

* providers can monitor for OpenVPN traffic, which has an easily discernible signature; they can then block the traffic or mess in many other ways with it. Some cheapo home routers are also known to do this (but that's a bug ;))

* first make sure the VPN works via SSH; then at least you know your VPN setup is correct. As for always having to set up an SSH tunnel: that's not very practical, indeed, but you don't have to give out the password to others - you can use SSH public/private keys for that (but that is off topic for this forum).
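Why the `route <server-IP> 255.255.255.255 net_gateway` line matters when the SSH SOCKS tunnel is in use: the server in this thread pushes `redirect-gateway def1`, which sends all client traffic into the tunnel. OpenVPN normally protects the connection to the VPN server with a host route, but with `socks-proxy 127.0.0.1 1080` its TCP peer is localhost, so the SSH session that carries the tunnel is itself routed into the VPN once the tunnel is up, and everything stalls. The helper below is an added example, not code from either poster or from OpenVPN: it parses a client config, decides whether that bypass route is needed, and appends it using the `remote` address. The sample config is the one posted above, with the socks-proxy line added and 198.51.100.2 standing in for *my_ip* as a constructed placeholder.

```python
import ipaddress

# Constructed: the client config from this thread plus janjust's socks-proxy line;
# 198.51.100.2 is a documentation-range placeholder for the real *my_ip*.
CLIENT_CONF = """\
client
dev tun
proto tcp
remote 198.51.100.2 11194   # constructed placeholder for *my_ip*
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user1.crt
key user1.key
comp-lzo
verb 3
socks-proxy 127.0.0.1 1080
"""


def parse_directives(text):
    """OpenVPN config -> list of (directive, [args]); '#' and ';' start comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def find_directive(directives, name):
    return [args for d, args in directives if d == name]


def needs_bypass_route(directives, server_pushes_redirect_gateway):
    """True when the tunnel carrier (SSH session to the VPN server) would be routed into the VPN.

    Proxying makes OpenVPN's TCP peer the proxy address rather than the real server, so a
    redirect-gateway (local or pushed by the server) captures the traffic to the server itself.
    """
    via_proxy = bool(find_directive(directives, "socks-proxy") or find_directive(directives, "http-proxy"))
    redirect = server_pushes_redirect_gateway or bool(find_directive(directives, "redirect-gateway"))
    return via_proxy and redirect


def bypass_route_line(server_ip):
    ipaddress.ip_address(server_ip)  # raises ValueError for a placeholder such as *my_ip*
    return f"route {server_ip} 255.255.255.255 net_gateway"


def ensure_bypass_route(text, server_ip=None, server_pushes_redirect_gateway=True):
    """Return the config with the host route appended when it is needed and not already present."""
    directives = parse_directives(text)
    if not needs_bypass_route(directives, server_pushes_redirect_gateway):
        return text
    if server_ip is None:
        remotes = find_directive(directives, "remote")
        if not remotes or not remotes[0]:
            raise ValueError("no remote directive to take the server address from")
        server_ip = remotes[0][0]
    wanted = bypass_route_line(server_ip)
    for args in find_directive(directives, "route"):
        if args[:3] == wanted.split()[1:]:
            return text  # already there
    return text.rstrip("\n") + "\n" + wanted + "\n"


if __name__ == "__main__":
    print(ensure_bypass_route(CLIENT_CONF))
```

The `server_pushes_redirect_gateway` flag defaults to True because the server config in this thread contains `push "redirect-gateway def1"`; a client file on its own cannot see what the server pushes, so that fact has to be supplied.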
