Openvpn TLS key negotiation failed

senrabdet
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 18, 2021 4:12 pm

Openvpn TLS key negotiation failed

Post by senrabdet » Wed Jan 10, 2024 7:45 pm

Hi All, I will confess I have a love/hate relationship with this tool. Free, so useful, and so hard to configure. For the purposes of this post, my clients and servers are all Windows (a mix of Win10 and Win11, Windows Server 2019). I had connections working until recently, and the crts are expiring. I've tried all sorts of things like changing the expiry date via CLI with no joy. As of now, I'm trying to use Easy-RSA 3.x to create new keys. So arguably, my Windows firewall settings and my network firewall settings are good to go, and my server IP is the same. But I'm getting the dreaded "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" and "TLS Error: TLS handshake failed" errors.

I've uninstalled and re-installed OpenVPN-2.6.8-I001-amd64 with easy-rsa on my laptop and remote server (Windows Server 2019 in this case), and for good measure restarted the OpenVPN services (Windows).

Using "https://community.openvpn.net/openvpn/w ... nVPN-Howto" and following the "Producing your complete PKI on the CA machine" section, I launch Easy-RSA.bat and run

./easyrsa init-pki
./easyrsa build-ca (entered pass phrase I want to use, and common name)
./easyrsa build-server-full server (entered pass phrase I want to use, and a different common name)
./easyrsa build-client-full client (entered pass phrase I want to use, used common name for client)
./easyrsa gen-dh (may be this doesn't work with creating on the CA machine?)

Over secure connection, copied to my laptop ca.crt. client.crt. and client.key.

Server.ovpn is in C:\Program Files\OpenVPN\config-auto (I tried C:\Program Files\OpenVPN\config too, but no better). My server.ovpn is:

port xxxx
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

My Client.ovpn is:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1196
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
remote-cert-tls server
ca "c:\\openvpn\\easy-rsa\\keys\\ca.crt"
cert "c:\\openvpn\\easy-rsa\\keys\\client.crt"
key "c:\\openvpn\\easy-rsa\\client.key"
comp-lzo
verb 3

I try to connect, it thinks for a minute and I get:

Wed Jan 10 14:40:11 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan 10 14:40:11 2024 TLS Error: TLS handshake failed

I've tried disabling and enabling the Windows firewall, no difference, and checked that 1196 is open on the remote network firewall and that the connection is being forwarded to the server on the remote network firewall.

What gives? I want to use this tool, but can't afford the hrs/days I spend on setting it up again when it stops working.

Suggestions really appreciated. Thx.

senrabdet
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 18, 2021 4:12 pm

Openvpn TLS key negotiation failed

Post by senrabdet » Fri Jan 12, 2024 4:02 pm

PS: does anyone have any evidence this might be an ISP or a Windows update problem? My thinking here is that many of these connections were working and then stopped, and if nothing else has changed other than Windows updates or whatever the ISPs are doing... a thin hypothesis, but hoping to put it out there.

senrabdet
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 18, 2021 4:12 pm

Openvpn TLS key negotiation failed

Post by senrabdet » Thu Jan 18, 2024 1:25 pm

Any suggestions? Again my environment is all Windows (I've got OpenVPN to work recently from a Windows box to a remote Ubuntu machine but am stuck trying to get Windows to Windows to work). I have tried generating all the crts and keys on a CA machine, including signing. I am not trying to use the Easy-TLS stuff. I've tried connecting over a LAN with the Windows firewall off (presumably to rule out the peripheral firewall being a problem) and checked port settings on Windows and the peripheral firewall, and port forwarding on the peripheral firewall, when trying to connect remotely.

Q: is the problem that I'm trying to create all of the crts and keys on the CA server and sign them there? As said, I recently got this all working for a Windows machine to connect to a remote Ubuntu machine, creating all the crts and keys on the Ubuntu machine. That's not following the instructions of creating them on separate machines and "importing them". That approach seems like overkill for my purposes, but am I skipping steps that I can't skip?

Again, the commands I'm using on the CA server are (I'm using nopass for testing to rule out password problems, but wouldn't want to do that in production):
https://community.openvpn.net/openvpn/w ... nVPN-Howto

./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa gen-req client nopass
./easyrsa show-req server
./easyrsa show-req client
./easyrsa sign-req server server
./easyrsa sign-req client client
./easyrsa gen-dh

My server.ovpn is in C:\Users\User\OpenVPN\config\server and is:
port 1194
proto udp
dev tap
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
remote-cert-tls server
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 5

My client.ovpn is:
client
dev tap
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "j:\\openvpn\\easy-rsa\\keys\\user\\ca.crt"
cert "j:\\openvpn\\easy-rsa\\keys\\user\\client.crt"
key "j:\\openvpn\\easy-rsa\\keys\\user\\client.key"
comp-lzo
verb 5

Error on the client side:
2024-01-18 08:10:26 us=375000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-01-18 08:10:26 us=375000 TLS Error: TLS handshake failed

At the moment, despite my server.ovpn being verb 5, my server.log is blank.
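Added example for this thread (not from senrabdet or the OpenVPN project): a Python checker that parses a server/client .ovpn pair written the way the two pairs above are, and reports the pairing mismatches that most often end in this exact 60-second timeout. The hostname vpn.example.com is a placeholder.

```python
import re

def parse_ovpn(text):
    """Map each directive to its argument list; quoted args are unquoted."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            parts = re.findall(r'"[^"]*"|\S+', line)
            opts[parts[0]] = [p.strip('"') for p in parts[1:]]
    return opts

def check_pair(server_text, client_text):
    """Return human-readable mismatch findings; an empty list means the pair agrees."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    out = []
    sproto, cproto = s.get('proto', ['udp'])[0][:3], c.get('proto', ['udp'])[0][:3]
    if sproto != cproto:
        out.append(f"proto mismatch: server {sproto}, client {cproto}")
    sdev, cdev = s.get('dev', [''])[0][:3], c.get('dev', [''])[0][:3]
    if sdev != cdev:
        out.append(f"dev mismatch: server '{sdev}', client '{cdev}'")
    sport = s.get('port', ['1194'])[0]
    remote = c.get('remote', [])
    cport = remote[1] if len(remote) > 1 else c.get('rport', c.get('port', ['1194']))[0]
    if sport != cport:
        out.append(f"port mismatch: server listens on {sport}, client dials {cport}")
    # A control-channel key (tls-auth/tls-crypt) on one side only makes the peer
    # reject every handshake packet; the client just sees the 60-second timeout.
    for wrap in ('tls-auth', 'tls-crypt', 'tls-crypt-v2'):
        if (wrap in s) != (wrap in c):
            out.append(f"{wrap} present on only one side")
    if ('comp-lzo' in s) != ('comp-lzo' in c):
        out.append("comp-lzo present on only one side")
    # remote-cert-tls names the EKU the *peer* must carry, so 'server' belongs in
    # the client config; on the server it rejects every client certificate.
    if s.get('remote-cert-tls', [''])[0] == 'server':
        out.append("server has 'remote-cert-tls server'; use 'remote-cert-tls client' or drop it")
    return out

# Constructed sample: the second server/client pair quoted in this thread, trimmed
# to the directives the checker looks at (vpn.example.com is a placeholder).
SERVER = 'port 1194\nproto udp\ndev tap\nremote-cert-tls server\nserver 10.50.8.0 255.255.255.0\ncomp-lzo\n'
CLIENT = 'client\ndev tap\nproto udp\nremote vpn.example.com 1194\ncomp-lzo\n'

if __name__ == '__main__':
    for f in check_pair(SERVER, CLIENT) or ['no pairing mismatches found']:
        print(f)
```

Run it against your own pair by reading the two files into SERVER and CLIENT; an empty result means the cause is elsewhere (reachability, the server process not starting, or a certificate that does not chain to ca.crt), which a server log that stays blank at verb 5 also points at.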

vpncek
OpenVpn Newbie
Posts: 1
Joined: Sat Jul 06, 2024 6:27 pm

Openvpn TLS key negotiation failed

Post by vpncek » Sat Jul 06, 2024 6:53 pm

Hi ... did you ever figure this out? I'm having a similar issue.

Fill
OpenVpn Newbie
Posts: 1
Joined: Sat Nov 16, 2024 7:37 pm

Re: Openvpn TLS key negotiation failed

Post by Fill » Sat Nov 16, 2024 7:52 pm

The same issue... but more exciting ))
It's a pretty old OpenVPN installation which has worked fine for 9 years:

/etc/openvpn# openvpn --version
OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan  9 2019
library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no
It's used by a few clients: 1 MS Win 10 PC, a few Android phones and a few Linux-based laptops.
But a few days ago Windows had some updates installed... That's all. Now it is not able to establish a connection:

... billions of lines of logs...
2024-11-16 21:01:10 us=406000 OpenVPN 2.6.12 [git:v2.6.12/038a94bae57a446c] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jul 18 2024
2024-11-16 21:01:10 us=406000 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-11-16 21:01:10 us=406000 library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
2024-11-16 21:01:10 us=406000 DCO version: 1.2.1
2024-11-16 21:01:10 us=406000 WE_INIT maxevents=1 flags=0x00000002
2024-11-16 21:01:10 us=406000 WE_INIT maxevents=1 capacity=2
2024-11-16 21:01:10 us=406000 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2024-11-16 21:01:10 us=406000 Need hold release from management interface, waiting...
... another billions of lines ...
2024-11-16 21:02:11 us=203000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-11-16 21:02:11 us=203000 TLS Error: TLS handshake failed
... few another Gb of logs ...
I tried upgrading the OpenVPN client, adding exceptions to the firewall rules, totally disabling the firewall, etc. The interesting thing is that the client's ovpn file still works from the Linux laptop and the Android phone, so it's something with the Win PC itself. I'm totally lost with this :?
