TLS Error: TLS key negotiation failed to occur within 60 sec

ScKaSx444
OpenVpn Newbie
Posts: 6
Joined: Mon May 16, 2011 5:05 am

TLS Error: TLS key negotiation failed to occur within 60 sec

Post by ScKaSx444 » Mon May 16, 2011 5:14 am

Hi All,

Setup:

Server - Diskstation 410 running Linux (using port forwarding from router 4666 -> 1194)
Client - Windows Laptop (running OpenVPN GUI)

I followed the OpenVPN guide here: http://openvpn.net/index.php/open-sourc ... howto.html

In this my first attempt at a VPN network I get the following error when trying to connect, "TLS Error: TLS key negotiation failed to occur within 60 sec". I looked up the error and it is related to network connectivity and I tried all the solutions:

- checked IP address and port number
- forwarding rule on server
- firewall

They all seemed to check out, so now I am stuck. Any ideas?

Thanks!

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: TLS Error: TLS key negotiation failed to occur within 60

Post by janjust » Mon May 16, 2011 6:04 am

please post the client and server config files as well;

a TLS key negotiation failure is usually caused by a firewall blocking things, or by a port misconfiguration; try switching to tcp mode to see if that helps - some cheapo routers have problems forwarding UDP traffic correctly in both directions.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: TLS Error: TLS key negotiation failed to occur within 60

Post by maikcat » Mon May 16, 2011 7:51 am

hi there,

you can also run openvpn to listen on port 4666 (to avoid Port redirection).

Michael
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

ScKaSx444
OpenVpn Newbie
Posts: 6
Joined: Mon May 16, 2011 5:05 am

Re: TLS Error: TLS key negotiation failed to occur within 60

Post by ScKaSx444 » Tue May 17, 2011 7:37 pm

Thanks for the reply guys.

Here are my server and client configs, please let me know if you see an obvious problem:

Server.conf

Code:

#
# Sample OpenVPN configuration file for
# office using SSL/TLS mode and RSA certificates/keys.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
# For Linux 2.2 or non-Linux OSes,
# you may want to use an explicit
# unit number such as "tun1".
# OpenVPN also supports virtual
# ethernet "tap" devices.
dev tun
; dev tap

# Choose an uncommon local subnet for the virtual VPN end points.
# 10.1.0.1 is the local side of the VPN endpoint (slug side)
# 10.1.0.2 is the remote side of the VPN endpoint (client side)
# For tun mode use ifconfig 10.1.0.1 10.1.0.2
# For tap mode use ifconfig 10.1.0.1 255.255.255.0
ifconfig 10.1.0.1 10.1.0.2
; ifconfig 10.1.0.1 255.255.255.0
; server 10.1.0.1 255.255.255.0

# Our up script will establish routes once the VPN is alive.
# Running scripts need the script-security set to 2.
script-security 2
up ./openvpn.up

# Push the 'server subnet route' to the clients
; push "route 192.168.1.11 255.255.255.0"

# Push the WINS server to the clients - if we have a Samba WINS server.
; push "dhcp-option WINS 192.168.1.77"

# Server Static Key
# (For security run - chmod 600 /opt/etc/openvpn/static.key)
; secret static.key
secret keys

# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
; tls-server
tls-server

# Diffie-Hellman Parameters (tls-server only)
; dh dh1024.pem
dh dh2048.pem

# CIPHER ALGORITHM
; cipher AES-256-CBC

# HASH FUNCTION ALGORITHM
; auth MD5

# Certificate Authority file
; ca my-ca.crt
ca certs/ca.crt

# Our certificate/public key
; cert slug-certificate.crt
cert certs/server.crt

# Our private key
; key slug-certificate.key
key keys/server.key

# OpenVPN 2.0 uses UDP port 1194 by default
# (official port assignment by iana.org 11/04).
# OpenVPN 1.x uses UDP port 5000 by default.
# Each OpenVPN tunnel must use
# a different port number.
# lport or rport can be used
# to denote different ports
# for local and remote.
; port 4666 
port 1194 

# Downgrade UID and GID to
# "nobody" after initialization
# for extra security.
; user nobody
; group nobody
user nobody
# The directory can be empty
# OpenVPN process limitation
chroot /opt/etc/openvpn/

# If you built OpenVPN with
# LZO compression, uncomment
# out the following line.
comp-lzo

# Send a UDP ping to remote once
# every 15 seconds to keep
# stateful firewall connection
# alive.  Uncomment this
# out if you are using a stateful
# firewall.
; ping 15

# Uncomment this section for a more reliable detection when a system
# loses its connection.  For example, dial-ups or laptops that
# travel to other locations.
; ping 15
; ping-restart 45
; ping-timer-rem
persist-tun
persist-key

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3

# Log files
log-append /opt/var/log/openvpn/openvpn.log
; status /opt/var/log/openvpn/status.log

#  Inactivity timeout
; inactive            45
keepalive 10 60

Client.conf

Code:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun
;dev tap

ifconfig 10.1.0.2 10.1.0.1

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my.domain.com 4666
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca certs/ca.crt
cert certs/client_1.crt
key keys/client_1.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
log-append openvpn.log
verb 3

# Silence repeating messages
;mute 20

In the meantime I will test 'proto tcp' to see if it is a router problem.

Cheers!

P.S. how can I configure OpenVPN to listen on other ports???

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: TLS Error: TLS key negotiation failed to occur within 60

Post by janjust » Tue May 17, 2011 8:42 pm

please remove all commented lines (lines starting with # or ; ) before posting;

please comment out the line
secret keys
and restart the server.

You can change the port on which the server is listening using

Code:

port 4446
(comment out the line 'port 1194').

ScKaSx444
OpenVpn Newbie
Posts: 6
Joined: Mon May 16, 2011 5:05 am

Re: TLS Error: TLS key negotiation failed to occur within 60

Post by ScKaSx444 » Mon May 23, 2011 8:01 pm

Thanks for all the help, here are the current server and client files:

Server.conf:

Code:

dev tun

ifconfig 10.1.0.1 10.1.0.2

script-security 2
up ./openvpn.up

;secret keys

tls-server

dh dh2048.pem

ca certs/ca.crt

cert certs/server.crt

key keys/server.key

port 1194 

user nobody
chroot /opt/etc/openvpn/

comp-lzo

persist-tun
persist-key

verb 3

log-append /opt/var/log/openvpn/openvpn.log

keepalive 10 60

Client.conf:

Code:

client

dev tun

ifconfig 10.1.0.2 10.1.0.1

proto udp

remote my.domain.com 4666 

resolv-retry infinite

nobind

persist-key
persist-tun

ca certs/ca.crt
cert certs/client_1.crt
key keys/client_1.key

ns-cert-type server

cipher AES-256-CBC 

comp-lzo

log-append openvpn.log
verb 3

Also, how do I restart the OpenVPN server from the command line? Is it just

Code:

openvpn some_new_config_file.conf

????

I tried restarting in this way and I still get a TLS error?

Cheers

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: TLS Error: TLS key negotiation failed to occur within 60

Post by janjust » Mon May 23, 2011 9:18 pm

you're mixing a point-to-point setup (ifconfig 10.1.0.1 10.1.0.2) with a client/server setup (certificates, keys, etc). Try this for the server config

Code:

dev tun
tls-server
server 10.1.0.0 255.255.255.0
dh dh2048.pem
ca certs/ca.crt
cert certs/server.crt
key keys/server.key
port 1194
user nobody
comp-lzo
persist-tun
persist-key
keepalive 10 60
verb 3
log-append /opt/var/log/openvpn/openvpn.log
script-security 2
up ./openvpn.up

your client setup does not look like a windows setup file at all.
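The mismatches raised in this thread (point-to-point `ifconfig` mixed with client/server mode, `secret` alongside TLS certificates, the client dialling a different port than the server listens on, udp/tcp disagreement, a cipher set on one side only) can all be caught by reading the two config files before starting anything. The linter below is an added example and is not code from the thread or from the OpenVPN project. It reads config lines the way OpenVPN does (a line whose first non-blank character is `#` or `;` is a comment). The sample configs are copied from the May 23 post and from the suggested server config above, trimmed to the directives the linter inspects; `FIXED_CLIENT_CONF` is constructed here by dropping the client's `ifconfig` line, since the thread never shows a corrected client.

```python
"""Added example (not from the thread): lint an OpenVPN 2.x server/client config pair
for the mismatches discussed above. Comment handling follows OpenVPN: a line whose
first non-blank character is '#' or ';' is ignored. Sample configs are copied from
the thread (trimmed); FIXED_CLIENT_CONF is constructed by dropping 'ifconfig'."""
import shlex

SERVER_CONF = """\
dev tun
ifconfig 10.1.0.1 10.1.0.2
;secret keys
tls-server
dh dh2048.pem
ca certs/ca.crt
cert certs/server.crt
key keys/server.key
port 1194
comp-lzo
"""
CLIENT_CONF = """\
client
dev tun
ifconfig 10.1.0.2 10.1.0.1
proto udp
remote my.domain.com 4666
ca certs/ca.crt
cert certs/client_1.crt
key keys/client_1.key
ns-cert-type server
cipher AES-256-CBC
comp-lzo
"""
FIXED_SERVER_CONF = """\
dev tun
tls-server
server 10.1.0.0 255.255.255.0
dh dh2048.pem
ca certs/ca.crt
cert certs/server.crt
key keys/server.key
port 1194
comp-lzo
"""
# Constructed for this example: the posted client without the point-to-point ifconfig line.
FIXED_CLIENT_CONF = "".join(l for l in CLIENT_CONF.splitlines(True) if not l.startswith("ifconfig"))


def parse_openvpn_config(text):
    """Return [(directive, [args]), ...]; quoted args (push "route ...") stay together."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out


def first_arg(directives, name, default):
    """First argument of the first occurrence of `name`, else `default`."""
    return next((a[0] for d, a in directives if d == name and a), default)


def lint_pair(server_text, client_text):
    """Return [(code, message), ...] describing mismatches between the two configs."""
    server, client = parse_openvpn_config(server_text), parse_openvpn_config(client_text)
    s_names, c_names = {d for d, _ in server}, {d for d, _ in client}
    found = []

    # Point-to-point 'ifconfig' has no place in a pull-based client/server setup.
    if "ifconfig" in c_names and c_names & {"client", "pull"}:
        found.append(("CLIENT_IFCONFIG_WITH_CLIENT", "client combines --client/--pull with --ifconfig; drop ifconfig"))
    if "ifconfig" in s_names and s_names & {"server", "tls-server"}:
        found.append(("SERVER_IFCONFIG_WITH_TLS", "server mixes ifconfig with TLS mode; use 'server <net> <mask>' instead"))

    # A static key ('secret') and TLS certificates are mutually exclusive modes.
    tls_dirs = {"tls-server", "tls-client", "ca", "cert", "key", "dh", "client"}
    for side, names in (("SERVER", s_names), ("CLIENT", c_names)):
        if "secret" in names and names & tls_dirs:
            found.append((side + "_SECRET_WITH_TLS", side.lower() + " has 'secret' next to TLS directives; comment one out"))

    # Port and protocol: what the client dials must be what the server listens on.
    remote = next((a for d, a in client if d == "remote"), [])
    client_port = remote[1] if len(remote) > 1 else first_arg(client, "port", "1194")
    server_port = first_arg(server, "port", "1194")
    if client_port != server_port:
        found.append(("PORT_MISMATCH", "client dials %s, server listens on %s; fine only with a forwarding rule between them" % (client_port, server_port)))
    norm = lambda p: "tcp" if p.startswith("tcp") else "udp"
    client_proto = remote[2] if len(remote) > 2 else first_arg(client, "proto", "udp")
    if norm(client_proto) != norm(first_arg(server, "proto", "udp")):
        found.append(("PROTO_MISMATCH", "client and server disagree on udp vs tcp"))

    # Data-channel options must match on both sides (OpenVPN 2.0.x does not negotiate them).
    for opt in ("cipher", "comp-lzo"):
        if (opt in s_names) != (opt in c_names):
            found.append((opt.upper().replace("-", "_") + "_ONE_SIDED", "'%s' is set on one side only" % opt))
    if {"cipher"} <= s_names & c_names and first_arg(server, "cipher", "") != first_arg(client, "cipher", ""):
        found.append(("CIPHER_MISMATCH", "cipher differs between server and client"))
    return found


if __name__ == "__main__":
    for label, pair in (("as posted", (SERVER_CONF, CLIENT_CONF)),
                        ("after the fix", (FIXED_SERVER_CONF, FIXED_CLIENT_CONF))):
        print("==", label)
        for code, msg in lint_pair(*pair):
            print("  %s: %s" % (code, msg))
```

Run against the configs as posted, it reports the two `ifconfig` findings, the 4666/1194 port difference (harmless only while the router's forwarding rule maps one to the other) and the one-sided `cipher`; after the suggested server config and the constructed client, only the last two remain. The port check deliberately reports rather than fails, because NAT port forwarding, as used in this thread, is a legitimate reason for the two numbers to differ.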

ScKaSx444
OpenVpn Newbie
Posts: 6
Joined: Mon May 16, 2011 5:05 am

Re: TLS Error: TLS key negotiation failed to occur within 60

Post by ScKaSx444 » Wed May 25, 2011 12:43 pm

Thanks for all the help janjust:

-First of all, am I restarting the server correctly from the command line? Can I just run 'openvpn new.conf' and have it restart?

-Secondly, how is my windows client setup different? I am using the OpenVPN GUI from my Windows laptop and the instructions were to alter/use the MyOpenVPN.conf file which is located in c:/Program Files/OpenVPN/config/ and this is what I posted previously.

Here is the GUI's output while trying to connect:

Code:

Wed May 25 13:39:39 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed May 25 13:39:39 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed May 25 13:39:39 2011 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Wed May 25 13:39:39 2011 LZO compression initialized
Wed May 25 13:39:39 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed May 25 13:39:40 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 25 13:39:40 2011 Local Options hash (VER=V4): '41690919'
Wed May 25 13:39:40 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed May 25 13:39:40 2011 UDPv4 link local: [undef]
Wed May 25 13:39:40 2011 UDPv4 link remote: 75.147.130.9:4884
Wed May 25 13:40:40 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 25 13:40:40 2011 TLS Error: TLS handshake failed
Wed May 25 13:40:40 2011 TCP/UDP: Closing socket
Wed May 25 13:40:40 2011 SIGUSR1[soft,tls-error] received, process restarting
Wed May 25 13:40:40 2011 Restart pause, 2 second(s)
Wed May 25 13:40:42 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed May 25 13:40:42 2011 Re-using SSL/TLS context

Thanks!
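A client log like the one above already separates two very different failure modes: a server that never answered (nothing arrives after "link remote", and the 60 second timer simply expires) versus a handshake that started and then failed. OpenVPN 2.x logs "TLS: Initial packet from ..." at verb 3 when the first handshake packet comes back, so its absence points at the transport (port, udp/tcp, firewall, forwarding rule) or at a silently dropped packet such as a tls-auth mismatch, not at certificates. The summarizer below is an added example, not code from the thread or from OpenVPN; `LOG` is copied from the GUI output posted above. It also pulls out the endpoint the client actually dialled, which is worth comparing against the `remote` line of the config you believe the GUI loaded.

```python
"""Added example (not from the thread): summarize an OpenVPN 2.x client log to tell
'the server never replied' apart from 'the handshake started but failed'.
LOG is copied from the GUI output posted in the thread."""
import re
from datetime import datetime

LOG = """\
Wed May 25 13:39:39 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed May 25 13:39:39 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed May 25 13:39:39 2011 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Wed May 25 13:39:39 2011 LZO compression initialized
Wed May 25 13:39:39 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed May 25 13:39:40 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 25 13:39:40 2011 Local Options hash (VER=V4): '41690919'
Wed May 25 13:39:40 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed May 25 13:39:40 2011 UDPv4 link local: [undef]
Wed May 25 13:39:40 2011 UDPv4 link remote: 75.147.130.9:4884
Wed May 25 13:40:40 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 25 13:40:40 2011 TLS Error: TLS handshake failed
Wed May 25 13:40:40 2011 TCP/UDP: Closing socket
Wed May 25 13:40:40 2011 SIGUSR1[soft,tls-error] received, process restarting
Wed May 25 13:40:40 2011 Restart pause, 2 second(s)
Wed May 25 13:40:42 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed May 25 13:40:42 2011 Re-using SSL/TLS context
"""

# "Wed May 25 13:39:39 2011 <message>"; the day may be space-padded.
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")


def parse_lines(text):
    """Yield (datetime, message) for every timestamped line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def verdict(s):
    """One-line reading of the summary dict built by summarize_client_log()."""
    if not s["tls_errors"]:
        return "no TLS error in this log"
    if not s["reply_seen"]:
        return ("no handshake packet arrived from %s within %s s: check port/proto, firewall, "
                "forwarding rule and tls-auth key; certificates were never reached"
                % (s["link_remote"], s["seconds_to_tls_failure"]))
    return "server replied but the handshake failed: check certificates, keys and tls-auth"


def summarize_client_log(text):
    """Extract version, warnings, dialled endpoint, TLS errors and timing from a client log."""
    s = {"version": None, "warnings": [], "link_remote": None, "remote_port": None,
         "reply_seen": False, "tls_errors": [], "restarts": 0, "seconds_to_tls_failure": None}
    link_time = None
    for when, msg in parse_lines(text):
        if s["version"] is None:
            m = re.search(r"OpenVPN (\d[\w.]*) ", msg)   # banner line: "OpenVPN 2.0.9 ..."
            if m:
                s["version"] = m.group(1)
        if msg.startswith("WARNING:"):
            s["warnings"].append(msg[len("WARNING:"):].strip())
        m = re.match(r"(?:UDP|TCP)v4 link remote: (\S+)", msg)
        if m:                                             # the endpoint actually dialled
            s["link_remote"] = m.group(1)
            s["remote_port"] = m.group(1).rsplit(":", 1)[-1]
            link_time = when
        if msg.startswith("TLS: Initial packet from"):    # first handshake packet came back
            s["reply_seen"] = True
        if msg.startswith("TLS Error:"):
            s["tls_errors"].append(msg)
            if "key negotiation failed" in msg and link_time and s["seconds_to_tls_failure"] is None:
                s["seconds_to_tls_failure"] = int((when - link_time).total_seconds())
        if "process restarting" in msg:
            s["restarts"] += 1
    s["verdict"] = verdict(s)
    return s


if __name__ == "__main__":
    summary = summarize_client_log(LOG)
    for key in ("version", "link_remote", "warnings", "tls_errors", "seconds_to_tls_failure", "verdict"):
        print("%-23s %s" % (key + ":", summary[key]))
```

On the posted log the summary shows OpenVPN 2.0.9 dialling 75.147.130.9:4884, the `--ifconfig` warning, no reply within 60 seconds and one restart, so the verdict is a transport-side problem rather than a certificate one.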
