First openvpn install TLS Error: TLS key negotiation failed

[killerhertz]

I'm trying to configure my home vpn for the first time.

My setup is as follows:

Home gateway: 192.168.0.1
Home gateway DHCP assignment range: 192.168.0.4-192.168.0.255
VPN server ip: 192.168.0.2

I realize that the gateway subnet is very common, but I'm unable to change it with my ISP's provided router. Perhaps I can hack the firmware at a later date.

Here's my server configuration file:

Code: Select all

dev tun
proto udp
port 11194

# Paths to keys and certs
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/pit.crt
key /etc/openvpn/easy-rsa/keys/pit.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# Configure server mode and supply VPN subnet for client addresses
;server 192.168.0.0 255.255.255.0 # server starts
;server 192.168.0.2 255.255.255.0 # server fails to start
server 4.44.4.0 255.255.255.0 # server?

ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn
verb 6
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo

Client configuration:

Code: Select all

client
comp-lzo
nobind
persist-key
persist-tun
auth-user-pass
dev tun
tun-mtu 1500
remote *dynamic.dns.net 11194
proto udp
ca "ca.crt"
cert "client.crt"
key "client.key"
mssfix
route-method exe
verb 3
cipher BF-CBC

The latest out of the appended log:

Code: Select all

# cat /var/log/openvpn
Thu May 22 14:15:31 2014 us=398482 OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct 12 2013
Thu May 22 14:15:31 2014 us=400412 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu May 22 14:15:31 2014 us=400684 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu May 22 14:15:31 2014 us=441277 Diffie-Hellman initialized with 1024 bit key
Thu May 22 14:15:31 2014 us=453916 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu May 22 14:15:31 2014 us=454386 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu May 22 14:15:31 2014 us=455971 ROUTE default_gateway=192.168.0.1
Thu May 22 14:15:31 2014 us=463485 TUN/TAP device tun0 opened
Thu May 22 14:15:31 2014 us=463870 TUN/TAP TX queue length set to 100
Thu May 22 14:15:31 2014 us=464108 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu May 22 14:15:31 2014 us=464496 /sbin/ifconfig tun0 4.44.4.1 pointopoint 4.44.4.2 mtu 1500
Thu May 22 14:15:31 2014 us=489642 /sbin/route add -net 4.44.4.0 netmask 255.255.255.0 gw 4.44.4.2
Thu May 22 14:15:31 2014 us=507312 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu May 22 14:15:31 2014 us=534918 UDPv4 link local (bound): [undef]
Thu May 22 14:15:31 2014 us=535404 UDPv4 link remote: [undef]
Thu May 22 14:15:31 2014 us=535636 MULTI: multi_init called, r=256 v=256
Thu May 22 14:15:31 2014 us=536644 IFCONFIG POOL: base=4.44.4.4 size=62, ipv6=0
Thu May 22 14:15:31 2014 us=536960 IFCONFIG POOL LIST
Thu May 22 14:15:31 2014 us=537414 Initialization Sequence Completed
Thu May 22 14:18:01 2014 us=249600 MULTI: multi_create_instance called
Thu May 22 14:18:01 2014 us=250324 12.34.56.78:5129 Re-using SSL/TLS context
Thu May 22 14:18:01 2014 us=250879 12.34.56.78:5129 LZO compression initialized
Thu May 22 14:18:01 2014 us=253097 12.34.56.78:5129 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu May 22 14:18:01 2014 us=253412 12.34.56.78:5129 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu May 22 14:18:01 2014 us=254241 12.34.56.78:5129 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu May 22 14:18:01 2014 us=254552 12.34.56.78:5129 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu May 22 14:18:01 2014 us=254979 12.34.56.78:5129 Local Options hash (VER=V4): '530fdded'
Thu May 22 14:18:01 2014 us=255254 12.34.56.78:5129 Expected Remote Options hash (VER=V4): '41690919'
Thu May 22 14:18:01 2014 us=255805 12.34.56.78:5129 UDPv4 READ [14] from [AF_INET]12.34.56.78:5129: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Thu May 22 14:18:01 2014 us=256093 12.34.56.78:5129 TLS: Initial packet from [AF_INET]12.34.56.78:5129, sid=02682d6d 36363e30
Thu May 22 14:18:01 2014 us=256534 12.34.56.78:5129 UDPv4 WRITE [26] to [AF_INET]12.34.56.78:5129: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0

...

Thu May 22 14:18:34 2014 us=668687 12.34.56.78:5129 UDPv4 WRITE [114] to [AF_INET]12.34.56.78:5129: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Thu May 22 14:18:35 2014 us=722837 12.34.56.78:5129 UDPv4 WRITE [114] to [AF_INET]12.34.56.78:5129: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Thu May 22 14:19:01 2014 us=717626 12.34.56.78:5129 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu May 22 14:19:01 2014 us=717949 12.34.56.78:5129 TLS Error: TLS handshake failed
Thu May 22 14:19:01 2014 us=718879 12.34.56.78:5129 SIGUSR1[soft,tls-error] received, client-instance restarting

I have UDP port forwarding on 11194 enabled on my gateway for the VPN to my server. I have a similar rule for SSH and that works just fine, so I know that mechanism *should* work.

Ideas?

[killerhertz]

As your client is 12.34.56.78 are we to presume this is a test network ?

Correct. It's another location. I actually replaced the ip address with that for privacy.