TLS Handshake Failure

atclaus
OpenVpn Newbie
Posts: 9
Joined: Mon Dec 31, 2018 5:44 pm

TLS Handshake Failure

Post by atclaus » Mon Dec 31, 2018 6:00 pm

I am stuck!

I had an OpenVPN server running on Raspbian, but wanted to clear it and start from scratch.

Code:

service openvpn stop
apt purge openvpn easy-rsa
rm -r /etc/openvpn

apt install openvpn easy-rsa
I thought that should give me a fresh and clean install, but I cannot help but think that there is something left over, because I get the error below. I have repeated the above steps a couple of times, along with a reboot. I want to use TLS shared keys and mins (like I have on another device), but have not specified that on this device, just to try to get it to work.

Server version:

Code:

OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Client version:

Code:

OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018

Code:

Mon Dec 31 12:42:13 2018 us=182425 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Mon Dec 31 12:42:13 2018 us=182425 MANAGEMENT: >STATE:1546278133,RESOLVE,,,,,,
Mon Dec 31 12:42:13 2018 us=193609 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Dec 31 12:42:13 2018 us=193609 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Mon Dec 31 12:42:13 2018 us=193609 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Mon Dec 31 12:42:13 2018 us=193609 TCP/UDP: Preserving recently used remote address: [AF_INET]142.197.236.76:32921
Mon Dec 31 12:42:13 2018 us=193609 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Dec 31 12:42:13 2018 us=193609 UDP link local: (not bound)
Mon Dec 31 12:42:13 2018 us=193609 UDP link remote: [AF_INET]IP:port
Mon Dec 31 12:42:13 2018 us=193609 MANAGEMENT: >STATE:1546278133,WAIT,,,,,,
Mon Dec 31 12:43:13 2018 us=472804 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Dec 31 12:43:13 2018 us=472804 TLS Error: TLS handshake failed
Mon Dec 31 12:43:13 2018 us=472804 TCP/UDP: Closing socket
Mon Dec 31 12:43:13 2018 us=472804 SIGUSR1[soft,tls-error] received, process restarting
Mon Dec 31 12:43:13 2018 us=472804 MANAGEMENT: >STATE:1546278193,RECONNECTING,tls-error,,,,,
Mon Dec 31 12:43:13 2018 us=472804 Restart pause, 5 second(s)
Mon Dec 31 12:43:18 2018 us=522711 Re-using SSL/TLS context
Earlier in the log I get:

Code:

Mon Dec 31 12:42:12 2018 us=435856   remote_cert_eku = 'TLS Web Server Authentication'
...
Mon Dec 31 12:42:12 2018 us=435856   tls_timeout = 2
...
Mon Dec 31 12:42:12 2018 us=435856   tls_exit = DISABLED
Mon Dec 31 12:42:12 2018 us=435856   tls_auth_file = '[UNDEF]'
Mon Dec 31 12:42:12 2018 us=435856   tls_crypt_file = '[UNDEF]'
...
server.conf (same as on other devices that work):

Code:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
;tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
explicit-exit-notify 1
OVPN config file:

Code:

client
dev tun
proto udp
remote custom.hopto.org port
resolv-retry infinite
nobind
group nogroup
persist-key
persist-tun
;ca ca.crt
;cert client.crt
;key client.key
remote-cert-tls server
;tls-auth ta.key 1
cipher AES-256-CBC
verb 5
<ca>
ca.crt contents
</ca>
<cert>
client.crt
</cert>
<key>
client.key
</key>
Thanks!
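
As an added troubleshooting aid (not code from the post or from OpenVPN), the Python snippet below parses the two configs and the client log to flag the usual causes of a handshake that times out in the WAIT state: no reply from the server at all, a tls-auth/tls-crypt setting present on only one side, and a port or proto/cipher mismatch between the two configs. The inputs are constructed abbreviations of the post's configs and log; the client port 1193 is an assumed value, since the post shows only the placeholder `port`.

```python
# Constructed inputs abbreviated from the post (client port 1193 is assumed).
SERVER_CONF = """port 1194
proto udp
;tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
"""
CLIENT_CONF = """proto udp
remote custom.hopto.org 1193
;tls-auth ta.key 1
cipher AES-256-CBC
<ca>
ca.crt contents
</ca>
"""
CLIENT_LOG = """Mon Dec 31 12:42:13 2018 us=193609 MANAGEMENT: >STATE:1546278133,WAIT,,,,,,
Mon Dec 31 12:43:13 2018 us=472804 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

def parse_conf(text):
    """Return {directive: [args]} for active lines; ';'/'#' comment, <tag> blocks skipped."""
    opts, in_block = {}, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("<"):
            in_block = not line.startswith("</")  # <ca> opens, </ca> closes
        elif not in_block:
            name, *args = line.split()
            opts[name] = args
    return opts

def diagnose(server_conf, client_conf, client_log):
    s, c, findings = parse_conf(server_conf), parse_conf(client_conf), []
    # WAIT followed by the 60 s timeout means no handshake packet came back at all.
    if ",WAIT," in client_log and "failed to occur within 60 seconds" in client_log:
        findings.append("no reply from server: check port forward, firewall and that openvpn is listening")
    for key in ("proto", "cipher"):
        if s.get(key) != c.get(key):
            findings.append(f"{key} mismatch: server {s.get(key)} vs client {c.get(key)}")
    # tls-auth/tls-crypt must be on both sides or neither; a one-sided setting
    # makes the server drop the client's packets without any reply.
    for key in ("tls-auth", "tls-crypt"):
        if (key in s) != (key in c):
            findings.append(f"{key} configured on only one side")
    sport = s.get("port", ["1194"])[0]  # OpenVPN's default port when unset
    cport = c["remote"][1] if len(c.get("remote", [])) > 1 else "1194"
    if cport != sport:
        findings.append(f"client sends to {cport}, server listens on {sport}: ok only if the router forwards {cport} to {sport}")
    return findings
```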

atclaus
OpenVpn Newbie
Posts: 9
Joined: Mon Dec 31, 2018 5:44 pm

Re: TLS Handshake Failure

Post by atclaus » Mon Dec 31, 2018 6:42 pm

I seem to get the same error regardless of what port I put in the ovpn file. I have the router set up to forward a certain port to the DHCP reservation for the Pi on 1193, and another to that same IP on 22 for SSH. SSH works, but VPN fails.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Handshake Failure

Post by TinCanTech » Mon Dec 31, 2018 7:00 pm

Did you notice how you did not post your server log .. ?

atclaus
OpenVpn Newbie
Posts: 9
Joined: Mon Dec 31, 2018 5:44 pm

Re: TLS Handshake Failure

Post by atclaus » Mon Dec 31, 2018 7:04 pm

I just uncommented the

Code:

log-append  openvpn.log
in the server.conf, but on trying to connect no log is created.

atclaus
OpenVpn Newbie
Posts: 9
Joined: Mon Dec 31, 2018 5:44 pm

[SOLVED] Re: TLS Handshake Failure

Post by atclaus » Sat Jan 05, 2019 7:26 pm

Not sure why this was behaving like this, but another reboot did it.... I know I tried that, but I should have tried again before posting. Thanks!

bigjohns97
OpenVpn Newbie
Posts: 6
Joined: Wed Jan 03, 2018 3:10 am

Re: TLS Handshake Failure

Post by bigjohns97 » Mon Jan 07, 2019 8:19 pm

You don't happen to be running PiHole on this same OS, are you?
