[Solved] CentOS 8 - TLS handshake failed

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
ikfredje
OpenVpn Newbie
Posts: 3
Joined: Sun Jan 19, 2020 9:26 am

[Solved] CentOS 8 - TLS handshake failed

Post by ikfredje » Sun Jan 19, 2020 9:27 am

I've been struggling with this for a couple of days now and I cannot seem to find an answer so far.
I've installed a fresh CentOS 8 and added the openvpn functionality as follows:

# dnf install openvpn
# yum install openvpn-devel.x86_64 
# yum install NetworkManager-openvpn.x86_64 NetworkManager-openvpn-gnome.x86_64
Then in the NetworkManager UI I added the necessary information and certificates. I've thoroughly checked several times that this information is correct and the same as a working setup on CentOS 7.6. I've checked that it is not a firewall issue by temporarily disabling the firewall.

I finally found the following log entries:

$ journalctl -u NetworkManager --no-pager

Jan 18 11:55:03 maxwell NetworkManager[981]: <info>  [1579344903.4589] audit: op="connection-activate" uuid="20378b68-9764-4f31-96a5-79200779a57e" name="lpprma-at-home" pid=2238 uid=1000 result="success"
Jan 18 11:55:03 maxwell NetworkManager[981]: <info>  [1579344903.4681] vpn-connection[0x560936696100,20378b68-9764-4f31-96a5-79200779a57e,"lpprma-at-home",0]: Started the VPN service, PID 6461
Jan 18 11:55:03 maxwell NetworkManager[981]: <info>  [1579344903.4881] vpn-connection[0x560936696100,20378b68-9764-4f31-96a5-79200779a57e,"lpprma-at-home",0]: Saw the service appear; activating connection
Jan 18 11:55:03 maxwell NetworkManager[981]: <info>  [1579344903.5011] vpn-connection[0x560936696100,20378b68-9764-4f31-96a5-79200779a57e,"lpprma-at-home",0]: VPN plugin: state changed: starting (3)
Jan 18 11:55:03 maxwell NetworkManager[981]: <info>  [1579344903.5011] vpn-connection[0x560936696100,20378b68-9764-4f31-96a5-79200779a57e,"lpprma-at-home",0]: VPN connection: (ConnectInteractive) reply received
Jan 18 11:55:03 maxwell nm-openvpn[6465]: WARNING: file '<edited>.pem' is group or others accessible
Jan 18 11:55:03 maxwell nm-openvpn[6465]: OpenVPN 2.4.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
Jan 18 11:55:03 maxwell nm-openvpn[6465]: library versions: OpenSSL 1.1.1 FIPS  11 Sep 2018, LZO 2.08
Jan 18 11:55:03 maxwell nm-openvpn[6465]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 18 11:55:03 maxwell nm-openvpn[6465]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 11:55:03 maxwell nm-openvpn[6465]: TCP/UDP: Preserving recently used remote address: [AF_INET]<ip address edited>:1194
Jan 18 11:55:03 maxwell nm-openvpn[6465]: UDP link local: (not bound)
Jan 18 11:55:03 maxwell nm-openvpn[6465]: UDP link remote: [AF_INET]<ip address edited>:1194
Jan 18 11:55:03 maxwell nm-openvpn[6465]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jan 18 11:55:03 maxwell nm-openvpn[6465]: TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
Jan 18 11:55:03 maxwell nm-openvpn[6465]: OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Jan 18 11:55:03 maxwell nm-openvpn[6465]: TLS_ERROR: BIO read tls_read_plaintext error
Jan 18 11:55:03 maxwell nm-openvpn[6465]: TLS Error: TLS object -> incoming plaintext read error
Jan 18 11:55:03 maxwell nm-openvpn[6465]: TLS Error: TLS handshake failed
Jan 18 11:55:03 maxwell nm-openvpn[6465]: SIGUSR1[soft,tls-error] received, process restarting
So it would appear that the client (CentOS 8) and the server do not have a common cipher to use. When I check on the VPN server I try to connect to (using the working CentOS 7.6 openvpn), I can see that although it is a somewhat dated server, TLSv1.2 should be available, which I thought was still OK to use. (I forgot where I found how to check this.)

$ openssl ciphers -v 'TLSv1.2' | grep AES
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
When I do the same on the CentOS 8 client, I get:

$ openssl ciphers -v 'TLSv1.2' | grep AES
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(256) Mac=AEAD
DHE-PSK-AES256-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-AES256-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(256) Mac=AEAD
PSK-AES256-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(128) Mac=AEAD
DHE-PSK-AES128-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(128) Mac=AEAD
PSK-AES128-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
Both lists have many ciphers in common ...:

 ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
 DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
 ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
 ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
 DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
 ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
 ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
 ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
 DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
 DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
 ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
 DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
 DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
 ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
 AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
 AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
 AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
 AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
So, I'm not sure what is going on. Can someone help me with this? Many thanks.
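The cipher-list comparison above done mechanically, as an added example that is not code from this thread or from OpenVPN: it parses `openssl ciphers -v` output from both hosts, keeps only suites both list under the same TLS version, reports which protocol versions the two sides have in common (the log's "Unsupported protocol" error is about the version, not the cipher), and flags shared suites such as the ADH ones that authenticate nobody. The embedded lists are a constructed subset of the two outputs posted above; note that `openssl ciphers` shows what the library can do, not what the OpenVPN daemon's own options or the system crypto policy actually permit.

```python
# Added example (not code from this thread or from OpenVPN): compare two
# `openssl ciphers -v` outputs and flag shared suites that authenticate nobody.
from collections import namedtuple

Suite = namedtuple("Suite", "name version kx au enc mac")

# Constructed subset of the two lists posted above, embedded so this runs offline.
SERVER_OUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
"""
CLIENT_OUT = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
"""

def parse_ciphers(text):
    """Turn `openssl ciphers -v` lines into Suite tuples; malformed lines are skipped."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append(Suite(fields[0], fields[1], attrs.get("Kx"), attrs.get("Au"),
                            attrs.get("Enc"), attrs.get("Mac")))
    return suites

def common_suites(server, client):
    """Suites both sides list, matched on name AND protocol version, in server order."""
    offered = {(s.name, s.version) for s in client}
    return [s for s in server if (s.name, s.version) in offered]

def common_versions(server, client):
    """Protocol versions both list; empty is the 'Unsupported protocol' case in the log."""
    return {s.version for s in server} & {s.version for s in client}

def unauthenticated(suites):
    """Suites with no certificate-based peer authentication (ADH 'Au=None', PSK)."""
    return [s.name for s in suites if s.au in ("None", "PSK")]

def report(server_text, client_text):
    """Print what the two lists share; returns the common suite names."""
    server, client = parse_ciphers(server_text), parse_ciphers(client_text)
    shared = common_suites(server, client)
    print("versions in common:", sorted(common_versions(server, client)) or "NONE")
    for s in shared:
        flag = "  <-- no peer authentication" if s.au in ("None", "PSK") else ""
        print(f"{s.name:<32}{s.version} Au={s.au}{flag}")
    return [s.name for s in shared]

if __name__ == "__main__":
    report(SERVER_OUT, CLIENT_OUT)
```

To use it on real hosts, paste each side's full `openssl ciphers -v` output into the two strings; a shared list that consists only of ADH or PSK suites is no better than an empty one.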

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: cannot connect to openvpn server TLS handshake failed

Post by TinCanTech » Sun Jan 19, 2020 1:04 pm


ikfredje
OpenVpn Newbie
Posts: 3
Joined: Sun Jan 19, 2020 9:26 am

Re: cannot connect to openvpn server TLS handshake failed

Post by ikfredje » Tue Jan 21, 2020 6:13 pm

Hi,
Apologies for the delay in coming back to this ...
If I understood correctly I need to post the following information:

The server configuration:
server

# cat /etc/openvpn/<edited>.conf

# EBox OpenVPN 2.0 config file for server lpprma

# Which local IP address should OpenVPN
# listen on? (optional)
multihome

# Which TCP/UDP port should OpenVPN listen on?
port 1194

# TCP or UDP server?
proto udp

# virtual device
dev tap0

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).
ca '/var/lib/zentyal/CA/cacert.pem'
cert '/var/lib/zentyal/CA/certs/<edited>.pem'
key '/var/lib/zentyal/CA/private/<edited>.pem'
# This file should be kept secret

# check peer certificate against certificate revocation list
crl-verify /var/lib/zentyal/CA/crl/latest.pem

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
#dh /etc/openvpn/dh1024.pem
dh /etc/openvpn/ebox-dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
server <edited ip range>

# Maintain a record of client <-> virtual IP address
# associations in this file.
ifconfig-pool-persist '/etc/openvpn/<edited>.txt'

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN
;push "redirect-gateway"

# Uncomment this directive to allow different
# clients to be able to "see" each other.

# The keepalive directive causes ping-like
# messages to be sent back and forth over
keepalive 10 120

# client certificate common name authentication
tls-remote <edited>

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# group and user for the OpenVPN
# daemon's privileges after initialization.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Write the PID file for compatibility with Ubuntu init.d script
writepid /var/run/openvpn.<edited>.pid

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status '/var/log/openvpn/<edited>.log'

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log-append '/var/log/openvpn/<edited>.log'

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

client-config-dir /etc/openvpn/lpprma.d/client-config.d

push "route <edited ip range>"





The working CentOS 7.6 client config:
client

[connection]
id=<edited connection id>
uuid=3958e11d-8c41-4975-bfdb-6a92beb973cd
type=vpn
autoconnect=false
permissions=user:<edited user>:;
timestamp=1579112805

[vpn]
ca=<edited cacert.pem>
cert=<edited cert.pem>
cert-pass-flags=0
comp-lzo=adaptive
connection-type=tls
dev-type=tap
key=<edited key.pem>
remote=<edited ip address>
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns=8.8.8.8;
dns-search=
method=auto
never-default=true
route1=<edited ip range 1>
route2=<edited ip range 2>

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=ignore


and the failing CentOS 8 client config (which is exactly as the CentOS 7.6 one except for the uuid and (missing) timestamp fields)
client

[connection]
id=<edited connection id>
uuid=20378b68-9764-4f31-96a5-79200779a57e
type=vpn
autoconnect=false
permissions=user:<edited user>:;

[vpn]
ca=<edited cacert.pem>
cert=<edited cert.pem>
cert-pass-flags=0
comp-lzo=adaptive
connection-type=tls
dev-type=tap
key=<edited key.pem>
remote=<edited ip address>
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns=8.8.8.8;
dns-search=
method=auto
never-default=true
route1=<edited ip range 1>
route2=<edited ip range 2>

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=ignore


Not sure what to do about the log files ... I've put "verb 4" in the client config but I do not seem to see any difference in the log file as posted in the initial post. Maybe I am not looking at the correct log file: guidance would be welcome.

Thanks.

ikfredje
OpenVpn Newbie
Posts: 3
Joined: Sun Jan 19, 2020 9:26 am

[SOLVED] cannot connect to openvpn server TLS handshake failed

Post by ikfredje » Wed Jan 22, 2020 7:45 pm

On the CentOS forum https://forums.centos.org/viewtopic.php ... 30#p307877 a user prompted me to look at the parameter MinProtocol in the file /etc/crypto-policies/back-ends/opensslcnf.config.

However, MinProtocol was already set to TLSv1.2, but looking at the Ciphersuites line I noticed that none of the ciphers appeared in the server's list. So I added ":AES256-GCM-SHA384" (which appears in the server's cipher list) to the end of the line and now it works!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: cannot connect to openvpn server TLS handshake failed

Post by TinCanTech » Fri Jan 24, 2020 6:56 pm

Thanks for letting us know 8-)

kroko
OpenVpn Newbie
Posts: 1
Joined: Tue Mar 24, 2020 8:07 pm

Re: [Solved] CentOS 8 - TLS handshake failed

Post by kroko » Tue Mar 24, 2020 8:10 pm

On CentOS 8 you can use this command to relax your encryption settings:

update-crypto-policies --set LEGACY
more info here: https://access.redhat.com/documentation ... -hardening
