Please help "TLS failed:TLS handshake failed"

[Anson0]

Problem:TLS failed:TLS handshake failed,
Client:Ubuntu 14.04LTS 64bit
VPS Server:Debian 7 32bit,OPENVZ

Server.conf:

Client.conf:

Server.log

Client.log


I am a novice to vpn,it is already over 2 weeks since I purchased VPS service,but I still fail to build my openvpn,I donot know how to debug this problem,and even donot know where to start,please guide me solve my problem,any help will certainly be appreciated.

[maikcat]

for testing disable your servers firewall.

Michael.

[Anson0]

Both my server and client had already removed the iptables rules,and ufw is disabled,
iptables -L output:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[maikcat]

the connection refused messages indicate that traffic is dropped...

Michael.

[Anson0]

Then what is the solution,please

[maikcat]

traffic is dropped,
switch to tcp and check if this changes anything.

Michael.

[Anson0]

In client.conf&server.conf,after change to use Proto tcp&dev tap,still fail to work,here below is log for your information
server.log:
client.log:

[john56477]

The Problem is the Chinese GFW

You need to install a special version of openvpn with a patch. On both the Client and Server side.
This patch introduces a scramble, so the GFW inspection does not see its openvpn.

Without patch, Currently, The Chinese Government also try to
establish another connection, presume to try and install exploit
or break-in. You need to be aware of this.


There are few ways to install patched openvpn,
CentOS
======
Auto install script for Centos 6/6.5 (post made for 2.3.2)
http://lowendtalk.com/discussion/23555/ ... ler-script

Debian/Ubuntu
===========
Install from source code (post made for 2.3.4)
http://vpnchinaopenvz.wordpress.com/201 ... or-ubuntu/

Install from deb package for Debian or Ubuntu
http://vpnchinaopenvz.wordpress.com/201 ... ng-sbuild/
http://vpnchinaopenvz.wordpress.com/201 ... version-2/

[Anson0]

Michael,Morning!What is your opinion,do you agree with John?

[Anson0]

Michael,Morning!What is your opinion,do you agree with John?

[Anson0]

Michael,I would like try your solution,hope you can find out what is the problem cause.

[maikcat]

your Ip's come from china so yes john's suggestion might work for you..

Michael.

[Anson0]

Hi Michael,thanks anyway.But I donot think I would like to try john's solution.
Previously,about 2 days ago,I was trying to post this problem in "Configuration" section,but still not find my post on that section,it seems my post was not passing your filter,which probably because I have this active post of same topic in this section,could you plz advise how can I successfully post this topic in "Configuration" section,there seems more active,maybe i can find suitable solution?

[maikcat]

i saw the second post you made and i disaproved it since i was answering this one.

just move it under configuration section.

Michael.

[john56477]

Fair enough, actually you don't need to install a new special openvpn,
you can use standard openvpn and route it via SSH or stunnel, or any other encrypted tunnel
one limitation is, it only works for TCP, does not work for UDP.

in client script add (if ssh listen port is 8080)
socks-proxy localhost 8080

change to TCP on both server and client (and restart server)
proto TCP
;proto UDP

Also, the International Connections out of China are hopeless,
I hear, often the only time to get proper connection
to US is between 2 AM and 7 AM Chinese time.

Before you try and connect, Check that there is actual
bandwidth connection.
Use site http://www.speedtest.net/ and pick a server in the
country where the VPS is. If the test result is less than
.3 mpbs download, its not the GFW, its just poor international network.

[Anson0]

Michael,that is very kind of you,thanks for moving my post under "Configuration"section.I am reading openvpn introduction,hope to get the principal how the openvpn works.Happy Black Friday!

[Anson0]

Michael,that is very kind of you,thanks for moving my post under "Configuration"section.I am reading openvpn introduction,hope to get the principal how the openvpn works.Happy Black Friday!

[Anson0]

Michael,could you please advise why 1194 port is not open in client,and how to enable this port in client?And for the server,why 1194 port is listening 0.0.0.0,I think it should listening on my server address?

[maikcat]

Michael,could you please advise why 1194 port is not open in client

why the port should be open in your CLIENT????

And for the server,why 1194 port is listening 0.0.0.0,I think it should listening on my server address?

did you use the local directive on your config?
by default openvpn listens on ALL available interfaces.

Michael.

[Anson0]

Michael,thank you very much for clarification,I was wrongly thinking both server and client should open port 1194.
And now,i also now server 1194 port listening on 0.0.0.0 is normal.Your post is of great help to me.Thanks again.