All,
As described in the title, I managed to build OpenVPN linked to LibreSSL 2.1.2 on CentOS 7. When I downloaded and ran the OpenVPN client, I noticed that it is built with OpenSSL 1.0.1j.
I am getting the following error in client logs:
TLS Error: TLS key negotiation failed to occur within 60 seconds
TLS Error: TLS handshake failed
On the server side, the server can see the client (ran tcpdump, saw pings, openvpn packets) but the server never moved past "Initialization Sequence Complete" in the logs. Given the above client log and server log, what could be causing it not to negotiate?
Of course, my usual suspects are the following:
1) One is linked to LibreSSL while the other to OpenSSL. But this should NOT cause an incompatibility problem. Else, how can these guys build OpenVPN on OpenBSD 5.6 (defaults to LibreSSL), http://www.openbsdsupport.org/openvpn-o ... pplication?
2) CentOS 7. To be candid, I am surprised they even call it Linux. For instance, removing the builtin OpenSSL crashed the entire system. I managed to install LibreSSL as an alt library but bumped into and solved a handful of problems. And don't try to compile the kernel because they'll have you sign your life away in terms of warnings. It seems fragile.
Thanks in advance!
Server Built w LibreSSL - Client Built w OpenSSL
Nayk0105
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Jan 21, 2015 6:23 pm
Re: Server Built w LibreSSL - Client Built w OpenSSL
Ok, problem is solved. Here is what I did in case others are in the same boat.
That error is almost always due to what is described here,
http://openvpn.net/index.php/open-sourc ... ivity.html
In my case, it still is although I checked it before posting my original post.
The cause is due to my usual suspect #2, CentOS 7. There are iptables rules set up by default after you install it. Nothing is wrong and I expect that. What I didn't expect is that even after issuing
# systemctl stop firewalld
# systemctl mask firewalld
# systemctl stop iptables
CentOS 7 will still be *filtering* traffic. Since iptables operates in the networking stack, which is lower than the application stack where OpenVPN operates, the server never sees anything and thus never shows anything beyond "Initialization Sequence Complete".
To fix it, you flush all the rules in iptables by directly issuing
# iptables -F
# iptables -X
and doing
# iptables -L
should show you only 3 chains with ACCEPT as the default rule. Why they would put in the useless firewalld and control it through systemctl is beyond me.
I also want to confirm the following combos work:
LibreSSL 2.12 (linked as an alt library in my OpenVPN 2.3.6 server) <===> works with OpenSSL 1.0.1j built into my PC OpenVPN client
LibreSSL 2.12 <===> works with PolarSSL 1.3.8 built into my iPhone's OpenVPN Connect 1.0.5 app
LibreSSL 2.12 <===> works with PolarSSL 1.3.7 built into Samsung Galaxy's OpenVPN Connect Android 1.1.14 app
I did bump into one problem with PolarSSL where LibreSSL/OpenSSL generates private keys in PKCS 5 format which is not understood by PolarSSL. The fix is to convert existing key(s) to RSA format.
Hope that helps!
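The check behind this fix, as an added example that is not part of the thread: it reads the INPUT chain in `iptables -S` form and reports which rule decides the fate of a fresh inbound OpenVPN packet, so you can see the blocking REJECT and add one targeted ACCEPT instead of flushing the whole firewall with `iptables -F`/`-X`. The UDP port 1194 and the rule sets are constructed assumptions (the thread names neither), and only the -p, --dport, -i and --ctstate selectors are modelled.

```shell
#!/bin/sh
# Added example, not from the thread. Evaluates captured `iptables -S INPUT`
# text offline. Assumptions: OpenVPN on UDP 1194 (constructed), traffic arrives
# on a non-loopback interface, only -p/--dport/-i/--ctstate selectors modelled.

# Constructed sample: CentOS 7 after `systemctl stop firewalld`, default rule
# set still loaded. The final REJECT is what stalls the TLS handshake.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Same host after the targeted fix, which keeps the rest of the policy:
#   iptables -I INPUT -p udp --dport 1194 -j ACCEPT
FIXED_RULES='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# What `iptables -F; iptables -X` leaves behind: no filtering at all.
FLUSHED_RULES='-P INPUT ACCEPT'

# ovpn_verdict RULES PORT PROTO
# Prints the target (ACCEPT/REJECT/DROP/...) of the first INPUT rule a new
# inbound OpenVPN packet matches, or the chain policy if no rule matches.
ovpn_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" -v proto="$3" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 == "-A" && $2 == "INPUT" {
            applies = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && $(i+1) != proto) applies = 0       # other protocol
                if ($i == "--dport" && $(i+1) != port) applies = 0   # other port
                if ($i == "-i" && $(i+1) == "lo") applies = 0        # loopback only
                if ($i == "--ctstate" && index($(i+1), "NEW") == 0) applies = 0  # no NEW: skips a fresh handshake
                if ($i == "-j") target = $(i+1)
            }
            if (applies && verdict == "") verdict = target
        }
        END { print (verdict == "" ? policy : verdict) }'
}

# Live use on the server itself (as root):
#   ovpn_verdict "$(iptables -S INPUT)" 1194 udp
```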
