New BB Code [oconf] for Openvpn TLS key negotiation failed
Posted: Wed Jan 10, 2024 7:45 pm
Hi All, I will confess I have a love/hate relationship with this tool. Free, so useful, and so hard to configure. For the purposes of this post, my clients and servers are all windows (a mix of win10 and win11, windows server 2019). I had connections working until recently, and the crts are expiring. I've tried all sorts of things like changing the expire date via cli with no joy. As of now, I'm trying to use Easy-RSA 3.x to create new keys. So arguably, my windows firewall settings, my network firewall settings are good to go, my server IP is the same. But I'm getting the dreaded "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" and "TLS Error: TLS handshake failed" errors.
I've uninstalled and re-installed OpenVPN-2.6.8-I001-amd64 with easy-rsa on my laptop and remote server (windows server 2019 in this case), and for good measure restarted the open vpn services (windows).
Using "https://community.openvpn.net/openvpn/w ... nVPN-Howto" and following the "Producing your complete PKI on the CA machine" section, I launch Easy-RSA.bat, run
./easyrsa init-pki
./easyrsa build-ca (entered pass phrase I want to use, and common name)
./easyrsa build-server-full server (entered pass phrase I want to use, and a different common name)
./easyrsa build-client-full client (entered pass phrase I want to use, used common name for client)
./easyrsa gen-dh (may be this doesn't work with creating on the CA machine?)
Over a secure connection, copied ca.crt, client.crt, and client.key to my laptop.
Server.ovpn is in C:\Program Files\OpenVPN\config-auto (I tried C:\Program Files\OpenVPN\config too but no better). My server.ovpn is:
port xxxx
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
My Client.ovpn is:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1196
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
remote-cert-tls server
ca "c:\\openvpn\\easy-rsa\\keys\\ca.crt"
cert "c:\\openvpn\\easy-rsa\\keys\\client.crt"
key "c:\\openvpn\\easy-rsa\\client.key"
comp-lzo
verb 3
I try to connect, it thinks for a minute and I get:
Wed Jan 10 14:40:11 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan 10 14:40:11 2024 TLS Error: TLS handshake failed
I've tried disabling and enabling the Windows firewall, no difference, and checked that 1196 is open on the remote network firewall and that the connection is being forwarded to the server on the remote network firewall.
What gives? I want to use this tool, but can't afford the hours/days I spend on setting it up again when it stops working.
Suggestions really appreciated. Thx.
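The post rebuilds the whole PKI and then sees a bare handshake timeout, so the first thing a practitioner would want is proof that the new PKI is actually consistent: each certificate chains to the new ca.crt and is not expired, each private key belongs to its certificate, the server certificate carries the EKU that the client's remote-cert-tls server line demands, the private keys are not passphrase-protected (Easy-RSA encrypts them unless the build-* command is given nopass), and dh.pem parses. The PowerShell script below is an added example, not code from the poster or from the OpenVPN project. It assumes the pki directory layout shown in the post and the openssl.exe that the OpenVPN 2.6 Windows installer places under C:\Program Files\OpenVPN\bin; both paths are assumptions and live in the two variables at the top.

```powershell
# Added example (not from the original post or the OpenVPN project): check that
# a rebuilt Easy-RSA 3 PKI is internally consistent before looking elsewhere.
# ASSUMPTIONS: the pki layout from the post, and the openssl.exe that the
# OpenVPN 2.6 Windows installer places under C:\Program Files\OpenVPN\bin.
$Pki     = 'C:\Program Files\OpenVPN\easy-rsa\pki'
$OpenSsl = 'C:\Program Files\OpenVPN\bin\openssl.exe'

function Import-PemCert {
    # Easy-RSA puts a human-readable dump above the PEM block in issued\*.crt,
    # so extract just the base64 body and hand .NET the raw DER bytes.
    param([string]$Path)
    $text = Get-Content -Raw -LiteralPath $Path
    $m = [regex]::Match($text, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    if (-not $m.Success) { throw "no PEM certificate found in $Path" }
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
}

function Test-ChainsToCa {
    # $true only if $CertPath is time-valid AND was issued by the CA in $CaPath.
    # The CA is supplied out-of-band via ExtraStore, so nothing in the Windows
    # certificate store can make an unrelated certificate pass.
    param([string]$CaPath, [string]$CertPath)
    $ca    = Import-PemCert $CaPath
    $cert  = Import-PemCert $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'                          # Easy-RSA publishes no CRL by default
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority' # ca.crt is not in the machine store
    $built = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # AllowUnknownCertificateAuthority would also accept a chain ending in some other
    # self-signed root, so insist that the root found is exactly our ca.crt.
    return ($built -and ($root.Thumbprint -eq $ca.Thumbprint))
}

function Test-KeyMatchesCert {
    # Compare the public key derived from the private key with the one in the cert
    # (works for RSA and EC keys). An encrypted key makes openssl prompt here, just
    # as OpenVPN would have to when loading it.
    param([string]$KeyPath, [string]$CertPath)
    $fromKey  = (& $OpenSsl pkey -in $KeyPath -pubout) -join "`n"
    $fromCert = (& $OpenSsl x509 -in $CertPath -pubkey -noout) -join "`n"
    return ($fromKey.Length -gt 0 -and $fromKey -eq $fromCert)
}

function Test-KeyIsEncrypted {
    # Easy-RSA encrypts private keys unless the build-* command was given 'nopass'.
    # Both PKCS#8 and legacy PEM headers carry the word ENCRYPTED when that happened.
    param([string]$KeyPath)
    return [bool](Select-String -LiteralPath $KeyPath -Pattern 'ENCRYPTED' -Quiet)
}

function Test-HasServerEku {
    # 'remote-cert-tls server' on the client requires the server cert to carry the
    # TLS Web Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1); build-server-full sets it.
    param([string]$CertPath)
    $cert = Import-PemCert $CertPath
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { return $true } }
        }
    }
    return $false
}

# --- report ---------------------------------------------------------------
$CaPath = Join-Path $Pki 'ca.crt'
$caCert = Import-PemCert $CaPath
"CA      : $($caCert.Subject)  expires $($caCert.NotAfter.ToString('u'))"

foreach ($name in 'server', 'client') {
    $crt  = Join-Path $Pki "issued\$name.crt"
    $key  = Join-Path $Pki "private\$name.key"
    $cert = Import-PemCert $crt
    $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "$name  : $($cert.Subject)  expires $($cert.NotAfter.ToString('u'))  ($days days left)"
    "  chains to ca.crt : $(Test-ChainsToCa $CaPath $crt)"
    "  key matches cert : $(Test-KeyMatchesCert $key $crt)"
    "  key is encrypted : $(Test-KeyIsEncrypted $key)"
    if ($name -eq 'server') { "  has serverAuth EKU: $(Test-HasServerEku $crt)" }
}

# gen-dh on the CA machine (as in the post) is fine: dh.pem is public data and
# only needs to parse. Exit status 0 means openssl accepted the parameters.
& $OpenSsl dhparam -check -noout -in (Join-Path $Pki 'dh.pem') | Out-Null
"dh.pem  : $(if ($LASTEXITCODE -eq 0) { 'valid' } else { 'INVALID' })"
```

Run it on the server, where all the PKI files live. If every line reports True and dh.pem is valid, the PKI is not the problem: a certificate mismatch normally shows up in the server log as a specific TLS verification error, whereas the 60-second timeout in the post means no handshake packets were exchanged at all. In that case raise the server's verb to 4 and look for any packet arriving from the client's address on the UDP port; nothing arriving points at the server's port line versus the port in the client's remote line, or at the forwarding rule, rather than at the certificates.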