OpenVPN startup fails

NiQ
OpenVpn Newbie
Posts: 4
Joined: Thu Sep 09, 2010 8:26 pm

OpenVPN startup fails

Post by NiQ » Thu Sep 09, 2010 8:40 pm

Hi,
After several months of using OpenVPN without any problems, for the past few days I'm unable to connect to the VPN server. As far as I know, no configuration change has occurred, so I'm kinda clueless about this.
The server is OpenVPN version 2.0.9 mipsel-linux running on WRT54GL/OpenWRT router.
The client is OpenVPN version 2.1_rc19 i686-pc-mingw32 running on Windows Server 2003.
(I'm aware of the version differences, note that they used to work!)

Attempting to start the client yields the following result:


Thu Sep 09 23:35:29 2010 OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 16 2009
Thu Sep 09 23:35:29 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 09 23:35:29 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Sep 09 23:35:29 2010 LZO compression initialized
Thu Sep 09 23:35:29 2010 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Thu Sep 09 23:35:29 2010 Control Channel MTU parms [ L:1458 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 09 23:35:29 2010 Data Channel MTU parms [ L:1458 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Sep 09 23:35:29 2010 Local Options hash (VER=V4): '4355902f'
Thu Sep 09 23:35:29 2010 Expected Remote Options hash (VER=V4): 'fa437c7c'
Thu Sep 09 23:35:29 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Sep 09 23:35:29 2010 UDPv4 link local: [undef]
Thu Sep 09 23:35:29 2010 UDPv4 link remote: <ip_addr>:<port>
Thu Sep 09 23:35:29 2010 TLS: Initial packet from <ip_addr>:<port>, sid=ec5f36b4 31904bcf
Thu Sep 09 23:35:32 2010 VERIFY OK: depth=1, <cert_details>
Thu Sep 09 23:35:32 2010 VERIFY OK: depth=0, <ca_details>
Thu Sep 09 23:36:29 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 09 23:36:29 2010 TLS Error: TLS handshake failed
Thu Sep 09 23:36:29 2010 TCP/UDP: Closing socket
Thu Sep 09 23:36:29 2010 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 09 23:36:29 2010 Restart pause, 2 second(s)
Thu Sep 09 23:36:31 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 09 23:36:31 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Sep 09 23:36:31 2010 Re-using SSL/TLS context
Thu Sep 09 23:36:31 2010 LZO compression initialized
Thu Sep 09 23:36:31 2010 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Thu Sep 09 23:36:31 2010 Control Channel MTU parms [ L:1458 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 09 23:36:31 2010 Data Channel MTU parms [ L:1458 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Sep 09 23:36:31 2010 Local Options hash (VER=V4): '4355902f'
Thu Sep 09 23:36:31 2010 Expected Remote Options hash (VER=V4): 'fa437c7c'
Thu Sep 09 23:36:31 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Sep 09 23:36:31 2010 UDPv4 link local: [undef]
Thu Sep 09 23:36:31 2010 UDPv4 link remote: <ip_addr>:<port>
Thu Sep 09 23:36:31 2010 TLS: Initial packet from <ip_addr>:<port>, sid=ac1db48f 8b6b8602
Thu Sep 09 23:36:32 2010 VERIFY OK: depth=1, <cert_details>
Thu Sep 09 23:36:32 2010 VERIFY OK: depth=0, <ca_details>
It just keeps reporting negotiation failures every minute.
Any ideas?

Thanks!

NiQ
OpenVpn Newbie
Posts: 4
Joined: Thu Sep 09, 2010 8:26 pm

Re: OpenVPN startup fails

Post by NiQ » Thu Sep 09, 2010 9:14 pm

OK, I'm an idiot.
Checked the logs on the server, noticed an invalid certificate error. Apparently the router's clock was set to 2009, thus deeming the client certificate to be "not yet valid".
Residential gateways apparently don't have anything that maintains their clocks when they're off, so it's necessary to set their time via ntp when booted for certificate authentication to work properly.
Maybe it'll help someone who has similar problems.
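As an added example (not part of NiQ's post or of OpenVPN's own code), a small Python check that reproduces the failure mode described here: it parses the date lines that `openssl x509 -noout -dates` prints for a certificate and reports whether that certificate would be "not yet valid" or "expired" for a given clock reading, and by how much the clock would have to move. The certificate dates and the 2009 router clock below are constructed values.

```python
from datetime import datetime, timedelta, timezone

# Date format printed by `openssl x509 -noout -dates`,
# e.g. "notBefore=Sep  9 20:00:00 2010 GMT"
_OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Return (notBefore, notAfter) as aware UTC datetimes from -dates output."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        # openssl pads single-digit days with two spaces; collapse for strptime
        stamp = datetime.strptime(" ".join(value.split()), _OPENSSL_FMT)
        fields[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def check_validity(not_before: datetime, not_after: datetime, now: datetime):
    """Classify `now` against the validity window.

    Returns (status, skew): status is 'not yet valid', 'expired' or 'valid';
    skew is the smallest clock correction that would bring `now` inside the
    window (zero when the certificate is already valid).
    """
    if now < not_before:
        return "not yet valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    return "valid", timedelta(0)


# Constructed sample: a client certificate issued in 2010, checked by a router
# whose clock came up at a 2009 default because nothing kept time while it was off.
SAMPLE_DATES = """\
notBefore=Sep  9 20:00:00 2010 GMT
notAfter=Sep  7 20:00:00 2020 GMT
"""
ROUTER_CLOCK = datetime(2009, 1, 1, tzinfo=timezone.utc)


def diagnose(dates_text: str = SAMPLE_DATES, now: datetime = ROUTER_CLOCK):
    """Parse the dates and classify them against `now`; returns (status, skew)."""
    not_before, not_after = parse_openssl_dates(dates_text)
    return check_validity(not_before, not_after, now)


if __name__ == "__main__":
    status, skew = diagnose()
    print(f"certificate is {status}; clock is off by at least {skew}")
```

With the sample values the router's 2009 clock makes the certificate "not yet valid" by 616 days, which is the same error the server log showed; syncing the clock with NTP at boot moves `now` inside the window.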
