
TLS Handshake Failed (w/ and w/out router)

Posted: Mon May 09, 2011 10:05 pm
by openm
I just set-up an OpenVPN server on my new VPS with the below configurations. My goal is to use this VPN to secure all traffic from my home computer, which is behind a router. My Tunnelblick client log demonstrates the problem I seem to be having, a TLS handshake failure. I tried connecting both with and without (direct connection to modem) my router, client logs for both are provided.

I'm wondering if it might be as simple as a port problem on my server, but I'm still green with respect to linux. It's a fresh install of Ubuntu and from what I can gather there is no default port blocking turned on.

Server configuration:

Code:

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
cipher AES-256-CBC
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 10
management localhost 7505
crl-verify crl.pem

Client configuration:

Code:

client
dev tun
proto udp
remote XX.XX.XX.XX 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert user.crt
key user.key

ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
verb 4

Here is the client log when I connect with the router:

Code:

2011-05-10 00:27:05 *Tunnelblick: OS X 10.6.7; Tunnelblick 3.1.7 (build 2190.2413); OpenVPN 2.1.4
2011-05-10 00:27:07 *Tunnelblick: Attempting connection with BlueMarlin; Set nameserver = 1; monitoring connection
2011-05-10 00:27:07 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start BlueMarlin.tblk 1337 1 0 0 0 49
2011-05-10 00:27:07 us=353041 Current Parameter Settings:
2011-05-10 00:27:07 us=353275   config = '/Users/Kropotkin/Library/Application Support/Tunnelblick/Configurations/BlueMarlin.tblk/Contents/Resources/config.ovpn'
2011-05-10 00:27:07 us=353289   mode = 0
2011-05-10 00:27:07 us=353301   show_ciphers = DISABLED
2011-05-10 00:27:07 us=353312   show_digests = DISABLED
2011-05-10 00:27:07 us=353323   show_engines = DISABLED
2011-05-10 00:27:07 us=353334   genkey = DISABLED
2011-05-10 00:27:07 us=353345   key_pass_file = '[UNDEF]'
2011-05-10 00:27:07 us=353362   show_tls_ciphers = DISABLED
2011-05-10 00:27:07 us=353374 Connection profiles [default]:
2011-05-10 00:27:07 us=353385   proto = udp
2011-05-10 00:27:07 us=353396   local = '[UNDEF]'
2011-05-10 00:27:07 us=353407   local_port = 0
2011-05-10 00:27:07 us=353418   remote = 'XX.XX.XX.XX'
2011-05-10 00:27:07 us=353429   remote_port = 1194
2011-05-10 00:27:07 us=353440   remote_float = DISABLED
2011-05-10 00:27:07 us=353451   bind_defined = DISABLED
2011-05-10 00:27:07 us=353462   bind_local = DISABLED
2011-05-10 00:27:07 us=353473   connect_retry_seconds = 5
2011-05-10 00:27:07 us=353484   connect_timeout = 10
2011-05-10 00:27:07 us=353495   connect_retry_max = 0
2011-05-10 00:27:07 us=353506   socks_proxy_server = '[UNDEF]'
2011-05-10 00:27:07 us=353517   socks_proxy_port = 0
2011-05-10 00:27:07 us=353528   socks_proxy_retry = DISABLED
2011-05-10 00:27:07 us=353539 Connection profiles END
2011-05-10 00:27:07 us=353550   remote_random = DISABLED
2011-05-10 00:27:07 us=353561   ipchange = '[UNDEF]'
2011-05-10 00:27:07 us=353572   dev = 'tun'
2011-05-10 00:27:07 us=353583   dev_type = '[UNDEF]'
2011-05-10 00:27:07 us=353594   dev_node = '[UNDEF]'
2011-05-10 00:27:07 us=353605   lladdr = '[UNDEF]'
2011-05-10 00:27:07 us=353616   topology = 1
2011-05-10 00:27:07 us=353626   tun_ipv6 = DISABLED
2011-05-10 00:27:07 us=353643   ifconfig_local = '[UNDEF]'
2011-05-10 00:27:07 us=353654   ifconfig_remote_netmask = '[UNDEF]'
2011-05-10 00:27:07 us=353665   ifconfig_noexec = DISABLED
2011-05-10 00:27:07 us=353676   ifconfig_nowarn = DISABLED
2011-05-10 00:27:07 us=353690   shaper = 0
2011-05-10 00:27:07 us=353701   tun_mtu = 1500
2011-05-10 00:27:07 us=353713   tun_mtu_defined = ENABLED
2011-05-10 00:27:07 us=353724   link_mtu = 1500
2011-05-10 00:27:07 us=353735   link_mtu_defined = DISABLED
2011-05-10 00:27:07 us=353746   tun_mtu_extra = 0
2011-05-10 00:27:07 us=353757   tun_mtu_extra_defined = DISABLED
2011-05-10 00:27:07 us=353768   fragment = 0
2011-05-10 00:27:07 us=353779   mtu_discover_type = -1
2011-05-10 00:27:07 us=353790   mtu_test = 0
2011-05-10 00:27:07 us=353801   mlock = DISABLED
2011-05-10 00:27:07 us=353812   keepalive_ping = 0
2011-05-10 00:27:07 us=353823   keepalive_timeout = 0
2011-05-10 00:27:07 us=353834   inactivity_timeout = 0
2011-05-10 00:27:07 us=353845   ping_send_timeout = 0
2011-05-10 00:27:07 us=353856   ping_rec_timeout = 0
2011-05-10 00:27:07 us=353867   ping_rec_timeout_action = 0
2011-05-10 00:27:07 us=353878   ping_timer_remote = DISABLED
2011-05-10 00:27:07 us=353889   remap_sigusr1 = 0
2011-05-10 00:27:07 us=353900   explicit_exit_notification = 0
2011-05-10 00:27:07 us=353911   persist_tun = ENABLED
2011-05-10 00:27:07 us=353922   persist_local_ip = DISABLED
2011-05-10 00:27:07 us=353933   persist_remote_ip = DISABLED
2011-05-10 00:27:07 us=353944   persist_key = ENABLED
2011-05-10 00:27:07 us=353955   mssfix = 1450
2011-05-10 00:27:07 us=353965   passtos = DISABLED
2011-05-10 00:27:07 us=353977   resolve_retry_seconds = 1000000000
2011-05-10 00:27:07 us=353987   username = '[UNDEF]'
2011-05-10 00:27:07 us=353998   groupname = '[UNDEF]'
2011-05-10 00:27:07 us=354009   chroot_dir = '[UNDEF]'
2011-05-10 00:27:07 us=354020   cd_dir = '/Users/Kropotkin/Library/Application Support/Tunnelblick/Configurations/BlueMarlin.tblk/Contents/Resources'
2011-05-10 00:27:07 us=354049   writepid = '[UNDEF]'
2011-05-10 00:27:07 us=354062   up_script = '/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d'
2011-05-10 00:27:07 us=354073   down_script = '/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d'
2011-05-10 00:27:07 us=354084   down_pre = DISABLED
2011-05-10 00:27:07 us=354095   up_restart = ENABLED
2011-05-10 00:27:07 us=354106   up_delay = DISABLED
2011-05-10 00:27:07 us=354117   daemon = ENABLED
2011-05-10 00:27:07 us=354128   inetd = 0
2011-05-10 00:27:07 us=354138   log = ENABLED
2011-05-10 00:27:07 us=354150   suppress_timestamps = DISABLED
2011-05-10 00:27:07 us=354161   nice = 0
2011-05-10 00:27:07 us=354172   verbosity = 6
2011-05-10 00:27:07 us=354182   mute = 0
2011-05-10 00:27:07 us=354193   gremlin = 0
2011-05-10 00:27:07 us=354204   status_file = '[UNDEF]'
2011-05-10 00:27:07 us=354215   status_file_version = 1
2011-05-10 00:27:07 us=354226   status_file_update_freq = 60
2011-05-10 00:27:07 us=354237   occ = ENABLED
2011-05-10 00:27:07 us=354248   rcvbuf = 65536
2011-05-10 00:27:07 us=354259   sndbuf = 65536
2011-05-10 00:27:07 us=354270   sockflags = 0
2011-05-10 00:27:07 us=354281   fast_io = DISABLED
2011-05-10 00:27:07 us=354292   lzo = 0
2011-05-10 00:27:07 us=354303   route_script = '[UNDEF]'
2011-05-10 00:27:07 us=354314   route_default_gateway = '[UNDEF]'
2011-05-10 00:27:07 us=354325   route_default_metric = 0
2011-05-10 00:27:07 us=354336   route_noexec = DISABLED
2011-05-10 00:27:07 us=354347   route_delay = 0
2011-05-10 00:27:07 us=354358   route_delay_window = 30
2011-05-10 00:27:07 us=354369   route_delay_defined = DISABLED
2011-05-10 00:27:07 us=354380   route_nopull = DISABLED
2011-05-10 00:27:07 us=354391   route_gateway_via_dhcp = DISABLED
2011-05-10 00:27:07 us=354402   max_routes = 100
2011-05-10 00:27:07 us=354414   allow_pull_fqdn = DISABLED
2011-05-10 00:27:07 us=354425   management_addr = '127.0.0.1'
2011-05-10 00:27:07 us=354437   management_port = 1337
2011-05-10 00:27:07 us=354448   management_user_pass = '[UNDEF]'
2011-05-10 00:27:07 us=354460   management_log_history_cache = 250
2011-05-10 00:27:07 us=354472   management_echo_buffer_size = 100
2011-05-10 00:27:07 us=354483   management_write_peer_info_file = '[UNDEF]'
2011-05-10 00:27:07 us=354495   management_client_user = '[UNDEF]'
2011-05-10 00:27:07 us=354506   management_client_group = '[UNDEF]'
2011-05-10 00:27:07 us=354518   management_flags = 6
2011-05-10 00:27:07 us=354530   shared_secret_file = '[UNDEF]'
2011-05-10 00:27:07 us=354541   key_direction = 2
2011-05-10 00:27:07 us=354553   ciphername_defined = ENABLED
2011-05-10 00:27:07 us=354564   ciphername = 'AES-256-CBC'
2011-05-10 00:27:07 us=354575   authname_defined = ENABLED
2011-05-10 00:27:07 us=354587   authname = 'SHA1'
2011-05-10 00:27:07 us=354598   prng_hash = 'SHA1'
2011-05-10 00:27:07 us=354610   prng_nonce_secret_len = 16
2011-05-10 00:27:07 us=354621   keysize = 0
2011-05-10 00:27:07 us=354632   engine = DISABLED
2011-05-10 00:27:07 us=354644   replay = ENABLED
2011-05-10 00:27:07 us=354659   mute_replay_warnings = DISABLED
2011-05-10 00:27:07 us=354671   replay_window = 64
2011-05-10 00:27:07 us=354682   replay_time = 15
2011-05-10 00:27:07 us=354693   packet_id_file = '[UNDEF]'
2011-05-10 00:27:07 us=354705   use_iv = ENABLED
2011-05-10 00:27:07 us=354716   test_crypto = DISABLED
2011-05-10 00:27:07 us=354728   tls_server = DISABLED
2011-05-10 00:27:07 us=354739   tls_client = ENABLED
2011-05-10 00:27:07 us=354751   key_method = 2
2011-05-10 00:27:07 us=354765   ca_file = 'ca.crt'
2011-05-10 00:27:07 us=354777   ca_path = '[UNDEF]'
2011-05-10 00:27:07 us=354802   dh_file = '[UNDEF]'
2011-05-10 00:27:07 us=354814   cert_file = 'user.crt'
2011-05-10 00:27:07 us=354826   priv_key_file = 'user.key'
2011-05-10 00:27:07 us=354837   pkcs12_file = '[UNDEF]'
2011-05-10 00:27:07 us=354848   cipher_list = '[UNDEF]'
2011-05-10 00:27:07 us=354860   tls_verify = '[UNDEF]'
2011-05-10 00:27:07 us=354871   tls_remote = '[UNDEF]'
2011-05-10 00:27:07 us=354883   crl_file = '[UNDEF]'
2011-05-10 00:27:07 us=354894   ns_cert_type = 64
2011-05-10 00:27:07 us=354905   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=354917   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=354928   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=354939   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=354951   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=354962   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=354973   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=354984   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=354995   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=355006   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=355018   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=355029   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=355040   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=355051   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=355062   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=355073   remote_cert_ku[i] = 0
2011-05-10 00:27:07 us=355085   remote_cert_eku = '[UNDEF]'
2011-05-10 00:27:07 us=355096   tls_timeout = 2
2011-05-10 00:27:07 us=355108   renegotiate_bytes = 0
2011-05-10 00:27:07 us=355119   renegotiate_packets = 0
2011-05-10 00:27:07 us=355131   renegotiate_seconds = 3600
2011-05-10 00:27:07 us=355142   handshake_window = 60
2011-05-10 00:27:07 us=355154   transition_window = 3600
2011-05-10 00:27:07 us=355165   single_session = DISABLED
2011-05-10 00:27:07 us=355176   push_peer_info = DISABLED
2011-05-10 00:27:07 us=355188   tls_exit = DISABLED
2011-05-10 00:27:07 us=355199   tls_auth_file = 'ta.key'
2011-05-10 00:27:07 us=355211   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355222   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355234   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355246   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355257   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355269   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355280   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355292   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355303   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355315   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355326   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355338   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355349   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355361   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355372   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355384   pkcs11_protected_authentication = DISABLED
2011-05-10 00:27:07 us=355396   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355408   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355419   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355431   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355442   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355454   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355466   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355477   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355489   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355514   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355526   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355537   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355549   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355561   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355572   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355584   pkcs11_private_mode = 00000000
2011-05-10 00:27:07 us=355595   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355607   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355618   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355630   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355641   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355652   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355664   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355675   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355686   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355698   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355709   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355720   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355732   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355743   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355755   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355766   pkcs11_cert_private = DISABLED
2011-05-10 00:27:07 us=355778   pkcs11_pin_cache_period = -1
2011-05-10 00:27:07 us=355789   pkcs11_id = '[UNDEF]'
2011-05-10 00:27:07 us=355801   pkcs11_id_management = DISABLED
2011-05-10 00:27:07 us=355820   server_network = 0.0.0.0
2011-05-10 00:27:07 us=355839   server_netmask = 0.0.0.0
2011-05-10 00:27:07 us=355851   server_bridge_ip = 0.0.0.0
2011-05-10 00:27:07 us=355864   server_bridge_netmask = 0.0.0.0
2011-05-10 00:27:07 us=355876   server_bridge_pool_start = 0.0.0.0
2011-05-10 00:27:07 us=355889   server_bridge_pool_end = 0.0.0.0
2011-05-10 00:27:07 us=355900   ifconfig_pool_defined = DISABLED
2011-05-10 00:27:07 us=355913   ifconfig_pool_start = 0.0.0.0
2011-05-10 00:27:07 us=355925   ifconfig_pool_end = 0.0.0.0
2011-05-10 00:27:07 us=355937   ifconfig_pool_netmask = 0.0.0.0
2011-05-10 00:27:07 us=355948   ifconfig_pool_persist_filename = '[UNDEF]'
2011-05-10 00:27:07 us=355960   ifconfig_pool_persist_refresh_freq = 600
2011-05-10 00:27:07 us=355971   n_bcast_buf = 256
2011-05-10 00:27:07 us=355983   tcp_queue_limit = 64
2011-05-10 00:27:07 us=355994   real_hash_size = 256
2011-05-10 00:27:07 us=356005   virtual_hash_size = 256
2011-05-10 00:27:07 us=356016   client_connect_script = '[UNDEF]'
2011-05-10 00:27:07 us=356028   learn_address_script = '[UNDEF]'
2011-05-10 00:27:07 us=356039   client_disconnect_script = '[UNDEF]'
2011-05-10 00:27:07 us=356051   client_config_dir = '[UNDEF]'
2011-05-10 00:27:07 us=356062   ccd_exclusive = DISABLED
2011-05-10 00:27:07 us=356073   tmp_dir = '[UNDEF]'
2011-05-10 00:27:07 us=356085   push_ifconfig_defined = DISABLED
2011-05-10 00:27:07 us=356097   push_ifconfig_local = 0.0.0.0
2011-05-10 00:27:07 us=356110   push_ifconfig_remote_netmask = 0.0.0.0
2011-05-10 00:27:07 us=356121   enable_c2c = DISABLED
2011-05-10 00:27:07 us=356132   duplicate_cn = DISABLED
2011-05-10 00:27:07 us=356143   cf_max = 0
2011-05-10 00:27:07 us=356155   cf_per = 0
2011-05-10 00:27:07 us=356166   max_clients = 1024
2011-05-10 00:27:07 us=356177   max_routes_per_client = 256
2011-05-10 00:27:07 us=356188   auth_user_pass_verify_script = '[UNDEF]'
2011-05-10 00:27:07 us=356200   auth_user_pass_verify_script_via_file = DISABLED
2011-05-10 00:27:07 us=356211   ssl_flags = 0
2011-05-10 00:27:07 us=356222   port_share_host = '[UNDEF]'
2011-05-10 00:27:07 us=356234   port_share_port = 0
2011-05-10 00:27:07 us=356258   client = ENABLED
2011-05-10 00:27:07 us=356270   pull = ENABLED
2011-05-10 00:27:07 us=356281   auth_user_pass_file = '[UNDEF]'
2011-05-10 00:27:07 us=356298 OpenVPN 2.1.4 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] built on Mar  1 2011
2011-05-10 00:27:07 us=356437 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2011-05-10 00:27:07 us=357178 Need hold release from management interface, waiting...
2011-05-10 00:27:07 us=491075 MANAGEMENT: Client connected from 127.0.0.1:1337
2011-05-10 00:27:07 us=542148 MANAGEMENT: CMD 'pid'
2011-05-10 00:27:07 us=542472 MANAGEMENT: CMD 'state on'
2011-05-10 00:27:07 us=542530 MANAGEMENT: CMD 'state'
2011-05-10 00:27:07 us=542628 MANAGEMENT: CMD 'hold release'
2011-05-10 00:27:07 us=542918 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-05-10 00:27:07 us=544590 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2011-05-10 00:27:07 us=544624 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-05-10 00:27:07 us=544641 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-05-10 00:27:07 us=544770 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
2011-05-10 00:27:07 us=544843 Socket Buffers: R=[42080->65536] S=[9216->65536]
2011-05-10 00:27:07 us=544863 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
2011-05-10 00:27:07 us=544891 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2011-05-10 00:27:07 us=544904 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2011-05-10 00:27:07 us=544928 Local Options hash (VER=V4): 'ed844052'
2011-05-10 00:27:07 us=544946 Expected Remote Options hash (VER=V4): '8a244582'
2011-05-10 00:27:07 us=544970 UDPv4 link local: [undef]
2011-05-10 00:27:07 us=544986 UDPv4 link remote: XX.XX.XX.XX:1194
2011-05-10 00:27:07 us=545039 MANAGEMENT: >STATE:1305001627,WAIT,,,
2011-05-10 00:27:07 us=545139 UDPv4 WRITE [42] to XX.XX.XX.XX:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
2011-05-10 00:27:07 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn --cd /Users/Kropotkin/Library/Application Support/Tunnelblick/Configurations/BlueMarlin.tblk/Contents/Resources --daemon --management 127.0.0.1 1337 --config /Users/Kropotkin/Library/Application Support/Tunnelblick/Configurations/BlueMarlin.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-SKropotkin-SLibrary-SApplication Support-STunnelblick-SConfigurations-SBlueMarlin.tblk-SContents-SResources-Sconfig.ovpn.1_0_0_0_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d --up-restart
2011-05-10 00:27:09 us=800801 UDPv4 WRITE [42] to XX.XX.XX.XX:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
2011-05-10 00:27:13 us=184329 UDPv4 WRITE [42] to XX.XX.XX.XX:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
2011-05-10 00:27:21 us=979885 UDPv4 WRITE [42] to XX.XX.XX.XX:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
2011-05-10 00:27:37 us=791197 UDPv4 WRITE [42] to XX.XX.XX.XX:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
2011-05-10 00:28:08 us=89762 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2011-05-10 00:28:08 us=89864 TLS Error: TLS handshake failed
2011-05-10 00:28:08 us=90108 TCP/UDP: Closing socket
2011-05-10 00:28:08 us=90230 SIGUSR1[soft,tls-error] received, process restarting
2011-05-10 00:28:08 us=90302 MANAGEMENT: >STATE:1305001688,RECONNECTING,tls-error,,
2011-05-10 00:28:08 us=99879 MANAGEMENT: CMD 'hold release'
2011-05-10 00:28:08 us=100221 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-05-10 00:28:08 us=100256 Re-using SSL/TLS context
2011-05-10 00:28:08 us=100319 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
2011-05-10 00:28:08 us=100384 Socket Buffers: R=[42080->65536] S=[9216->65536]
2011-05-10 00:28:08 us=100414 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
2011-05-10 00:28:08 us=100451 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2011-05-10 00:28:08 us=100519 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2011-05-10 00:28:08 us=100549 Local Options hash (VER=V4): 'ed844052'
2011-05-10 00:28:08 us=100576 Expected Remote Options hash (VER=V4): '8a244582'
2011-05-10 00:28:08 us=100606 UDPv4 link local: [undef]
2011-05-10 00:28:08 us=100629 UDPv4 link remote: XX.XX.XX.XX:1194
2011-05-10 00:28:08 us=100671 MANAGEMENT: >STATE:1305001688,WAIT,,,
2011-05-10 00:28:08 us=100801 UDPv4 WRITE [42] to XX.XX.XX.XX:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
2011-05-10 00:28:10 us=209236 UDPv4 WRITE [42] to XX.XX.XX.XX:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
2011-05-10 00:28:10 us=879114 event_wait : Interrupted system call (code=4)
2011-05-10 00:28:10 us=879281 TCP/UDP: Closing socket
2011-05-10 00:28:10 us=879324 SIGTERM[hard,] received, process exiting
2011-05-10 00:28:10 us=879348 MANAGEMENT: >STATE:1305001690,EXITING,SIGTERM,,
2011-05-10 00:28:11 *Tunnelblick: Flushed the DNS cache

The client log for attempted connection w/out router (direct connection to modem) can be found here: http://pastebin.com/0JESxdsY

Re: TLS Handshake Failed (w/ and w/out router)

Posted: Tue May 10, 2011 8:37 am
by janjust
The direct connection to the modem (i.e. the pastebin log) shows that there is some exchange of information between client and server.
The first log shows no response from the server at all.

What does the server log show? Try adding 'log-append /var/log/openvpn.log', restart the server, then reconnect the client. Post the openvpn.log file on pastebin.

Re: TLS Handshake Failed (w/ and w/out router)

Posted: Tue May 10, 2011 11:12 am
by openm
Code:

Tue May 10 06:21:47 2011 us=203266 Current Parameter Settings:
Tue May 10 06:21:47 2011 us=203385   config = '/etc/openvpn/server.conf'
Tue May 10 06:21:47 2011 us=203399   mode = 1
Tue May 10 06:21:47 2011 us=203410   persist_config = DISABLED
Tue May 10 06:21:47 2011 us=203421   persist_mode = 1
Tue May 10 06:21:47 2011 us=203432   show_ciphers = DISABLED
Tue May 10 06:21:47 2011 us=203442   show_digests = DISABLED
Tue May 10 06:21:47 2011 us=203453   show_engines = DISABLED
Tue May 10 06:21:47 2011 us=203463   genkey = DISABLED
Tue May 10 06:21:47 2011 us=203474   key_pass_file = '[UNDEF]'
Tue May 10 06:21:47 2011 us=203489 NOTE: --mute triggered...
Tue May 10 06:21:47 2011 us=203521 248 variation(s) on previous 10 message(s) suppressed by --mute
Tue May 10 06:21:47 2011 us=203537 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar  9 2009
Tue May 10 06:21:47 2011 us=204059 RESOLVE: NOTE: localhost resolves to 2 addresses, choosing one by random
Tue May 10 06:21:47 2011 us=204142 MANAGEMENT: TCP Socket listening on 127.0.0.1:7505
Tue May 10 06:21:47 2011 us=204333 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue May 10 06:21:47 2011 us=216901 Diffie-Hellman initialized with 2048 bit key
Tue May 10 06:21:47 2011 us=217668 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Tue May 10 06:21:47 2011 us=385131 Control Channel Authentication: using '/etc/openvpn/easy-rsa/2.0/keys/ta.key' as a OpenVPN static key file
Tue May 10 06:21:47 2011 us=385201 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 06:21:47 2011 us=385217 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 06:21:47 2011 us=385255 TLS-Auth MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue May 10 06:21:47 2011 us=385461 ROUTE default_gateway=212.117.167.1
Tue May 10 06:21:47 2011 us=388492 TUN/TAP device tun0 opened
Tue May 10 06:21:47 2011 us=388552 TUN/TAP TX queue length set to 100
Tue May 10 06:21:47 2011 us=388597 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue May 10 06:21:47 2011 us=396222 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Tue May 10 06:21:47 2011 us=408037 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Tue May 10 06:21:47 2011 us=409791 GID set to nobody
Tue May 10 06:21:47 2011 us=409973 UID set to nobody
Tue May 10 06:21:47 2011 us=410031 Socket Buffers: R=[124928->131072] S=[124928->131072]
Tue May 10 06:21:47 2011 us=410060 UDPv4 link local (bound): [undef]:1194
Tue May 10 06:21:47 2011 us=410083 UDPv4 link remote: [undef]
Tue May 10 06:21:47 2011 us=410111 MULTI: multi_init called, r=256 v=256
Tue May 10 06:21:47 2011 us=410220 IFCONFIG POOL: base=10.8.0.4 size=62
Tue May 10 06:21:47 2011 us=410273 Initialization Sequence Completed
Tue May 10 06:21:52 2011 us=280045 MULTI: multi_create_instance called
Tue May 10 06:21:52 2011 us=280108 YY.YY.YY.YY:60416 Re-using SSL/TLS context
Tue May 10 06:21:52 2011 us=280478 YY.YY.YY.YY:60416 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue May 10 06:21:52 2011 us=280497 YY.YY.YY.YY:60416 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Tue May 10 06:21:52 2011 us=280615 YY.YY.YY.YY:60416 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue May 10 06:21:52 2011 us=280629 YY.YY.YY.YY:60416 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue May 10 06:21:52 2011 us=280670 YY.YY.YY.YY:60416 Local Options hash (VER=V4): '8a244582'
Tue May 10 06:21:52 2011 us=280688 YY.YY.YY.YY:60416 Expected Remote Options hash (VER=V4): 'ed844052'
Tue May 10 06:21:52 2011 us=280763 YY.YY.YY.YY:60416 TLS: Initial packet from YY.YY.YY.YY:60416, sid=43d27b04 9323c2c6
Tue May 10 06:21:54 2011 us=397290 YY.YY.YY.YY:60416 CRL: cannot read: crl.pem: No such file or directory (errno=2)
Tue May 10 06:21:54 2011 us=397348 YY.YY.YY.YY:60416 Exiting

Fixed the CRL issue and now the connection is working perfectly!
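The server log's `CRL: cannot read: crl.pem: No such file or directory` points at the one thing that separates `crl-verify` (and `client-config-dir`) from the key directives above it in the posted server.conf: a relative path, in a config with no `cd` and with `user nobody`. As an added check, not the poster's or OpenVPN's own code, the script below resolves each file directive the way the daemon will and flags files that are read again after privileges drop; the simulated file set and the `/` working directory of a bare `--daemon` are assumptions for the demo.

```python
"""Resolve the file references in an OpenVPN server config the way the daemon will.

Added example for this thread (not OpenVPN's or the poster's own code). Assumptions:
a --daemon started without a 'cd' directive runs in '/', and the files present on
the VPS are simulated by PRESENT below.
"""
import os
import shlex
from dataclasses import dataclass, field

# Directives whose first argument is a file or directory OpenVPN reads, and when it
# reads it. Start-up reads happen while still root; the others happen on every client
# connection, i.e. after --user/--group have dropped privileges.
READ_DIRECTIVES = {
    "ca": "startup", "cert": "startup", "key": "startup", "dh": "startup",
    "tls-auth": "startup",
    "crl-verify": "each client handshake",
    "client-config-dir": "each client connection",
}


@dataclass
class Finding:
    directive: str
    path: str        # as written in the config
    resolved: str    # what the daemon will actually open
    exists: bool
    when: str
    notes: list = field(default_factory=list)


def parse_directives(text):
    """Yield (name, args) for each non-blank, non-comment line of a config file."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            tokens = shlex.split(line)
            yield tokens[0], tokens[1:]


def check_config(text, daemon_cwd="/", exists=os.path.exists):
    """Report every read-file directive with its resolved path and what can go wrong.

    daemon_cwd is the directory a 'cd'-less daemon runs in ('/' for a bare --daemon;
    pass the directory your init script changes to if it supplies one). exists is
    injectable so the check can run against a recorded file list instead of this host.
    """
    directives = list(parse_directives(text))
    cd = next((args[0] for name, args in directives if name == "cd" and args), None)
    base = cd or daemon_cwd
    unpriv = next((args[0] for name, args in directives if name == "user" and args), None)
    findings = []
    for name, args in directives:
        when = READ_DIRECTIVES.get(name)
        if when is None or not args:
            continue
        path = args[0]
        resolved = path if os.path.isabs(path) else os.path.normpath(os.path.join(base, path))
        f = Finding(name, path, resolved, exists(resolved), when)
        if not os.path.isabs(path) and cd is None:
            f.notes.append(f"relative name with no 'cd': looked up in {daemon_cwd}")
        if not f.exists:
            f.notes.append("missing: the daemon will log 'No such file or directory'")
        if when != "startup" and unpriv:
            f.notes.append(f"read at {when}, after privileges dropped to '{unpriv}': "
                           "must be readable by that user")
        findings.append(f)
    return findings


def missing(findings):
    """Names of the directives whose file the daemon will not find."""
    return [f.directive for f in findings if not f.exists]


# The server.conf from this thread, reduced to the lines that name files (sample input).
THREAD_SERVER_CONF = """\
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
user nobody
group nobody
crl-verify crl.pem
"""

# Simulated VPS file system (constructed): the easy-rsa output is where the absolute
# paths say, while crl.pem and ccd only exist under /etc/openvpn.
PRESENT = {
    "/etc/openvpn/easy-rsa/2.0/keys/ca.crt",
    "/etc/openvpn/easy-rsa/2.0/keys/server.crt",
    "/etc/openvpn/easy-rsa/2.0/keys/server.key",
    "/etc/openvpn/easy-rsa/2.0/keys/dh2048.pem",
    "/etc/openvpn/easy-rsa/2.0/keys/ta.key",
    "/etc/openvpn/crl.pem",
    "/etc/openvpn/ccd",
}

if __name__ == "__main__":
    for label, conf in (("as posted", THREAD_SERVER_CONF),
                        ("with cd", "cd /etc/openvpn\n" + THREAD_SERVER_CONF)):
        found = check_config(conf, exists=PRESENT.__contains__)
        print(f"== {label}: missing {missing(found)}")
        for f in found:
            print(f"  {'ok ' if f.exists else 'BAD'} {f.directive:18} {f.resolved}")
            for n in f.notes:
                print("       -", n)
```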

Re: TLS Handshake Failed (w/ and w/out router)

Posted: Tue May 10, 2011 11:22 am
by openm
Spoke too soon; had to add

Code:

push "redirect-gateway def1"

to the server.conf to get the type of connection I'm looking for, and when I do that and restart the server, then connect with Tunnelblick again, everything is connected but I'm unable to surf the internet.

Re: TLS Handshake Failed (w/ and w/out router)

Posted: Tue May 10, 2011 11:48 am
by janjust
Make sure IP forwarding is enabled on the server:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

(note: if this works you need to make it permanent by editing /etc/sysctl.conf)

Also, set up masquerading so that the traffic is returned correctly:

Code:

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
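As an added check, not janjust's or the poster's code, the script below audits the two settings above from the text of `/proc/sys/net/ipv4/ip_forward` and of `iptables-save -t nat`, and goes one step beyond the thread: it flags a MASQUERADE rule with no `-s`, since masquerading only the VPN subnet keeps the VPS from NATing any other traffic that happens to be routed through it. The sample inputs are constructed.

```python
"""Audit the two server-side settings for a redirect-gateway VPN: forwarding and NAT.

Added example for this thread, not the poster's or OpenVPN's code. Inputs are the text
of /proc/sys/net/ipv4/ip_forward and of `iptables-save -t nat`; samples are constructed.
"""
import ipaddress
import shlex


def parse_postrouting(iptables_save_text):
    """Extract -s / -o / -j of every POSTROUTING rule from iptables-save output."""
    rules = []
    for line in iptables_save_text.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        toks = shlex.split(line)
        rule = {"src": None, "out": None, "target": None}
        for flag, key in (("-s", "src"), ("-o", "out"), ("-j", "target")):
            if flag in toks:
                rule[key] = toks[toks.index(flag) + 1]
        rules.append(rule)
    return rules


def audit_vpn_nat(ip_forward, iptables_save_text, vpn_subnet="10.8.0.0/24", wan_if="eth0"):
    """Return the problems found; an empty list means VPN clients can reach the
    internet and only the VPN subnet is being masqueraded."""
    problems = []
    if ip_forward.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1: packets arriving on tun0 for the "
                        "internet are not forwarded")
    vpn = ipaddress.ip_network(vpn_subnet)
    covering = []
    for r in parse_postrouting(iptables_save_text):
        # A rule without -o applies to every outgoing interface, so count it too.
        if r["target"] != "MASQUERADE" or r["out"] not in (None, wan_if):
            continue
        if r["src"] is None:
            problems.append(f"MASQUERADE on {wan_if} has no -s: every source is "
                            f"masqueraded, not just {vpn_subnet}")
            covering.append(r)
        elif vpn.subnet_of(ipaddress.ip_network(r["src"])):
            covering.append(r)
    if not covering:
        problems.append("no MASQUERADE rule covers the VPN subnet, so replies cannot be "
                        f"routed back; add: iptables -t nat -I POSTROUTING -s {vpn_subnet} "
                        f"-o {wan_if} -j MASQUERADE")
    return problems


# Constructed samples: the thread's state before the fix, the rule as advised above,
# and the same rule limited to the VPN subnet.
BEFORE = ("0\n", "")
AS_ADVISED = ("1\n", "-A POSTROUTING -o eth0 -j MASQUERADE\n")
TIGHTENED = ("1\n", "-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\n")

if __name__ == "__main__":
    for name, (fwd, nat) in (("before", BEFORE), ("as advised", AS_ADVISED),
                             ("tightened", TIGHTENED)):
        print(f"{name:11}", audit_vpn_nat(fwd, nat) or ["ok"])
```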

Re: TLS Handshake Failed (w/ and w/out router)

Posted: Tue May 10, 2011 8:59 pm
by openm
For some reason iptables wasn't installed, despite Ubuntu coming with it default. In any case, I installed it and did what you advised; everything is working perfectly now. I edited /etc/sysctl.conf w/

Code:

net.ipv4.conf.default.forwarding=1

Re: TLS Handshake Failed (w/ and w/out router)

Posted: Tue May 10, 2011 10:18 pm
by openm
Although, while I'm here, if you have any idea why I would be getting an error trying to connect to a third server via FTP while on the VPN connection, I'd be all ears...

This is the log output of the client I use:

Code:

Connection 1

Transmit 4.1.1 (x86_64) Session Transcript [Version 10.6.7 (Build 10J869)] (5/10/11 6:14 PM)
LibNcFTP 3.2.3 (July 23, 2009) compiled for UNIX
220: Welcome to SERVER FTP service.
Connected to SERVER.
Cmd: USER slice2
331: Please specify the password.
Cmd: PASS PASSWORD
230: Login successful.
Cmd: TYPE A
200: Switching to ASCII mode.
Logged in to SERVER as USER.
Cmd: SYST
215: UNIX Type: L8
Cmd: FEAT
211: Features:
      EPRT
      EPSV
      MDTM
      PASV
      REST STREAM
      SIZE
      TVFS
      UTF8
     End
Cmd: OPTS UTF8 ON
200: Always in UTF8 mode.
Cmd: PWD
257: "/home/slice2"
Cmd: PORT 10,8,0,6,249,46
500: Illegal PORT command.
Cmd: PORT 10,8,0,6,249,47
500: Illegal PORT command.
Cmd: PORT 10,8,0,6,249,48
500: Illegal PORT command.
Cmd: PORT 10,8,0,6,249,49
500: Illegal PORT command.
Disconnecting from server…
Cmd: QUIT
221: Goodbye.

Re: TLS Handshake Failed (w/ and w/out router)

Posted: Tue May 10, 2011 10:47 pm
by janjust
The return address is the VPN IP, which the FTP server does not know about. In most cases you can circumvent this by using PASSIVE (PASV) mode.
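To make the explanation above concrete, here is an added example (not the poster's, Transmit's or the FTP server's code) that decodes the `PORT 10,8,0,6,249,46` lines from the transcript and applies the check a vsftpd-style server runs before it will connect back; the reply strings in the transcript are vsftpd's. The VPS's public address is a constructed placeholder, and the PASV reply is likewise constructed.

```python
"""Decode FTP PORT/PASV address tuples and apply the check behind '500 Illegal PORT command.'

Added example for this thread, not the poster's, Transmit's or vsftpd's code. The address
check mirrors vsftpd's default (port_promiscuous=NO): the data address in PORT must be
the control connection's peer and the port must not be privileged.
"""
import ipaddress
import re

PASV_RE = re.compile(r"\((\d+,\d+,\d+,\d+,\d+,\d+)\)")


def decode_hostport(arg):
    """Turn the RFC 959 h1,h2,h3,h4,p1,p2 form into (IPv4Address, port)."""
    nums = [int(x) for x in arg.split(",")]
    if len(nums) != 6 or any(n < 0 or n > 255 for n in nums):
        raise ValueError(f"bad host-port string {arg!r}")
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]


def check_port_command(arg, control_peer, port_promiscuous=False):
    """Decide what a vsftpd-like server does with a PORT command.

    Returns (accepted, reason). control_peer is the source address the server sees on
    the control connection; over the VPN that is the VPS's masqueraded public address,
    while the client fills PORT with its own tun address.
    """
    ip, port = decode_hostport(arg)
    peer = ipaddress.IPv4Address(control_peer)
    if not port_promiscuous and ip != peer:
        return False, f"500 Illegal PORT command. (data addr {ip} != control peer {peer})"
    if not port_promiscuous and port < 1024:
        return False, f"500 Illegal PORT command. (privileged port {port})"
    return True, f"server connects back to {ip}:{port}"


def parse_pasv_reply(line):
    """Extract where the client must connect from a '227 Entering Passive Mode (...)' reply.

    In passive mode the client opens the data connection itself, so the VPS's NAT handles
    it like any outbound flow and no unroutable 10.8.0.x address ever reaches the server.
    """
    m = PASV_RE.search(line)
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    return decode_hostport(m.group(1))


# Constructed values for the thread: the client's tun address is 10.8.0.6 (visible in its
# PORT commands); after MASQUERADE on the VPS the FTP server sees the VPS's public address
# (198.51.100.7, a documentation address) as the control-connection peer.
VPS_PUBLIC_IP = "198.51.100.7"
TRANSCRIPT_PORT_ARGS = ["10,8,0,6,249,46", "10,8,0,6,249,47"]

if __name__ == "__main__":
    for arg in TRANSCRIPT_PORT_ARGS:
        print("PORT", arg, "->", check_port_command(arg, VPS_PUBLIC_IP)[1])
    # Active mode would only pass if the client advertised the address the server sees,
    # which it does not know; passive mode avoids the question entirely.
    ip, port = parse_pasv_reply("227 Entering Passive Mode (203,0,113,5,195,80).")
    print(f"PASV -> client connects to {ip}:{port}")
```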