2

this is my first post here, hope I made correct formating

I've set up an openvpn server on an openVZ VPS. struggling for 2 days but connection always failed by:

TLS Error: TLS key negotiation failed to occur within 60 seconds
TLS Error: TLS handshake failed

firewalls (iptables on server flushed, win firewall disabled) both sides has valid IPs and there should be nothing blocking traffic in between.

all the possible solutions I tried but with no luck: -I installed a vm locally, setup the openvpn server and client,created server and client keys and configuration files, connected successfully. then transferred configurations and keys to the VPS and client, change IP settings. still the TLS error

-I tried reversing the connection, set up the openVPN server on my client machine, and client on the server machine. still the same error message.

  • tried to higher the log level to 6 and this is the logs:

Log:

us=142536 LZO compression initialized
us=142627 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
us=142682 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
us=142727 Local Options String: 'V4,dev-type tun,link-m tu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher-CBC,auth SHA1,keysi  ze 128,tls-auth,key-method 2,tls-client'
us=142747 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
us=142773 Local Options hash (VER=V4): '504e774e'
us=142793 Expected Remote Options hash (VER=V4): '14168603'
us=142815 Socket Buffers: R=[137216->131072] S=[137216 131072]
us=142833 UDPv4 link local: [undef]
us=142849 UDPv4 link remote: 94.183.120.141:1194
us=142902 UDPv4 WRITE [42] to 94.183.120.141:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0

. .

Thu Oct 21 18:40:14 2010 us=131626 UDPv4 WRITE [42] to 94.183.120.141:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #28 ] [ ] pid=0 DATA len=0
Thu Oct 21 18:40:16 2010 us=519518 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
us=519578 TLS Error: TLS handshake failed
us=519661 TCP/UDP: Closing socket

I think it would be a kind of network problem, MTU related. how can I identify where is the error I'm really frustrated, any suggestion please?

Michal Sokolowski
  • 1,471
  • 1
  • 11
  • 24
chakoshi
  • 49
  • 1
  • 2
  • 6

2 Answers2

5

The warning

TLS Error: TLS key negotiation failed to occur within 60 seconds 
TLS Error: TLS handshake failed

is in 99% of the cases causing by (UDP) packets not arriving from client to server or vice versa. Check routers and firewalls that lie between the client and server and also try switching to 'proto tcp' to see if that helps - some cheapo routers don't correctly forward UDP packets.

HTH.

JJK

janjust
  • 592
  • 2
  • 5
0

You may want to try connecting without any type of TLS or encryption first. This will at least help you determine exactly what is wrong, eliminating keys as a problem. I would also do tcpdumps on both sides to see if traffic is hitting one side and maybe not able to come back due to a route problem.

  • thank you for answering. I tried no encryption and no auth by using "cipher none" and "auth none", the problem not solved. is it enough to use this two options and comment out the tls-auth or I should do other things? – chakoshi Oct 21 '10 at 17:11
  • I would think that would do it. Are you getting the same error as before or a different one? Last time I had TLS timeout problems I didn't have my server.conf and client.conf files correct. Such as the right IP, udp or tcp, port number, etc. Also did tcpdump tell you anything? –  Oct 21 '10 at 18:35
  • yes the error was exactly the same. and I tried to monitor the network traffic on the client using wireshark, the odd thing is that udp packets sent to the openVPN server but no udp packets received at server! I tried to change to TCP, but even there the connection cant be stablished with the same error. I've spend 30 hours on this! and tried any thing I can think of! can you suggest a way to ensure packets (udp/tcp) can travel from server to my client correctly? – chakoshi Oct 21 '10 at 18:49
  • Well if the udp packets aren't getting to the server at all, then obviously you either have the wrong IP in the client.conf, routing problems, or some type of firewall issue. Can you talk to the server at all from the client, like via ping or RDP? If you can verify the client.conf is right, and you can do other types of network traffic between the client and server, that will basically narrow it down to some sort of firewall issue imo. –  Oct 21 '10 at 19:48
  • yes, I've been doing all these through an ssh session to the server. I can ping other systems including my client through that. also for getting sure that the problem is not my configuration, I installed OpenVPN Access server (commercial version that they provide), following the steps they provide, finally the client can't connect again! I'm afraid that my country internet filtering facilities some how disabled these connections (dont know if it's possible) – chakoshi Oct 21 '10 at 19:59
  • I'm not worried about your config at all until you at least see those udp packets hit the server and try to connect. If you can ssh from the "client" to the "server", then it almost has to be a firewall type rule somewhere along the line. Local firewall? Corporate firewall? ISP blocking the port? Have you tried different ports? –  Oct 21 '10 at 20:06
  • I do tried other ports, but no success. as I've tried from two different network sand encountered the error I can only guess the possible blocking happened at (1)vps server provider (2)my country internet gateway! – chakoshi Oct 21 '10 at 20:18