-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Unable to connect with Openvpn server (TLS Error)
Hello members, I have recently installed an OpenVPN server on my ARCH 4.4.5-1 i686 GNU/Linux home machine.
Apparently the server is running OK, as the output shows:
My server config:
port 1194
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/homeserver.crt
key /etc/openvpn/certs/homeserver.key
dh /etc/openvpn/certs/dh2048.pem
tls-auth /etc/openvpn/certs/ta.key 0
server 192.168.88.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 1800 4000
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
max-clients 2
user nobody
group nobody
persist-key
persist-tun
#log /var/log/openvpn.log
#status /var/log/openvpn-status.log
verb 5
mute 20
#client-config-dir ccd
and the client config:
client
remote
ca /root/easy-rsa/keys/ca.crt
cert /root/easy-rsa/keys/kelsinni.crt
key /root/easy-rsa/keys/kelsinni.key
cipher DES-EDE3-CBC
comp-lzo yes
dev tun
proto udp
tls-auth /root/easy-rsa/keys/ta.key 1
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nogroup
When I try to connect to my server from my Android phone (with the OpenVPN for Android app installed), with the respective imported keys and cert (ca.crt; kelsinni.crt; kelsinni.key), I always get the same TLS error:
I have double-checked all the configs but still get this same error every time… Can anyone please give me a tip about the source of this problem?
Thanks in advance for all the help given…
-
Traffic
- OpenVPN Protagonist
- Posts: 4071
- Joined: Sat Aug 09, 2014 11:24 am
Re: Unable to connect with Openvpn server (TLS Error)
by Traffic » Tue Apr 12, 2016 2:50 pm
Try --comp-lzo yes in your server as well ..
-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Re: Unable to connect with Openvpn server (TLS Error)
by kelsini » Tue Apr 12, 2016 6:47 pm
Traffic wrote:Try --comp-lzo yes in your server as well ..
Hello… first of all, thanks for your reply.
I have changed my server config as you said…
…
client-to-client
keepalive 1800 4000
cipher DES-EDE3-CBC # Triple-DES
comp-lzo yes
max-clients 2
user nobody
group nobody
…
…but I am still getting the exact same error when trying to access my server with my smartphone…
-
Traffic
- OpenVPN Protagonist
- Posts: 4071
- Joined: Sat Aug 09, 2014 11:24 am
Re: Unable to connect with Openvpn server (TLS Error)
by Traffic » Tue Apr 12, 2016 7:23 pm
Please post your complete server log showing the failure (remove private data)
-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Re: Unable to connect with Openvpn server (TLS Error)
by kelsini » Tue Apr 12, 2016 9:34 pm
Traffic wrote:Please post your complete server log showing the failure (remove private data)
Here it is:
2016-04-12 22:12:23 official build 0.6.50 running on lge LG-D855 (MSM8974), Android 5.0 (LRX21R.A1445306351) API 21, ABI armeabi-v7a, (lge/g3_global_com/g3:5.0/LRX21R.A1445306351/1445306351:user/release-keys)
2016-04-12 22:12:23 Preparing configuration...
2016-04-12 22:12:23 started Socket Thread
2016-04-12 22:12:24 Current Parameter Settings:
2016-04-12 22:12:24 config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2016-04-12 22:12:24 mode = 0
2016-04-12 22:12:24 show_ciphers = DISABLED
2016-04-12 22:12:24 show_digests = DISABLED
2016-04-12 22:12:24 show_engines = DISABLED
2016-04-12 22:12:24 genkey = DISABLED
2016-04-12 22:12:24 key_pass_file = '[UNDEF]'
2016-04-12 22:12:24 show_tls_ciphers = DISABLED
2016-04-12 22:12:24 connect_retry_max = 5
2016-04-12 22:12:24 Connection profiles [0]:
2016-04-12 22:12:24 proto = udp
2016-04-12 22:12:24 local = '[UNDEF]'
2016-04-12 22:12:24 local_port = '1194'
2016-04-12 22:12:24 remote = 'XXXXXXXXX (My DNS)'
2016-04-12 22:12:24 remote_port = '1194'
2016-04-12 22:12:24 remote_float = DISABLED
2016-04-12 22:12:24 bind_defined = DISABLED
2016-04-12 22:12:24 bind_local = ENABLED
2016-04-12 22:12:24 bind_ipv6_only = DISABLED
2016-04-12 22:12:24 connect_retry_seconds = 5
2016-04-12 22:12:24 connect_timeout = 240
2016-04-12 22:12:24 socks_proxy_server = '[UNDEF]'
2016-04-12 22:12:24 socks_proxy_port = '[UNDEF]'
2016-04-12 22:12:24 socks_proxy_retry = DISABLED
2016-04-12 22:12:24 tun_mtu = 1500
2016-04-12 22:12:24 tun_mtu_defined = ENABLED
2016-04-12 22:12:24 link_mtu = 1500
2016-04-12 22:12:24 link_mtu_defined = DISABLED
2016-04-12 22:12:24 tun_mtu_extra = 0
2016-04-12 22:12:24 tun_mtu_extra_defined = DISABLED
2016-04-12 22:12:24 mtu_discover_type = -1
2016-04-12 22:12:24 fragment = 0
2016-04-12 22:12:24 mssfix = 1450
2016-04-12 22:12:24 explicit_exit_notification = 0
2016-04-12 22:12:24 Connection profiles END
2016-04-12 22:12:24 remote_random = DISABLED
2016-04-12 22:12:24 ipchange = '[UNDEF]'
2016-04-12 22:12:24 dev = 'tun'
2016-04-12 22:12:24 dev_type = '[UNDEF]'
2016-04-12 22:12:24 dev_node = '[UNDEF]'
2016-04-12 22:12:24 lladdr = '[UNDEF]'
2016-04-12 22:12:24 topology = 1
2016-04-12 22:12:24 tun_ipv6 = DISABLED
2016-04-12 22:12:24 ifconfig_local = '[UNDEF]'
2016-04-12 22:12:24 ifconfig_remote_netmask = '[UNDEF]'
2016-04-12 22:12:24 ifconfig_noexec = DISABLED
2016-04-12 22:12:24 ifconfig_nowarn = ENABLED
2016-04-12 22:12:24 ifconfig_ipv6_local = '[UNDEF]'
2016-04-12 22:12:24 ifconfig_ipv6_netbits = 0
2016-04-12 22:12:24 ifconfig_ipv6_remote = '[UNDEF]'
2016-04-12 22:12:24 shaper = 0
2016-04-12 22:12:24 mtu_test = 0
2016-04-12 22:12:24 mlock = DISABLED
2016-04-12 22:12:24 keepalive_ping = 0
2016-04-12 22:12:24 keepalive_timeout = 0
2016-04-12 22:12:24 inactivity_timeout = 0
2016-04-12 22:12:24 ping_send_timeout = 0
2016-04-12 22:12:24 ping_rec_timeout = 0
2016-04-12 22:12:24 ping_rec_timeout_action = 0
2016-04-12 22:12:24 ping_timer_remote = DISABLED
2016-04-12 22:12:24 remap_sigusr1 = 0
2016-04-12 22:12:24 persist_tun = DISABLED
2016-04-12 22:12:24 persist_local_ip = DISABLED
2016-04-12 22:12:24 persist_remote_ip = DISABLED
2016-04-12 22:12:24 persist_key = DISABLED
2016-04-12 22:12:24 passtos = DISABLED
2016-04-12 22:12:24 resolve_retry_seconds = 60
2016-04-12 22:12:24 resolve_in_advance = DISABLED
2016-04-12 22:12:24 username = '[UNDEF]'
2016-04-12 22:12:24 groupname = '[UNDEF]'
2016-04-12 22:12:24 chroot_dir = '[UNDEF]'
2016-04-12 22:12:24 cd_dir = '[UNDEF]'
2016-04-12 22:12:24 writepid = '[UNDEF]'
2016-04-12 22:12:24 up_script = '[UNDEF]'
2016-04-12 22:12:24 down_script = '[UNDEF]'
2016-04-12 22:12:24 down_pre = DISABLED
2016-04-12 22:12:24 up_restart = DISABLED
2016-04-12 22:12:24 up_delay = DISABLED
2016-04-12 22:12:24 daemon = DISABLED
2016-04-12 22:12:24 inetd = 0
2016-04-12 22:12:24 log = DISABLED
2016-04-12 22:12:24 suppress_timestamps = DISABLED
2016-04-12 22:12:24 machine_readable_output = ENABLED
2016-04-12 22:12:24 nice = 0
2016-04-12 22:12:24 verbosity = 4
2016-04-12 22:12:24 mute = 0
2016-04-12 22:12:24 gremlin = 0
2016-04-12 22:12:24 status_file = '[UNDEF]'
2016-04-12 22:12:24 status_file_version = 1
2016-04-12 22:12:24 status_file_update_freq = 60
2016-04-12 22:12:24 occ = ENABLED
2016-04-12 22:12:24 rcvbuf = 0
2016-04-12 22:12:24 sndbuf = 0
2016-04-12 22:12:24 sockflags = 0
2016-04-12 22:12:24 fast_io = DISABLED
2016-04-12 22:12:24 comp.alg = 2
2016-04-12 22:12:24 comp.flags = 1
2016-04-12 22:12:24 route_script = '[UNDEF]'
2016-04-12 22:12:24 route_default_gateway = '[UNDEF]'
2016-04-12 22:12:24 route_default_metric = 0
2016-04-12 22:12:24 route_noexec = DISABLED
2016-04-12 22:12:24 route_delay = 0
2016-04-12 22:12:24 route_delay_window = 30
2016-04-12 22:12:24 route_delay_defined = DISABLED
2016-04-12 22:12:24 route_nopull = DISABLED
2016-04-12 22:12:24 route_gateway_via_dhcp = DISABLED
2016-04-12 22:12:24 allow_pull_fqdn = DISABLED
2016-04-12 22:12:24 route 0.0.0.0/0.0.0.0/vpn_gateway/nil
2016-04-12 22:12:24 management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2016-04-12 22:12:24 management_port = 'unix'
2016-04-12 22:12:24 management_user_pass = '[UNDEF]'
2016-04-12 22:12:24 management_log_history_cache = 250
2016-04-12 22:12:24 management_echo_buffer_size = 100
2016-04-12 22:12:24 management_write_peer_info_file = '[UNDEF]'
2016-04-12 22:12:24 management_client_user = '[UNDEF]'
2016-04-12 22:12:24 management_client_group = '[UNDEF]'
2016-04-12 22:12:24 management_flags = 4390
2016-04-12 22:12:24 shared_secret_file = '[UNDEF]'
2016-04-12 22:12:24 key_direction = 0
2016-04-12 22:12:24 ciphername_defined = ENABLED
2016-04-12 22:12:24 ciphername = 'BF-CBC'
2016-04-12 22:12:24 authname_defined = ENABLED
2016-04-12 22:12:24 authname = 'SHA1'
2016-04-12 22:12:24 prng_hash = 'SHA1'
2016-04-12 22:12:24 prng_nonce_secret_len = 16
2016-04-12 22:12:24 keysize = 0
2016-04-12 22:12:24 engine = DISABLED
2016-04-12 22:12:24 replay = ENABLED
2016-04-12 22:12:24 mute_replay_warnings = DISABLED
2016-04-12 22:12:24 replay_window = 64
2016-04-12 22:12:24 replay_time = 15
2016-04-12 22:12:24 packet_id_file = '[UNDEF]'
2016-04-12 22:12:24 use_iv = ENABLED
2016-04-12 22:12:24 test_crypto = DISABLED
2016-04-12 22:12:24 tls_server = DISABLED
2016-04-12 22:12:24 tls_client = ENABLED
2016-04-12 22:12:24 key_method = 2
2016-04-12 22:12:24 ca_file = '[[INLINE]]'
2016-04-12 22:12:24 ca_path = '[UNDEF]'
2016-04-12 22:12:24 dh_file = '[UNDEF]'
2016-04-12 22:12:24 cert_file = '[[INLINE]]'
2016-04-12 22:12:24 extra_certs_file = '[UNDEF]'
2016-04-12 22:12:24 priv_key_file = '[[INLINE]]'
2016-04-12 22:12:24 pkcs12_file = '[UNDEF]'
2016-04-12 22:12:24 cipher_list = '[UNDEF]'
2016-04-12 22:12:24 tls_verify = '[UNDEF]'
2016-04-12 22:12:24 tls_export_cert = '[UNDEF]'
2016-04-12 22:12:24 verify_x509_type = 2
2016-04-12 22:12:24 verify_x509_name = 'XXXXXXXXX (My DNS)'
2016-04-12 22:12:24 crl_file = '[UNDEF]'
2016-04-12 22:12:24 ns_cert_type = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_ku[i] = 0
2016-04-12 22:12:24 remote_cert_eku = '[UNDEF]'
2016-04-12 22:12:24 ssl_flags = 0
2016-04-12 22:12:24 tls_timeout = 2
2016-04-12 22:12:24 renegotiate_bytes = 0
2016-04-12 22:12:24 renegotiate_packets = 0
2016-04-12 22:12:24 renegotiate_seconds = 3600
2016-04-12 22:12:24 handshake_window = 60
2016-04-12 22:12:24 transition_window = 3600
2016-04-12 22:12:24 single_session = DISABLED
2016-04-12 22:12:24 push_peer_info = DISABLED
2016-04-12 22:12:24 tls_exit = DISABLED
2016-04-12 22:12:24 tls_auth_file = '[UNDEF]'
2016-04-12 22:12:24 client = ENABLED
2016-04-12 22:12:24 pull = ENABLED
2016-04-12 22:12:24 auth_user_pass_file = '[UNDEF]'
2016-04-12 22:12:24 OpenVPN 2.4-icsopenvpn [git:icsopenvpn-a6eda60c1e79b5c9] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Mar 9 2016
2016-04-12 22:12:24 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
2016-04-12 22:12:24 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
2016-04-12 22:12:24 MANAGEMENT: CMD 'hold release'
2016-04-12 22:12:24 MANAGEMENT: CMD 'proxy NONE'
2016-04-12 22:12:24 MANAGEMENT: CMD 'bytecount 2'
2016-04-12 22:12:24 MANAGEMENT: CMD 'state on'
2016-04-12 22:12:24 Network status: CONNECTED to WIFI "FON_ZON_FREE_INTERNET"
2016-04-12 22:12:25 LZO compression initializing
2016-04-12 22:12:25 Control Channel MTU parms [ L:1542 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2016-04-12 22:12:25 MANAGEMENT: >STATE:1460495545,RESOLVE,,,,,,
2016-04-12 22:12:25 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:393 ET:0 EL:3 ]
2016-04-12 22:12:25 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2016-04-12 22:12:25 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2016-04-12 22:12:25 TCP/UDP: Preserving recently used remote address: [AF_INET]89.114.238.189:1194
2016-04-12 22:12:25 Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-04-12 22:12:25 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-04-12 22:12:25 UDP link local (bound): [AF_INET][undef]:1194
2016-04-12 22:12:25 UDP link remote: [AF_INET]89.114.238.189:1194
2016-04-12 22:12:25 MANAGEMENT: >STATE:1460495545,WAIT,,,,,,
2016-04-12 22:13:25 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2016-04-12 22:13:25 TLS Error: TLS handshake failed
2016-04-12 22:13:25 TCP/UDP: Closing s
-
Traffic
- OpenVPN Protagonist
- Posts: 4071
- Joined: Sat Aug 09, 2014 11:24 am
Re: Unable to connect with Openvpn server (TLS Error)
by Traffic » Tue Apr 12, 2016 10:15 pm
kelsini wrote:
Traffic wrote:Please post your complete server log showing the failure (remove private data)
Here it is:
2016-04-12 22:12:23 official build 0.6.50 running on lge LG-D855 (MSM8974), Android 5.0 (LRX21R.A1445306351) API 21, ABI armeabi-v7a, (lge/g3_global_com/g3:5.0/LRX21R.A1445306351/1445306351:user/release-keys)
2016-04-12 22:12:24 config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2016-04-12 22:12:24 remote = 'XXXXXXXXX (My DNS)'
2016-04-12 22:12:24 remote_port = '1194'
2016-04-12 22:13:25 TCP/UDP: Closing s
-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Re: Unable to connect with Openvpn server (TLS Error)
by kelsini » Tue Apr 12, 2016 11:11 pm
I have noticed that ‘de.blinkt.openvpn’ wasn't for sure correct, but… I went to the OpenVPN for Android app on the smartphone and changed the «search domain» on the «DNS AND IP» tab from ‘de.blinkt.openvpn’ to my DNS…
The strangest thing is that after this change the log still gives me that ‘de.blinkt.openvpn’ DNS… and the same TLS error…
2016-04-13 00:04:02 official build 0.6.50 running on lge LG-D855 (MSM8974), Android 5.0 (LRX21R.A1445306351) API 21, ABI armeabi-v7a, (lge/g3_global_com/g3:5.0/LRX21R.A1445306351/1445306351:user/release-keys)
2016-04-13 00:04:02 Preparing configuration...
2016-04-13 00:04:02 started Socket Thread
2016-04-13 00:04:02 Current Parameter Settings:
2016-04-13 00:04:02 config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2016-04-13 00:04:02 mode = 0
2016-04-13 00:04:02 show_ciphers = DISABLED
2016-04-13 00:04:02 show_digests = DISABLED
2016-04-13 00:04:02 show_engines = DISABLED
2016-04-13 00:04:02 genkey = DISABLED
2016-04-13 00:04:02 key_pass_file = '[UNDEF]'
2016-04-13 00:04:02 show_tls_ciphers = DISABLED
2016-04-13 00:04:02 connect_retry_max = 5
2016-04-13 00:04:02 Connection profiles [0]:
2016-04-13 00:04:02 proto = udp
2016-04-13 00:04:02 local = '[UNDEF]'
2016-04-13 00:04:02 local_port = '1194'
2016-04-13 00:04:02 remote = 'XXXXXX (MY DNS)'
2016-04-13 00:04:02 remote_port = '1194'
2016-04-13 00:04:02 remote_float = DISABLED
2016-04-13 00:04:02 bind_defined = DISABLED
2016-04-13 00:04:02 bind_local = ENABLED
2016-04-13 00:04:02 bind_ipv6_only = DISABLED
2016-04-13 00:04:02 connect_retry_seconds = 5
2016-04-13 00:04:02 connect_timeout = 240
2016-04-13 00:04:02 socks_proxy_server = '[UNDEF]'
2016-04-13 00:04:02 socks_proxy_port = '[UNDEF]'
2016-04-13 00:04:02 socks_proxy_retry = DISABLED
2016-04-13 00:04:02 tun_mtu = 1500
2016-04-13 00:04:02 tun_mtu_defined = ENABLED
2016-04-13 00:04:02 link_mtu = 1500
2016-04-13 00:04:02 link_mtu_defined = DISABLED
2016-04-13 00:04:02 tun_mtu_extra = 0
2016-04-13 00:04:02 tun_mtu_extra_defined = DISABLED
2016-04-13 00:04:02 mtu_discover_type = -1
2016-04-13 00:04:02 fragment = 0
2016-04-13 00:04:02 mssfix = 1450
2016-04-13 00:04:02 explicit_exit_notification = 0
2016-04-13 00:04:02 Connection profiles END
2016-04-13 00:04:02 remote_random = DISABLED
2016-04-13 00:04:02 ipchange = '[UNDEF]'
2016-04-13 00:04:02 dev = 'tun'
2016-04-13 00:04:02 dev_type = '[UNDEF]'
2016-04-13 00:04:02 dev_node = '[UNDEF]'
2016-04-13 00:04:02 lladdr = '[UNDEF]'
2016-04-13 00:04:02 topology = 1
2016-04-13 00:04:02 tun_ipv6 = DISABLED
2016-04-13 00:04:02 ifconfig_local = '[UNDEF]'
2016-04-13 00:04:02 ifconfig_remote_netmask = '[UNDEF]'
2016-04-13 00:04:02 ifconfig_noexec = DISABLED
2016-04-13 00:04:02 ifconfig_nowarn = ENABLED
2016-04-13 00:04:02 ifconfig_ipv6_local = '[UNDEF]'
2016-04-13 00:04:02 ifconfig_ipv6_netbits = 0
2016-04-13 00:04:02 ifconfig_ipv6_remote = '[UNDEF]'
2016-04-13 00:04:02 shaper = 0
2016-04-13 00:04:02 mtu_test = 0
2016-04-13 00:04:02 mlock = DISABLED
2016-04-13 00:04:02 keepalive_ping = 0
2016-04-13 00:04:02 keepalive_timeout = 0
2016-04-13 00:04:02 inactivity_timeout = 0
2016-04-13 00:04:02 ping_send_timeout = 0
2016-04-13 00:04:02 ping_rec_timeout = 0
2016-04-13 00:04:02 ping_rec_timeout_action = 0
2016-04-13 00:04:02 ping_timer_remote = DISABLED
2016-04-13 00:04:02 remap_sigusr1 = 0
2016-04-13 00:04:02 persist_tun = DISABLED
2016-04-13 00:04:02 persist_local_ip = DISABLED
2016-04-13 00:04:02 persist_remote_ip = DISABLED
2016-04-13 00:04:02 persist_key = DISABLED
2016-04-13 00:04:02 passtos = DISABLED
2016-04-13 00:04:02 resolve_retry_seconds = 60
2016-04-13 00:04:02 resolve_in_advance = DISABLED
2016-04-13 00:04:02 username = '[UNDEF]'
2016-04-13 00:04:02 groupname = '[UNDEF]'
2016-04-13 00:04:02 chroot_dir = '[UNDEF]'
2016-04-13 00:04:02 cd_dir = '[UNDEF]'
2016-04-13 00:04:02 writepid = '[UNDEF]'
2016-04-13 00:04:02 up_script = '[UNDEF]'
2016-04-13 00:04:02 down_script = '[UNDEF]'
2016-04-13 00:04:02 down_pre = DISABLED
2016-04-13 00:04:02 up_restart = DISABLED
2016-04-13 00:04:02 up_delay = DISABLED
2016-04-13 00:04:02 daemon = DISABLED
2016-04-13 00:04:02 inetd = 0
2016-04-13 00:04:02 log = DISABLED
2016-04-13 00:04:02 suppress_timestamps = DISABLED
2016-04-13 00:04:02 machine_readable_output = ENABLED
2016-04-13 00:04:02 nice = 0
2016-04-13 00:04:02 verbosity = 4
2016-04-13 00:04:02 mute = 0
2016-04-13 00:04:02 gremlin = 0
2016-04-13 00:04:02 status_file = '[UNDEF]'
2016-04-13 00:04:02 status_file_version = 1
2016-04-13 00:04:02 status_file_update_freq = 60
2016-04-13 00:04:02 occ = ENABLED
2016-04-13 00:04:02 rcvbuf = 0
2016-04-13 00:04:02 Network status: CONNECTED to WIFI "FON_ZON_FREE_INTERNET"
2016-04-13 00:04:02 sndbuf = 0
2016-04-13 00:04:02 sockflags = 0
2016-04-13 00:04:02 fast_io = DISABLED
2016-04-13 00:04:02 comp.alg = 2
2016-04-13 00:04:02 comp.flags = 1
2016-04-13 00:04:02 route_script = '[UNDEF]'
2016-04-13 00:04:02 route_default_gateway = '[UNDEF]'
2016-04-13 00:04:02 route_default_metric = 0
2016-04-13 00:04:02 route_noexec = DISABLED
2016-04-13 00:04:02 route_delay = 0
2016-04-13 00:04:02 route_delay_window = 30
2016-04-13 00:04:02 route_delay_defined = DISABLED
2016-04-13 00:04:02 route_nopull = DISABLED
2016-04-13 00:04:02 route_gateway_via_dhcp = DISABLED
2016-04-13 00:04:02 allow_pull_fqdn = DISABLED
2016-04-13 00:04:02 route 0.0.0.0/0.0.0.0/vpn_gateway/nil
2016-04-13 00:04:02 management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2016-04-13 00:04:02 management_port = 'unix'
2016-04-13 00:04:02 management_user_pass = '[UNDEF]'
2016-04-13 00:04:02 management_log_history_cache = 250
2016-04-13 00:04:02 management_echo_buffer_size = 100
2016-04-13 00:04:02 management_write_peer_info_file = '[UNDEF]'
2016-04-13 00:04:02 management_client_user = '[UNDEF]'
2016-04-13 00:04:02 management_client_group = '[UNDEF]'
2016-04-13 00:04:02 management_flags = 4390
2016-04-13 00:04:02 shared_secret_file = '[UNDEF]'
2016-04-13 00:04:02 key_direction = 0
2016-04-13 00:04:02 ciphername_defined = ENABLED
2016-04-13 00:04:02 ciphername = 'BF-CBC'
2016-04-13 00:04:02 authname_defined = ENABLED
2016-04-13 00:04:02 authname = 'SHA1'
2016-04-13 00:04:02 prng_hash = 'SHA1'
2016-04-13 00:04:02 prng_nonce_secret_len = 16
2016-04-13 00:04:02 keysize = 0
2016-04-13 00:04:02 engine = DISABLED
2016-04-13 00:04:02 replay = ENABLED
2016-04-13 00:04:02 mute_replay_warnings = DISABLED
2016-04-13 00:04:02 replay_window = 64
2016-04-13 00:04:02 replay_time = 15
2016-04-13 00:04:02 packet_id_file = '[UNDEF]'
2016-04-13 00:04:02 use_iv = ENABLED
2016-04-13 00:04:02 test_crypto = DISABLED
2016-04-13 00:04:02 tls_server = DISABLED
2016-04-13 00:04:02 tls_client = ENABLED
2016-04-13 00:04:02 key_method = 2
2016-04-13 00:04:02 ca_file = '[[INLINE]]'
2016-04-13 00:04:02 ca_path = '[UNDEF]'
2016-04-13 00:04:02 dh_file = '[UNDEF]'
2016-04-13 00:04:02 cert_file = '[[INLINE]]'
2016-04-13 00:04:02 extra_certs_file = '[UNDEF]'
2016-04-13 00:04:02 priv_key_file = '[[INLINE]]'
2016-04-13 00:04:02 pkcs12_file = '[UNDEF]'
2016-04-13 00:04:02 cipher_list = '[UNDEF]'
2016-04-13 00:04:02 tls_verify = '[UNDEF]'
2016-04-13 00:04:02 tls_export_cert = '[UNDEF]'
2016-04-13 00:04:02 verify_x509_type = 0
2016-04-13 00:04:02 verify_x509_name = '[UNDEF]'
2016-04-13 00:04:02 crl_file = '[UNDEF]'
2016-04-13 00:04:02 ns_cert_type = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_ku[i] = 0
2016-04-13 00:04:02 remote_cert_eku = '[UNDEF]'
2016-04-13 00:04:02 ssl_flags = 0
2016-04-13 00:04:02 tls_timeout = 2
2016-04-13 00:04:02 renegotiate_bytes = 0
2016-04-13 00:04:02 renegotiate_packets = 0
2016-04-13 00:04:02 renegotiate_seconds = 3600
2016-04-13 00:04:02 handshake_window = 60
2016-04-13 00:04:02 transition_window = 3600
2016-04-13 00:04:02 single_session = DISABLED
2016-04-13 00:04:02 push_peer_info = DISABLED
2016-04-13 00:04:02 tls_exit = DISABLED
2016-04-13 00:04:02 tls_auth_file = '[UNDEF]'
2016-04-13 00:04:02 client = ENABLED
2016-04-13 00:04:02 pull = ENABLED
2016-04-13 00:04:02 auth_user_pass_file = '[UNDEF]'
2016-04-13 00:04:02 OpenVPN 2.4-icsopenvpn [git:icsopenvpn-a6eda60c1e79b5c9] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Mar 9 2016
2016-04-13 00:04:02 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
2016-04-13 00:04:02 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
2016-04-13 00:04:02 MANAGEMENT: CMD 'hold release'
2016-04-13 00:04:02 MANAGEMENT: CMD 'bytecount 2'
2016-04-13 00:04:02 MANAGEMENT: CMD 'proxy NONE'
2016-04-13 00:04:02 MANAGEMENT: CMD 'state on'
2016-04-13 00:04:03 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2016-04-13 00:04:03 LZO compression initializing
2016-04-13 00:04:03 Control Channel MTU parms [ L:1542 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2016-04-13 00:04:03 MANAGEMENT: >STATE:1460502243,RESOLVE,,,,,,
2016-04-13 00:04:03 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:393 ET:0 EL:3 ]
2016-04-13 00:04:03 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2016-04-13 00:04:03 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2016-04-13 00:04:03 TCP/UDP: Preserving recently used remote address: [AF_INET]89.114.238.189:1194
2016-04-13 00:04:03 Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-04-13 00:04:03 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-04-13 00:04:03 UDP link local (bound): [AF_INET][undef]:1194
2016-04-13 00:04:03 UDP link remote: [AF_INET]89.114.238.189:1194
2016-04-13 00:04:03 MANAGEMENT: >STATE:1460502243,WAIT,,,,,,
2016-04-13 00:05:03 TLS Error: TLS key negotiation failed to occur within 60
I can't see in any other tab or any option where that ‘de.blinkt.openvpn’ is mentioned again…
-
Traffic
- OpenVPN Protagonist
- Posts: 4071
- Joined: Sat Aug 09, 2014 11:24 am
Re: Unable to connect with Openvpn server (TLS Error)
by Traffic » Tue Apr 12, 2016 11:25 pm
Please post your Server log …
-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Re: Unable to connect with Openvpn server (TLS Error)
by kelsini » Wed Apr 13, 2016 9:24 pm
Traffic wrote:Please post your Server log …
cd /var/log/
dir
btmp faillog journal lastlog old openvpn.log pacman.log wtmp
I think you are asking for openvpn.log… here it is:
Wed Apr 13 22:17:25 2016 us=95312 Current Parameter Settings:
Wed Apr 13 22:17:25 2016 us=95601 config = '/etc/openvpn/homeserver-vpn.conf'
Wed Apr 13 22:17:25 2016 us=95680 mode = 1
Wed Apr 13 22:17:25 2016 us=95744 persist_config = DISABLED
Wed Apr 13 22:17:25 2016 us=95808 persist_mode = 1
Wed Apr 13 22:17:25 2016 us=95868 show_ciphers = DISABLED
Wed Apr 13 22:17:25 2016 us=95927 show_digests = DISABLED
Wed Apr 13 22:17:25 2016 us=95987 show_engines = DISABLED
Wed Apr 13 22:17:25 2016 us=96047 genkey = DISABLED
Wed Apr 13 22:17:25 2016 us=96105 key_pass_file = '[UNDEF]'
Wed Apr 13 22:17:25 2016 us=96167 show_tls_ciphers = DISABLED
Wed Apr 13 22:17:25 2016 us=96229 Connection profiles [default]:
Wed Apr 13 22:17:25 2016 us=96290 proto = udp
Wed Apr 13 22:17:25 2016 us=96349 local = '[UNDEF]'
Wed Apr 13 22:17:25 2016 us=96410 local_port = 1194
Wed Apr 13 22:17:25 2016 us=98947 remote = '[UNDEF]'
Wed Apr 13 22:17:25 2016 us=99502 remote_port = 1194
Wed Apr 13 22:17:25 2016 us=99567 remote_float = DISABLED
Wed Apr 13 22:17:25 2016 us=99615 bind_defined = DISABLED
Wed Apr 13 22:17:25 2016 us=99661 bind_local = ENABLED
Wed Apr 13 22:17:25 2016 us=99708 NOTE: --mute triggered...
Wed Apr 13 22:17:25 2016 us=99770 213 variation(s) on previous 20 message(s) suppressed by --mute
Wed Apr 13 22:17:25 2016 us=99817 OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
Wed Apr 13 22:17:25 2016 us=99895 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Wed Apr 13 22:17:25 2016 us=115220 Diffie-Hellman initialized with 2048 bit key
Wed Apr 13 22:17:25 2016 us=139828 Control Channel Authentication: using '/etc/openvpn/certs/ta.key' as a OpenVPN static key file
Wed Apr 13 22:17:25 2016 us=139975 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 13 22:17:25 2016 us=140056 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 13 22:17:25 2016 us=140147 TLS-Auth MTU parms [ L:1542 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Wed Apr 13 22:17:25 2016 us=140259 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Apr 13 22:17:25 2016 us=140534 ROUTE: default_gateway=UNDEF
Wed Apr 13 22:17:25 2016 us=245008 TUN/TAP device tun0 opened
Wed Apr 13 22:17:25 2016 us=245172 TUN/TAP TX queue length set to 100
Wed Apr 13 22:17:25 2016 us=245265 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 13 22:17:25 2016 us=245379 /usr/bin/ip link set dev tun0 up mtu 1500
Wed Apr 13 22:17:25 2016 us=271194 /usr/bin/ip addr add dev tun0 local 192.168.88.1 peer 192.168.88.2
Wed Apr 13 22:17:25 2016 us=278962 /usr/bin/ip route add 192.168.88.0/24 via 192.168.88.2
Wed Apr 13 22:17:25 2016 us=285863 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Wed Apr 13 22:17:25 2016 us=286998 GID set to nobody
Wed Apr 13 22:17:25 2016 us=287116 UID set to nobody
Wed Apr 13 22:17:25 2016 us=287181 UDPv4 link local (bound): [undef]
Wed Apr 13 22:17:25 2016 us=292745 UDPv4 link remote: [undef]
Wed Apr 13 22:17:25 2016 us=292865 MULTI: multi_init called, r=256 v=256
Wed Apr 13 22:17:25 2016 us=292997 IFCONFIG POOL: base=192.168.88.4 size=62, ipv6=0
Wed Apr 13 22:17:25 2016 us=293098 IFCONFIG POOL LIST
Wed Apr 13 22:17:25 2016 us=293241 Initialization Sequence Completed
-
Traffic
- OpenVPN Protagonist
- Posts: 4071
- Joined: Sat Aug 09, 2014 11:24 am
Re: Unable to connect with Openvpn server (TLS Error)
by Traffic » Wed Apr 13, 2016 9:30 pm
Your server log does not show any connection attempts:
kelsini wrote:Wed Apr 13 22:17:25 2016 us=293241 Initialization Sequence Completed
Traffic wrote:Please post your Server log
Showing the connection attempt from your client ..
-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Re: Unable to connect with Openvpn server (TLS Error)
by kelsini » Wed Apr 13, 2016 9:54 pm
Here it is again:
Wed Apr 13 22:53:10 2016 us=937880 Current Parameter Settings:
Wed Apr 13 22:53:10 2016 us=938186 config = '/etc/openvpn/homeserver-vpn.conf'
Wed Apr 13 22:53:10 2016 us=938261 mode = 1
Wed Apr 13 22:53:10 2016 us=938326 persist_config = DISABLED
Wed Apr 13 22:53:10 2016 us=938390 persist_mode = 1
Wed Apr 13 22:53:10 2016 us=938453 show_ciphers = DISABLED
Wed Apr 13 22:53:10 2016 us=938515 show_digests = DISABLED
Wed Apr 13 22:53:10 2016 us=938719 show_engines = DISABLED
Wed Apr 13 22:53:10 2016 us=938789 genkey = DISABLED
Wed Apr 13 22:53:10 2016 us=938851 key_pass_file = '[UNDEF]'
Wed Apr 13 22:53:10 2016 us=938915 show_tls_ciphers = DISABLED
Wed Apr 13 22:53:10 2016 us=938976 Connection profiles [default]:
Wed Apr 13 22:53:10 2016 us=939039 proto = udp
Wed Apr 13 22:53:10 2016 us=939101 local = '[UNDEF]'
Wed Apr 13 22:53:10 2016 us=939164 local_port = 1194
Wed Apr 13 22:53:10 2016 us=939230 remote = '[UNDEF]'
Wed Apr 13 22:53:10 2016 us=939293 remote_port = 1194
Wed Apr 13 22:53:10 2016 us=939356 remote_float = DISABLED
Wed Apr 13 22:53:10 2016 us=939417 bind_defined = DISABLED
Wed Apr 13 22:53:10 2016 us=939480 bind_local = ENABLED
Wed Apr 13 22:53:10 2016 us=939542 NOTE: --mute triggered...
Wed Apr 13 22:53:10 2016 us=939625 213 variation(s) on previous 20 message(s) suppressed by --mute
Wed Apr 13 22:53:10 2016 us=939689 OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
Wed Apr 13 22:53:10 2016 us=939789 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Wed Apr 13 22:53:10 2016 us=948982 Diffie-Hellman initialized with 2048 bit key
Wed Apr 13 22:53:10 2016 us=958396 Control Channel Authentication: using '/etc/openvpn/certs/ta.key' as a OpenVPN static key file
Wed Apr 13 22:53:10 2016 us=958536 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 13 22:53:10 2016 us=958612 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 13 22:53:10 2016 us=958697 TLS-Auth MTU parms [ L:1542 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Wed Apr 13 22:53:10 2016 us=958803 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Apr 13 22:53:10 2016 us=959092 ROUTE: default_gateway=UNDEF
Wed Apr 13 22:53:10 2016 us=990694 TUN/TAP device tun0 opened
Wed Apr 13 22:53:10 2016 us=990870 TUN/TAP TX queue length set to 100
Wed Apr 13 22:53:10 2016 us=991685 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 13 22:53:10 2016 us=991837 /usr/bin/ip link set dev tun0 up mtu 1500
Wed Apr 13 22:53:11 2016 us=23502 /usr/bin/ip addr add dev tun0 local 192.168.88.1 peer 192.168.88.2
Wed Apr 13 22:53:11 2016 us=31611 /usr/bin/ip route add 192.168.88.0/24 via 192.168.88.2
Wed Apr 13 22:53:11 2016 us=36078 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Wed Apr 13 22:53:11 2016 us=41551 GID set to nobody
Wed Apr 13 22:53:11 2016 us=41668 UID set to nobody
Wed Apr 13 22:53:11 2016 us=41730 UDPv4 link local (bound): [undef]
Wed Apr 13 22:53:11 2016 us=41784 UDPv4 link remote: [undef]
Wed Apr 13 22:53:11 2016 us=41847 MULTI: multi_init called, r=256 v=256
Wed Apr 13 22:53:11 2016 us=41962 IFCONFIG POOL: base=192.168.88.4 size=62, ipv6=0
Wed Apr 13 22:53:11 2016 us=42062 IFCONFIG POOL LIST
Wed Apr 13 22:53:11 2016 us=42199 Initialization Sequence Completed
Wed Apr 13 22:53:13 2016 us=125058 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074
Wed Apr 13 22:53:14 2016 us=864777 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074
Wed Apr 13 22:53:19 2016 us=540852 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074
-
Traffic
- OpenVPN Protagonist
- Posts: 4071
- Joined: Sat Aug 09, 2014 11:24 am
Re: Unable to connect with Openvpn server (TLS Error)
Post
by Traffic » Wed Apr 13, 2016 10:53 pm
kelsini wrote:Wed Apr 13 22:53:13 2016 us=125058 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074
This most probably means that you have corrupted your tls-auth ta.key while importing it to your phone .. or possibly imported the wrong file. Try again; make sure the file is exactly the same.
You may have to use inline config: https://community.openvpn.net/openvpn/wiki/IOSinline
FYI: you do not have to call the file ta.key .. you can rename it to anything more memorable.
-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post
by kelsini » Thu Apr 14, 2016 10:40 am
Traffic wrote:
kelsini wrote:Wed Apr 13 22:53:13 2016 us=125058 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074
This most probably means that you have corrupted your tls-auth ta.key while importing it to your phone .. or possibly imported the wrong file. Try again; make sure the file is exactly the same.
You may have to use inline config: https://community.openvpn.net/openvpn/wiki/IOSinline
FYI: you do not have to call the file ta.key .. you can rename it to anything more memorable.
I have 2 folders where the keys and certs are:
in /root/easy-rsa/keys/
01.pem dh2048.pem index.txt ipp.txt serial
02.pem homeserver.crt index.txt.attr kelsinni.crt serial.old
ca.crt homeserver.csr index.txt.attr.old kelsinni.csr ta.key
ca.key homeserver.key index.txt.old kelsinni.key
and in /etc/openvpn/certs/
ca.crt dh2048.pem homeserver.key
ca.key homeserver.crt ta.key
The keys that I copied to my Android were the client certificate (kelsinni.crt), the client certificate key (kelsinni.key) and the CA certificate (ca.crt), all located in /root/easy-rsa/keys/
The OpenVPN for Android app only asks for these 3 files (CA certificate, client certificate and client certificate key), nothing about ta.key:
I'm going to copy the files to the Android again...
-
Traffic
- OpenVPN Protagonist
- Posts: 4071
- Joined: Sat Aug 09, 2014 11:24 am
Re: Unable to connect with Openvpn server (TLS Error)
Post
by Traffic » Thu Apr 14, 2016 12:19 pm
kelsini wrote:The OpenVPN for Android app only asks for these 3 files (CA certificate, client certificate and client certificate key), nothing about ta.key
Then you must disable --tls-auth on the server ..
-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post
by kelsini » Thu Apr 14, 2016 2:21 pm
Traffic wrote:
kelsini wrote:The OpenVPN for Android app only asks for these 3 files (CA certificate, client certificate and client certificate key), nothing about ta.key
Then you must disable --tls-auth on the server ..
Well... finally I think I got a successful connection
Code: Select all
Thu Apr 14 15:06:34 2016 us=45204 Current Parameter Settings:
Thu Apr 14 15:06:34 2016 us=45471 config = '/etc/openvpn/homeserver-vpn.conf'
Thu Apr 14 15:06:34 2016 us=45567 mode = 1
Thu Apr 14 15:06:34 2016 us=45652 persist_config = DISABLED
Thu Apr 14 15:06:34 2016 us=45732 persist_mode = 1
Thu Apr 14 15:06:34 2016 us=45813 show_ciphers = DISABLED
Thu Apr 14 15:06:34 2016 us=45888 show_digests = DISABLED
Thu Apr 14 15:06:34 2016 us=45958 show_engines = DISABLED
Thu Apr 14 15:06:34 2016 us=46018 genkey = DISABLED
Thu Apr 14 15:06:34 2016 us=46077 key_pass_file = '[UNDEF]'
Thu Apr 14 15:06:34 2016 us=46136 show_tls_ciphers = DISABLED
Thu Apr 14 15:06:34 2016 us=46194 Connection profiles [default]:
Thu Apr 14 15:06:34 2016 us=46253 proto = udp
Thu Apr 14 15:06:34 2016 us=46312 local = '[UNDEF]'
Thu Apr 14 15:06:34 2016 us=46381 local_port = 1194
Thu Apr 14 15:06:34 2016 us=46461 remote = '[UNDEF]'
Thu Apr 14 15:06:34 2016 us=46542 remote_port = 1194
Thu Apr 14 15:06:34 2016 us=46619 remote_float = DISABLED
Thu Apr 14 15:06:34 2016 us=46700 bind_defined = DISABLED
Thu Apr 14 15:06:34 2016 us=46772 bind_local = ENABLED
Thu Apr 14 15:06:34 2016 us=46842 NOTE: --mute triggered...
Thu Apr 14 15:06:34 2016 us=46920 213 variation(s) on previous 20 message(s) suppressed by --mute
Thu Apr 14 15:06:34 2016 us=46980 OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
Thu Apr 14 15:06:34 2016 us=47077 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Thu Apr 14 15:06:34 2016 us=88916 Diffie-Hellman initialized with 2048 bit key
Thu Apr 14 15:06:34 2016 us=100742 TLS-Auth MTU parms [ L:1542 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Apr 14 15:06:34 2016 us=100907 Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Apr 14 15:06:34 2016 us=101191 ROUTE: default_gateway=UNDEF
Thu Apr 14 15:06:34 2016 us=126690 TUN/TAP device tun0 opened
Thu Apr 14 15:06:34 2016 us=127009 TUN/TAP TX queue length set to 100
Thu Apr 14 15:06:34 2016 us=127125 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Apr 14 15:06:34 2016 us=127237 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Apr 14 15:06:34 2016 us=160313 /usr/bin/ip addr add dev tun0 local 192.168.88.1 peer 192.168.88.2
Thu Apr 14 15:06:34 2016 us=163614 /usr/bin/ip route add 192.168.88.0/24 via 192.168.88.2
Thu Apr 14 15:06:34 2016 us=167431 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Apr 14 15:06:34 2016 us=168865 GID set to nobody
Thu Apr 14 15:06:34 2016 us=168975 UID set to nobody
Thu Apr 14 15:06:34 2016 us=169037 UDPv4 link local (bound): [undef]
Thu Apr 14 15:06:34 2016 us=169092 UDPv4 link remote: [undef]
Thu Apr 14 15:06:34 2016 us=169156 MULTI: multi_init called, r=256 v=256
Thu Apr 14 15:06:34 2016 us=169670 IFCONFIG POOL: base=192.168.88.4 size=62, ipv6=0
Thu Apr 14 15:06:34 2016 us=204863 ifconfig_pool_read(), in='kelsinni,192.168.88.4', TODO: IPv6
Thu Apr 14 15:06:34 2016 us=204970 succeeded -> ifconfig_pool_set()
Thu Apr 14 15:06:34 2016 us=205030 IFCONFIG POOL LIST
Thu Apr 14 15:06:34 2016 us=205087 kelsinni,192.168.88.4
Thu Apr 14 15:06:34 2016 us=205223 Initialization Sequence Completed
Thu Apr 14 15:14:04 2016 us=962812 MULTI: multi_create_instance called
Thu Apr 14 15:14:04 2016 us=963100 89.180.149.129:58052 Re-using SSL/TLS context
Thu Apr 14 15:14:04 2016 us=963251 89.180.149.129:58052 LZO compression initialized
Thu Apr 14 15:14:04 2016 us=963656 89.180.149.129:58052 Control Channel MTU parms [ L:1542 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Apr 14 15:14:04 2016 us=963752 89.180.149.129:58052 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Apr 14 15:14:04 2016 us=963901 89.180.149.129:58052 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-server'
Thu Apr 14 15:14:04 2016 us=963965 89.180.149.129:58052 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-client'
Thu Apr 14 15:14:04 2016 us=964100 89.180.149.129:58052 Local Options hash (VER=V4): '974bef3f'
Thu Apr 14 15:14:04 2016 us=964192 89.180.149.129:58052 Expected Remote Options hash (VER=V4): '827c9ed0'
RThu Apr 14 15:14:04 2016 us=964398 89.180.149.129:58052 TLS: Initial packet from [AF_INET]89.180.149.129:58052, sid=9cc8d214 1064ccf7
WRRWWWRRRWRThu Apr 14 15:14:05 2016 us=454820 89.180.149.129:58052 VERIFY OK: depth=1, C=PT, ST=LX, L=LX, O=SV, OU=MY, CN=HOME, name=SERVER, emailAddress=MYEMAIL
Thu Apr 14 15:14:05 2016 us=457938 89.180.149.129:58052 VERIFY OK: depth=0, C=PT, ST=LX, L=LX, O=SV, OU=MY, CN=kelsinni, name=server, emailAddress=MYEMAIL
WRWRThu Apr 14 15:14:05 2016 us=702731 89.180.149.129:58052 WARNING: 'cipher' is used inconsistently, local='cipher DES-EDE3-CBC', remote='cipher BF-CBC'
Thu Apr 14 15:14:05 2016 us=702866 89.180.149.129:58052 WARNING: 'keysize' is used inconsistently, local='keysize 192', remote='keysize 128'
Thu Apr 14 15:14:05 2016 us=703748 89.180.149.129:58052 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Thu Apr 14 15:14:05 2016 us=703887 89.180.149.129:58052 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 14 15:14:05 2016 us=703971 89.180.149.129:58052 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Thu Apr 14 15:14:05 2016 us=704049 89.180.149.129:58052 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WRThu Apr 14 15:14:05 2016 us=740252 89.180.149.129:58052 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Apr 14 15:14:05 2016 us=740379 89.180.149.129:58052 [kelsinni] Peer Connection Initiated with [AF_INET]89.180.149.129:58052
Thu Apr 14 15:14:05 2016 us=740488 kelsinni/89.180.149.129:58052 MULTI_sva: pool returned IPv4=192.168.88.6, IPv6=(Not enabled)
Thu Apr 14 15:14:05 2016 us=740672 kelsinni/89.180.149.129:58052 MULTI: Learn: 192.168.88.6 -> kelsinni/89.180.149.129:58052
Thu Apr 14 15:14:05 2016 us=740733 kelsinni/89.180.149.129:58052 MULTI: primary virtual IP for kelsinni/89.180.149.129:58052: 192.168.88.6
RThu Apr 14 15:14:06 2016 us=974533 kelsinni/89.180.149.129:58052 PUSH: Received control message: 'PUSH_REQUEST'
Thu Apr 14 15:14:06 2016 us=974632 kelsinni/89.180.149.129:58052 send_push_reply(): safe_cap=940
Thu Apr 14 15:14:06 2016 us=974906 kelsinni/89.180.149.129:58052 SENT CONTROL [kelsinni]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 192.168.88.0 255.255.255.0,topology net30,ping$
WWR
The problem now is that I have no internet access on my cellphone after the connection... I don't know if it has to do with that IP 192.168.88.6 that is shown in the log, because it's out of the range of my internal LAN (192.168.1.xxx)
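A small triage script for the two handshake problems visible in the server logs above (the repeated "cannot locate HMAC" lines from the first attempt, and the cipher/keysize warnings after the tls-auth line was commented out). This is an added example, not code from the thread or from OpenVPN; the sample lines embedded in it are copied from the posts above, verb 5 R/W prefixes included, and the function names are my own.

```python
"""Triage OpenVPN server log lines for the two handshake problems seen in this
thread.  Added example, not code from the thread or from OpenVPN; the sample
lines below are copied from the logs posted in the thread."""
import re
from collections import defaultdict

# At "verb 5" OpenVPN writes one R/W character per packet read/written without
# a newline, so a timestamp can appear as "WRWRThu Apr 14 ..." and a line may
# consist of nothing but "WWR".  The regex skips that prefix.
TS_RE = re.compile(
    r"^[RW]*(?P<ts>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} +\d{1,2} "
    r"\d{2}:\d{2}:\d{2} \d{4}) us=\d+ (?P<msg>.*)$"
)
# "cannot locate HMAC": the server expects a tls-auth HMAC on every control
# packet and the client sent none (or one made with a different ta.key).
HMAC_RE = re.compile(
    r"TLS Error: cannot locate HMAC in incoming packet from "
    r"\[AF_INET\](?P<peer>[\d.]+:\d+)"
)
# Options-string mismatch warnings logged after the TLS handshake succeeded.
INCONSISTENT_RE = re.compile(
    r"(?P<peer>[\d.]+:\d+) WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)


def parse_line(line):
    """Return (timestamp, message) for a log line, or None for non-log residue."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("msg")


def triage(lines):
    """Summarise handshake problems per peer.

    Returns {peer: {"hmac_failures": int, "mismatches": {opt: (local, remote)}}}.
    """
    report = defaultdict(lambda: {"hmac_failures": 0, "mismatches": {}})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg = parsed[1]
        m = HMAC_RE.search(msg)
        if m:
            report[m.group("peer")]["hmac_failures"] += 1
            continue
        m = INCONSISTENT_RE.search(msg)
        if m:
            report[m.group("peer")]["mismatches"][m.group("opt")] = (
                m.group("local"), m.group("remote"))
    return dict(report)


def explain(report):
    """Turn the per-peer findings into the remediation hints given in the thread."""
    hints = []
    for peer, info in sorted(report.items()):
        if info["hmac_failures"]:
            hints.append(
                f"{peer}: {info['hmac_failures']} control packet(s) rejected; the "
                "client is missing the tls-auth key, has a corrupted copy, or has "
                "the wrong file")
        for opt, (local, remote) in sorted(info["mismatches"].items()):
            hints.append(
                f"{peer}: '{opt}' differs (server {local!r}, client {remote!r}); "
                f"configure the same {opt} on both sides")
    return hints


# Sample lines copied from the logs in this thread (verb 5 prefixes included).
SAMPLE_LOG = [
    "Wed Apr 13 22:53:11 2016 us=42199 Initialization Sequence Completed",
    "Wed Apr 13 22:53:13 2016 us=125058 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074",
    "Wed Apr 13 22:53:14 2016 us=864777 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074",
    "Wed Apr 13 22:53:19 2016 us=540852 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074",
    "WRRWWWRRRWRThu Apr 14 15:14:05 2016 us=454820 89.180.149.129:58052 VERIFY OK: depth=1, C=PT, ST=LX, L=LX, O=SV, OU=MY, CN=HOME, name=SERVER, emailAddress=MYEMAIL",
    "WRWRThu Apr 14 15:14:05 2016 us=702731 89.180.149.129:58052 WARNING: 'cipher' is used inconsistently, local='cipher DES-EDE3-CBC', remote='cipher BF-CBC'",
    "Thu Apr 14 15:14:05 2016 us=702866 89.180.149.129:58052 WARNING: 'keysize' is used inconsistently, local='keysize 192', remote='keysize 128'",
    "WWR",
]

if __name__ == "__main__":
    for hint in explain(triage(SAMPLE_LOG)):
        print(hint)
```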
-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post
by kelsini » Fri Apr 15, 2016 12:09 pm
I think I had already done that during the installation of OpenVPN on my Arch Linux...
Below is my server config:
It already has that push "redirect-gateway" line...
Code: Select all
port 1194
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/homeserver.crt
key /etc/openvpn/certs/homeserver.key
dh /etc/openvpn/certs/dh2048.pem
#tls-auth /etc/openvpn/certs/ta.key 0
server 192.168.88.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 1800 4000
cipher DES-EDE3-CBC # Triple-DES
comp-lzo yes
max-clients 2
user nobody
group nobody
persist-key
persist-tun
log /var/log/openvpn.log
#status /var/log/openvpn-status.log
verb 5
mute 20
#client-config-dir ccd
About iptables, the commands that I have used were:
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp4s0 -j MASQUERADE
Is there any missing line or command that I should add?
Thanks again
-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post
by kelsini » Mon Apr 18, 2016 9:36 am
I have already compared my configs with that "HOWTO: Routing all client traffic (including web-traffic) through the VPN" and made a few changes to try to get internet access, but every time I got no luck... to be honest I'm now at a dead end and cannot see what I should change to get past this issue.
Any tip would be very welcome...
Thanks
-
Traffic
- OpenVPN Protagonist
- Posts: 4071
- Joined: Sat Aug 09, 2014 11:24 am
Re: Unable to connect with Openvpn server (TLS Error)
Post
by Traffic » Mon Apr 18, 2016 11:42 am
This looks wrong:
Traffic wrote:iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp4s0 -j MASQUERADE
Try: iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp0s4 -j MASQUERADE
If that does not work try this:
Code: Select all
iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -j SNAT --to-source 12.34.56.78
replace 12.34.56.78 with the server public IP ..
-
kelsini
- OpenVPN User
- Posts: 23
- Joined: Mon Apr 11, 2016 10:11 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post
by kelsini » Mon Apr 18, 2016 1:12 pm
Traffic wrote:This looks wrong:
Traffic wrote:iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp4s0 -j MASQUERADE
Try: iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp0s4 -j MASQUERADE
If that does not work try this:
Code: Select all
iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -j SNAT --to-source 12.34.56.78
replace 12.34.56.78 with the server public IP ..
First of all thanks once more for your reply…
My wired network device is enp4s0... so I assume that the line that I had (iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp4s0 -j MASQUERADE) was OK...
I tried to insert the rule that you said:
iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -j SNAT --to-source ***.***.***.*** (my home IP)
but unfortunately, although the connection with the server is established after a couple of seconds... I still cannot access the internet through it...
TLS Error at working connection
Post by Yacudzer » Tue Apr 28, 2020 9:04 pm
Re: TLS Error at working connection
Post by TinCanTech » Tue Apr 28, 2020 9:27 pm
Re: TLS Error at working connection
Post by Yacudzer » Tue May 05, 2020 4:43 pm
example config for clients:
client
remote vpn.myvpnserveraddress.su 443
cipher aes-256-cbc
auth sha256
dev tun
proto udp
tls-client
key-direction 1
pull
-----BEGIN OpenVPN Static key V1-----
-- skipped --
-----END OpenVPN Static key V1-----
What other information needed?
Re: TLS Error at working connection
Post by TinCanTech » Tue May 05, 2020 6:11 pm
Re: TLS Error at working connection
Post by Yacudzer » Tue May 05, 2020 6:36 pm
Re: TLS Error at working connection
Post by Yacudzer » Thu May 07, 2020 11:03 am
Re: TLS Error at working connection
Post by TinCanTech » Thu May 07, 2020 12:07 pm
If you post complete logs they would probably show that the client times out due to some network error.
These are the sort of problems you can get with UDP.
Openvpn recovered from the error without compromising your security.
You can either live with it, which is what I do or you can use TCP.
There is not much else you can do, except find out what is wrong with your network
and that is not going to be easy.
Re: TLS Error at working connection
Post by Yacudzer » Thu May 07, 2020 1:19 pm
tls-crypt not working with OpenVPN Connect/Android?
Post by vpnhuman » Thu Jul 06, 2017 1:52 am
Hi all, posted this in the Android/OpenVPN Connect forum, no answers.
I've googled this and searched these forums, and wanted to confirm with others: it appears OpenVPN Connect on Android 1.1.17 does not connect when using the new "tls-auth" option. I've tried the exact same client configuration file on Windows, Linux, and the OpenVPN for Android app and they all connect correctly. So the issue seems to be OpenVPN Connect.
Can anyone else confirm?
The server error message (from two different android devices, one on android 6 and one on android 7, both using OpenVPN Connect) is:
tls-crypt unwrap error: packet too short
TLS Error: tls-crypt unwrapping failed from [AF_INET]x.x.x.x:34258
Running ovpn server on linux, startup message and configs below
OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 23 2017
library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Sat Jun 24 13:06:30 2017 TUN/TAP device tun0 opened
Sat Jun 24 13:06:30 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jun 24 13:06:30 2017 /sbin/ifconfig tun0 x.x.x.x pointopoint x.x.x.y mtu 1500
Sat Jun 24 13:06:30 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Jun 24 13:06:30 2017 UDPv4 link remote: [AF_UNSPEC]
Sat Jun 24 13:06:30 2017 GID set to nobody
Sat Jun 24 13:06:30 2017 UID set to nobody
Sat Jun 24 13:06:30 2017 Initialization Sequence Completed
server.conf
port 1194
proto udp4
dev tun0
server x.x.x.x 255.255.255.0
client-to-client
push "dhcp-option DNS y.y.y.y"
push "redirect-gateway"
keepalive 10 60
user nobody
group nobody
persist-key
persist-tun
auth SHA512
cipher AES-256-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ncp-disable
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
client.conf
remote x.x.x.y 1194
client
dev tun0
proto udp
cipher AES-256-GCM
auth SHA512
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
ca ca.crt
cert client.crt
key client.key
Re: tls-crypt not working with OpenVPN Connect/Android?
Post by TinCanTech » Thu Jul 06, 2017 12:46 pm
Openvpn-Connect-Android does not support --tls-crypt.
FAQ regarding OpenVPN Connect Android
Some common errors and solutions
The following are common error messages and information about them.
error parsing certificate : X509 — The date tag or value is invalid
This error message occurs with a faulty certificate. Refer to this detailed forum post for more info.
certificate verification failed : x509 — certificate verification failed, e.g. crl, ca or signature check failed
This error message occurs when a certificate can’t be verified properly. Certificate verification failure can occur, for example, if you are using an MD5-signed certificate. With an MD5-signed certificate, the security level is so low that the authenticity of the certificate can’t by any reasonable means be assured. In other words, it could very well be a fake certificate. The solution is to use a certificate not signed with MD5 but with SHA256 or better. Refer to the MD5 signature algorithm support section for more information.
digest_error: NONE: not usable
This error message occurs if you specify auth none and also tls-auth in your client profile. This happens because tls-auth needs an auth digest, but it isn’t specified. To resolve the error, remove the tls-auth directive. It’s not possible to enable it with auth none enabled.
SSL — Processing of the ServerKeyExchange handshake message failed
This error message likely occurs when using older versions of OpenVPN/OpenSSL on the server-side. Some users have solved this issue by updating their OpenVPN and OpenSSL software on the server-side.
BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
This error message relates to cipher suites. You can usually remedy this by going to the app settings in OpenVPN Connect and checking the box for AES-CBC Cipher Algorithm.
Other client error messages
MD5 signature algorithm support
We recommend not using MD5 as an algorithm for a signing certificate due to its possible insecurity. For example, time-standard home computer equipment takes about eight hours to falsify a certificate signed using MD5 as an algorithm. Using MD5 means it’s possible to fake the identity of the server. This opens up to a risk for a man-in-the-middle attack. Such an attack leads to the interception of data communication.
You should only support the use of MD5 for older equipment.
We pushed out a security and functionality upgrade of OpenVPN Connect for Android in November 2017 and discovered that many people’s devices still used MD5-signed certificates.
We recommend converting to a setup with SHA256-signed certificates for any installations that still use MD5-signed certificates. If the devices in use don’t support this option, we recommend updating the device to add the function or replacing the device completely.
For your reference, we have a list of deprecated options and ciphers here: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
Refer to these links for more information about MD5 signatures:
To determine if you are using an MD5 type certificate, use this command with openssl as your testing tool:
Example result if the certificate is using MD5:
If you see this result on the CA certificate or client certificate, we recommend converting to a proper, securely signed certificate set that uses at least SHA256 or better.
OpenVPN Access Server doesn’t use MD5-certificate signatures.
For open-source OpenVPN users or users with a third-party device that includes OpenVPN functionality using MD5-type certificates, you should investigate the option to update the software on your device or change the signature algorithm type, if possible.
The default settings of a program like EasyRSA 3, used by open-source OpenVPN for generating client certificates and keys, are pretty secure and will generate certificates that are not signed with MD5.
How to get started with OpenVPN Connect
To use OpenVPN Connect, you must have an OpenVPN profile that connects to a VPN server. OpenVPN profiles are files with the extension .ovpn.
To import a profile, do one of the following:
- If you have a .ovpn profile, copy the profile and any files it references to a folder or SD card on your device. Ensure you copy all files to the same folder. Launch OpenVPN Connect, tap the menu icon, tap Import Profile, and tap File. Select the .ovpn profile from the folder location.
- If you need to connect with OpenVPN Access Server, import the profile directly from Access Server: launch OpenVPN Connect, tap the menu icon, tap Import Profile, and enter the URL for the Access Server Client UI.
- If you need to connect with OpenVPN Cloud, import the profile directly from your private Cloud service: launch OpenVPN Connect, tap the menu icon, tap Import Profile, and enter your OpenVPN Cloud URL.
Is OpenVPN Connect for Android vulnerable to Heartbleed?
No—all versions of OpenVPN Connect for Android use the OpenSSL library, which is immune to Heartbleed.
Are CRLs (certificate revocation lists) supported?
Yes, OpenVPN Connect supports certificate revocation lists (CRLs) as of Android version 1.1.14.
To use a CRL, you must add it to the .ovpn profile:
You can concatenate multiple CRLs together within the crl-verify block above.
If you are importing a .ovpn file that references an external CRL file such as crl-verify crl.pem make sure to drop the file crl.pem into the same place as the .ovpn file during import so the profile parser can access it.
I am having trouble importing my .ovpn file.
The following pointers can help with importing .ovpn files:
1. All files must be in the same directory
When you import a .ovpn file, ensure that all files referenced by the .ovpn file, such as ca, cert, and key files, are in the same directory on the device as the .ovpn file.
2. Check formatting and size
Profiles must be UTF-8 (or ASCII) and under 256 KB in size.
3. Use the unified format for OpenVPN profiles
Consider using the unified format for OpenVPN profiles which allows all certs and keys to be embedded into the .ovpn file. This simplifies OpenVPN configuration management because it integrates all elements of the configuration into a single file.
For example, a traditional OpenVPN profile might specify certs and keys as follows:
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
You can convert this usage to unified form by pasting the content of the certificate and key files directly into the OpenVPN profile as follows, using an XML-like syntax:
<ca>
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIE. . . .
/NygscQs1bxBSZ0X3KRk.
Lq9iNBNgWg==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
. . .
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
. . .
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
. . .
</tls-auth>
Another approach to eliminate certificates and keys from the OpenVPN profile is to use the Android Keychain. For information about this, refer to the section on using the Android Keychain below.
Note: When converting tls-auth to unified format, check for a second parameter after the filename (usually a 0 or 1). This parameter is also known as the key-direction parameter and must be specified as a standalone directive when tls-auth is converted to a unified format. For example, if the parameter is 1, add this line to the profile: key-direction 1. If there is no second parameter to tls-auth, you must add this line to the profile: key-direction bidirectional.
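The conversion described in the pointers above, written out as an added Python example (not the FAQ's or OpenVPN's own code): it inlines the referenced files, emits the key-direction directive exactly as the tls-auth note requires, and runs the size, encoding and structure checks an import would hit. The sample profile, file names and PEM bodies are constructed placeholders.

```python
"""Convert a file-referencing OpenVPN profile to the unified (inline) format.

Added example; not code from the OpenVPN Connect FAQ or the OpenVPN project.
The sample profile and file contents below are constructed placeholders.
"""
import re

# Directives whose file argument the FAQ shows being embedded as an inline block.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "crl-verify")
MAX_PROFILE_BYTES = 256 * 1024  # the FAQ's import limit: under 256 KB


def to_unified(profile_text, files):
    """Return the profile with file references replaced by <directive> blocks.

    `files` maps a referenced filename to its contents (in practice, read from
    the same directory as the .ovpn file). A second tls-auth argument becomes
    a standalone key-direction directive; with no second argument the FAQ
    requires `key-direction bidirectional`. A referenced file that is missing
    raises KeyError, the same situation that makes the app's import fail.
    """
    out = []
    for raw in profile_text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in INLINE_DIRECTIVES:
            out.append(raw)          # comments, other directives, blank lines
            continue
        directive, filename, extra = parts[0], parts[1], parts[2:]
        if directive == "tls-auth":
            out.append("key-direction " + (extra[0] if extra else "bidirectional"))
        body = files[filename].strip()   # KeyError: file not next to the profile
        out.append(f"<{directive}>\n{body}\n</{directive}>")
    return "\n".join(out) + "\n"


def check_profile(profile_bytes):
    """Return the list of import problems the FAQ pointers describe (empty = OK)."""
    problems = []
    if len(profile_bytes) >= MAX_PROFILE_BYTES:
        problems.append("profile is not under 256 KB")
    try:
        text = profile_bytes.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["profile is not UTF-8/ASCII"]
    for d in INLINE_DIRECTIVES:
        if text.count(f"<{d}>") != text.count(f"</{d}>"):
            problems.append(f"unbalanced <{d}> block")
    if "<tls-auth>" in text and not re.search(r"^key-direction\s+\S+", text, re.M):
        problems.append("inline tls-auth without a key-direction directive")
    return problems


# Constructed sample input: a traditional profile and the files it references.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
"""
SAMPLE_FILES = {  # placeholder PEM bodies, not real certificates or keys
    "ca.crt": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nCLIENT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\nTA-PLACEHOLDER\n-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    unified = to_unified(SAMPLE_PROFILE, SAMPLE_FILES)
    print(unified)
    print("import problems:", check_profile(unified.encode("utf-8")) or "none")
```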
Where are the support forums for OpenVPN Connect?
Is IPv6 supported?
Yes. OpenVPN Connect supports IPv6 transport and IPv6 tunnels as long as the server supports them as well.
Why does OpenVPN Connect show two notification icons when connected?
The Android operating system requires two notification icons. They show that the VPN session is a high priority and shouldn’t be arbitrarily terminated by the system.
Can I disable the connection notification sound?
On some Android devices, a connection notification sound plays whenever a VPN tunnel is established and can’t be silenced by a non-root app.
How can I maximize battery life?
You can enable Battery Saver within OpenVPN Connect to pause the VPN when the phone screen goes blank:
- Launch OpenVPN Connect.
- Tap the menu icon.
- Tap Settings.
- Tap to enable Battery Saver.
Note: If you enable both the Battery Saver and Seamless Tunnel options, no app will be able to reach the internet while the VPN is active but the device screen is off. Enabling both can be useful for additional energy savings, as long as you don’t have any background apps that need constant internet access.
Can I control the VPN from outside the app?
Yes, you can control the VPN connection using shortcuts. You can quickly connect to a specific profile by adding a shortcut on your phone for OpenVPN Connect:
- Launch OpenVPN Connect.
- Tap the edit icon for the profile you want to make a shortcut.
- Tap Set Connect Shortcut.
- Enter a shortcut name, or keep the default suggestions and tap Create.
- Add the app shortcut to your home screen.
You can quickly disconnect from the VPN by adding a shortcut on your phone for OpenVPN Connect:
- Launch OpenVPN Connect.
- Tap the menu icon at the top left.
- Tap Settings.
- Tap Set Disconnect Shortcut.
- Add the app shortcut to your home screen.
How can I ensure that the VPN stays continuously connected?
In the Preferences menu, select the Reconnect on reboot option. Also, consider setting
You can enable reconnecting on reboot within OpenVPN Connect. If there’s an active VPN connection when the phone restarts, the app will reconnect on reboot.
- Launch OpenVPN Connect.
- Tap the menu icon.
- Tap Settings.
- Tap to enable Reconnect on Reboot.
Additionally, you can set the Connection Timeout under Settings to Continuously Retry.
Why does the VPN disconnect when I make or receive a voice call?
Some cellular networks are incapable of maintaining a data connection during a voice call. If Android detects this as a loss of network connectivity, the VPN pauses during the call and automatically resumes when the call ends.
Given that mobile devices are easily lost or stolen, how can VPN profiles best be secured against compromise if the device falls into the wrong hands?
The safest option is not to save your password and use the Android Keychain as a repository for your private key (see below).
You have the option to save the password by checking Save Password when you edit the profile. When you check this, OpenVPN Connect stores your password in the keychain.
Is it safe to save passwords?
If you check the Save checkbox on the authentication or private key password fields, the app stores your password in encrypted form; however, a determined attacker with physical possession of the device could still recover the password with some reverse engineering.
Currently, the best options for security are to avoid saving passwords, and to use the Android Keychain as a repository for your private key (see below).
The Android developers are in the process of implementing an API for secure storage of passwords that will leverage the hardware-backed keystore and master device password; however, this development is not complete as of Android 4.2. This approach will protect saved passwords even if the device is rooted. When this development is complete, we plan to support it in the app.
Why is the save password switch sometimes disabled?
The save password switch on the authentication password field is typically enabled, but you can disable it by adding the following OpenVPN directive to the profile:
Note: The above directive only applies to the authentication password. The private key password, if it exists, can always be saved.
How can I use OpenVPN Connect with profiles that lack a client certificate/key?
If you have a profile that connects to a server without a client certificate/key, you must include the following directive in your profile:
Including this directive is necessary to resolve an ambiguity when the profile doesn’t contain a client certificate or key. When there isn’t a client certificate or key in the profile, OpenVPN Connect doesn’t know whether to obtain an external certificate/key pair from the Android Keychain or whether the server requires a client certificate/key. For example, a server that doesn’t require a client certificate/key is configured with the client-cert-not-required directive. The option is given as a “setenv” to avoid breaking other OpenVPN clients that might not recognize it.
Why does the app not support TAP-style tunnels?
The Android VPN API currently supports only TUN-style or routed tunnels on Layer 3. TAP-style or bridged tunnels on Layer 2 are not possible on Android. This is a limitation of the Android platform. If you try to connect a profile that uses a TAP-based tunnel, you get an error that says only Layer 3 tunnels are currently supported.
If you want to see TAP-style tunnels supported in OpenVPN Connect, contact the Google Android team and ask them to extend the VpnService API to allow this. Without such changes to the VpnService API, non-root apps such as OpenVPN Connect can’t support TAP-style tunnels.
Are there any OpenVPN directives not supported by the app?
While OpenVPN Connect supports most OpenVPN client directives, we’ve made an effort to reduce bloat and improve maintainability by eliminating what we believe to be obsolete or rarely-used directives. Please email us at android@openvpn.net if you think that we should reconsider a specific directive that we’ve excluded.
Here is a partial list of directives not currently supported:
- dev tap — This directive is not supported because the underlying Android VPN API doesn’t support tap-style tunnels.
- fragment — The fragment directive is not supported due to the complexity it adds to the OpenVPN implementation. It’s better to leave fragmentation up to the lower-level transport protocols. Note as well that the client doesn’t support connecting to a server that uses the fragment directive.
- secret — Static key encryption mode (non-TLS) isn’t supported.
- socks-proxy — Socks proxy support is currently not supported.
- Not all ciphers are supported — OpenVPN Connect fully supports the AES-GCM and AES-CBC ciphers, and ChaCha20-Poly1305 as of Connect v3.3. The AES-GCM cipher algorithm in particular is well-suited for the modern processors generally used in Android devices, iOS devices, Macs and modern PCs. The deprecated DES and Blowfish ciphers are currently still supported but will be removed in the future.
- proxy directives — While proxy directives are currently supported (http-proxy and http-proxy-option), they are currently NOT supported in profiles.
Can I have multiple profiles?
Yes, you can import any number of profiles from the Import menu:
- Launch OpenVPN Connect.
- Tap the Add icon.
- Enter the URL and username credentials or import a .ovpn file.
- To connect to the profile, tap the profile’s radio button.
- Enter your password.
OpenVPN Connect assigns a name to the profile based on the server hostname, username and filename. If you import a profile with the same name as one that already exists, OpenVPN Connect adds (1), (2), etc. to the profile name.
How do I delete or rename a profile?
To delete a profile, tap the Edit icon next to the profile. From the Edit Profile screen, tap Delete Profile.
To rename a profile, tap the Edit icon next to the profile. From the Edit Profile screen, tap the Profile Name field and change it.
Can I have multiple proxies?
Yes, you can add any number of proxies from the main menu. Each profile can have one proxy assigned.
- Launch OpenVPN Connect.
- Tap the Menu icon in the top left.
- Tap Proxies.
- Tap the Add icon.
- Enter the connection information for the proxy and tap Save.
Once you’ve added a proxy, you can add it to your profile:
- Tap the Edit icon for the profile.
- Under Proxy, tap the radio button of the proxy to add.
- Tap Save.
The profile now displays both the OpenVPN Profile and the proxy name. When you connect, your connection to the VPN server authenticates using the proxy server.
How do I edit or delete a proxy?
To edit or delete a proxy:
- Launch OpenVPN Connect.
- Tap the Menu icon in the top left.
- Tap Proxies.
- Tap the Edit icon next to the proxy you wish to edit or delete.
- Edit the proxy details and tap Save or if you want to delete, tap Delete Proxy.
You can also edit or delete a proxy from within a profile:
- Launch OpenVPN Connect.
- Tap the Edit icon for a profile.
- Tap the Edit icon for the proxy.
- Edit the proxy details and tap Save or if you want to delete, tap Delete Proxy.
How do I use a client certificate and private key from the Android Keychain?
Using the Android Keychain to store your private key leverages the hardware-backed Keystore on many Android devices. This protects the key with the Android-level device password and prevents key compromise even if the device is rooted.
If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the Android Keychain using the Import menu or Android Settings.
If you don’t have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using this openssl command (where cert, key, and ca are your client certificate, client key, and root CA files).
After converting your certificate and key files into PKCS#12 form, import the client.p12 file into OpenVPN Connect using the Import / Import PKCS#12 menu option.
Once you’ve done this, remove the ca, cert, and key directives from your .ovpn file and re-import it. When you connect the first time, the app will ask you to select a certificate to use for the profile. Just select the MyClient certificate, and you should be able to connect normally.
When I try to import a PKCS#12 file, why am I being asked for a password?
When you generate a PKCS#12 file, you’re prompted for an “export password” to encrypt the file. You must enter this password when you import the PKCS#12 file into the Android Keychain. This prevents interception and recovery of the private key during transport.
Why doesn’t the PKCS#12 file in my OpenVPN configuration file work the same as on desktop systems?
Android uses PKCS#12 files differently than on desktops using OpenVPN. Android manages PKCS#12 in the Android Keychain. In contrast, desktops can reference the PKCS#12 files bundled in the OpenVPN profile. The Android approach is much better from a security perspective because the Keychain can leverage hardware features in the device, such as hardware-backed keystores. However, it requires that you load the PKCS#12 file into the Android Keychain separate from importing the OpenVPN profile. It also moves the responsibility for managing PKCS#12 files to the Android Keychain and away from OpenVPN, potentially introducing compatibility issues.
To use a PKCS#12 file on Android, see the FAQ item above: How do I use a client certificate and private key from the Android Keychain?
How do I set up my profile for server failover?
You can give OpenVPN a list of servers to connect to. On connection failure, OpenVPN rotates through the list until it finds a responsive server. For example, the following entries in the profile will first try to connect to server A via UDP port 1194, then TCP port 443, then repeat the process with server B. OpenVPN will continue to retry until it successfully connects or hits the Connection Timeout, which you can configure in Settings.
I am configuring OpenVPN 2.3.6-1 on my Arch Linux server in order to encrypt SMB traffic over the public Internet. When I test the setup on one of my Linux virtual machine clients, I get the error: TLS Error: TLS handshake failed.
I quickly read (OpenVPN on OpenVZ TLS Error: TLS handshake failed (google suggested solutions not helping)) and tried to switch from the default UDP to TCP, but that only caused the client to repeatedly report that the connection timed out. I also tried disabling the cipher and TLS authentication, but that caused the server to fail with Assertion failed at crypto_openssl.c:523. In both instances, the required changes were made to both the client and server configurations.
I have been following the instructions at (https://wiki.archlinux.org/index.php/OpenVPN) to set up OpenVPN and the instructions at (https://wiki.archlinux.org/index.php/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts) to create the keys and certificates. The only deviations I have made from these instructions have been specifying my own computers’ names and their corresponding key/certificate file names.
See also my original question about securing SMB traffic over the Internet: (Simple encryption for Samba shares)
Can anybody explain how I can solve this issue?
Details:
Server: Arch Linux (up to date) connected directly to gateway via ethernet cable. No iptables.
Client: Arch Linux (up to date) virtual machine on VirtualBox 4.3.28r100309 Windows 8.1 host, bridged network adapter. No iptables. Windows Firewall disabled.
Gateway: Port forwarding for port 1194 enabled, no firewall restrictions.
Here are the configuration files on the server and client, respectively. I created these according to the instructions on the Arch Wiki.
/etc/openvpn/server.conf
(Non-comment lines only):
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server-name.crt
key /etc/openvpn/server-name.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
/etc/openvpn/client.conf
(Non-comment lines only):
client
dev tun
proto udp
remote [my public IP here] 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client-name.crt
key /etc/openvpn/client-name.key
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3
Here are the outputs of running openvpn on the machines with the above configurations. I started the server first, then the client.
The output of openvpn /etc/openvpn/server.conf
on the server:
Thu Jul 30 17:02:53 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 2 2014
Thu Jul 30 17:02:53 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Jul 30 17:02:53 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Jul 30 17:02:53 2015 Diffie-Hellman initialized with 2048 bit key
Thu Jul 30 17:02:53 2015 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Jul 30 17:02:53 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 17:02:53 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 17:02:53 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jul 30 17:02:53 2015 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp5s0 HWADDR=##:##:##:##:##:##
Thu Jul 30 17:02:53 2015 TUN/TAP device tun0 opened
Thu Jul 30 17:02:53 2015 TUN/TAP TX queue length set to 100
Thu Jul 30 17:02:53 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jul 30 17:02:53 2015 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Jul 30 17:02:53 2015 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Jul 30 17:02:53 2015 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Jul 30 17:02:53 2015 GID set to nobody
Thu Jul 30 17:02:53 2015 UID set to nobody
Thu Jul 30 17:02:53 2015 UDPv4 link local (bound): [undef]
Thu Jul 30 17:02:53 2015 UDPv4 link remote: [undef]
Thu Jul 30 17:02:53 2015 MULTI: multi_init called, r=256 v=256
Thu Jul 30 17:02:53 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Jul 30 17:02:53 2015 IFCONFIG POOL LIST
Thu Jul 30 17:02:53 2015 Initialization Sequence Completed
The output of openvpn /etc/openvpn/client.conf
on the client:
Thu Jul 30 21:03:02 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 2 2014
Thu Jul 30 21:03:02 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Jul 30 21:03:02 2015 WARNING: file '/etc/openvpn/client-name.key' is group or others accessible
Thu Jul 30 21:03:02 2015 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Thu Jul 30 21:03:02 2015 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Jul 30 21:03:02 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 21:03:02 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 21:03:02 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jul 30 21:03:02 2015 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jul 30 21:03:02 2015 UDPv4 link local: [undef]
Thu Jul 30 21:03:02 2015 UDPv4 link remote: [AF_INET][my public IP here]:1194
Thu Jul 30 21:04:02 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul 30 21:04:02 2015 TLS Error: TLS handshake failed
Thu Jul 30 21:04:02 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 30 21:04:02 2015 Restart pause, 2 second(s)
If you are seeing the “OpenVPN TLS handshake failed” error on your computer while setting up OpenVPN, you are in the right place. Here we discuss this problem in detail and provide some recommended methods/procedures to fix it. Let’s first have a look at the error message and then start the discussion.
“Sun May 13 19:39:51 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 13 19:39:51 2018 TLS Error: TLS handshake failed”
About OpenVPN
“OpenVPN” is open-source commercial software that implements virtual private network techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It is available free of charge. With digital privacy and online security continuing to be major concerns, more people are interested in “VPNs (Virtual Private Networks)” than ever before.
Pros:
- Free, open-source VPN
- Boosted privacy and secure browsing
- Supported by developer community
Cons:
- Can lead to poor speeds when in use
- Too technical and complex for first-time users
- Can be blocked by business proxies
However, it is important to remember that “OpenVPN” is not a VPN provider, and it doesn’t add a piece of software to your desktop or a simple plug-in to your browser that you click once to connect. “OpenVPN” is an encryption protocol that your VPN can use, which means you will need to know exactly how to configure it for your specific server.
What is “OpenVPN TLS handshake failed” Error?
It is a common TLS error that appears while trying to connect to OpenVPN. This error message usually appears on Android, iOS, Windows, Mac and Linux based devices. The word “handshake” refers to a negotiation between two ends, much like two people meeting for some purpose shake hands first and then go ahead with anything else. In this case, “handshake” refers to the negotiation between two servers.
On the other hand, “TLS (Transport Layer Security)” is used every time you access a website or application over HTTPS, or access email, messages and VoIP (Voice over Internet Protocol). Put simply, HTTPS is an implementation of TLS encryption.
Now to the matter at hand: the “OpenVPN TLS handshake failed” error is one of the most common problems in setting up OpenVPN and occurs for several reasons. Some users reported that this error usually appears on Windows/Mac/iOS/Linux/Android based devices when Windows Firewall is blocking access for “openvpn.exe”.
“TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)”
Reasons behind OpenVPN TLS handshake failed issues
- Incorrect Client Configuration: The “OpenVPN” client config does not have the correct server address in its config file. The remote directive in the client config must point to either the server itself or the public IP address of the server network’s gateway.
- OpenVPN packets: A perimeter firewall on the server’s network is filtering out incoming OpenVPN packets. By default, OpenVPN uses UDP or TCP port 1194.
- NAT/PAT: A NAT gateway on the server’s network does not have a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server machine.
- Firewall/routing blocking port: Windows Firewall is blocking access for the “openvpn.exe” binary.
- OSes block incoming connections: A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes will block incoming connections by default unless configured otherwise.
[Tips & Tricks] How to Fix OpenVPN TLS handshake failed error on Windows 10?
Procedure 1: Change “TLS” protocol in Windows
Windows 10 and earlier versions of Windows centralize the protocol settings in the System. To fix “OpenVPN TLS handshake failed” Error, you can change TLS version via the steps below:
Step 1: Press the “Windows + R” keys on the keyboard to open the “Run” dialog box
Step 2: In the “Run” dialog box, type “inetcpl.cpl” and click “OK”
Step 3: In the “Internet Properties” window, click the “Advanced” tab
Step 4: Find the “Security” section; here you can add or remove TLS versions
Step 5: If the website requires TLS 1.2 and it is not checked, check it. Similarly, if someone is experimenting with TLS 1.3, check it
Step 6: Finally, click “Apply” and “OK” to save the changes. Once done, try opening the same website again
Procedure 2: Change TLS protocol in Firefox
Step 1: Open “Firefox” browser and type “about:config” in address bar and then hit “Enter” key
Step 2: Now, type “TLS” in search box and locate “security.tls.version.min”
Step 3: You can change it: 1 and 2 force TLS 1.0 and 1.1, 3 forces TLS 1.2, and 4 forces a maximum protocol of TLS 1.3
Procedure 3: Delete Browser profile or certificate database
Every browser maintains a database for certificates. For example, every Firefox profile has a cert8.db file. If deleting that file and restarting fixes it, then the problem is related to the local certificate database.
On Windows 10 or other Windows based devices, when you are using Internet Explorer or Edge, the Certificate Manager is responsible; alternatively, go to edge://settings/privacy and click “Manage HTTPS/SSL certificates and settings”. Delete the certificates and try again.
Procedure 4: Reset web browser
To reset Google Chrome settings, follow the steps below:
Step 1: Open Google Chrome browser and type “Chrome://Settings” in address bar and then hit “Enter” key
Step 2: Scroll to the end and click “Advanced settings”
Step 3: You will see the “Reset Browser Settings” button
Step 4: When you use this option, it will reset your profile to the post-fresh-install state
Step 5: This process will reset search engine, homepage, new tab page and pinned tabs to default. Extensions, add-ons and themes will be disabled and Content Settings will be reset. Cookies, Cache and Site data will be deleted.
Step 6: Once done, restart your browser and please check if “OpenVPN TLS handshake failed” Error is resolved.
To reset Microsoft Edge Chromium browser, follow the steps below:
Step 1: Open Microsoft Edge browser
Step 2: Click on Open Settings
Step 3: Navigate to “Reset Settings”
Step 4: Click “Restore settings to their default values”.
Step 5: This process resets your startup page, new tab page, search engine and pinned tabs, disables all extensions and clears temporary data like cookies; favourites, history and saved passwords will not be cleared.
Step 6: Once done, restart your browser and please check if the error is resolved.
To reset Firefox settings, follow the steps below:
Step 1: Open “Firefox browser”
Step 2: Go to “Settings > Help > Troubleshooting information”
Step 3: Click on “Reset Firefox” button.
Step 4: This process resets the search engine and homepage to default. Your extensions, sync settings, open tabs, tab groups, themes and toolbars will be removed. However, your passwords, form data, browsing history, favourites or bookmarks, cookies and plug-ins will not be removed; they will instead be moved to a new profile.
Procedure 5: Ensuring the correct System time
Step 1: Press “Windows + I” keys together from keyboard to open “Settings App”
Step 2: In the “Settings App”, select “Time & Language”
Step 3: Go to the right pane, then toggle the switch under “Set Time Automatically” to “ON”
Step 4: After that, restart your computer and try visiting the website again to see if TLS handshake error is gone.
Conclusion
I am sure this article helped you to “Fix OpenVPN TLS handshake failed on Windows 10” with several easy methods/procedures. You can follow any one or all of the procedures to fix this issue.
If you are unable to fix the OpenVPN TLS handshake failed problem with the solutions mentioned above, then it is possible that your system is infected with malware or viruses. According to security researchers, malware or viruses cause several kinds of damage to your computer.
In this case, you can scan your computer with antivirus software that is able to delete all types of malware or viruses from the system.
Wondering how to resolve TLS key negotiation failed error in OpenVPN? We can help you.
As part of our Server Management Services, we assist our customers with several OpenVPN queries.
Today, let us see how our Support techs resolve this error.
How to resolve TLS key negotiation failed error in OpenVPN?
First and foremost, to diagnose problems with an OpenVPN server or client, it is helpful to look at the log files.
Locating the server log files
The log files are located in specific areas on your computer systems.
Log files are the place to check whenever you’re having any problems making a connection with an OpenVPN client program to the OpenVPN Access Server.
On the OpenVPN Access Server there is the server side log:
/var/log/openvpnas.log
/var/log/openvpnas.node.log (in case of a failover setup)
In the event that you are having problems with starting the Access Server or certain portions of it, for example the web services, then it may be useful to stop the Access Server service.
Then, move the log file aside, then start the Access Server service, and stop it again immediately.
This creates a new clean log file that contains the startup and shutdown sequence of the Access Server and no other extraneous information.
This makes analysis of the log file much easier.
To do so use these commands in order:
service openvpnas stop
mv /var/log/openvpnas.log /var/log/openvpnas.log.old
service openvpnas start
service openvpnas stop
You can then grab the /var/log/openvpnas.log file for analysis and start the Access Server again:
service openvpnas start
Locating the client log files
Log file location for the OpenVPN Connect Client for Windows:
C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\log\openvpn_(unique_name).log
The OpenVPN Connect Client for Mac:
/Library/Application Support/OpenVPN/log/openvpn_(unique_name).log
To get to the /Library folder, open Finder and in the menu at the top choose Go followed by Go to folder and then enter the path /Library to get into that directory.
You can then go to the correct folder and look up the log file.
Please also note that the OpenVPN Connect Client for Macintosh will have permissions set on the log file so that you cannot normally open it.
To bypass this, right click the log file and choose the Get info option in the menu.
Then at the bottom, under Sharing & Permissions, you will be able to use the yellow padlock icon to unlock the settings and to give everyone read access.
Then, you will be able to open the log file with a right click and selecting Open with and then choosing something like Text editor to view the contents of the log file.
TLS key negotiation failed error
Typical error will look as shown below:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
This particular error can have multiple different causes as it is a fairly generic error message.
A possible explanation is that the client program is old and supports only TLS 1.0, but the server is expecting TLS level 1.1 or higher.
To see if this is the case log on to the server and check the server side log file.
When you see messages like the following on the server side, the chances are high that your client program is an older version, like version 2.2 or older, and that it doesn’t know how to handle a modern TLS minimum level requirement:
OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting
The solution to this particular problem is to upgrade the client software to the latest version.
Another possible explanation is that the settings regarding TLS minimum requirement level have been altered but the OpenVPN client is using an older copy of the connection profile which has incorrect instructions.
The settings on the client and the server must match for the connection to be successful.
In this situation installing a new copy of the configuration profile will solve the issue.
A complete uninstall, redownload, and reinstall of the OpenVPN Connect Client should take care of that for you.
And yet another possible explanation is that a firewall, or the Internet service provider, is blocking or interfering with the TLS handshake in some way.
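As an added illustration (not code from the article, the OpenVPN project, or OpenVPN Connect), the following Python snippet scans server-side log text for the signature quoted above and separates the old-client TLS version case from a generic handshake failure. The lines in SAMPLE_SERVER_LOG are constructed to mirror the quoted messages, with a made-up timestamp and the documentation-only client address 192.0.2.10; the helper `needs_upgrade` compares a server's minimum TLS version (the real `tls-version-min` directive, which I take to be the "TLS minimum requirement level" the article refers to) with the highest version a client can speak.

```python
import re

# Constructed sample of OpenVPN *server-side* log lines. It mirrors the
# messages quoted above; the timestamp and the client address 192.0.2.10
# (a documentation-only address) are made up for this example.
SAMPLE_SERVER_LOG = """\
Tue Apr 12 14:01:59 2016 192.0.2.10:54954 OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Tue Apr 12 14:01:59 2016 192.0.2.10:54954 TLS_ERROR: BIO read tls_read_plaintext error
Tue Apr 12 14:01:59 2016 192.0.2.10:54954 TLS Error: TLS object -> incoming plaintext read error
Tue Apr 12 14:01:59 2016 192.0.2.10:54954 TLS Error: TLS handshake failed
Tue Apr 12 14:01:59 2016 192.0.2.10:54954 SIGUSR1[soft,tls-error] received, client-instance restarting
"""

# "unknown protocol" from the ClientHello parser is the tell-tale of a peer
# speaking a TLS version (or something else entirely) the server will not accept.
VERSION_MISMATCH = re.compile(r"SSL23_GET_CLIENT_HELLO:unknown protocol")
HANDSHAKE_FAILED = re.compile(r"TLS Error: TLS handshake failed")
# OpenVPN prefixes per-client log lines with "ip:port"; that is our key.
PEER = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+)")


def classify_server_log(text):
    """Map each failing client endpoint to a verdict.

    'tls-version-mismatch' wins over the generic 'handshake-failed' for the
    same peer, because the OpenSSL line is the more specific evidence.
    """
    verdicts = {}
    for line in text.splitlines():
        m = PEER.search(line)
        peer = m.group(1) if m else "unknown"
        if VERSION_MISMATCH.search(line):
            verdicts[peer] = "tls-version-mismatch"
        elif HANDSHAKE_FAILED.search(line):
            verdicts.setdefault(peer, "handshake-failed")
    return verdicts


def _ver(v):
    """'1.2' -> (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def needs_upgrade(server_min, client_max):
    """True when a client whose newest TLS is client_max cannot satisfy the
    server's tls-version-min of server_min (e.g. a 2.2-era client capped at
    TLS 1.0 against a server requiring 1.2): the only fix is a newer client."""
    return _ver(client_max) < _ver(server_min)


if __name__ == "__main__":
    for peer, verdict in classify_server_log(SAMPLE_SERVER_LOG).items():
        print(peer, verdict)
    print("1.0-only client vs tls-version-min 1.2 ->", needs_upgrade("1.2", "1.0"))
```

Run it against a real server log (verb 3 or higher) and a peer flagged `tls-version-mismatch` is the one to chase with a client upgrade or a fresh profile; a peer flagged only `handshake-failed` still needs the other causes below ruled out.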
Conclusion
In short, today we saw the steps our Support Techs follow to resolve the TLS key negotiation failed error in OpenVPN.
Another cause of the error when connecting to an OpenVPN server
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). TLS Error: TLS handshake failed
Strangely enough, the cause is not related to the configs of the OpenVPN server or clients themselves; it lies in the network, exactly as the log says.
Sniffing the traffic showed that during the handshake the server's replies never make it back to the client:
14:01:59.465502 IP ServerIP.openvpn > ClientIP.54954: UDP, length 42
14:02:00.272635 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42
14:02:00.272889 IP ServerIP.openvpn > ClientIP.54961: UDP, length 54
14:02:03.568343 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42
14:02:03.568536 IP ServerIP.openvpn > ClientIP.54961: UDP, length 50
14:02:03.612846 IP ClientIP > ServerIP: ICMP host ClientIP unreachable - admin prohibited filter, length 36
In verbose mode the picture looks like this:
14:08:14.154062 IP (tos 0x0, ttl 64, id 21182, offset 0, flags [DF], proto UDP (17), length 70)
    ServerIP.openvpn > ClientIP.57304: [bad udp cksum 0xd2f6 -> 0xb107!] UDP, length 42
14:08:20.193700 IP (tos 0x0, ttl 122, id 29713, offset 0, flags [none], proto UDP (17), length 70)
    ClientIP.62614 > ServerIP.openvpn: [udp sum ok] UDP, length 42
14:08:20.194123 IP (tos 0x0, ttl 64, id 21620, offset 0, flags [DF], proto UDP (17), length 82)
    ServerIP.openvpn > ClientIP.62614: [bad udp cksum 0xd302 -> 0x6091!] UDP, length 54
14:08:20.238329 IP (tos 0x0, ttl 250, id 27288, offset 0, flags [none], proto ICMP (1), length 56)
    ClientIP > ServerIP: ICMP host ClientIP unreachable - admin prohibited filter, length 36
    IP (tos 0x0, ttl 58, id 21620, offset 0, flags [DF], proto UDP (17), length 82)
    ServerIP.openvpn > ClientIP.62614: UDP, length 54
14:08:21.400665 IP (tos 0x0, ttl 122, id 29742, offset 0, flags [none], proto UDP (17), length 70)
    ClientIP.62614 > ServerIP.openvpn: [udp sum ok] UDP, length 42
14:08:21.400811 IP (tos 0x0, ttl 64, id 21703, offset 0, flags [DF], proto UDP (17), length 78)
    ServerIP.openvpn > ClientIP.62614: [bad udp cksum 0xd2fe -> 0x80f0!] UDP, length 50
The cause turned out to be that the Cisco router on the client side blocked forwarding of incoming UDP connections. Outgoing ones worked, which is why the connection and the exchange up to the handshake did take place.
As soon as UDP traffic was allowed through, the connection to the OpenVPN server came up.
If there is no way to open UDP traffic, it is worth switching to a TCP connection.
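The capture analysis described above, written out as a small Python script. This is an added example, not code from the post or from OpenVPN; it parses tcpdump's default (non -v) output, counts UDP packets in each direction plus any "admin prohibited filter" ICMP replies, and turns the counts into the verdict the author reached by eye. SAMPLE_CAPTURE is a constructed copy of the first capture shown above, with the ServerIP and ClientIP placeholders kept as they appear there; the verdict strings are my own wording.

```python
import re
from collections import Counter

# Constructed tcpdump excerpt in the default (non -v) output format. It copies
# the shape of the first capture shown above, keeping the ServerIP / ClientIP
# placeholders used there.
SAMPLE_CAPTURE = """\
14:01:59.465502 IP ServerIP.openvpn > ClientIP.54954: UDP, length 42
14:02:00.272635 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42
14:02:00.272889 IP ServerIP.openvpn > ClientIP.54961: UDP, length 54
14:02:03.568343 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42
14:02:03.568536 IP ServerIP.openvpn > ClientIP.54961: UDP, length 50
14:02:03.612846 IP ClientIP > ServerIP: ICMP host ClientIP unreachable - admin prohibited filter, length 36
"""

UDP_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): UDP, length \d+$")
# The ICMP may be sent by the filtering router rather than by the client
# address itself, so match on the message text and not on who sent it.
ADMIN_PROHIBITED_RE = re.compile(r": ICMP host \S+ unreachable - admin prohibited filter")


def host_of(endpoint):
    """'ServerIP.openvpn' or '192.0.2.1.1194' -> host part (port follows the last dot)."""
    host, _, _ = endpoint.rpartition(".")
    return host


def analyse_capture(text, server="ServerIP"):
    """Count the three things that decide the handshake's fate:
    UDP client->server, UDP server->client, and ICMP admin-prohibited replies."""
    stats = Counter()
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            key = "server_to_client" if host_of(m["src"]) == server else "client_to_server"
            stats[key] += 1
        elif ADMIN_PROHIBITED_RE.search(line):
            stats["admin_prohibited"] += 1
    return stats


def diagnose(stats):
    """Turn the counts into the verdict a network engineer would reach."""
    if stats["admin_prohibited"] and stats["client_to_server"] and stats["server_to_client"]:
        return "client-side filter rejects inbound UDP: open UDP or switch to proto tcp"
    if stats["client_to_server"] and not stats["server_to_client"]:
        return "server never answers: check the server's listener and its own firewall"
    if not stats["client_to_server"]:
        return "no client packets seen: check remote host/port in the client profile"
    return "no filtering evidence in this capture"


if __name__ == "__main__":
    stats = analyse_capture(SAMPLE_CAPTURE)
    print(dict(stats))
    print(diagnose(stats))
```

Two notes on reading such captures: pass the server's own hostname or address as the `server` argument when the capture was taken with name resolution off (tcpdump -n), and do not be distracted by the "bad udp cksum" marks on the server's outgoing packets in the verbose capture above; tcpdump sees those packets before the NIC fills in the checksum (checksum offloading), so they say nothing about the failure.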