Openvpn android tls error

OpenVPN Support Forum

Community Support Forum

TLS Error at working connection

TLS Error at working connection

Post by Yacudzer » Tue Apr 28, 2020 9:04 pm

Re: TLS Error at working connection

Post by TinCanTech » Tue Apr 28, 2020 9:27 pm

Re: TLS Error at working connection

Post by Yacudzer » Tue May 05, 2020 4:43 pm

example config for clients:

client
remote vpn.myvpnserveraddress.su 443
cipher aes-256-cbc
auth sha256
dev tun
proto udp
tls-client
key-direction 1
pull

——BEGIN OpenVPN Static key V1——
— skipped —
——END OpenVPN Static key V1——

What other information needed?

Re: TLS Error at working connection

Post by TinCanTech » Tue May 05, 2020 6:11 pm

Re: TLS Error at working connection

Post by Yacudzer » Tue May 05, 2020 6:36 pm

Re: TLS Error at working connection

Post by Yacudzer » Thu May 07, 2020 11:03 am

Re: TLS Error at working connection

Post by TinCanTech » Thu May 07, 2020 12:07 pm

If you post complete logs they would probably show that the client times out due to some network error.

These are the sort of problems you can get with UDP.

Openvpn recovered from the error without compromising your security.

You can either live with it, which is what I do or you can use TCP.

There is not much else you can do, except find out what is wrong with your network
and that is not going to be easy.

Re: TLS Error at working connection

Post by Yacudzer » Thu May 07, 2020 1:19 pm

Источник

OpenVPN Support Forum

Community Support Forum

Unable to connect with Openvpn server (TLS Error)

Unable to connect with Openvpn server (TLS Error)

Post by kelsini » Tue Apr 12, 2016 12:17 pm

Hello members, i have recently installed a openvpn server on my ARCH 4.4.5-1 i686 GNU/Linux home machine.

Aparently the server is running OK as the output show:

My server config:

When i try to connect my server with my android phone (with openvpn for android app installed) with the respective imported keys and cert (ca.crt; kelsinni.crt; kelsinni.key) i got always the same TLS error:

I have double checked all the configs but still got this same error all the times. can anyone please give me a tip about the source of this problem?
Thanks in advance for all the help given.

Re: Unable to connect with Openvpn server (TLS Error)

Post by Traffic » Tue Apr 12, 2016 2:50 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by kelsini » Tue Apr 12, 2016 6:47 pm

.
client-to-client
keepalive 1800 4000

cipher DES-EDE3-CBC # Triple-DES
comp-lzo yes

user nobody
group nobody
.

Re: Unable to connect with Openvpn server (TLS Error)

Post by Traffic » Tue Apr 12, 2016 7:23 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by kelsini » Tue Apr 12, 2016 9:34 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by Traffic » Tue Apr 12, 2016 10:15 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by kelsini » Tue Apr 12, 2016 11:11 pm

I have notice that ‘de.blinkt.openvpn’ wasnt for sure correct but. i went on the smartphone openvpn for android app and change the «search domain» on «DNS AND IP» tab form ‘de.blinkt.openvpn’ to my DNS.

The most strange is that after this change the log still give me that ‘de.blinkt.openvpn’ DNS. and the same TLS error.

Re: Unable to connect with Openvpn server (TLS Error)

Post by Traffic » Tue Apr 12, 2016 11:25 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by kelsini » Wed Apr 13, 2016 9:24 pm

cd /var/log/
dir
btmp faillog journal lastlog old openvpn.log pacman.log wtmp

I think you are asking openvpn.log. here it is:

Re: Unable to connect with Openvpn server (TLS Error)

Post by Traffic » Wed Apr 13, 2016 9:30 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by kelsini » Wed Apr 13, 2016 9:54 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by Traffic » Wed Apr 13, 2016 10:53 pm

This most probably means that you have corrupted your tls-auth ta.key while importing it to you phone .. or possibly imported the wrong file. Try again. make sure the file is exactly the same.

FYI: you do not have to call the file ta.key .. you can rename it to anything more memorable.

Re: Unable to connect with Openvpn server (TLS Error)

Post by kelsini » Thu Apr 14, 2016 10:40 am

This most probably means that you have corrupted your tls-auth ta.key while importing it to you phone .. or possibly imported the wrong file. Try again. make sure the file is exactly the same.

FYI: you do not have to call the file ta.key .. you can rename it to anything more memorable.

I have 2 folders where keys and certs are.

in /root/easy-rsa/keys/
01.pem dh2048.pem index.txt ipp.txt serial
02.pem homeserver.crt index.txt.attr kelsinni.crt serial.old
ca.crt homeserver.csr index.txt.attr.old kelsinni.csr ta.key
ca.key homeserver.key index.txt.old kelsinni.key

and in /etc/openvpn/certs/
ca.crt dh2048.pem homeserver.key
ca.key homeserver.crt ta.key

The keys that i copied to my android were the client certificate (kelsinni.crt), client certificate key (kelsinni.key) and the CA certificate (ca.crt) all locate on /root/easy-rsa/keys/

The app openvpn for android only asks these 3 files CA certificate, Client certificate and Client certificate key. nothing about ta.key:

Im going to copy again the files to the android.

Источник

OpenVPN Support Forum

Community Support Forum

tls-crypt not working with OpenVPN Connect/Android?

tls-crypt not working with OpenVPN Connect/Android?

Post by vpnhuman » Thu Jul 06, 2017 1:52 am

Hi all, posted this in the Android/OpenVPN Connect form, no answers.

I’ve googled this and searched these fourms, and wanted to confirm with others: it appears OpenVPN Connect on Android 1.1.17 does not connect when using the new «tls-auth» option. I’ve tried the exact same client configuration file on windows, linux, and the OpenVPN for Android app and they all connect correctly. So the issue seems to be OpenVPN Connect.

Can anyone else confirm?

The server error message (from two different android devices, one on android 6 and one on android 7, both using OpenVPN Connect) is:
tls-crypt unwrap error: packet too short
TLS Error: tls-crypt unwrapping failed from [AF_INET]x.x.x.x:34258

Running ovpn server on linux, startup message and configs below
OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 23 2017
library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Sat Jun 24 13:06:30 2017 TUN/TAP device tun0 opened
Sat Jun 24 13:06:30 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jun 24 13:06:30 2017 /sbin/ifconfig tun0 x.x.x.x pointopoint x.x.x.y mtu 1500
Sat Jun 24 13:06:30 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Jun 24 13:06:30 2017 UDPv4 link remote: [AF_UNSPEC]
Sat Jun 24 13:06:30 2017 GID set to nobody
Sat Jun 24 13:06:30 2017 UID set to nobody
Sat Jun 24 13:06:30 2017 Initialization Sequence Completed

server.conf
[oconf=]
port 1194
proto udp4
dev tun0

server x.x.x.x 255.255.255.0
client-to-client

push «dhcp-option DNS y.y.y.y»
push «redirect-gateway»

keepalive 10 60

user nobody
group nobody
persist-key
persist-tun
auth SHA512

cipher AES-256-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ncp-disable

——BEGIN OpenVPN Static key V1——

——END OpenVPN Static key V1——

ca ca.crt
cert server.crt
key server.key
dh dh4096.pem

client.conf
[oconf=]
remote x.x.x.y 1194
client

dev tun0
proto udp

cipher AES-256-GCM
auth SHA512

——BEGIN OpenVPN Static key V1——

——END OpenVPN Static key V1——

ca ca.crt
cert client.crt
key client.key
[/oconf]

Re: tls-crypt not working with OpenVPN Connect/Android?

Post by TinCanTech » Thu Jul 06, 2017 12:46 pm

Openvpn-Connect-Android does not support —tls-crypt.

Источник

FAQ regarding OpenVPN Connect Android

Some common errors and solutions

The following are common error messages and information about them.

error parsing certificate : X509 — The date tag or value is invalid

This error message occurs with a faulty certificate. Refer to this detailed forum post for more info.

certificate verification failed : x509 — certificate verification failed, e.g. crl, ca or signature check failed

This error message occurs when a certificate can’t be verified properly. Certificate verification failure can occur, for example, if you are using an MD5-signed certificate. With an MD5-signed certificate, the security level is so low that the authenticity of the certificate can’t by any reasonable means be assured. In other words, it could very well be a fake certificate. The solution is to use a certificate not signed with MD5 but with SHA256 or better. Refer to the MD5 signature algorithm support section for more information.

digest_error: NONE: not usable

This error message occurs if you specify auth none and also tls-auth in your client profile. This happens because tls-auth needs an auth digest, but it isn’t specified. To resolve the error, remove the tls-auth directive. It’s not possible to enable it with auth none enabled.

SSL — Processing of the ServerKeyExchange handshake message failed

This error message likely occurs when using older versions of OpenVPN/OpenSSL on the server-side. Some users have solved this issue by updating their OpenVPN and OpenSSL software on the server-side.

BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This error message relates to cipher suites. You can usually remedy this by going to the app settings in OpenVPN Connect and checking the box for AES-CBC Cipher Algorithm.

Other client error messages

MD5 signature algorithm support

We recommend not using MD5 as an algorithm for a signing certificate due to its possible insecurity. For example, time-standard home computer equipment takes about eight hours to falsify a certificate signed using MD5 as an algorithm. Using MD5 means it’s possible to fake the identity of the server. This opens up to a risk for a man-in-the-middle attack. Such an attack leads to the interception of data communication.

You should only support the use of MD5 for older equipment.

We pushed out a security and functionality upgrade of OpenVPN Connect for Android in November 2017 and discovered that many people’s devices still used MD5-signed certificates.

We recommend converting to a setup with SHA256-signed certificates for any installations that still use MD5-signed certificates. If the devices in use don’t support this option, we recommend updating the device to add the function or replacing the device completely.

For your reference, we have a list of deprecated options and ciphers here: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Refer to these links for more information about MD5 signatures:

To determine if you are using an MD5 type certificate, use this command with openssl as your testing tool:

Example result if the certificate is using MD5:

If you see this result on the CA certificate or client certificate, we recommend converting to a proper, securely signed certificate set that uses at least SHA256 or better.

OpenVPN Access Server doesn’t use MD5-certificate signatures.

For open-source OpenVPN users or users with a third-party device that includes OpenVPN functionality using MD5-type certificates, you should investigate the option to update the software on your device or change the signature algorithm type, if possible.

The default settings of a program like EasyRSA 3, used by open-source OpenVPN for generating client certificates and keys, are pretty secure and will generate certificates that are not signed with MD5.

How to get started with OpenVPN Connect

To use OpenVPN Connect, you must have an OpenVPN profile that connects to a VPN server. OpenVPN profiles are files with the extension .ovpn.

To import a profile, do one of the following:

• If you have a .ovpn profile, copy the profile and any files it references to a folder or SD card on your device. Ensure you copy all files to the same folder. Launch OpenVPN Connect, tap the menu icon, tap Import Profile, and tap File. Select the .ovpn profile from the folder location.
• If you need to connect with OpenVPN Access Server, import the profile directly from Access Server: launch OpenVPN Connect, tap the menu icon, tap Import Profile, and enter the URL for the Access Server Client UI.

If you need to connect with OpenVPN Cloud, import the profile directly from your private Cloud service: launch OpenVPN Connect, tap the menu icon, tap Import Profile, and enter your OpenVPN Cloud URL.

Is OpenVPN Connect for Android vulnerable to Heartbleed?

No—all versions of OpenVPN Connect for Android use the OpenSSL library, which is immune to Heartbleed.

Are CRLs (certificate revocation lists) supported?

Yes, OpenVPN Connect supports certificate revocation lists (CRLs) as of Android version 1.1.14.

To use a CRL, you must add it to the .ovpn profile:

You can concatenate multiple CRLs together within the crl-verify block above.

If you are importing a .ovpn file that references an external CRL file such as crl-verify crl.pem make sure to drop the file crl.pem into the same place as the .ovpn file during import so the profile parser can access it.

I am having trouble importing my .ovpn file.

The following pointers can help with importing .ovpn files:

1. All files must be in the same directory

When you import a .ovpn file, ensure that all files referenced by the .ovpn file, such as ca, cert, and key files, are in the same directory on the device as the .ovpn file.

2. Check formatting and size

Profiles must be UTF-8 (or ASCII) and under 256 KB in size.

3. Use the unified format for OpenVPN profiles

Consider using the unified format for OpenVPN profiles which allows all certs and keys to be embedded into the .ovpn file. This simplifies OpenVPN configuration management because it integrates all elements of the configuration into a single file.

For example, a traditional OpenVPN profile might specify certs and keys as follows: ca ca.crt cert client.crt key client.key tls-auth ta.key 1. You can convert this usage to unified form by pasting the content of the certificate and key files directly into the OpenVPN profile as follows using an XML-like syntax:

——BEGIN CERTIFICATE—— MIIBszCCARygAwIBAgIE. . . . /NygscQs1bxBSZ0X3KRk. Lq9iNBNgWg== ——END CERTIFICATE—— ——BEGIN CERTIFICATE—— . . . ——BEGIN RSA PRIVATE KEY—— . . . key-direction 1 ——BEGIN OpenVPN Static key V1—— . . .

Another approach to eliminate certificates and keys from the OpenVPN profile is to use the Android Keychain. For information about this, refer to the section on using the Android Keychain below.

Note: When converting tls-auth to unified format, check for a second parameter after the filename (usually a 0 or 1). This parameter is also known as the key-direction parameter and must be specified as a standalone directive when tls-auth is converted to a unified format. For example, if the parameter is 1, add this line to the profile: key-direction 1. If there is no second parameter to tls-auth, you must add this line to the profile: key-direction bidirectional.

Where are the support forums for OpenVPN Connect?

Is IPv6 supported?

Yes. OpenVPN Connect supports IPv6 transport and IPv6 tunnels as long as the server supports them as well.

Why does OpenVPN Connect show two notification icons when connected?

The Android operating system requires two notification icons. They show that the VPN session is a high priority and shouldn’t be arbitrarily terminated by the system.

Can I disable the connection notification sound?

On some Android devices, a connection notification sound plays whenever a VPN tunnel is established and can’t be silenced by a non-root app.

How can I maximize battery life?

You can enable Battery Saver within OpenVPN Connect to pause the VPN when the phone screen goes blank:

1. Launch OpenVPN Connect.
2. Tap the menu icon.
3. Tap Settings.
4. Tap to enable Battery Saver.

Note: It’s possible if you enable Battery Saver settings and Seamless Tunnel options, you will block any app from reaching the internet while the VPN is active, but the device screen isn’t on. Enabling both can be useful for additional energy savings, as long as you don’t have any background apps that need constant internet access.

Can I control the VPN from outside the app?

Yes, you can control the VPN connection using shortcuts. You can quickly connect to a specific profile by adding a shortcut on your phone for OpenVPN Connect:

1. Launch OpenVPN Connect.
2. Tap the edit icon for the profile you want to make a shortcut.
3. Tap Set Connect Shortcut.
4. Enter a shortcut name, or keep the default suggestions and tap Create.
5. Add the app shortcut to your home screen.

You can quickly disconnect from the VPN by adding a shortcut on your phone for OpenVPN Connect:

1. Launch OpenVPN Connect.
2. Tap the menu icon at the top left.
3. Tap Settings.
4. Tap Set Disconnect Shortcut.
5. Add the app shortcut to your home screen.

How can I ensure that the VPN stays continuously connected?

In the Preferences menu, select the Reconnect on reboot option. Also, consider setting

You can enable reconnecting on reboot within OpenVPN Connect. If there’s an active VPN connection when the phone restarts, the app will reconnect on reboot.

1. Launch OpenVPN Connect.
2. Tap the menu icon.
3. Tap Settings.
4. Tap to enable Reconnect on Reboot.

Additionally, you can set the Connection Timeout under Settings to Continuously Retry.

Why does the VPN disconnect when I make or receive a voice call?

Some cellular networks are incapable of maintaining a data connection during a voice call. If Android detects this as a loss of network connectivity, the VPN pauses during the call and automatically resumes when the call ends.

Given that mobile devices are easily lost or stolen, how best to secure VPN profiles against compromise if the device falls into the wrong hands?

The safest option is not to save your password and use the Android Keychain as a repository for your private key (see below).

You have the option to save the password by checking Save Password when you edit the profile. When you check this, OpenVPN Connect stores your password in the keychain.

Is it safe to save passwords?

If you check the Save checkbox on the authentication or private key password fields, the app will store your password in an encrypted form, however a determined attacker with physical possession of the device would still be able to recover the password with some reverse engineering.

Currently, the best options for security are to avoid saving passwords, and to use the Android Keychain as a repository for your private key (see below).

The Android developers are in the process of implementing an API for secure storage of passwords that will leverage on the hardware-backed keystore and master device password, however this development is not complete as of Android 4.2. This approach will protect saved passwords even if the device is rooted. When this development is complete, we plan to support it in the app.

Why is the save password switch sometimes disabled?

The save password switch on the authentication password field is typically enabled, but you can disable it by adding the following OpenVPN directive to the profile:

Note: The above directive only applies to the authentication password. The private key password, if it exists, can always be saved.

How can I use OpenVPN Connect with profiles that lack a client certificate/key?

If you have a profile that connects to a server without a client certificate/key, you must include the following directive in your profile:

Including this directive is necessary to resolve an ambiguity when the profile doesn’t contain a client certificate or key. When there isn’t a client certificate or key in the profile, OpenVPN Connect doesn’t know whether to obtain an external certificate/key pair from the Android Keychain or whether the server requires a client certificate/key. For example, a server that doesn’t require a client certificate/key is configured with the client-cert-not-required directive. The option is given as a “setenv” to avoid breaking other OpenVPN clients that might not recognize it.

Why does the app not support TAP-style tunnels?

The Android VPN API currently supports only TUN-style or routed tunnels on Layer 3. TAP-style or bridged tunnels on Layer 2 are not possible on Android. This is a limitation of the Android platform. If you try to connect a profile that uses a TAP-based tunnel, you get an error that says only Layer 3 tunnels are currently supported.

If you want to see TAP-style tunnels supported in OpenVPN Connect, contact the Google Android team and ask them to extend the VpnService API to allow this. Without such changes to the VpnService API, non-root apps such as OpenVPN Connect can’t support TAP-style tunnels.

Are there any OpenVPN directives not supported by the app?

While OpenVPN Connect supports most OpenVPN client directives, we’ve made an effort to reduce bloat and improve maintainability by eliminating what we believe to be obsolete or rarely-used directives. Please email us at android@openvpn.net if you think that we should reconsider a specific directive that we’ve excluded.

Here is a partial list of directives not currently supported:

• dev tap — This directive is not supported because the underlying Android VPN API doesn’t support tap-style tunnels.
• fragment — The fragment directive is not supported due to the complexity it adds to the OpenVPN implementation. It’s better to leave fragmentation up to the lower-level transport protocols. Note as well that the client doesn’t support connecting to a server that uses the fragment directive.
• secret — Static key encryption mode (non-TLS) isn’t supported.
• socks-proxy — Socks proxy support is currently not supported.
• Not all ciphers are supported — OpenVPN Connect fully supports the AES-GCM and AES-CBC ciphers, and ChaCha20-Poly1305 as of Connect v3.3. The AES-GCM cipher algorithm in particular is well-suited for modern processors generally used in Android devices, iOS devices, macs and modern PCs. The deprecated DES and Blowfish ciphers are currently still supported but will be removed in the future.
• proxy directives — While proxy directives are currently supported (http-proxy and http-proxy-option), they are currently NOT supported in profiles.

Can I have multiple profiles?

Yes, you can import any number of profiles from the Import menu:

1. Launch OpenVPN Connect.
2. Tap the Add icon.
3. Enter the URL and username credentials or import a .ovpn file.
4. To connect to the profile, tap the profile’s radio button.
5. Enter your password.

OpenVPN Connect assigns a name to the profile based on the server hostname, username and filename. If you import a profile with the same name as one that already exists, OpenVPN Connect adds (1), (2), etc to the profile name.

How do I delete or rename a profile?

To delete a profile, tap the Edit icon next to the profile. From the Edit Profile screen, tap Delete Profile.

To rename a profile, tap the Edit icon next to the profile. From the Edit Profile screen, tap the Profile Name field and change it.

Can I have multiple proxies?

Yes, you can add any number of proxies from the main menu. Each profile can have one proxy assigned.

1. Launch OpenVPN Connect.
2. Tap the Menu icon in the top left.
3. Tap Proxies.
4. Tap the Add icon.
5. Enter the connection information for the proxy and tap Save.

Once you’ve added a proxy, you can add it to your profile:

1. Tap the Edit icon for the profile.
2. Under Proxy, tap the radio button of the proxy to add.
3. Tap Save.

The profile now displays both the OpenVPN Profile and the proxy name. When you connect, your connection to the VPN server authenticates using the proxy server.

How do I edit or delete a proxy?

To edit or delete a proxy:

1. Launch OpenVPN Connect.
2. Tap the Menu icon in the top left.
3. Tap Proxies.
4. Tap the Edit icon next to the proxy you wish to edit or delete.
5. Edit the proxy details and tap Save or if you want to delete, tap Delete Proxy.

You can also edit or delete a proxy from within a profile:

1. Launch OpenVPN Connect.
2. Tap the Edit icon for a profile.
3. Tap the Edit icon for the proxy.
4. Edit the proxy details and tap Save or if you want to delete, tap Delete Proxy.

How do I use a client certificate and private key from the Android Keychain?

Using the Android Keychain to store your private key leverages the hardware-backed Keystore on many Android devices. This protects the key with the Android-level device password and prevents key compromise even if the device is rooted.

If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the Android Keychain using the Import menu or Android Settings.

If you don’t have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using this openssl command (where cert, key, and ca are your client certificate, client key, and root CA files).

After converting your certificate and key files into PKCS#12 form, import the client.p12 file into OpenVPN Connect using the Import / Import PKCS#12 menu option.

Once you’ve done this, remove the ca, cert, and key directives from your .ovpn file and re-import it. When you connect the first time, the app will ask you to select a certificate to use for the profile. Just select the MyClient certificate, and you should be able to connect normally.

When I try to import a PKCS#12 file, why am I being asked for a password?

When you generate a PKCS#12 file, you’re prompted for an «export password» to encrypt the file. You must enter this password when you import the PKCS#12 file into the Android Keychain. This prevents interception and recovery of the private key during transport.

Why doesn’t the PKCS#12 file in my OpenVPN configuration file work the same as on desktop systems?

Android uses PKCS#12 files differently than on desktops using OpenVPN. Android manages PKCS#12 in the Android Keychain. In contrast, desktops can reference the PKCS#12 files bundled in the OpenVPN profile. The Android approach is much better from a security perspective because the Keychain can leverage hardware features in the device, such as hardware-backed keystores. However, it requires that you load the PKCS#12 file into the Android Keychain separate from importing the OpenVPN profile. It also moves the responsibility for managing PKCS#12 files to the Android Keychain and away from OpenVPN, potentially introducing compatibility issues.

To use a PKCS#12 file on Android, see the FAQ item above: How do I use a client certificate and private key from the Android Keychain?

How do I set up my profile for server failover?

You can provide OpenVPN with a list of servers to make connections. On connection failure, OpenVPN will rotate through the list until it finds a responsive server. For example, the following entries in the profile will first try to connect to server A via UDP port 1194, then TCP port 443, then repeat the process with server B. OpenVPN will continue to retry until it successfully connects or hits the Connection Timeout, which you can configure in Settings.

Источник

I am configuring OpenVPN 2.3.6-1 on my Arch Linux server in order to encrypt SMB traffic over the public Internet. When I test the setup on one of my Linux virtual machine clients, I get the error: TLS Error: TLS handshake failed.

I quickly read (OpenVPN on OpenVZ TLS Error: TLS handshake failed (google suggested solutions not helping)) and tried to switch from the default UDP to TCP, but that only caused the client to repeatedly report that the connection timed out. I also tried disabling the cipher and TLS authentication, but that caused the server to fail with Assertion failed at crypto_openssl.c:523. In both instances, the required changes were made to both the client and server configurations.

I have been following the instructions at (https://wiki.archlinux.org/index.php/OpenVPN) to set up OpenVPN and the instructions at (https://wiki.archlinux.org/index.php/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts) to create the keys and certificates. The only deviations I have made from these instructions have been specifying my own computers’ names and their corresponding key/certificate file names.

See also my original question about securing SMB traffic over the Internet: (Simple encryption for Samba shares)

Can anybody explain how I can solve this issue?

Details:

Server: Arch Linux (up to date) connected directly to gateway via ethernet cable. No iptables.

Client: Arch Linux (up to date) virtual machine on VirtualBox 4.3.28r100309 Windows 8.1 host, bridged network adapter. No iptables. Windows Firewall disabled.

Gateway: Port forwarding for port 1194 enabled, no firewall restrictions.

Here are the configuration files on the server and client, respectively. I created these according to the instructions on the Arch Wiki.

/etc/openvpn/server.conf (Non-comment lines only):

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server-name.crt
key /etc/openvpn/server-name.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

/etc/openvpn/client.conf (Non-comment lines only):

client
dev tun
proto udp
remote [my public IP here] 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client-name.crt
key /etc/openvpn/client-name.key
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3

Here are the outputs of running openvpn on the machines with the above configurations. I started the server first, then the client.

The output of openvpn /etc/openvpn/server.conf on the server:

Thu Jul 30 17:02:53 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Thu Jul 30 17:02:53 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Jul 30 17:02:53 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Jul 30 17:02:53 2015 Diffie-Hellman initialized with 2048 bit key
Thu Jul 30 17:02:53 2015 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Jul 30 17:02:53 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 17:02:53 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 17:02:53 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jul 30 17:02:53 2015 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp5s0 HWADDR=##:##:##:##:##:##
Thu Jul 30 17:02:53 2015 TUN/TAP device tun0 opened
Thu Jul 30 17:02:53 2015 TUN/TAP TX queue length set to 100
Thu Jul 30 17:02:53 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jul 30 17:02:53 2015 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Jul 30 17:02:53 2015 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Jul 30 17:02:53 2015 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Jul 30 17:02:53 2015 GID set to nobody
Thu Jul 30 17:02:53 2015 UID set to nobody
Thu Jul 30 17:02:53 2015 UDPv4 link local (bound): [undef]
Thu Jul 30 17:02:53 2015 UDPv4 link remote: [undef]
Thu Jul 30 17:02:53 2015 MULTI: multi_init called, r=256 v=256
Thu Jul 30 17:02:53 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Jul 30 17:02:53 2015 IFCONFIG POOL LIST
Thu Jul 30 17:02:53 2015 Initialization Sequence Completed

The output of openvpn /etc/openvpn/client.conf on the client:

Thu Jul 30 21:03:02 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Thu Jul 30 21:03:02 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Jul 30 21:03:02 2015 WARNING: file '/etc/openvpn/client-name.key' is group or others accessible
Thu Jul 30 21:03:02 2015 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Thu Jul 30 21:03:02 2015 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Jul 30 21:03:02 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 21:03:02 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 21:03:02 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jul 30 21:03:02 2015 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jul 30 21:03:02 2015 UDPv4 link local: [undef]
Thu Jul 30 21:03:02 2015 UDPv4 link remote: [AF_INET][my public IP here]:1194
Thu Jul 30 21:04:02 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul 30 21:04:02 2015 TLS Error: TLS handshake failed
Thu Jul 30 21:04:02 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 30 21:04:02 2015 Restart pause, 2 second(s)

If you are facing “OpenVPN TLS handshake failed” Error on computer while attempting to setting up “OpenVPN”, then you are in right place. Here, we are discussing about this problem in details and providing some recommended methods/procedures to fix this error. Let’s take have a look at error message and then starts the discussion.

“Sun May 13 19:39:51 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Sun May 13 19:39:51 2018 TLS Error: TLS handshake failed”

About OpenVPN

“OpenVPN” is open-source commercial software that implements virtual private network techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access faculties. It is available in free for charge. With the digital privacy and online security continuing to be major concerns, more people are interested in “VPNs (Virtual Private Networks)” than ever before.

Pros:

• Free, open-source VPN
• Booted Privacy and Secure browsing
• Supported by developer community

Cons:

• Can lead to poor speeds when is use
• Too technical and complex for first use-timers
• Can be blocked by business proxies

However, it is important to remember that “OpenVPN” is not VPN Provide and it doesn’t add a piece of software to your desktop or simple plug-in to your browser that you click once to connect. “OpenVPN” is encryption protocol that can connect your VPN which means you will need to know exactly how to configure it to your specific server.

What is “OpenVPN TLS handshake failed” Error?

It is common TLS error that is appears while trying to connect to OpenVPN. This error message usually appears on Android, iOS, Windows, Mac and Linux OS based device. “HandShake” word refers to negotiation between two ends just like meeting between two different people for any propose, then shake hands at first, then go ahead with anything else. In this case, “handShake” refers to negotiations between two servers.

On other hand, “TLS (Transport Layer Security)” is used every time when you access a website or application over HTTPS, access emails, messages, and VOIP (Voice over Internet Protocol). In simple word, we can say that HTTPs is implementation of TLS encryption.

Now comes to matter “OpenVPN TLS handshake Failed” Error, it is one of the most common problems in setting up OpenVPN that is occurs due to several reasons. Some user reported that this error appears usually on Windows/Mac/iOS/Linux/Android OS based devices when Windows Firewall is blocking access for the “openvpn.exe”.

“TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)”

Reasons behind OpenVPN TLS handshake failed issues

• Incorrect Client Configuration: The “OpenVPN” client config does not have the correct server address in its config file. The remote directive in the client config must point to either the server itself or the public IP address of the server network’s gateway.
• OpenVPN packets: A perimeter Firewall on server’s network is filtering out incoming OpenVPN packets. By Default OpenVPN uses UDP or TCP port number 1194.
• NAT/PAT: A NAT Gateway on the server’s network does not have a port forward rule for TCP/UDP 1194 to internal address of OpenVPN server machine.
• Firewall/routing blocking port: Windows Firewall is blocking access for the “openvpn.exe” binary.
• OSes block incoming connections: A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes will block incoming connections by default unless configured otherwise.

[Tips & Tricks] How to Fix OpenVPN TLS handshake failed error on Windows 10?

Procedure 1: Change “TLS” protocol in Windows

Windows 10 and earlier versions of Windows centralize the protocol settings in the System. To fix “OpenVPN TLS handshake failed” Error, you can change TLS version via the steps below:

Step 1: Press “Windows + R” key from keyboard to open “Run Dialog Box”

Step 2: In the opened “Run Dialog Box”, type “inetcpl.cpl” and hit “Ok” button

Step 3: In the opened “Internet Properties” window, click on “Advanced” tab

Step 4: Find “Security” section and here, you can add or remove TLS

Step 5: If the website is looking for TLS 1.2 and it is not checked, you need to check it. Similarly, if someone is experimenting with TLS 1.3, you need to check it

Step 6: Finally, click on “Apply” and “Ok” to save the changes. Once done, try opening the same website again

Procedure 2: Change TLS protocol in Firefox

Step 1: Open “Firefox” browser and type “about:config” in address bar and then hit “Enter” key

Step 2: Now, type “TLS” in search box and locate “security.tls.version.min”

Step 3: You can change it to “1 and 2 to force TLS 1 and 1.1”, “3 to force TLS 1.2”, “4 to force maximum protocol of TLS 1.3”

Procedure 3: Delete Browser profile or certificate database

Every browser maintains a database for certificates. For example, every Firefox profile has Cert8.db file. In case if delete that file, and restart fixes it, then the problem is related to the local certificate database.

In Windows 10 or other Windows OS based device, when you are using Internet Explorer or Edge browser, the Certificate Manager is responsible, or you can go to the edge://settings/privacy and click on Manage HTTPS/SSL certificates and settings. Delete the certificates and try again.

Procedure 4: Reset web browser

To reset Google Chrome settings, follow the steps below:

Step 1: Open Google Chrome browser and type “Chrome://Settings” in address bar and then hit “Enter” key

Step 2: Scroll towards end and click on “Advance settings”

Step 3: You will see the “Reset Browser Settings” button

Step 4: When you use this option, it will reset your profile to the post-fresh-install state

Step 5: This process will reset search engine, homepage, new tab page and pinned tabs to default. Extensions, add-ons and themes will be disabled and Content Settings will be reset. Cookies, Cache and Site data will be deleted.

Step 6: Once done, restart your browser and please check if “OpenVPN TLS handshake failed” Error is resolved.

To reset Microsoft Edge Chromium browser, follow the steps below:

 Step 1: Open Microsoft Edge browser

Step 2: Click on Open Settings

Step 3: Navigate to “Reset Settings”

Step 4: Click on “Restore Settings” to their default values.

Step 5: This process will reset your Startup page, new tab page, search engine and pinned tabs, disable all extensions and clear temporary data like cookies, and favourites, history and saved passwords will not be cleared.

Step 6: Once done, restart your browser and please check if the error is resolved.

To reset Firefox settings, follow the steps below:

Step 1: Open “Firefox browser”

Step 2: Go to “Settings > Help > Troubleshooting information”

Step 3: Click on “Reset Firefox” button.

Step 4: This process will reset search engine and homepage to default. Your extensions, sync settings, open tabs, tab groups, themes and toolbars will be removed. However, your passwords, from data, browsing history, favourites or bookmarks, cookies and plug-ins will not be removed. They will instead be moved to new profile.

Procedure 5: Ensuring the correct System time

Step 1: Press “Windows + I” keys together from keyboard to open “Settings App”

Step 2: In the “Settings App”, select “Time & Language”

Step 3: Go to the right pane, then toggle the switch under “Set Time Automatically” to “ON”

Step 4: After that, restart your computer and try visiting the website again to see if TLS handshake error is gone.

You may also read: Fix Cisco AnyConnect Certificate Validation Failure Problem

Conclusion

I am sure this article helped you to “Fix OpenVPN TLS handshake failed on Windows 10” with several easy methods/procedures. You can choose/follow either one or all procedures to fix this issue.

If you are unable to fix OpenVPN TLS handshake failed problem with the solutions mentioned above, then it might possible that your System has infected with malware or viruses. According to security researchers, malware or viruses cause several damages in your computer.

In this case, you can scan your computer with powerful antivirus software that has the ability to delete all types of malware or viruses from System.

You can also try another possible solution to fix this issue. We recommended you to Repair your PCs/laptops with powerful PC Repair Tools/Software that has the ability to remove all the faculty software, clean System registry, remove all types of malware or viruses, fix all types of bugs or errors and improves System performance as well. You can download powerful PC Repair Tool/Software via “Download” link below.

Wondering how to resolve TLS key negotiation failed error in OpenVPN? We can help you.

As part of our Server Management Services, we assist our customers with several OpenVPN queries.

Today, let us see how our Support techs resolve this error.

How to resolve TLS key negotiation failed error in OpenVPN?

First and foremost, to diagnose problems with an OpenVPN server or client, it is helpful to look at the log files.

Locating the server log files

The log files are located in specific areas on your computer systems.

Log files are the place to check whenever you’re having any problems making a connection with an OpenVPN client program to the OpenVPN Access Server.

On the OpenVPN Access Server there is the server side log:

/var/log/openvpnas.log /var/log/openvpnas.node.log (in case of a failover setup)

In the event that you are having problems with starting the Access Server or certain portions of it, for example the web services, then it may be useful to stop the Access Server service.

Then, move the log file aside, then start the Access Server service, and stop it again immediately.

This creates a new clean log file that contains the startup and shutdown sequence of the Access Server and no other extraneous information.

This makes analysis of the log file much easier.

To do so use these commands in order:

service openvpnas stop
mv /var/log/openvpnas.log /var/log/openvpnas.log.old
service openvpnas start
service openvpnas stop

You can then grab the /var/log/openvpnas.log file for analysis and start the Access Server again:

service openvpnas start

Locating the client log files

Log file location for the OpenVPN Connect Client for Windows:

C:Program Files (x86)OpenVPN TechnologiesOpenVPN Clientetclogopenvpn_(unique_name).log

The OpenVPN Connect Client for Mac:

/Library/Application Support/OpenVPN/log/openvpn_(unique_name).log

To get to the /Library folder, open Finder and in the menu at the top choose Go followed by Go to folder and then enter the path /Library to get into that directory.

You can then go to the correct folder and look up the log file.

Please also note that the OpenVPN Connect Client for Macintosh will have permissions set on the log file so that you cannot normally open it.

To bypass this, right click the log file and choose the Get info option in the menu.

Then at the bottom, under Sharing & Permissions, you will be able to use the yellow padlock icon to unlock the settings and to give everyone read access.

Then, you will be able to open the log file with a right click and selecting Open with and then choosing something like Text editor to view the contents of the log file.

TLS key negotiation failed error

Typical error will look as shown below:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

This particular error can have multiple different causes as it is a fairly generic error message.

A possible explanation is that the client program is old and supports only TLS 1.0, but the server is expecting TLS level 1.1 or higher.

To see if this is the case log on to the server and check the server side log file.

The chances are high that your client program is an older version, like version 2.2 or older, and that it doesn’t know how to handle a modern TLS minimum level requirement, when you see messages that look like this on the server side:

OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol’
TLS_ERROR: BIO read tls_read_plaintext error’
TLS Error: TLS object -> incoming plaintext read error’
TLS Error: TLS handshake failed’
SIGUSR1[soft,tls-error] received, client-instance restarting’

The solution to this particular problem is to upgrade the client software to the latest version.

Another possible explanation is that the settings regarding TLS minimum requirement level have been altered but the OpenVPN client is using an older copy of the connection profile which has incorrect instructions.

The settings on the client and the server must match for the connection to be successful.

In this situation installing a new copy of the configuration profile will solve the issue.

A complete uninstall, redownload, and reinstall of the OpenVPN Connect Client should take care of that for you.

And yet another possible explanation is that there is a blockage in place in a firewall or at the Internet service provider that is blocking or interfering with the TLS handshake in some way.

[Stuck in between? We’d be glad to assist you]

Conclusion

In short, today we saw steps followed by our Support Techs to resolve TLS key negotiation failed error in OpenVPN.