Еще одна причина ошибки при коннекте к OpenVPN серверу
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). TLS Error: TLS handshake failed
Как ни странно, причина не связана с конфигами самого OpenVPN сервера или клиентов, а кроется в сети, что и написано в логе.
Прослушка трафика показала, что нет обратного коннекта от сервера до клиента при рукопожатии:
|
14:01:59.465502 IP ServerIP.openvpn > ClientIP.54954: UDP, length 42 14:02:00.272635 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42 14:02:00.272889 IP ServerIP.openvpn > ClientIP.54961: UDP, length 54 14:02:03.568343 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42 14:02:03.568536 IP ServerIP.openvpn > ClientIP.54961: UDP, length 50 14:02:03.612846 IP ClientIP > ServerIP: ICMP host ClientIP unreachable — admin prohibited filter, length 36 |
При подробном режиме (verbose) такая картина:
|
14:08:14.154062 IP (tos 0x0, ttl 64, id 21182, offset 0, flags [DF], proto UDP (17), length 70) ServerIP.openvpn > ClientIP.57304: [bad udp cksum 0xd2f6 —> 0xb107!] UDP, length 42 14:08:20.193700 IP (tos 0x0, ttl 122, id 29713, offset 0, flags [none], proto UDP (17), length 70) ClientIP.62614 > ServerIP.openvpn: [udp sum ok] UDP, length 42 14:08:20.194123 IP (tos 0x0, ttl 64, id 21620, offset 0, flags [DF], proto UDP (17), length 82) ServerIP.openvpn > ClientIP.62614: [bad udp cksum 0xd302 —> 0x6091!] UDP, length 54 14:08:20.238329 IP (tos 0x0, ttl 250, id 27288, offset 0, flags [none], proto ICMP (1), length 56) ClientIP > ServerIP: ICMP host ClientIP unreachable — admin prohibited filter, length 36 IP (tos 0x0, ttl 58, id 21620, offset 0, flags [DF], proto UDP (17), length 82) ServerIP.openvpn > ClientIP.62614: UDP, length 54 14:08:21.400665 IP (tos 0x0, ttl 122, id 29742, offset 0, flags [none], proto UDP (17), length 70) ClientIP.62614 > ServerIP.openvpn: [udp sum ok] UDP, length 42 14:08:21.400811 IP (tos 0x0, ttl 64, id 21703, offset 0, flags [DF], proto UDP (17), length 78) ServerIP.openvpn > ClientIP.62614: [bad udp cksum 0xd2fe —> 0x80f0!] UDP, length 50 |
Причина крылась в запрете форварда входящих UDP подключений на циске роутере со стороны клиента. При этом исходящие работали, т.к. подключение и общение до рукопожатия происходило.
Как только разрешили проходить UDP трафик — коннект до OpenVPN сервера поднялся.
Если нет возможности открыть UDP трафик, то стоит перейти на TCP соединение.
https://github.com/midnight47/
Everything works ok on Ubuntu 16.04, but I can’t connect to my server from Windows 10, using official openvpn app. Firewall is disabled both on server and client.
———-Here is the log———-
Wed May 02 04:21:27 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 02 04:21:27 2018 TLS Error: TLS handshake failed
Wed May 02 04:21:27 2018 SIGUSR1[soft,tls-error] received, process restarting
Wed May 02 04:21:27 2018 MANAGEMENT: >STATE:1525224087,RECONNECTING,tls-error,,,,,
Wed May 02 04:21:27 2018 Restart pause, 5 second(s)
Wed May 02 04:21:32 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]95.216.140.175:1194
Wed May 02 04:21:32 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed May 02 04:21:32 2018 UDP link local: (not bound)
Wed May 02 04:21:32 2018 UDP link remote: [AF_INET]95.216.140.175:1194
Wed May 02 04:21:32 2018 MANAGEMENT: >STATE:1525224092,WAIT,,,,,,
Wed May 02 04:22:32 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 02 04:22:32 2018 TLS Error: TLS handshake failed
Wed May 02 04:22:32 2018 SIGUSR1[soft,tls-error] received, process restarting
Wed May 02 04:22:32 2018 MANAGEMENT: >STATE:1525224152,RECONNECTING,tls-error,,,,,
Wed May 02 04:22:32 2018 Restart pause, 5 second(s)
Wed May 02 04:22:37 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]95.216.140.175:1194
Wed May 02 04:22:37 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed May 02 04:22:37 2018 UDP link local: (not bound)
Wed May 02 04:22:37 2018 UDP link remote: [AF_INET]95.216.140.175:1194
Wed May 02 04:22:37 2018 MANAGEMENT: >STATE:1525224157,WAIT,,,,,,
Wed May 02 04:22:39 2018 write UDP: Unknown error (code=10051)
———-Here is my .ovpn file’s content———-
client
proto udp
remote 95.216.140.175 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_XtJrEMJvSsZ98eJT name
auth SHA256
auth-nocache
cipher AES-128-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3
script-security 2
dhcp-option DNS 213.133.100.100
dhcp-option DNS 213.133.98.98
dhcp-option DNS 213.133.99.99
Please, help to solve this problem.
Wondering how to resolve TLS key negotiation failed error in OpenVPN? We can help you.
As part of our Server Management Services, we assist our customers with several OpenVPN queries.
Today, let us see how our Support techs resolve this error.
How to resolve TLS key negotiation failed error in OpenVPN?
First and foremost, to diagnose problems with an OpenVPN server or client, it is helpful to look at the log files.
Locating the server log files
The log files are located in specific areas on your computer systems.
Log files are the place to check whenever you’re having any problems making a connection with an OpenVPN client program to the OpenVPN Access Server.
On the OpenVPN Access Server there is the server side log:
/var/log/openvpnas.log /var/log/openvpnas.node.log (in case of a failover setup)In the event that you are having problems with starting the Access Server or certain portions of it, for example the web services, then it may be useful to stop the Access Server service.
Then, move the log file aside, then start the Access Server service, and stop it again immediately.
This creates a new clean log file that contains the startup and shutdown sequence of the Access Server and no other extraneous information.
This makes analysis of the log file much easier.
To do so use these commands in order:
service openvpnas stop
mv /var/log/openvpnas.log /var/log/openvpnas.log.old
service openvpnas start
service openvpnas stopYou can then grab the /var/log/openvpnas.log file for analysis and start the Access Server again:
service openvpnas startLocating the client log files
Log file location for the OpenVPN Connect Client for Windows:
C:Program Files (x86)OpenVPN TechnologiesOpenVPN Clientetclogopenvpn_(unique_name).logThe OpenVPN Connect Client for Mac:
/Library/Application Support/OpenVPN/log/openvpn_(unique_name).logTo get to the /Library folder, open Finder and in the menu at the top choose Go followed by Go to folder and then enter the path /Library to get into that directory.
You can then go to the correct folder and look up the log file.
Please also note that the OpenVPN Connect Client for Macintosh will have permissions set on the log file so that you cannot normally open it.
To bypass this, right click the log file and choose the Get info option in the menu.
Then at the bottom, under Sharing & Permissions, you will be able to use the yellow padlock icon to unlock the settings and to give everyone read access.
Then, you will be able to open the log file with a right click and selecting Open with and then choosing something like Text editor to view the contents of the log file.
TLS key negotiation failed error
Typical error will look as shown below:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
This particular error can have multiple different causes as it is a fairly generic error message.
A possible explanation is that the client program is old and supports only TLS 1.0, but the server is expecting TLS level 1.1 or higher.
To see if this is the case log on to the server and check the server side log file.
The chances are high that your client program is an older version, like version 2.2 or older, and that it doesn’t know how to handle a modern TLS minimum level requirement, when you see messages that look like this on the server side:
OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol’
TLS_ERROR: BIO read tls_read_plaintext error’
TLS Error: TLS object -> incoming plaintext read error’
TLS Error: TLS handshake failed’
SIGUSR1[soft,tls-error] received, client-instance restarting’
The solution to this particular problem is to upgrade the client software to the latest version.
Another possible explanation is that the settings regarding TLS minimum requirement level have been altered but the OpenVPN client is using an older copy of the connection profile which has incorrect instructions.
The settings on the client and the server must match for the connection to be successful.
In this situation installing a new copy of the configuration profile will solve the issue.
A complete uninstall, redownload, and reinstall of the OpenVPN Connect Client should take care of that for you.
And yet another possible explanation is that there is a blockage in place in a firewall or at the Internet service provider that is blocking or interfering with the TLS handshake in some way.
[Stuck in between? We’d be glad to assist you]
Conclusion
In short, today we saw steps followed by our Support Techs to resolve TLS key negotiation failed error in OpenVPN.
PREVENT YOUR SERVER FROM CRASHING!
Never again lose customers to poor server speed! Let us help you.
Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.
GET STARTED
I’m configuring an OpenVPN (version 2.3.10) server on a Windows 2012 server but I cannot make it to work.
The server is behind a router and I opened the 1194 port and created a rule to forward traffic on this port to the server.
Here is the log I see on the server when I try to connect from a client:
Mon Mar 21 11:11:47 2016 XX.XX.XX.XX:57804 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:57804, sid=fdf7a7ac 0264c7f3
Mon Mar 21 11:12:38 2016 XX.XX.XX.XX:55938 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:55938, sid=1f242a3f e454a525
Mon Mar 21 11:12:48 2016 XX.XX.XX.XX:57804 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 21 11:12:48 2016 XX.XX.XX.XX:57804 TLS Error: TLS handshake failed
Mon Mar 21 11:12:48 2016 XX.XX.XX.XX:57804 SIGUSR1[soft,tls-error] received, client-instance restarting
Where XX.XX.XX.XX is the ip of the client. So I understand from this that the client at least is able to arrive at the server, so there’s no routing or firewall issues.
I followed the description provided here Easy Windows Guide Any ideas?
MadHatter
79k20 gold badges183 silver badges231 bronze badges
asked Mar 23, 2016 at 7:04
6
What’s interesting is how the port number changes mid-stream:
Mon Mar 21 11:11:47 2016 XX.XX.XX.XX:57804 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:57804, sid=fdf7a7ac 0264c7f3
Mon Mar 21 11:12:38 2016 XX.XX.XX.XX:55938 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:55938, sid=1f242a3f e454a525
This makes me think that, somewhere between client and server, there is a misbehaving NAT device, a device with very short-lived state table entries, which is changing the source port number that it applies to the client’s established stream, causing the server to think that two short-lived communications are in progress, instead of one continuous one.
Such devices generally only do this with UDP, so I have advised you to confirm that you are using UDP, and try TCP instead. This you have done, and found that it fixes the problem. The next step is to identify the misbehaving NAT device, hit it with a club hammer, and replace it with one that doesn’t make the cardinal mistake of assuming that all UDP communications are ephemeral; but you have indicated that you’re happy with changing to TCP as a workaround, and so the matter is concluded.
answered Mar 23, 2016 at 10:39
MadHatterMadHatter
79k20 gold badges183 silver badges231 bronze badges
6
This is one of the most common error in setting up Openvpn and there is a FAQ entry for this. I’m going to quote this here:
TLS Error: TLS key negotiation failed to occur within 60 seconds
(check your network connectivity)One of the most common problems in setting up OpenVPN is that the two
OpenVPN daemons on either side of the connection are unable to
establish a TCP or UDP connection with each other.This is almost a result of:
- A perimeter firewall on the server’s network is filtering out incoming OpenVPN packets (by default OpenVPN uses UDP or TCP port
number 1194).- A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many
OSes will block incoming connections by default, unless configured
otherwise.- A NAT gateway on the server’s network does not have a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server
machine.- The OpenVPN client config does not have the correct server address in its config file. The remote directive in the client config file
must point to either the server itself or the public IP address of the
server network’s gateway.- Another possible cause is that the windows firewall is blocking access for the openvpn.exe binary. You may need to whitelist (add it
to the «Exceptions» list) it for OpenVPN to work.
It’s highly likely that any of these is causing the same problem in your case too. So just go through the list one by one to resolve it.
Ref: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
MadHatter
79k20 gold badges183 silver badges231 bronze badges
answered Mar 23, 2016 at 8:23
DiamondDiamond
8,9213 gold badges23 silver badges38 bronze badges
4
I was getting TLS key negotiation timeouts like this. But in my case I realised that the remote link was a local IP address.
The VPN on our pfSense firewall had mistakenly been put on the LAN interface instead of the WAN interface, and so the exported config was set to try and connect to the firewall’s LAN IP address — which was never going to work with the client naturally being on a different LAN.
I think the main takeaways from this are:
-
Getting a key negotiation timeout does not necessarily mean you’ve even managed to connect to anything.
So at this stage it may still be worth checking you’re actually connecting to the right place, and there are no firewall rules blocking the connection, etc. Particularly if your configuration has been automatically generated.
Note that getting a login prompt does not mean that you’re connected, since OpenVPN asks for your credentials before trying to connect.
-
Make sure your VPN server is listening on the right interface.
(Of course, this is one of a number of server-side misconfigurations that could occur, such as firewall rules, putting the wrong port number, intermixing TCP and UDP, etc.)
answered Mar 21, 2017 at 12:18
mwfearnleymwfearnley
7881 gold badge10 silver badges21 bronze badges
I had the same error and no advice helped, everything seemed to be fine: IPs, ports, firewall, everything. Gone insane for 2 hours.
Solution was to change the protocol from UDP to TCP in the client config (apparently I disabled UDP on purpose a long while ago).
Hope this helps someone 
LE: this solved my problem but it’s not the best approach as per below comments. You should use UDP instead of TCP. It helped me because I had different settings between the client and the server configs.
answered Jun 1, 2017 at 20:11
boschbosch
1856 bronze badges
5
None of the solutions mentioned earlier worked. In my case, even though the client log showed same error TLS Error: TLS key negotiation failed to occur within 60 seconds, the server logs showed VERIFY ERROR: depth=0, error=CRL has expired.
On the server, following steps resolved the connection issue:
# cd <easyrsa folder>
# ./easyrsa gen-crl
above command generates new crl.pem file (in my case in pki folder)
using chown/chmod make sure 'pki/crl.pem' is readable by openvpn server (for example: chmod 640 pki/crl.pem)
# systemctl restart openvpn
answered Dec 5, 2018 at 3:49
mpprdevmpprdev
1511 gold badge1 silver badge5 bronze badges
Note that you can get a TLS key negotiation error, without successfully connecting to the OpenVPN server — or even successfully connecting to anything at all!
I modified a VPN config to connect to localhost, on a port that wasn’t listening on anything:
OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018 Windows version 6.2 (Windows 8 or greater) 64bit library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:12345 UDP link local (bound): [AF_INET][undef]:0 UDP link remote: [AF_INET]127.0.0.1:12345 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) TLS Error: TLS handshake failed SIGUSR1[soft,tls-error] received, process restarting ...
The error can lull you into a false sense that you’re talking to a VPN server.
You may even get prompted for credentials first, but nothing outside your computer has actually asked for them.
answered Aug 10, 2018 at 15:21
mwfearnleymwfearnley
7881 gold badge10 silver badges21 bronze badges
I ran into this error in AWS, where OpenVPN was installed on a server with a public IP, but on an instance which was in a private subnet, i.e. a subnet which didn’t have a route to an internet gateway.
Once I deployed OpenVPN on a server within a public subnet, it all worked nicely
On public/private subnets in AWS: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html
answered Aug 29, 2018 at 15:15
ZoltánZoltán
2172 silver badges6 bronze badges
I also came across the TLS key negotiation failed to occur within 60 seconds problem.
From the official suggestion, as Diamant post, there must be something wrong in the network connection. However, neither the firewall nor the NAT cause the problem.
In my case, I first checked the connection by nc -uvz xxx.xxx.xxx.xxx 1194. The link is OK.
Besides, several other vpn clients within the same LAN work fine.
From somewhere I noticed that udp connection has some problems in response or port forward.
So I stop the running vpn clients from the largest ip to the hanging client, e.g, from «10.8.0.100» to «10.8.0.50».
Then start the stopped vpn clients in reverse.
Bang! All the vpn clients work propoerly.
In conclusion, there is a chance leads to TLS key negotiation failed to occur within 60 seconds problem that multiple vpn clients within a LAN starting in a wrong sequence.
answered May 30, 2019 at 6:18
1
One possible reason is if the server requires TLS version newer then the TLS supported by the client. i.e 1.2 vs 1.0.
The obvious thing to try is to update the OpenVPN client, or modify the server side to accept TLS 1.0.
kenlukas
2,9862 gold badges14 silver badges25 bronze badges
answered Mar 24, 2020 at 17:45
You should create a SSL/TLS certificate on OMV and then enable secure connection SSL/TLS and add the created certificate.
So simple!
answered May 28, 2020 at 3:50
Are there more than two NetCards on your OVPN-Server?
In UDP, the source IP is not checked when responding. OVPN-Server will use the default configuration to send UDP data, so we need to specify the NetCard in server.conf.
local the-IP-in-client.ovpn
answered Aug 21, 2020 at 4:03
There seems to be a lot of different causes for the error — I was seeing this on the server for one client, but successfully connecting with another (the latter client being an android device using the OpenVPN Connect App).
What it turned out to be in my case is that I’d neglected to include a CommonName value when creating the server certificate — the app was ignoring this mistake but the other clients (OpenVPN plugin for Network Manager and pfSense) were validating this and refusing to continue the connection. This could be found within the client logs, but all that was visible on the server-side logs was:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
answered Apr 29, 2021 at 5:03
OpenVPN may display the error message «TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)» in the OpenVPN log if is unable to connect to the remote VPN server. The 60 second value may vary (for example, 30 seconds) depending on the configuration.
Troubleshooting for Viscosity Users
Viscosity performs a «reachability check» before attempting to connect a VPN connection. This check allows Viscosity to determine whether the remote VPN server can theoretically be reached over the network so a connection can be established. As this check is passing it means the fault is unlikely to lie with your computer. It is more likely one of the following is the case:
- The remote VPN server is down or unavailable. You will need to get in touch with your VPN Provider to check on the VPN server’s status. If you are unsure of who your VPN Provider is, please see How Do I Find Out Who My VPN Provider Is?.
- You are being blocked from contacting the remote VPN server. This is not uncommon in countries that attempt to censor the Internet, or in some workplaces for security reasons. It is recommended you get in contact with your VPN Provider in this instance as well.
- Your connection’s configuration details may be incorrect or out of date. If you have set up the connection yourself, you should edit your connection in Viscosity and check that the Remote Server Address, Port, and Protocol options are correctly set. Some VPN Providers may periodically update their VPN servers, so you may need to download updated connections to import. Again, you will need to get in contact with your VPN Provider to ensure your configuration details are correct and up to date.
- Your are being blocked by local network filtering or endpoint security software. Some workplaces may require that network filtering or endpoint security software be installed on your computer. In some instances this software can mistakenly block VPN connections. Microsoft Defender for Endpoint is one example of software that has mistakenly blocked VPN connections in the past. You will need to get in contact with your VPN Provider to check that any such software is up-to-date and not blocking connections.
Troubleshooting for VPN Providers
If you’re the administrator of a VPN server and have a user encountering this error (and you’re sure the OpenVPN server is operational), here are some troubleshooting tips for common mistakes:
- Check the OpenVPN log on the server. If the server is rejecting the client’s connection or authentication attempt the reason should be logged here. If there is no indication of a connection attempt in the log, make sure that a firewall or router isn’t blocking access to the OpenVPN server. Check both local firewall rules, as well as firewall and port-forwarding rules on any routers.
- When checking the connection log in Viscosity, look for «VERIFY ERROR» or «OpenSSL: error» messages. These typically indicate that the client was unable to validate the server and hence it is rejecting the connection attempt. More information should be available as part of the message. These typically indicates a CA/Certificate mismatch between the server and the client.
- When checking the connection log in Viscosity, if there are no error messages indicated in the point above, instead check the time difference between the «UDP link remote» message and the «TLS Error: TLS key negotiation failed to occur within 60 seconds». If the failure happens quickly, then in most instances it means that a network link was established however the server has rejected the client. More information about why should be available in the server’s OpenVPN log.
- Make sure both the OpenVPN server and client are using the correct Certificate Authority (CA) file. If this file is incorrect, or there is a mismatch between the client and server, the TLS session will be rejected by the server or client.
- Make sure that the client is using a valid certificate and key. A common cause of this error message is the server being updated with new CA/Cert/Key files, however clients not also being updated. Also check that the user’s certificate hasn’t expired.
- Make sure that the «Use Username/Password authentication» checkbox is properly configured on the client. Enabling this when it’s not required by the server, or disabling it when it is required, can cause connection attempts to fail.
- Make sure that compression settings on both the server and client match. OpenVPN changed the compression options in OpenVPN 2.4, and so this is a common problem with servers running an older version of OpenVPN. More information can be found in the Migrating from OpenVPN 2.3 to OpenVPN 2.4 article.
I’ve got a problem on implementin openvpn So I’m here and hope some one could help me
the story:
I’ve installed openvpn server on a ubuntu server VPS and I’ve used the tun point-to-point instead of tap bridge.
there is no error caused by miss configuration on the server.
When I issue the openvpn client.conf command on the client, it gives me:
Thu Oct 27 15:17:39 2011 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Thu Oct 27 15:17:39 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Oct 27 15:17:39 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Thu Oct 27 15:17:39 2011 LZO compression initialized
Thu Oct 27 15:17:39 2011 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Oct 27 15:17:39 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Oct 27 15:17:39 2011 Local Options hash (VER=V4): '69109d17'
Thu Oct 27 15:17:39 2011 Expected Remote Options hash (VER=V4): 'c0103fa8'
Thu Oct 27 15:17:39 2011 Attempting to establish TCP connection with [AF_INET]VPS_IP_ADDR:4242 [nonblock]
Thu Oct 27 15:17:40 2011 TCP connection established with [AF_INET]VPS_IP_ADDR:PORT_NUM
Thu Oct 27 15:17:40 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Oct 27 15:17:40 2011 TCPv4_CLIENT link local: [undef]
Thu Oct 27 15:17:40 2011 TCPv4_CLIENT link remote: [AF_INET]VPS_IP_ADDR:4242
Thu Oct 27 15:17:40 2011 TLS: Initial packet from [AF_INET]VPS_IP_ADDR:4242, sid=b78095e0 079e400c
Thu Oct 27 15:18:40 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Oct 27 15:18:40 2011 TLS Error: TLS handshake failed
Thu Oct 27 15:18:40 2011 Fatal TLS error (check_tls_errors_co), restarting
Thu Oct 27 15:18:40 2011 TCP/UDP: Closing socket
Thu Oct 27 15:18:40 2011 SIGUSR1[soft,tls-error] received, process restarting
Thu Oct 27 15:18:40 2011 Restart pause, 5 second(s)
When I googled the problem I found out people and the openvpn manual itself are saying it’s caused by the server’s firewall configuration
here are my rules:
iptables -A INPUT -p tcp --dport 4242 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 4242 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to VPS_IP_ADDR