Wondering how to resolve TLS key negotiation failed error in OpenVPN? We can help you.
As part of our Server Management Services, we assist our customers with several OpenVPN queries.
Today, let us see how our Support techs resolve this error.
How to resolve TLS key negotiation failed error in OpenVPN?
First and foremost, to diagnose problems with an OpenVPN server or client, it is helpful to look at the log files.
Locating the server log files
The log files are located in specific areas on your computer systems.
Log files are the place to check whenever you’re having any problems making a connection with an OpenVPN client program to the OpenVPN Access Server.
On the OpenVPN Access Server there is the server side log:
/var/log/openvpnas.log
/var/log/openvpnas.node.log (in case of a failover setup)
In the event that you are having problems with starting the Access Server or certain portions of it, for example the web services, then it may be useful to stop the Access Server service.
Then move the log file aside, start the Access Server service, and stop it again immediately.
This creates a new clean log file that contains the startup and shutdown sequence of the Access Server and no other extraneous information.
This makes analysis of the log file much easier.
To do so use these commands in order:
service openvpnas stop
mv /var/log/openvpnas.log /var/log/openvpnas.log.old
service openvpnas start
service openvpnas stop
You can then grab the /var/log/openvpnas.log file for analysis and start the Access Server again:
service openvpnas start
Locating the client log files
Log file location for the OpenVPN Connect Client for Windows:
C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\log\openvpn_(unique_name).log
The OpenVPN Connect Client for Mac:
/Library/Application Support/OpenVPN/log/openvpn_(unique_name).log
To get to the /Library folder, open Finder and in the menu at the top choose Go followed by Go to folder and then enter the path /Library to get into that directory.
You can then go to the correct folder and look up the log file.
Please also note that the OpenVPN Connect Client for Macintosh will have permissions set on the log file so that you cannot normally open it.
To bypass this, right click the log file and choose the Get info option in the menu.
Then at the bottom, under Sharing & Permissions, you will be able to use the yellow padlock icon to unlock the settings and to give everyone read access.
Then, you will be able to open the log file with a right click and selecting Open with and then choosing something like Text editor to view the contents of the log file.
TLS key negotiation failed error
A typical error looks like this:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
This particular error can have multiple different causes as it is a fairly generic error message.
A possible explanation is that the client program is old and supports only TLS 1.0, but the server is expecting TLS level 1.1 or higher.
To see whether this is the case, log on to the server and check the server-side log file.
If you see messages like these on the server side, the chances are high that your client program is an older version (2.2 or older) that cannot handle a modern TLS minimum level requirement:
OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting
The solution to this particular problem is to upgrade the client software to the latest version.
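A small server-side triage script, added here as an example and not part of the original article or of OpenVPN: it groups server log messages by client address and reports, per client, whether the lines match the legacy-client signature above, a certificate verification failure, or a bare handshake failure. The log sample is constructed from the message texts quoted above (the timestamp and "client-ip:port" prefix is the form OpenVPN writes per client instance; the addresses are documentation ranges), and the function names and verdict strings are my own.

```python
import re
from collections import defaultdict

# Constructed sample of an OpenVPN server log. The message texts are the ones
# quoted in the article; the "client-ip:port" prefix is the form OpenVPN uses
# per client instance, and the addresses are documentation ranges, not clients.
SAMPLE_SERVER_LOG = """\
Wed May 02 04:21:27 2018 198.51.100.7:54954 OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Wed May 02 04:21:27 2018 198.51.100.7:54954 TLS_ERROR: BIO read tls_read_plaintext error
Wed May 02 04:21:27 2018 198.51.100.7:54954 TLS Error: TLS object -> incoming plaintext read error
Wed May 02 04:21:27 2018 198.51.100.7:54954 TLS Error: TLS handshake failed
Wed May 02 04:21:27 2018 198.51.100.7:54954 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed May 02 04:23:10 2018 198.51.100.9:41022 VERIFY ERROR: depth=0, error=certificate has expired: CN=alice
Wed May 02 04:23:10 2018 198.51.100.9:41022 TLS Error: TLS handshake failed
Wed May 02 04:25:00 2018 198.51.100.11:50000 TLS Error: TLS handshake failed
"""

# "<timestamp> <client-ip>:<port> <message>"
LINE_RE = re.compile(
    r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} (?P<ip>[\d.]+):\d+ (?P<msg>.*)$"
)


def messages_by_client(log: str) -> dict:
    """Group the log messages by the client address that produced them."""
    grouped = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            grouped[m["ip"]].append(m["msg"])
    return grouped


def classify(messages) -> str:
    """Map one client's messages to a verdict; the first matching rule wins."""
    text = "\n".join(messages)
    if "SSL23_GET_CLIENT_HELLO:unknown protocol" in text:
        # TLS 1.0-only client against a TLS 1.1+ minimum: upgrade the client.
        return "legacy-tls-client"
    if "VERIFY ERROR" in text:
        # CA/certificate mismatch or an expired certificate.
        return "certificate-rejected"
    if "TLS handshake failed" in text:
        # No protocol or verify error: compare the profile with the server settings.
        return "handshake-failed"
    return "no-tls-error"


def triage(log: str, expected_clients=()) -> dict:
    """Verdict per client. Clients you expected to see but that never appear in
    the log are reported as 'no-connection-attempt', the sign that a firewall
    or router is dropping their packets before the server sees them."""
    verdicts = {ip: classify(msgs) for ip, msgs in messages_by_client(log).items()}
    for ip in expected_clients:
        verdicts.setdefault(ip, "no-connection-attempt")
    return verdicts


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_SERVER_LOG, expected_clients=["198.51.100.20"]).items():
        print(f"{ip:16} {verdict}")
```

Run it against the cleaned-up log produced by the stop/move/start/stop sequence earlier in the article; passing the public address of the complaining client as `expected_clients` is what turns "nothing in the log" from a shrug into a verdict.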
Another possible explanation is that the settings regarding TLS minimum requirement level have been altered but the OpenVPN client is using an older copy of the connection profile which has incorrect instructions.
The settings on the client and the server must match for the connection to be successful.
In this situation installing a new copy of the configuration profile will solve the issue.
A complete uninstall, redownload, and reinstall of the OpenVPN Connect Client should take care of that for you.
Yet another possible explanation is that a firewall, or the Internet service provider, is blocking or interfering with the TLS handshake in some way.
Conclusion
In short, today we saw the steps our Support Techs follow to resolve the TLS key negotiation failed error in OpenVPN.
Another cause of the error when connecting to an OpenVPN server
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). TLS Error: TLS handshake failed
Oddly enough, the cause is not in the configs of the OpenVPN server or the clients; it lies in the network, exactly as the log says.
Sniffing the traffic showed that there is no return path from the server to the client during the handshake:
14:01:59.465502 IP ServerIP.openvpn > ClientIP.54954: UDP, length 42
14:02:00.272635 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42
14:02:00.272889 IP ServerIP.openvpn > ClientIP.54961: UDP, length 54
14:02:03.568343 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42
14:02:03.568536 IP ServerIP.openvpn > ClientIP.54961: UDP, length 50
14:02:03.612846 IP ClientIP > ServerIP: ICMP host ClientIP unreachable - admin prohibited filter, length 36
In verbose mode the picture looks like this:
14:08:14.154062 IP (tos 0x0, ttl 64, id 21182, offset 0, flags [DF], proto UDP (17), length 70)
    ServerIP.openvpn > ClientIP.57304: [bad udp cksum 0xd2f6 -> 0xb107!] UDP, length 42
14:08:20.193700 IP (tos 0x0, ttl 122, id 29713, offset 0, flags [none], proto UDP (17), length 70)
    ClientIP.62614 > ServerIP.openvpn: [udp sum ok] UDP, length 42
14:08:20.194123 IP (tos 0x0, ttl 64, id 21620, offset 0, flags [DF], proto UDP (17), length 82)
    ServerIP.openvpn > ClientIP.62614: [bad udp cksum 0xd302 -> 0x6091!] UDP, length 54
14:08:20.238329 IP (tos 0x0, ttl 250, id 27288, offset 0, flags [none], proto ICMP (1), length 56)
    ClientIP > ServerIP: ICMP host ClientIP unreachable - admin prohibited filter, length 36
        IP (tos 0x0, ttl 58, id 21620, offset 0, flags [DF], proto UDP (17), length 82)
    ServerIP.openvpn > ClientIP.62614: UDP, length 54
14:08:21.400665 IP (tos 0x0, ttl 122, id 29742, offset 0, flags [none], proto UDP (17), length 70)
    ClientIP.62614 > ServerIP.openvpn: [udp sum ok] UDP, length 42
14:08:21.400811 IP (tos 0x0, ttl 64, id 21703, offset 0, flags [DF], proto UDP (17), length 78)
    ServerIP.openvpn > ClientIP.62614: [bad udp cksum 0xd2fe -> 0x80f0!] UDP, length 50
The cause was a rule on the Cisco router on the client side that forbade forwarding incoming UDP connections. Outgoing connections worked, which is why the connection and the exchange up to the handshake did take place.
As soon as UDP traffic was allowed through, the connection to the OpenVPN server came up.
If opening UDP traffic is not possible, it is worth switching to a TCP connection.
https://github.com/midnight47/
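The capture analysis from the post above, as an added Python example that is not part of the original post and not an OpenVPN or tcpdump tool: it parses tcpdump lines in the non-verbose shape shown (the ServerIP/ClientIP placeholders are kept, and the sample lines are constructed from the excerpt above), counts handshake packets per direction, and reports whether the server's replies are being answered with ICMP "admin prohibited", which is the client-side UDP filter the post found. The function names and verdict strings are my own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the tcpdump lines quoted above; the
# placeholder names ServerIP / ClientIP are kept as in the post.
SAMPLE_CAPTURE = """\
14:01:59.465502 IP ServerIP.openvpn > ClientIP.54954: UDP, length 42
14:02:00.272635 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42
14:02:00.272889 IP ServerIP.openvpn > ClientIP.54961: UDP, length 54
14:02:03.568343 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42
14:02:03.568536 IP ServerIP.openvpn > ClientIP.54961: UDP, length 50
14:02:03.612846 IP ClientIP > ServerIP: ICMP host ClientIP unreachable - admin prohibited filter, length 36
"""

# "<ts> IP <host>.<port> > <host>.<port>: UDP, length N"
# The lazy <src>/<dst> groups stop at the last dot, so both "ServerIP.openvpn"
# and "10.0.0.1.1194" split into host and port.
UDP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"UDP, length (?P<len>\d+)$"
)
# ICMP "admin prohibited" is the router on the client side refusing the packet;
# the separator is accepted as "-" or an em dash (some pastes mangle it).
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP host (?P<host>\S+) unreachable "
    r"[-\u2014] admin prohibited filter"
)


def analyze_capture(capture: str, server: str) -> dict:
    """Count UDP packets towards and away from the server and collect the
    senders of ICMP 'admin prohibited' replies; return counts plus a verdict."""
    to_server = from_server = 0
    prohibited_from = Counter()
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            if m["dst"] == server:
                to_server += 1
            elif m["src"] == server:
                from_server += 1
            continue
        m = ICMP_RE.match(line)
        if m and m["dst"] == server:
            # Something between server and client answered the server's UDP
            # packet with "admin prohibited": the return path is filtered.
            prohibited_from[m["src"]] += 1

    if prohibited_from:
        verdict = "inbound UDP to the client is filtered (return path blocked)"
    elif to_server and not from_server:
        verdict = "server never answers: check the server process and its firewall"
    elif to_server == 0:
        verdict = "no client packets reach the server: check the path and port"
    else:
        verdict = "UDP flows both ways: the problem is not the network path"
    return {
        "to_server": to_server,
        "from_server": from_server,
        "icmp_prohibited_from": dict(prohibited_from),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(analyze_capture(SAMPLE_CAPTURE, server="ServerIP"))
```

Feed it the output of `tcpdump -n udp port 1194 or icmp` taken on the server (`-n` keeps addresses numeric so the host/port split is unambiguous). The "bad udp cksum" notes in the verbose capture above appear on packets leaving the capturing host and are normally checksum offload, not corruption, so they are not what to chase.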
Everything works ok on Ubuntu 16.04, but I can’t connect to my server from Windows 10, using official openvpn app. Firewall is disabled both on server and client.
----- Here is the log -----
Wed May 02 04:21:27 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 02 04:21:27 2018 TLS Error: TLS handshake failed
Wed May 02 04:21:27 2018 SIGUSR1[soft,tls-error] received, process restarting
Wed May 02 04:21:27 2018 MANAGEMENT: >STATE:1525224087,RECONNECTING,tls-error,,,,,
Wed May 02 04:21:27 2018 Restart pause, 5 second(s)
Wed May 02 04:21:32 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]95.216.140.175:1194
Wed May 02 04:21:32 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed May 02 04:21:32 2018 UDP link local: (not bound)
Wed May 02 04:21:32 2018 UDP link remote: [AF_INET]95.216.140.175:1194
Wed May 02 04:21:32 2018 MANAGEMENT: >STATE:1525224092,WAIT,,,,,,
Wed May 02 04:22:32 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 02 04:22:32 2018 TLS Error: TLS handshake failed
Wed May 02 04:22:32 2018 SIGUSR1[soft,tls-error] received, process restarting
Wed May 02 04:22:32 2018 MANAGEMENT: >STATE:1525224152,RECONNECTING,tls-error,,,,,
Wed May 02 04:22:32 2018 Restart pause, 5 second(s)
Wed May 02 04:22:37 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]95.216.140.175:1194
Wed May 02 04:22:37 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed May 02 04:22:37 2018 UDP link local: (not bound)
Wed May 02 04:22:37 2018 UDP link remote: [AF_INET]95.216.140.175:1194
Wed May 02 04:22:37 2018 MANAGEMENT: >STATE:1525224157,WAIT,,,,,,
Wed May 02 04:22:39 2018 write UDP: Unknown error (code=10051)
----- Here is my .ovpn file's content -----
client
proto udp
remote 95.216.140.175 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_XtJrEMJvSsZ98eJT name
auth SHA256
auth-nocache
cipher AES-128-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3
script-security 2
dhcp-option DNS 213.133.100.100
dhcp-option DNS 213.133.98.98
dhcp-option DNS 213.133.99.99
Please, help to solve this problem.
OpenVPN may display the error message «TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)» in the OpenVPN log if it is unable to connect to the remote VPN server. The 60 second value may vary (for example, 30 seconds) depending on the configuration.
Troubleshooting for Viscosity Users
Viscosity performs a «reachability check» before attempting to connect a VPN connection. This check allows Viscosity to determine whether the remote VPN server can theoretically be reached over the network so a connection can be established. As this check is passing, it means the fault is unlikely to lie with your computer. It is more likely one of the following is the case:
- The remote VPN server is down or unavailable. You will need to get in touch with your VPN Provider to check on the VPN server’s status. If you are unsure of who your VPN Provider is, please see How Do I Find Out Who My VPN Provider Is?.
- You are being blocked from contacting the remote VPN server. This is not uncommon in countries that attempt to censor the Internet, or in some workplaces for security reasons. It is recommended you get in contact with your VPN Provider in this instance as well.
- Your connection’s configuration details may be incorrect or out of date. If you have set up the connection yourself, you should edit your connection in Viscosity and check that the Remote Server Address, Port, and Protocol options are correctly set. Some VPN Providers may periodically update their VPN servers, so you may need to download updated connections to import. Again, you will need to get in contact with your VPN Provider to ensure your configuration details are correct and up to date.
- You are being blocked by local network filtering or endpoint security software. Some workplaces may require that network filtering or endpoint security software be installed on your computer. In some instances this software can mistakenly block VPN connections. Microsoft Defender for Endpoint is one example of software that has mistakenly blocked VPN connections in the past. You will need to get in contact with your VPN Provider to check that any such software is up-to-date and not blocking connections.
Troubleshooting for VPN Providers
If you’re the administrator of a VPN server and have a user encountering this error (and you’re sure the OpenVPN server is operational), here are some troubleshooting tips for common mistakes:
- Check the OpenVPN log on the server. If the server is rejecting the client’s connection or authentication attempt the reason should be logged here. If there is no indication of a connection attempt in the log, make sure that a firewall or router isn’t blocking access to the OpenVPN server. Check both local firewall rules, as well as firewall and port-forwarding rules on any routers.
- When checking the connection log in Viscosity, look for «VERIFY ERROR» or «OpenSSL: error» messages. These typically indicate that the client was unable to validate the server and hence it is rejecting the connection attempt. More information should be available as part of the message. These typically indicate a CA/Certificate mismatch between the server and the client.
- When checking the connection log in Viscosity, if there are no error messages indicated in the point above, instead check the time difference between the «UDP link remote» message and the «TLS Error: TLS key negotiation failed to occur within 60 seconds». If the failure happens quickly, then in most instances it means that a network link was established however the server has rejected the client. More information about why should be available in the server’s OpenVPN log.
- Make sure both the OpenVPN server and client are using the correct Certificate Authority (CA) file. If this file is incorrect, or there is a mismatch between the client and server, the TLS session will be rejected by the server or client.
- Make sure that the client is using a valid certificate and key. A common cause of this error message is the server being updated with new CA/Cert/Key files, however clients not also being updated. Also check that the user’s certificate hasn’t expired.
- Make sure that the «Use Username/Password authentication» checkbox is properly configured on the client. Enabling this when it’s not required by the server, or disabling it when it is required, can cause connection attempts to fail.
- Make sure that compression settings on both the server and client match. OpenVPN changed the compression options in OpenVPN 2.4, and so this is a common problem with servers running an older version of OpenVPN. More information can be found in the Migrating from OpenVPN 2.3 to OpenVPN 2.4 article.
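The timing check from the provider tips above (the gap between «UDP link remote» and the TLS timeout, plus any «VERIFY ERROR» / «OpenSSL: error» lines), as an added Python example that is not part of the Viscosity article and not a Viscosity or OpenVPN feature: it reads a client log in the shape of the Windows log posted earlier on this page and returns the elapsed time together with the likely cause. The three log samples are constructed (203.0.113.10 is a documentation address), and the function names and cause strings are my own.

```python
import re
from datetime import datetime

# Constructed samples in the shape of the OpenVPN client log posted above.
# 203.0.113.10 is a documentation address, not a real server.
SAMPLE_TIMEOUT = """\
Wed May 02 04:21:32 2018 UDP link local: (not bound)
Wed May 02 04:21:32 2018 UDP link remote: [AF_INET]203.0.113.10:1194
Wed May 02 04:22:32 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 02 04:22:32 2018 TLS Error: TLS handshake failed
Wed May 02 04:22:32 2018 SIGUSR1[soft,tls-error] received, process restarting
"""
SAMPLE_QUICK_REJECT = """\
Wed May 02 04:30:00 2018 UDP link remote: [AF_INET]203.0.113.10:1194
Wed May 02 04:30:01 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""
SAMPLE_VERIFY_ERROR = """\
Wed May 02 04:40:00 2018 UDP link remote: [AF_INET]203.0.113.10:1194
Wed May 02 04:40:01 2018 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: CN=Example CA
Wed May 02 04:40:01 2018 TLS Error: TLS handshake failed
"""

# "<Www Mmm dd HH:MM:SS yyyy> <message>"
TS_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (?P<msg>.*)$")
# Either terminal TLS message; the timeout value is captured when present,
# since it can be configured to something other than 60 seconds.
FAIL_RE = re.compile(
    r"TLS Error: TLS (?:key negotiation failed to occur within (?P<timeout>\d+) seconds"
    r"|handshake failed)"
)


def parse_line(line: str):
    """Split a client log line into (timestamp, message), or None if unparsable."""
    m = TS_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["msg"]


def classify_attempt(log: str) -> dict:
    """Find the first failed attempt after a 'link remote' line and explain it
    from the elapsed time and any verification errors seen in between."""
    link_time = None
    verify_errors = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if "link remote:" in msg:
            link_time, verify_errors = ts, []     # a new attempt starts here
            continue
        if "VERIFY ERROR" in msg or "OpenSSL: error" in msg:
            verify_errors.append(msg)
            continue
        m = FAIL_RE.search(msg)
        if m is None or link_time is None:
            continue
        elapsed = (ts - link_time).total_seconds()
        timeout = int(m["timeout"]) if m["timeout"] else None
        if verify_errors:
            cause = "client could not validate the server certificate: CA/cert mismatch"
        elif timeout is not None and elapsed >= timeout:
            cause = "no reply from the server within the timeout: path blocked or server down"
        else:
            cause = "link established but the server rejected the client: read the server log"
        return {"elapsed": elapsed, "timeout": timeout,
                "verify_errors": verify_errors, "cause": cause}
    return {"elapsed": None, "timeout": None,
            "verify_errors": verify_errors, "cause": "no TLS failure found"}


if __name__ == "__main__":
    for name, sample in [("timeout", SAMPLE_TIMEOUT),
                         ("quick reject", SAMPLE_QUICK_REJECT),
                         ("verify error", SAMPLE_VERIFY_ERROR)]:
        r = classify_attempt(sample)
        print(f"{name:13} elapsed={r['elapsed']} cause={r['cause']}")
```

The first sample reproduces the posted Windows log: exactly the full 60 seconds pass between «UDP link remote» and the timeout, which is the "never got an answer" pattern rather than a rejection, so the next place to look is the path to port 1194/UDP and the server process, not the certificates.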