Tsl error openvpn

I am configuring OpenVPN 2.3.6-1 on my Arch Linux server in order to encrypt SMB traffic over the public Internet. When I test the setup on one of my Linux virtual machine clients, I get the error...

I am configuring OpenVPN 2.3.6-1 on my Arch Linux server in order to encrypt SMB traffic over the public Internet. When I test the setup on one of my Linux virtual machine clients, I get the error: TLS Error: TLS handshake failed.

I quickly read (OpenVPN on OpenVZ TLS Error: TLS handshake failed (google suggested solutions not helping)) and tried to switch from the default UDP to TCP, but that only caused the client to repeatedly report that the connection timed out. I also tried disabling the cipher and TLS authentication, but that caused the server to fail with Assertion failed at crypto_openssl.c:523. In both instances, the required changes were made to both the client and server configurations.

I have been following the instructions at (https://wiki.archlinux.org/index.php/OpenVPN) to set up OpenVPN and the instructions at (https://wiki.archlinux.org/index.php/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts) to create the keys and certificates. The only deviations I have made from these instructions have been specifying my own computers’ names and their corresponding key/certificate file names.

See also my original question about securing SMB traffic over the Internet: (Simple encryption for Samba shares)

Can anybody explain how I can solve this issue?

Details:

Server: Arch Linux (up to date) connected directly to gateway via ethernet cable. No iptables.

Client: Arch Linux (up to date) virtual machine on VirtualBox 4.3.28r100309 Windows 8.1 host, bridged network adapter. No iptables. Windows Firewall disabled.

Gateway: Port forwarding for port 1194 enabled, no firewall restrictions.

Here are the configuration files on the server and client, respectively. I created these according to the instructions on the Arch Wiki.

/etc/openvpn/server.conf (Non-comment lines only):

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server-name.crt
key /etc/openvpn/server-name.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

/etc/openvpn/client.conf (Non-comment lines only):

client
dev tun
proto udp
remote [my public IP here] 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client-name.crt
key /etc/openvpn/client-name.key
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3

Here are the outputs of running openvpn on the machines with the above configurations. I started the server first, then the client.

The output of openvpn /etc/openvpn/server.conf on the server:

Thu Jul 30 17:02:53 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Thu Jul 30 17:02:53 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Jul 30 17:02:53 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Jul 30 17:02:53 2015 Diffie-Hellman initialized with 2048 bit key
Thu Jul 30 17:02:53 2015 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Jul 30 17:02:53 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 17:02:53 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 17:02:53 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jul 30 17:02:53 2015 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp5s0 HWADDR=##:##:##:##:##:##
Thu Jul 30 17:02:53 2015 TUN/TAP device tun0 opened
Thu Jul 30 17:02:53 2015 TUN/TAP TX queue length set to 100
Thu Jul 30 17:02:53 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jul 30 17:02:53 2015 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Jul 30 17:02:53 2015 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Jul 30 17:02:53 2015 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Jul 30 17:02:53 2015 GID set to nobody
Thu Jul 30 17:02:53 2015 UID set to nobody
Thu Jul 30 17:02:53 2015 UDPv4 link local (bound): [undef]
Thu Jul 30 17:02:53 2015 UDPv4 link remote: [undef]
Thu Jul 30 17:02:53 2015 MULTI: multi_init called, r=256 v=256
Thu Jul 30 17:02:53 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Jul 30 17:02:53 2015 IFCONFIG POOL LIST
Thu Jul 30 17:02:53 2015 Initialization Sequence Completed

The output of openvpn /etc/openvpn/client.conf on the client:

Thu Jul 30 21:03:02 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Thu Jul 30 21:03:02 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Jul 30 21:03:02 2015 WARNING: file '/etc/openvpn/client-name.key' is group or others accessible
Thu Jul 30 21:03:02 2015 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Thu Jul 30 21:03:02 2015 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Jul 30 21:03:02 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 21:03:02 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 21:03:02 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jul 30 21:03:02 2015 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jul 30 21:03:02 2015 UDPv4 link local: [undef]
Thu Jul 30 21:03:02 2015 UDPv4 link remote: [AF_INET][my public IP here]:1194
Thu Jul 30 21:04:02 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul 30 21:04:02 2015 TLS Error: TLS handshake failed
Thu Jul 30 21:04:02 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 30 21:04:02 2015 Restart pause, 2 second(s)

Источник

Еще одна причина ошибки при коннекте к OpenVPN серверу
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). TLS Error: TLS handshake failed


Как ни стран­но, при­чи­на не свя­за­на с кон­фи­га­ми само­го OpenVPN сер­ве­ра или кли­ен­тов, а кро­ет­ся в сети, что и напи­са­но в логе.
Про­слуш­ка тра­фи­ка пока­за­ла, что нет обрат­но­го кон­нек­та от сер­ве­ра до кли­ен­та при рукопожатии:

14:01:59.465502 IP ServerIP.openvpn > ClientIP.54954: UDP, length 42

14:02:00.272635 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42

14:02:00.272889 IP ServerIP.openvpn > ClientIP.54961: UDP, length 54

14:02:03.568343 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42

14:02:03.568536 IP ServerIP.openvpn > ClientIP.54961: UDP, length 50

14:02:03.612846 IP ClientIP > ServerIP: ICMP host ClientIP unreachable — admin prohibited filter, length 36

При подроб­ном режи­ме (verbose) такая картина:

14:08:14.154062 IP (tos 0x0, ttl 64, id 21182, offset 0, flags [DF], proto UDP (17), length 70)

    ServerIP.openvpn > ClientIP.57304: [bad udp cksum 0xd2f6 —> 0xb107!] UDP, length 42

14:08:20.193700 IP (tos 0x0, ttl 122, id 29713, offset 0, flags [none], proto UDP (17), length 70)

    ClientIP.62614 > ServerIP.openvpn: [udp sum ok] UDP, length 42

14:08:20.194123 IP (tos 0x0, ttl 64, id 21620, offset 0, flags [DF], proto UDP (17), length 82)

    ServerIP.openvpn > ClientIP.62614: [bad udp cksum 0xd302 —> 0x6091!] UDP, length 54

14:08:20.238329 IP (tos 0x0, ttl 250, id 27288, offset 0, flags [none], proto ICMP (1), length 56)

    ClientIP > ServerIP: ICMP host ClientIP unreachable — admin prohibited filter, length 36

IP (tos 0x0, ttl 58, id 21620, offset 0, flags [DF], proto UDP (17), length 82)

    ServerIP.openvpn > ClientIP.62614: UDP, length 54

14:08:21.400665 IP (tos 0x0, ttl 122, id 29742, offset 0, flags [none], proto UDP (17), length 70)

    ClientIP.62614 > ServerIP.openvpn: [udp sum ok] UDP, length 42

14:08:21.400811 IP (tos 0x0, ttl 64, id 21703, offset 0, flags [DF], proto UDP (17), length 78)

    ServerIP.openvpn > ClientIP.62614: [bad udp cksum 0xd2fe —> 0x80f0!] UDP, length 50

При­чи­на кры­лась в запре­те фор­вар­да вхо­дя­щих UDP под­клю­че­ний на цис­ке роу­те­ре со сто­ро­ны кли­ен­та. При этом исхо­дя­щие рабо­та­ли, т.к. под­клю­че­ние и обще­ние до руко­по­жа­тия происходило.
Как толь­ко раз­ре­ши­ли про­хо­дить UDP тра­фик — кон­нект до OpenVPN сер­ве­ра поднялся.
Если нет воз­мож­но­сти открыть UDP тра­фик, то сто­ит перей­ти на TCP соединение.

https://github.com/midnight47/

Источник

Everything works ok on Ubuntu 16.04, but I can’t connect to my server from Windows 10, using official openvpn app. Firewall is disabled both on server and client.

———-Here is the log———-
Wed May 02 04:21:27 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 02 04:21:27 2018 TLS Error: TLS handshake failed
Wed May 02 04:21:27 2018 SIGUSR1[soft,tls-error] received, process restarting
Wed May 02 04:21:27 2018 MANAGEMENT: >STATE:1525224087,RECONNECTING,tls-error,,,,,
Wed May 02 04:21:27 2018 Restart pause, 5 second(s)
Wed May 02 04:21:32 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]95.216.140.175:1194
Wed May 02 04:21:32 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed May 02 04:21:32 2018 UDP link local: (not bound)
Wed May 02 04:21:32 2018 UDP link remote: [AF_INET]95.216.140.175:1194
Wed May 02 04:21:32 2018 MANAGEMENT: >STATE:1525224092,WAIT,,,,,,
Wed May 02 04:22:32 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 02 04:22:32 2018 TLS Error: TLS handshake failed
Wed May 02 04:22:32 2018 SIGUSR1[soft,tls-error] received, process restarting
Wed May 02 04:22:32 2018 MANAGEMENT: >STATE:1525224152,RECONNECTING,tls-error,,,,,
Wed May 02 04:22:32 2018 Restart pause, 5 second(s)
Wed May 02 04:22:37 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]95.216.140.175:1194
Wed May 02 04:22:37 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed May 02 04:22:37 2018 UDP link local: (not bound)
Wed May 02 04:22:37 2018 UDP link remote: [AF_INET]95.216.140.175:1194
Wed May 02 04:22:37 2018 MANAGEMENT: >STATE:1525224157,WAIT,,,,,,
Wed May 02 04:22:39 2018 write UDP: Unknown error (code=10051)

———-Here is my .ovpn file’s content———-
client
proto udp
remote 95.216.140.175 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_XtJrEMJvSsZ98eJT name
auth SHA256
auth-nocache
cipher AES-128-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3
script-security 2
dhcp-option DNS 213.133.100.100
dhcp-option DNS 213.133.98.98
dhcp-option DNS 213.133.99.99

Please, help to solve this problem.

Источник

Понравилась статья? Поделить с друзьями:
  • Tsig error with server tsig verify failure samba
  • Tsig error with server tsig indicates error
  • Tsgame exe ошибка приложения
  • Tsc ошибка наличия риббона
  • Tsa ошибка хонда crv