Solved: Setting Up an OpenVPN Server: TLS Errors

alienheartbeat
Posts: 22
Joined: Fri Feb 15, 2013 6:59 am
Location: Hong Kong

Solved: Setting Up an OpenVPN Server: TLS Errors

Post by alienheartbeat »

Just installed 1.5.10 on a Netgear WNDR-3800 - truly lovely.
Works perfectly so far.

Am trying to set up the router as an OpenVPN server.
I currently use 2 openvpn services (Witopia and Strongvpn) from my Kubuntu 12.04 laptops and my GNex phone,
so I am generally familiar with the client procedure but have not set up an openvpn server before.

The Gargoyle router is behind a Billion modem/voip/router at a fixed IP address.
I have set the VPN port to 27nnn and then forwarded 27nnn at the Billion gateway to the Gargoyle router.

In the OpenVPN setup, I specify:

```
Client Connects To    Other Ip or domain
```

which is set to the fixed IP of the Billion router.

I have modified the downloaded .conf file to move the certificates inline.
Reason: As I have about 20 .conf files in my /etc/openvpn directory, it is best to avoid having the dir filled with .crt files etc.

When I try to connect from either the Linux box or the Android phone I get the same error in the log:

```
tls-auth using INLINE static key file
...
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
```

At first I wondered if this version of openvpn in the server did not support inline certs,
but the server version is 2.2.2 and the version in my linux box is 2.2.1, so this seems unlikely.

The format of the inline certs seems the same as for the ones I am currently using,
so I don't think I have made an error on the insertion.

Any ideas what the problem may be? Grateful for any help offered. This is my first serious use of Gargoyle and my first attempt to set up an openvpn server.

Following are my client.conf, server.conf and log files, all with the cert info and addresses redacted (can't find any allowed extension to upload the files):

My .conf file

```
client
dev tun
proto udp
remote 59.167.nnn.nn 27nnn
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher bf-cbc
comp-lzo
verb 3
mute 20
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</tls-auth>
```

Server.conf

```
mode                  server
port                  27nnn
proto                 udp
tls-server
ifconfig              10.8.0.1 255.255.255.0
topology              subnet
client-config-dir     /etc/openvpn/ccd
cipher                BF-CBC
keysize               256
dev                   tun
keepalive             25 180
status                /var/openvpn/current_status
verb                  3
dh                    /etc/openvpn/dh1024.pem
ca                    /etc/openvpn/ca.crt
cert                  /etc/openvpn/server.crt
key                   /etc/openvpn/server.key
tls-auth              /etc/openvpn/ta.key 0
persist-key
persist-tun
comp-lzo
push "route-gateway 10.8.0.1"
push "redirect-gateway def1"
```

Log file from Linux laptop

```
Mon Jun 24 19:10:26 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Feb 27 2013
Mon Jun 24 19:10:26 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 24 19:10:26 2013 Control Channel Authentication: tls-auth using INLINE static key file
Mon Jun 24 19:10:26 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 24 19:10:26 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 24 19:10:26 2013 LZO compression initialized
Mon Jun 24 19:10:26 2013 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Jun 24 19:10:26 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
Mon Jun 24 19:10:26 2013 Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jun 24 19:10:26 2013 Local Options hash (VER=V4): '02af3434'
Mon Jun 24 19:10:26 2013 Expected Remote Options hash (VER=V4): '3f08d474'
Mon Jun 24 19:10:26 2013 UDPv4 link local: [undef]
Mon Jun 24 19:10:26 2013 UDPv4 link remote: [AF_INET]59.167.nnn.nn:27nnn
Mon Jun 24 19:11:26 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jun 24 19:11:26 2013 TLS Error: TLS handshake failed
Mon Jun 24 19:11:26 2013 TCP/UDP: Closing socket
Mon Jun 24 19:11:26 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Jun 24 19:11:26 2013 Restart pause, 2 second(s)
Mon Jun 24 19:11:28 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 24 19:11:28 2013 Re-using SSL/TLS context
Mon Jun 24 19:11:28 2013 LZO compression initialized
Mon Jun 24 19:11:28 2013 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Jun 24 19:11:28 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
Mon Jun 24 19:11:28 2013 Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jun 24 19:11:28 2013 Local Options hash (VER=V4): '02af3434'
Mon Jun 24 19:11:28 2013 Expected Remote Options hash (VER=V4): '3f08d474'
Mon Jun 24 19:11:28 2013 UDPv4 link local: [undef]
Mon Jun 24 19:11:28 2013 UDPv4 link remote: [AF_INET]59.167.nnn.nn:27nnn
Mon Jun 24 19:12:28 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jun 24 19:12:28 2013 TLS Error: TLS handshake failed
Mon Jun 24 19:12:28 2013 TCP/UDP: Closing socket
Mon Jun 24 19:12:28 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Jun 24 19:12:28 2013 Restart pause, 2 second(s)
Mon Jun 24 19:12:30 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 24 19:12:30 2013 Re-using SSL/TLS context
Mon Jun 24 19:12:30 2013 LZO compression initialized
Mon Jun 24 19:12:30 2013 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Jun 24 19:12:30 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
Mon Jun 24 19:12:30 2013 Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jun 24 19:12:30 2013 Local Options hash (VER=V4): '02af3434'
Mon Jun 24 19:12:30 2013 Expected Remote Options hash (VER=V4): '3f08d474'
Mon Jun 24 19:12:30 2013 UDPv4 link local: [undef]
Mon Jun 24 19:12:30 2013 UDPv4 link remote: [AF_INET]59.167.nnn.nn:27nnn
Mon Jun 24 19:12:59 2013 event_wait : Interrupted system call (code=4)
Mon Jun 24 19:12:59 2013 TCP/UDP: Closing socket
Mon Jun 24 19:12:59 2013 SIGTERM[hard,] received, process exiting
```
Last edited by alienheartbeat on Tue Jun 25, 2013 3:50 am, edited 1 time in total.
http://alien-heartbeat.com


Solved: Setting Up an OpenVPN Server: TLS Errors

Post by alienheartbeat »

Solution:

While all other certificates can be put inline with no issues, the TLS cert (ta.key) may need a direction parameter.

The original .conf file contained:

```
tls-auth        ta.key 1
```

So the new .conf file, with the TLS key inline, needs an added 'parameter':

```
key-direction 1
```

which replaces the "1" after the ta.key above.

By way of background, this is needed if TLS authentication is directional.

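The following is an added example, not code from either post, Gargoyle or OpenVPN. It does in code what the first post did by hand (moving the ca/cert/key/tls-auth files of a client .conf inline) and carries the `tls-auth ta.key 1` direction over as the `key-direction 1` line the second post arrived at. It also models why the original inline config failed: the server runs `tls-auth ta.key 0`, an inline key with no `key-direction` puts the client in bidirectional mode (slot 0 of the static key for both directions), while a direction-0 server verifies incoming control packets with slot 1; packets that fail the tls-auth HMAC are dropped silently, which the client reports as the 60-second "TLS key negotiation failed" timeout. The config text, PEM bodies, static key bytes and the "control packet" are constructed samples, and only the key selection is modelled, not OpenVPN's real packet framing.

```python
"""Added example (not the poster's or OpenVPN's code): inline an OpenVPN
client config's file-based ca/cert/key/tls-auth directives, keep the tls-auth
direction as `key-direction`, and show why dropping it fails the HMAC check."""
import hashlib
import hmac
import re

# "OpenVPN Static key V1" file: 256 bytes of hex = two slots of (64-byte
# cipher key + 64-byte HMAC key). tls-auth defaults to HMAC-SHA1 and uses the
# first 20 bytes of a slot's HMAC key.
KEY_SLOT, HMAC_KEY_OFFSET, SHA1_KEY_LEN = 128, 64, 20
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")


def inline_config(conf_text, files):
    """Rewrite `ca/cert/key/tls-auth <file> [dir]` lines as <tag> blocks.
    `files` maps file name to contents (constructed strings here). A tls-auth
    direction cannot go inside the block, so it becomes `key-direction`."""
    out = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in FILE_DIRECTIVES:
            out.append(line)
            continue
        directive, path = parts[0], parts[1]
        if directive == "tls-auth" and len(parts) == 3:
            out.append("key-direction %s" % parts[2])
        out.append("<%s>" % directive)
        out.append(files[path].strip())
        out.append("</%s>" % directive)
    return "\n".join(out) + "\n"


def parse_static_key(text):
    """Return the 256 raw key bytes from a static key file's text."""
    m = re.search(r"-----BEGIN OpenVPN Static key V1-----(.*?)"
                  r"-----END OpenVPN Static key V1-----", text, re.S)
    if m is None:
        raise ValueError("no OpenVPN Static key V1 block found")
    raw = bytes.fromhex("".join(m.group(1).split()))
    if len(raw) != 2 * KEY_SLOT:
        raise ValueError("expected 256-byte static key, got %d" % len(raw))
    return raw


def hmac_keys(raw, direction):
    """(outgoing, incoming) HMAC keys, as OpenVPN's key_direction_state_init():
    None = bidirectional, slot 0 both ways; 0 = sign with slot 0, verify with
    slot 1; 1 = the inverse. So a server on 0 accepts only a client on 1."""
    def slot(i):
        start = i * KEY_SLOT + HMAC_KEY_OFFSET
        return raw[start:start + SHA1_KEY_LEN]
    if direction is None:
        return slot(0), slot(0)
    if direction == 0:
        return slot(0), slot(1)
    if direction == 1:
        return slot(1), slot(0)
    raise ValueError("key-direction must be 0, 1 or absent")


def server_accepts(raw, client_direction, server_direction, packet):
    """Would the server's tls-auth HMAC check pass on a client control packet?
    Only key selection is modelled (real tls-auth also covers a packet id and
    OpenVPN's framing); a failure is a silent drop, hence the 60 s timeout."""
    client_out, _ = hmac_keys(raw, client_direction)
    _, server_in = hmac_keys(raw, server_direction)
    sent = hmac.new(client_out, packet, hashlib.sha1).digest()
    expected = hmac.new(server_in, packet, hashlib.sha1).digest()
    return hmac.compare_digest(sent, expected)


# Constructed samples: placeholder host, dummy PEM bodies, deterministic key.
SAMPLE_CONF = """client
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
"""
_HEX = bytes(range(256)).hex()
SAMPLE_TA = ("-----BEGIN OpenVPN Static key V1-----\n"
             + "\n".join(_HEX[i:i + 32] for i in range(0, 512, 32))
             + "\n-----END OpenVPN Static key V1-----\n")
_PEM = "-----BEGIN %s-----\nxxx\n-----END %s-----\n"
SAMPLE_FILES = {
    "ca.crt": _PEM % ("CERTIFICATE", "CERTIFICATE"),
    "client.crt": _PEM % ("CERTIFICATE", "CERTIFICATE"),
    "client.key": _PEM % ("PRIVATE KEY", "PRIVATE KEY"),
    "ta.key": SAMPLE_TA,
}

if __name__ == "__main__":
    print(inline_config(SAMPLE_CONF, SAMPLE_FILES))
    raw = parse_static_key(SAMPLE_TA)
    pkt = b"constructed control packet"
    print("no key-direction vs server 0:", server_accepts(raw, None, 0, pkt))
    print("key-direction 1 vs server 0:", server_accepts(raw, 1, 0, pkt))
```

Run it and the first print shows the inlined config with `key-direction 1` placed before the `<tls-auth>` block; the two checks at the end come out False (key inline, no direction, as in the first post) and True (with `key-direction 1`, as in the fix). The same function also shows the other common mistake, both ends set to the same direction, failing in the same silent way.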