Solved: Setting Up an OpenVPN Server: TLS Errors
Posted: Mon Jun 24, 2013 7:12 am
Just installed 1.5.10 on a Netgear WNDR-3800 - truly lovely.
Works perfectly so far.
Am trying to set up the router as an Openvpn server.
I currently use 2 openvpn services (Witopia and Strongvpn) from my Kubuntu 12.04 laptops and my GNex phone,
so I am generally familiar with the client procedure but have not set up an openvpn server before.
The Gargoyle router is behind a Billion modem/voip/router at a fixed IP address.
I have set the VPN port to 27nnn and then forwarded 27nnn at the Billion gateway to the Gargoyle router.
In the OpenVPN setup, I specify:
Client Connects To Other Ip or domain
which is set to the fixed IP of the Billion router.
I have modified the downloaded .conf file to move the certificates inline.
Reason: As I have about 20 .conf files in my /etc/openvpn directory, it is best to avoid having the dir filled with .crt files etc.
When I try to connect from either the Linux box or the Android phone I get the same error in the log:
tls-auth using INLINE static key file
...
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
At first I wondered if this version of openvpn in the server did not support inline certs,
but the server version is 2.2.2 and the version in my linux box is 2.2.1, so this seems unlikely.
The format of the inline certs seems the same as for the ones I am currently using,
so I don't think I have made an error on the insertion.
Any ideas what the problem may be? Grateful for any help offered. This is my first serious use of Gargoyle and my first attempt to set up an openvpn server.
Following are my client.conf, server.conf and log files all with the cert info and addresses redacted (can't find any allowed extension to upload the files):
My .conf file
client
dev tun
proto udp
remote 59.167.nnn.nn 27nnn
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher bf-cbc
comp-lzo
verb 3
mute 20
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</tls-auth>
Server.conf
mode server
port 27nnn
proto udp
tls-server
ifconfig 10.8.0.1 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd
cipher BF-CBC
keysize 256
dev tun
keepalive 25 180
status /var/openvpn/current_status
verb 3
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0
persist-key
persist-tun
comp-lzo
push "route-gateway 10.8.0.1"
push "redirect-gateway def1"
Log file from linux laptop
Mon Jun 24 19:10:26 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Feb 27 2013
Mon Jun 24 19:10:26 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 24 19:10:26 2013 Control Channel Authentication: tls-auth using INLINE static key file
Mon Jun 24 19:10:26 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 24 19:10:26 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 24 19:10:26 2013 LZO compression initialized
Mon Jun 24 19:10:26 2013 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Jun 24 19:10:26 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
Mon Jun 24 19:10:26 2013 Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jun 24 19:10:26 2013 Local Options hash (VER=V4): '02af3434'
Mon Jun 24 19:10:26 2013 Expected Remote Options hash (VER=V4): '3f08d474'
Mon Jun 24 19:10:26 2013 UDPv4 link local: [undef]
Mon Jun 24 19:10:26 2013 UDPv4 link remote: [AF_INET]59.167.nnn.nn:27nnn
Mon Jun 24 19:11:26 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jun 24 19:11:26 2013 TLS Error: TLS handshake failed
Mon Jun 24 19:11:26 2013 TCP/UDP: Closing socket
Mon Jun 24 19:11:26 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Jun 24 19:11:26 2013 Restart pause, 2 second(s)
Mon Jun 24 19:11:28 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 24 19:11:28 2013 Re-using SSL/TLS context
Mon Jun 24 19:11:28 2013 LZO compression initialized
Mon Jun 24 19:11:28 2013 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Jun 24 19:11:28 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
Mon Jun 24 19:11:28 2013 Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jun 24 19:11:28 2013 Local Options hash (VER=V4): '02af3434'
Mon Jun 24 19:11:28 2013 Expected Remote Options hash (VER=V4): '3f08d474'
Mon Jun 24 19:11:28 2013 UDPv4 link local: [undef]
Mon Jun 24 19:11:28 2013 UDPv4 link remote: [AF_INET]59.167.nnn.nn:27nnn
Mon Jun 24 19:12:28 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jun 24 19:12:28 2013 TLS Error: TLS handshake failed
Mon Jun 24 19:12:28 2013 TCP/UDP: Closing socket
Mon Jun 24 19:12:28 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Jun 24 19:12:28 2013 Restart pause, 2 second(s)
Mon Jun 24 19:12:30 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 24 19:12:30 2013 Re-using SSL/TLS context
Mon Jun 24 19:12:30 2013 LZO compression initialized
Mon Jun 24 19:12:30 2013 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Jun 24 19:12:30 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
Mon Jun 24 19:12:30 2013 Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jun 24 19:12:30 2013 Local Options hash (VER=V4): '02af3434'
Mon Jun 24 19:12:30 2013 Expected Remote Options hash (VER=V4): '3f08d474'
Mon Jun 24 19:12:30 2013 UDPv4 link local: [undef]
Mon Jun 24 19:12:30 2013 UDPv4 link remote: [AF_INET]59.167.nnn.nn:27nnn
Mon Jun 24 19:12:59 2013 event_wait : Interrupted system call (code=4)
Mon Jun 24 19:12:59 2013 TCP/UDP: Closing socket
Mon Jun 24 19:12:59 2013 SIGTERM[hard,] received, process exiting
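Not part of the post: an added Python check, modelled on the client.conf and server.conf quoted above, for the client/server mismatches that produce exactly this symptom. With tls-auth, a packet whose HMAC does not verify (wrong key, or a key-direction that does not complement the server's) is discarded by the server without any reply, so the client sees nothing but the 60-second "TLS key negotiation failed" timeout. The two config strings are constructed copies with the same redactions as the post; the function and variable names are mine.

```python
# Constructed excerpts modelled on the post's client.conf and server.conf (values redacted as there).
CLIENT_CONF = """client
proto udp
remote 59.167.nnn.nn 27nnn
cipher bf-cbc
comp-lzo
<tls-auth>
xxx
</tls-auth>
"""
SERVER_CONF = """mode server
port 27nnn
proto udp
cipher BF-CBC
comp-lzo
tls-auth /etc/openvpn/ta.key 0
"""

def parse_conf(text):
    """Map directive -> args; an inline <tag>...</tag> block is recorded as ['INLINE']."""
    opts, inline = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if inline:  # inside an inline block: skip its body until the closing tag
            inline = None if line == "</%s>" % inline else inline
        elif line.startswith("<") and not line.startswith("</"):  # opening inline tag
            inline = line[1:-1]
            opts[inline] = ["INLINE"]
        elif line and line[0] not in "#;":
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts

def tls_auth_direction(opts):
    """'0', '1' or None (bidirectional); key-direction overrides the tls-auth argument."""
    if "key-direction" in opts:
        return opts["key-direction"][0]
    args = opts.get("tls-auth", [])
    return args[1] if len(args) > 1 else None

def check(client_text, server_text):
    """Client/server mismatches that make the server discard the handshake without replying."""
    out, c, s = [], parse_conf(client_text), parse_conf(server_text)
    for k in ("proto", "cipher", "comp-lzo"):  # compared case-insensitively (bf-cbc == BF-CBC)
        if " ".join(c.get(k, ["absent"])).lower() != " ".join(s.get(k, ["absent"])).lower():
            out.append("%s: differs between client and server" % k)
    cd, sd = tls_auth_direction(c), tls_auth_direction(s)
    if {cd, sd} not in ({None}, {"0", "1"}):  # valid pairs: both bidirectional, or 0/1
        out.append("tls-auth direction: server uses %r, client uses %r; a server with "
                   "direction 0 needs 'key-direction 1' beside the client's inline <tls-auth>" % (sd, cd))
    return out
```

Run against the two configs above it reports only the tls-auth direction finding; adding `key-direction 1` to the client makes the report empty.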