Posted: Sun Apr 16, 2017 10:27 Post subject: [solved] OpenVPN: udp -> tls handshake failed / tcp ->
Hi,
for two days I have been trying to set up an OpenVPN connection.
When I am using udp as the protocol, the error message is: TLS Error: TLS handshake failed
Code:
$ sudo openvpn --config /etc/openvpn/client/client.conf
Sun Apr 16 11:31:58 2017 OpenVPN 2.4.1 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2017
Sun Apr 16 11:31:58 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Enter Private Key Password: ************************
Sun Apr 16 11:32:08 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Apr 16 11:32:09 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]94.114.160.3:1194
Sun Apr 16 11:32:09 2017 UDP link local: (not bound)
Sun Apr 16 11:32:09 2017 UDP link remote: [AF_INET]94.114.160.3:1194
Sun Apr 16 11:33:09 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Apr 16 11:33:09 2017 TLS Error: TLS handshake failed
Sun Apr 16 11:33:09 2017 SIGUSR1[soft,tls-error] received, process restarting
and in the case of tcp: Connection reset, restarting [0]
Code:
sudo openvpn --config /etc/openvpn/client/client.conf
Sun Apr 16 11:53:22 2017 OpenVPN 2.4.1 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2017
Sun Apr 16 11:53:22 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Enter Private Key Password: ************************
Sun Apr 16 11:53:34 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Apr 16 11:53:35 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]94.114.160.3:1194
Sun Apr 16 11:53:35 2017 Attempting to establish TCP connection with [AF_INET]94.114.160.3:1194 [nonblock]
Sun Apr 16 11:53:36 2017 TCP connection established with [AF_INET]94.114.160.3:1194
Sun Apr 16 11:53:36 2017 TCP_CLIENT link local: (not bound)
Sun Apr 16 11:53:36 2017 TCP_CLIENT link remote: [AF_INET]94.114.160.3:1194
Sun Apr 16 11:53:44 2017 Connection reset, restarting [0]
Sun Apr 16 11:53:44 2017 SIGUSR1[soft,connection-reset] received, process restarting
Sun Apr 16 11:53:49 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]94.114.160.3:1194
It makes no difference if the SPI firewall is enabled or disabled.
OpenVPN config file on the client:
Code:
remote <MY-DNS-IP> 1194
client
remote-cert-tls server
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client_LenovoX201.crt
key /etc/openvpn/client_LenovoX201.key
Config file on the dd-wrt router:
Code:
push "route 10.0.0.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
proto tcp
port 1194
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
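The two client runs quoted above carry different failure signatures: under UDP the client never hears back at all (TLS negotiation times out after 60 seconds), while under TCP the port is reachable and the connection is accepted, then closed by the peer. The following Python script, an added example that is not part of the forum post, reads client log lines and returns which of the two situations it sees. The sample lines are constructed to mirror the post's logs; the verdict strings and hints are this example's own wording, not OpenVPN output.

```python
"""Classify OpenVPN client log excerpts by failure signature.

Added example, not from the forum thread. The regexes match message
fragments that appear verbatim in the OpenVPN client output quoted above.
"""
import re
from typing import Dict, List

# Message fragments taken from the client runs quoted in the post.
TLS_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
TCP_ESTABLISHED = re.compile(r"TCP connection established with \[AF_INET\]([\d.]+:\d+)")
CONN_RESET = re.compile(r"Connection reset, restarting \[(\d+)\]")
RESTART = re.compile(r"SIGUSR1\[soft,([a-z-]+)\] received")


def classify(lines: List[str]) -> Dict[str, object]:
    """Return a verdict, the evidence lines that produced it and a hint.

    Verdicts (names chosen for this example):
      server-dropped-session  TCP port answered, then the peer closed it
      no-server-reply         no handshake reply within the TLS timeout
      inconclusive            none of the known signatures found
    """
    evidence: List[str] = []
    restarts: List[str] = []
    tcp_open = False
    reset = False
    timeout = None
    for line in lines:
        if m := TLS_TIMEOUT.search(line):
            timeout = int(m.group(1))
            evidence.append(f"no TLS reply within {timeout}s")
        elif m := TCP_ESTABLISHED.search(line):
            tcp_open = True
            evidence.append(f"TCP port reachable at {m.group(1)}")
        elif CONN_RESET.search(line):
            reset = True
            evidence.append("peer closed the connection")
        elif m := RESTART.search(line):
            # Reason tag OpenVPN attaches to the soft restart.
            restarts.append(m.group(1))

    if tcp_open and reset:
        verdict = "server-dropped-session"
        hint = ("The port answers but the server side closes the session before "
                "TLS completes: check that the server process is running and "
                "stays up (ps | grep openvpn, /var/log/messages on the router).")
    elif timeout is not None and not tcp_open:
        verdict = "no-server-reply"
        hint = ("No handshake reply at all: confirm proto and port match on both "
                "ends and that the server is listening; over UDP a server that is "
                "not running looks identical to a blocked port.")
    else:
        verdict = "inconclusive"
        hint = "No known failure signature in these lines."
    return {"verdict": verdict, "evidence": evidence, "restarts": restarts, "hint": hint}


# Constructed sample input modelled on the two runs quoted in the post.
UDP_RUN = [
    "Sun Apr 16 11:32:09 2017 UDP link remote: [AF_INET]94.114.160.3:1194",
    "Sun Apr 16 11:33:09 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Sun Apr 16 11:33:09 2017 TLS Error: TLS handshake failed",
    "Sun Apr 16 11:33:09 2017 SIGUSR1[soft,tls-error] received, process restarting",
]
TCP_RUN = [
    "Sun Apr 16 11:53:36 2017 TCP connection established with [AF_INET]94.114.160.3:1194",
    "Sun Apr 16 11:53:36 2017 TCP_CLIENT link remote: [AF_INET]94.114.160.3:1194",
    "Sun Apr 16 11:53:44 2017 Connection reset, restarting [0]",
    "Sun Apr 16 11:53:44 2017 SIGUSR1[soft,connection-reset] received, process restarting",
]

if __name__ == "__main__":
    for name, run in (("udp", UDP_RUN), ("tcp", TCP_RUN)):
        result = classify(run)
        print(f"{name}: {result['verdict']} ({'; '.join(result['evidence'])})")
        print(f"  hint: {result['hint']}")
```

Feed it `openvpn --verb 3` client output (or the excerpt pasted into a ticket); the TCP verdict is the more informative one, because an accepted-then-reset connection rules out the firewall and points at the server process itself.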
You are using two different OpenVPN versions (2.1 and 2.4).
IPv4 and IPv6 are split in the configuration file from 2.3:
Old: proto udp
New: proto udp4
dd-wrt build 31825 contains OpenVPN version 2.4.0
I have a Linksys wrtgl54 Router.
When I look this one up in the dd-wrt database it tells me:
Supported by v24 preSP2 [Beta] Build 13064. The file offered on this webpage which includes "VPN Generic" is dated 2009-10-10.
And when I check on the top-right in my dd-WRT Webgui it says:
Firmware: DD-WRT v24-sp2 (10/10/09) vpn
==> I assume I have the most up-to-date version I can get for this router (correct?)
... based on the assumption that I cannot update OpenVPN on the dd-WRT router, I tried the following:
in the config file on the client, I changed "proto tcp" to "proto tcp4" ... but this didn't change anything.
Next I also changed the OpenVPN config on the dd-wrt router to tcp4 and the Administration->Commands->Save firewall to tcp4 ... still no improvement. I could also see that in this case "ps | grep openvpn" on the dd-wrt didn't return anything. So I changed it back to tcp on the router (while keeping tcp4 on the client).
okay, I updated the dd-wrt firmware successfully. Now it says:
Firmware: DD-WRT v3.0-r31825 vpn (04/06/17).
Also, I changed everything back to tcp only (in the config files and in the firewall command I now have only tcp, not tcp4). But the problem is still there. Same when I use udp.
But there is now one point that is different from my old firmware. I can now choose between Config as "Server" or "Daemon". First I tried it with "Daemon" and put my previous config settings in the Additional Config box.
I also tried it with "Server" and got more fields to fill out. Here I was a bit lost and chose 10.0.0.0 for the Network (which is the target network I want to connect to).
Anyhow, nothing worked. But in /var/log/messages I now have (new):
Code:
Apr 16 19:02:42 DD-WRT (Host) daemon.notice openvpn[1644]: Diffie-Hellman initialized with 2048 bit key
Apr 16 19:02:42 DD-WRT (Host) daemon.err openvpn[1644]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected ke
Apr 16 19:02:42 DD-WRT (Host) daemon.notice openvpn[1644]: Exiting due to fatal error
... once again a full day spent on this without success ... well ... btw ... when should I use "Config as Server", and when "Config as Daemon"???
==> all three commands are automatically asking me for a password.
I assume now your point is not to use a password for the key/certificate which goes to the ddwrtRouter. For this I figured out the following:
Code:
#easyrsa gen-req ddwrtRouter nopass
But so far I couldn't test if this solves the issue, because with the update to the new dd-WRT firmware I now have a changed WebGui interface for the OpenVPN settings. Since this is a new problem, I opened another thread http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1075519#1075519.
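The /var/log/messages excerpt in the earlier post shows the root cause of the TCP "Connection reset": the router's OpenVPN runs as a daemon with no tty, so a passphrase-protected server key makes it exit with a fatal error right after accepting the connection. A key file can be checked for this before it is ever copied to the router. The Python script below is an added example, not code from the thread or from OpenVPN/easy-rsa: it recognises the two PEM encodings of an encrypted private key (the traditional `Proc-Type: 4,ENCRYPTED` header and the PKCS#8 `ENCRYPTED PRIVATE KEY` block) and flags a server config whose `key` points at such a file without an `askpass` directive. The PEM bodies are constructed dummy data, not real keys, and `files` stands in for reading the paths from disk so the script runs offline.

```python
"""Preflight check: will this OpenVPN server config need a passphrase at start?

Added example, not from the forum thread. It inspects the PEM headers only and
does not parse or decrypt the key material.
"""
import re
from typing import Dict, List

# Traditional (PKCS#1) OpenSSL format marks encryption with a header line.
LEGACY_ENCRYPTED = re.compile(r"^Proc-Type: 4,ENCRYPTED", re.MULTILINE)
# PKCS#8 encrypted keys use a distinct block label instead.
PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
KEY_BEGIN = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def key_needs_passphrase(pem_text: str) -> bool:
    """True if the PEM private key is passphrase-protected."""
    if KEY_BEGIN.search(pem_text) is None:
        raise ValueError("not a PEM private key")
    return PKCS8_ENCRYPTED in pem_text or LEGACY_ENCRYPTED.search(pem_text) is not None


def check_server_config(config_text: str, files: Dict[str, str]) -> List[str]:
    """Return a list of problems; empty means the daemon can start unattended.

    `files` maps the paths named in the config to their contents (a stand-in
    for reading the router's filesystem in this example).
    """
    key_path = None
    askpass = False
    for raw in config_text.splitlines():
        # OpenVPN treats '#' and ';' as comment introducers.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "key" and len(parts) > 1:
            key_path = parts[1]
        elif parts[0] == "askpass":
            askpass = True

    problems: List[str] = []
    if key_path is None:
        problems.append("config has no 'key' directive")
        return problems
    pem = files.get(key_path)
    if pem is None:
        problems.append(f"key file {key_path} not found")
        return problems
    if key_needs_passphrase(pem) and not askpass:
        problems.append(
            f"{key_path} is passphrase-protected and no 'askpass' is set: a "
            "daemon without a tty cannot prompt and will exit; regenerate the "
            "key without a passphrase (easy-rsa 'nopass') or add 'askpass <file>'."
        )
    return problems


# Constructed sample data: the dummy base64 payload is not a real key.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = """-----BEGIN PRIVATE KEY-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END PRIVATE KEY-----
"""
# Mirrors the router config quoted in the thread.
SERVER_CONF = """push "route 10.0.0.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
proto tcp
port 1194
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
"""

if __name__ == "__main__":
    for label, key in (("encrypted", ENCRYPTED_KEY), ("plain", PLAIN_KEY)):
        found = check_server_config(SERVER_CONF, {"/tmp/openvpn/key.pem": key})
        print(f"{label} key: {found or 'ok'}")
```

On a real host, replace the `files` dictionary with the actual file contents; the check is deliberately header-only so it can run on the workstation before the key leaves it, and it never needs the passphrase itself.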