Here's what I get in the server log. Note that I am testing this from the LAN. The public interface of the router is also on the LAN while I do my testing:
Code:
Dec 2 16:35:38 copernicus daemon.err openvpn[794]: 192.168.0.200:61128 TLS Error: TLS handshake failed
Dec 2 16:35:38 copernicus daemon.notice openvpn[794]: 192.168.0.200:61128 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec 2 16:35:38 copernicus daemon.err openvpn[794]: 192.168.0.200:61189 write UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Dec 2 16:35:39 copernicus daemon.notice openvpn[794]: MULTI: multi_create_instance called
Dec 2 16:35:39 copernicus daemon.notice openvpn[794]: 192.168.0.200:61198 Re-using SSL/TLS context
Dec 2 16:35:39 copernicus daemon.notice openvpn[794]: 192.168.0.200:61198 LZO compression initialized
Dec 2 16:35:39 copernicus daemon.notice openvpn[794]: 192.168.0.200:61198 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec 2 16:35:39 copernicus daemon.notice openvpn[794]: 192.168.0.200:61198 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Dec 2 16:35:39 copernicus daemon.notice openvpn[794]: 192.168.0.200:61198 TLS: Initial packet from 192.168.0.200:61198, sid=ff8746b7 820f78f7
Dec 2 16:35:40 copernicus daemon.err openvpn[794]: 192.168.0.200:61132 write UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Dec 2 16:35:40 copernicus daemon.err openvpn[794]: 192.168.0.200:61129 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
What's up with all the UDPv4 Connection refused messages? This is in my firewall settings:
Also try re-entering your certificates. Ensure that you have included the
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Thanks guys, I've tried both these suggestions and even regenerating my certs and keys from scratch using exactly the same settings as in the tutorial, but no luck. Does anyone understand the error messages I posted? This is not quite the easy button I was expecting from the tutorial... and I work with Linux servers for a living!
Ok, I was able to get OpenVPN working on both Ubuntu and Windows Vista. Here's what I ended up doing; hopefully it saves someone else pain in the future:
When I first tried this I used the "easy-rsa" scripts included with the Windows distribution of OpenVPN. I also tried using the OpenVPN package from Dag's repository on my CentOS 5.3 box. That also failed. In the end, what worked was this:
1. Follow the "VPN (the easy way)" tutorial:
http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B
2. Make sure you use an Ubuntu package to generate the certs, just like in the tutorial. I'm not sure why, but this seemed to work for me when it didn't on CentOS or Windows Vista.
3. Now for the tricky part: something is wrong with Firefox in Ubuntu. You can't paste the certificates into the GUI using Firefox, because the server.crt will get chopped in half, causing OpenVPN not to start at all. You'll have to somehow get the certificates off your Ubuntu machine and onto a Windows desktop (this is just too sad...), then you can copy and paste them into the GUI using Internet Exploder.
Use the config from the tutorial mentioned above on your client, and it should work. At least it does for me now. Woohoo!
I have a dual-boot machine, so I booted into Ubuntu to generate the keys. Then I zipped them all up in a .tar.gz file and emailed them to myself. Next I rebooted, unzipped them, and used Notepad++ to open the files and copy them into the GUI on a Windows machine.
I didn't include any blank space at the end of the keys or certs.
Another thing that helped was setting the clock on the router to UTC. Apparently it creates a cert that, for many of us in the USA, will not be valid until several hours in the future. Alternatively, you can make your certs and just wait until they become valid.
Is this the right key being generated? I generate them under Ubuntu and I also get invisible/blank characters between the lines. Here is a screenshot of the key when viewed with Notepad++ with "display all characters" enabled.
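Several posts in this thread describe the same class of problem: a cert that got "chopped in half" on paste, invisible characters between the lines, stray blank space at the end, and BEGIN/END marker lines that are not spelled the way OpenVPN expects. The script below is an added example (it is not from the thread, the DD-WRT wiki, or OpenVPN) that checks a PEM block for exactly those defects before you paste it into the router GUI. It only inspects the PEM armor, the base64 body, and the length claimed by the outer DER SEQUENCE, which is enough to catch truncation and junk characters; it does not parse X.509 fields, so for the notBefore/notAfter question raised above you still want `openssl x509 -in server.crt -noout -dates`. The sample block it runs on is a constructed DER SEQUENCE with the right outer shape, not a real certificate.

```python
import base64
import binascii
import re
from typing import List, Optional

# Characters that survive a copy/paste but break a PEM file: UTF-8 BOM,
# zero-width spaces/joiners, non-breaking space, CR from CRLF endings, NUL.
INVISIBLE = frozenset("\ufeff\u200b\u200c\u200d\u00a0\r\x00")

BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def scrub_pem(text: str) -> str:
    """Drop invisible characters, surrounding blanks and empty lines; end with one newline."""
    kept = "".join(ch for ch in text if ch not in INVISIBLE)
    lines = [ln.strip() for ln in kept.split("\n")]
    lines = [ln for ln in lines if ln]          # blank lines inside a PEM block are never valid
    return "\n".join(lines) + "\n"


def der_total_length(der: bytes) -> Optional[int]:
    """Total size (header + contents) the outer DER SEQUENCE claims, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                            # short form: one length byte
        return 2 + first
    n = first & 0x7F                            # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text: str, label: str = "CERTIFICATE") -> List[str]:
    """Return the problems found in one PEM block; an empty list means it looks pasteable."""
    problems = []
    header, footer = f"-----BEGIN {label}-----", f"-----END {label}-----"
    lines = text.split("\n")
    if header not in lines:
        problems.append(f"missing exact header line {header}")
    if footer not in lines:
        problems.append(f"missing exact footer line {footer}")
    if problems:
        return problems
    start, end = lines.index(header), lines.index(footer)
    if end < start:
        return ["END line appears before BEGIN line"]
    body = lines[start + 1:end]
    for i, ln in enumerate(body, 1):
        if not BASE64_LINE.match(ln):
            bad = sorted({hex(ord(c)) for c in ln if not re.match(r"[A-Za-z0-9+/=]", c)})
            problems.append(f"body line {i} has non-base64 characters {bad}")
        elif len(ln) > 64:
            problems.append(f"body line {i} is {len(ln)} chars; PEM lines are at most 64")
    if problems:
        return problems
    try:
        der = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        return [f"body is not valid base64: {exc}"]
    claimed = der_total_length(der)
    if claimed is None:
        problems.append("decoded data does not start with a DER SEQUENCE")
    elif claimed > len(der):
        problems.append(f"truncated: DER claims {claimed} bytes, only {len(der)} present")
    elif claimed < len(der):
        problems.append(f"{len(der) - claimed} trailing bytes after the DER SEQUENCE")
    return problems


def make_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armor with 64-character lines, the layout openssl writes."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *body, f"-----END {label}-----"]) + "\n"


# Constructed stand-in: a 131-byte DER SEQUENCE wrapping one OCTET STRING.
# It is NOT a real X.509 certificate; it only has the outer shape the checker inspects.
SAMPLE_DER = b"\x30\x81\x80" + b"\x04\x7e" + b"A" * 0x7e

GOOD = make_pem(SAMPLE_DER)
# Middle body line dropped: what a paste that "chops the cert in half" looks like.
_lines = GOOD.rstrip("\n").split("\n")
TRUNCATED = "\n".join(_lines[:2] + _lines[3:]) + "\n"
# BOM, CRLF endings and a zero-width space before the END marker, as pasted from Windows.
PASTED = "\ufeff" + GOOD.replace("\n", "\r\n").replace("-----END", "\u200b-----END")
# Marker lines typed by hand in the wrong case.
LOWERCASE = GOOD.replace("CERTIFICATE", "Certificate")

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("truncated", TRUNCATED),
                       ("pasted", PASTED), ("pasted+scrubbed", scrub_pem(PASTED)),
                       ("lowercase markers", LOWERCASE)]:
        print(f"{name}: {check_pem(blob) or 'OK'}")
```

Run it on each block you are about to paste (server.crt, server.key with label "RSA PRIVATE KEY" or "PRIVATE KEY" depending on how it was generated, ca.crt, dh.pem with label "DH PARAMETERS") and only paste output of `scrub_pem` that `check_pem` reports clean. If the truncation check fires on a block you copied through a browser, copy it again from a plain text editor, which is what the posts above ended up doing.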
Posted: Wed Sep 21, 2011 4:36 Post subject: It's the Windows key/cert generation that is the culprit
Here we are two years later and the problem still exists. Two identical routers with the same version of DD-WRT, and the first one went fine. But the second one I couldn't get to work no matter how many times I tried to recreate the certs on Windows. Then I tried creating them on Ubuntu as suggested, and it worked like a charm.