Topic: OpenVPN Connection Error - TLS Error: TLS handshake failed

c4rdinal

OpenVPN Connection Error - TLS Error: TLS handshake failed
« on: September 12, 2012, 04:25:17 am »
Hi,

I'm trying to configure OpenVPN using Zentyal 2.2 with Remote VPN Client for the first time following the Zentyal 2.2 Official Document.

I have 3 NIC cards. Gateways are set for Load-balancing/fail-over.

eth0 = WAN1 [PUBLIC STATIC IP ADD]
eth1 = WAN2 [PUBLIC DHCP]
eth2 = LAN

Config Details are as follows:

Zentyal Server:
Server Port: UDP 1194
VPN Address: 192.168.160.0/24
Server Certificate: vpn-companyxyz
Client Authorization by common name: disabled
NAT: Checked
Allow client-to-client connection: checked
Interface to listen on: All network Interfaces

I created an Advertised network: 192.168.x.x (my LAN)

Firewall:
Zentyal is facing the Internet and functioning as Gateway/Firewall.
- created a Service for OpenVPN on 1194
- created a Packet filter for EXTERNAL NETWORKS TO ZENTYAL to ACCEPT OpenVPN Service to allow ANY Network
- created a Packet filter for EXTERNAL NETWORKS TO INTERNET to ACCEPT OpenVPN Server to the Internal Network from ANY Network

CLIENT PC
- Then downloaded the client bundle and installed it on my laptop for connection to the Remote Zentyal Server. My laptop is configured with a PUBLIC IP Address. And firewall is currently OFF in Windows 7.
- Put ALL the openvpn bundle to C:\Program Files (x86)\OpenVPN\config


However, I still have this error connecting to the OpenVPN Network.

Wed Sep 12 10:01:54 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Sep 12 10:02:10 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Sep 12 10:02:40 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Sep 12 10:02:40 2012 TLS Error: TLS handshake failed
Wed Sep 12 10:02:40 2012 TCP/UDP: Closing socket
Wed Sep 12 10:02:40 2012 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 12 10:02:40 2012 Restart pause, 2 second(s)
Wed Sep 12 10:02:42 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Wed Sep 12 10:02:42 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Sep 12 10:02:42 2012 Re-using SSL/TLS context
Wed Sep 12 10:02:42 2012 LZO compression initialized
Wed Sep 12 10:02:42 2012 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Sep 12 10:02:42 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Sep 12 10:02:42 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Sep 12 10:02:42 2012 Local Options hash (VER=V4): 'd79ca330'
Wed Sep 12 10:02:42 2012 Expected Remote Options hash (VER=V4): 'f7df56b8'
Wed Sep 12 10:02:42 2012 UDPv4 link local: [undef]
Wed Sep 12 10:02:42 2012 UDPv4 link remote: 115.84.xxx.x:1194

Googling for the error suggests a firewall error. However, I already provided the proper firewall policy to allow OpenVPN. I even created a PORT FORWARDING rule to forward requests from PORT 1194 to the Zentyal Server but to no avail.

Hope you can shed light on this.

Appreciate any help.

Thanks in advance.
« Last Edit: September 12, 2012, 01:13:42 pm by c4rdinal »

browley

Re: OpenVPN Connection Error - TLS Error: TLS handshake failed
« Reply #1 on: September 12, 2012, 02:57:28 pm »
I had this problem too.  My first recommendation would be to kick up the debug level on both sides; it should give you a better idea of what is going wrong.  That said, one of the confusing things about OpenVPN is that they have 2 Windows clients: the "paid" and the "free" client and the TLS hashing method is different for each client.  Check out my post, https://forums.openvpn.net/topic10821.html, at the OpenVPN forums.  Hope that helps.

c4rdinal

Re: OpenVPN Connection Error - TLS Error: TLS handshake failed
« Reply #2 on: September 13, 2012, 02:25:10 am »
> I had this problem too.  My first recommendation would be to kick up the debug level on both sides; it should give you a better idea of what is going wrong.  That said, one of the confusing things about OpenVPN is that they have 2 Windows clients: the "paid" and the "free" client and the TLS hashing method is different for each client.  Check out my post, https://forums.openvpn.net/topic10821.html, at the OpenVPN forums.  Hope that helps.

Thank you for taking time to answer. I upgraded the OpenVPN Client from 2.2.0 to 2.2.2, the problem suddenly went away!

However, I cannot browse any Windows network shares but can ping them. Also, I got disconnected automatically after a few minutes. :(

Any clue on how to resolve?
« Last Edit: September 13, 2012, 03:06:46 am by c4rdinal »

browley

Re: OpenVPN Connection Error - TLS Error: TLS handshake failed
« Reply #3 on: September 13, 2012, 05:28:00 pm »
Seriously, bump up the verbosity of the logs.  Put verb 6 in both your client and server config.  6 is good for debugging.  9 is overkill but can be useful.  Basically, connect and throw a tail -f on the server side log and connect via Windows.  Wait till it disconnects on the client side then look at the log immediately.  See if server/client report errors.  Then google or post in the OpenVPN forums.  Not trying to be brash with that suggestion, but let's put it this way: they answered my questions within 2 days after I spent almost a week doing google work trying to fix it myself.  Good luck.
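
An added example, not part of any post in this thread: a small Python triage pass over an OpenVPN client log that splits it into connection attempts at each soft restart and counts the failure signatures seen in each. The rule names and hint texts are this example's own wording, and the second session in the sample is constructed to cover the "disconnected after a few minutes" case.

```python
import re
from collections import Counter
from datetime import datetime

STAMP = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (.*)$")
RESTART = re.compile(r"SIGUSR1\[soft,([\w-]+)\] received")
# tag -> (pattern, what to check next); tags and hints are this example's own
RULES = {
    # On Windows a UDP read fails with 10054 after an ICMP port-unreachable reply
    "udp-reset": (re.compile(r"WSAECONNRESET"),
                  "nothing answered on that UDP port: check listener and firewall rule"),
    "tls-timeout": (re.compile(r"TLS key negotiation failed"),
                    "no handshake reply: compare with the server log at verb 6"),
    "ping-restart": (re.compile(r"Inactivity timeout \(--ping-restart\)"),
                     "tunnel went silent after connecting: check the return path"),
}

def parse(log):
    """Yield (timestamp, message) for every line with an OpenVPN timestamp."""
    for line in log.splitlines():
        m = STAMP.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)

def triage(log):
    """Return one dict per attempt; an attempt ends at a soft restart."""
    attempts, tags, start = [], Counter(), None
    for ts, msg in parse(log):
        start = start or ts
        for tag, (pattern, _hint) in RULES.items():
            if pattern.search(msg):
                tags[tag] += 1
        m = RESTART.search(msg)
        if m:
            attempts.append({"reason": m.group(1), "tags": dict(tags),
                             "seconds": int((ts - start).total_seconds())})
            tags, start = Counter(), None
    return attempts

# First session: lines from the log posted above. Second session: constructed.
SAMPLE = """\
Wed Sep 12 10:01:54 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Sep 12 10:02:10 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Sep 12 10:02:40 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Sep 12 10:02:40 2012 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 13 09:00:00 2012 Initialization Sequence Completed
Thu Sep 13 09:04:00 2012 [server] Inactivity timeout (--ping-restart), restarting
Thu Sep 13 09:04:00 2012 SIGUSR1[soft,ping-restart] received, process restarting
"""

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["reason"], a["seconds"], "s", a["tags"])
        for tag in a["tags"]:
            print("   ->", RULES[tag][1])
```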

c4rdinal

Re: OpenVPN Connection Error - TLS Error: TLS handshake failed
« Reply #4 on: September 14, 2012, 05:35:44 am »
Hi,

The procedure above is complete and working. Just make sure you use Openvpnclient-2.2.2.

Network mapping is also possible.

Thanks for all your help.

Enjoy!