Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: c4rdinal on September 12, 2012, 04:25:17 am

Title: OpenVPN Connection Error - TLS Error: TLS handshake failed
Post by: c4rdinal on September 12, 2012, 04:25:17 am
Hi,

I'm trying to configure OpenVPN using Zentyal 2.2 with Remote VPN Client for the first time following the Zentyal 2.2 Official Document.

I have 3 NIC cards. Gateway are set for Load-balancing/fail-over.

eth0 = WAN1 [PUBLIC STATIC IP ADD]
eth1 = WAN2 [PUBLIC DHCP]
eth2 = LAN

Config Details are as follows:

Zentyal Server:
Server Port: UDP 1194
VPN Address: 192.168.160.0/24
Server Certificate: vpn-companyxyz
Client Authorization by common name: disabled
NAT: Checked
Allow client-to-client connection: checked
Interface to listen on: All network Interfaces

I created an Advertised network: 192.168.x.x (my LAN)

Firewall:
Zentyal is facing the Internet and functioning as Gateway/Firewall.
- created a Service for OpenVPN on 1194
- created a Packet filter for EXTERNAL NETWORKS TO ZENTYAL to ACCEPT OpenVPN Service to allow ANY Network
- created a Packet filter for EXTERNAL NETWORKS TO INTERNET to ACCEPT OpenVPN Server to the Internal Network from ANY Network

CLIENT PC
- Then downloaded the client bundle and installed it on my Laptop, and connected to the Remote Zentyal Server. My laptop is configured with a PUBLIC IP Address. And firewall is currently OFF in Windows 7.
- Put ALL the openvpn bundle to C:\Program Files (x86)\OpenVPN\config


However, I still have this error connecting to the OpenVPN Network.

Wed Sep 12 10:01:54 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Sep 12 10:02:10 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Sep 12 10:02:40 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Sep 12 10:02:40 2012 TLS Error: TLS handshake failed
Wed Sep 12 10:02:40 2012 TCP/UDP: Closing socket
Wed Sep 12 10:02:40 2012 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 12 10:02:40 2012 Restart pause, 2 second(s)
Wed Sep 12 10:02:42 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Wed Sep 12 10:02:42 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Sep 12 10:02:42 2012 Re-using SSL/TLS context
Wed Sep 12 10:02:42 2012 LZO compression initialized
Wed Sep 12 10:02:42 2012 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Sep 12 10:02:42 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Sep 12 10:02:42 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Sep 12 10:02:42 2012 Local Options hash (VER=V4): 'd79ca330'
Wed Sep 12 10:02:42 2012 Expected Remote Options hash (VER=V4): 'f7df56b8'
Wed Sep 12 10:02:42 2012 UDPv4 link local: [undef]
Wed Sep 12 10:02:42 2012 UDPv4 link remote: 115.84.xxx.x:1194

Googling for the error suggests a firewall error. However, I already provided the proper firewall policy to allow OpenVPN. I even created a PORT FORWARDING rule to forward request from PORT 1194 to the Zentyal Server but of no avail.

Hope you can shed light on this.

Appreciate any help.

Thanks in advance.
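A small triage script for client logs like the one quoted above, added here as an example and not part of the thread or of Zentyal/OpenVPN. It parses the OpenVPN client timestamp format, classifies the lines that matter for a stalled handshake, and returns a verdict; the sample log is the quoted lines (abridged) and the verdict names are my own labels.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the client-side lines quoted in the first post (abridged).
SAMPLE_LOG = """\
Wed Sep 12 10:01:54 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Sep 12 10:02:10 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Sep 12 10:02:40 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Sep 12 10:02:40 2012 TLS Error: TLS handshake failed
Wed Sep 12 10:02:40 2012 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 12 10:02:42 2012 UDPv4 link remote: 115.84.xxx.x:1194
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<msg>.*)$")

# Ordered patterns; the first match decides the event kind.
CLASSIFIERS = [
    ("peer_reset", re.compile(r"Connection reset by peer \(WSAECONNRESET\)")),
    ("tls_timeout", re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")),
    ("tls_failed", re.compile(r"TLS handshake failed")),
    ("restart", re.compile(r"SIGUSR1\[soft,tls-error\]")),
    ("remote", re.compile(r"UDPv4 link remote: (\S+)")),
]

def parse_line(line):
    """Return {'ts', 'kind', 'detail'} for one log line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    for kind, pat in CLASSIFIERS:
        hit = pat.search(m.group("msg"))
        if hit:
            detail = hit.group(1) if hit.groups() else None
            return {"ts": ts, "kind": kind, "detail": detail}
    return {"ts": ts, "kind": "other", "detail": None}

def triage(log_text):
    """Summarise a client log: event counts, remote endpoint(s) and a verdict."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    counts = Counter(e["kind"] for e in events)
    remotes = sorted({e["detail"] for e in events if e["kind"] == "remote"})
    if counts["peer_reset"] and counts["tls_timeout"]:
        # On a Windows UDP socket WSAECONNRESET means an ICMP port-unreachable came
        # back: the server host answered, but nothing accepted the datagram on that
        # port, so no TLS reply ever arrived. Check listen interface, firewall, port.
        verdict = "no_listener_or_filtered"
    elif counts["tls_timeout"]:
        verdict = "silent_timeout"   # packets dropped somewhere, or wrong address
    elif counts["tls_failed"]:
        verdict = "tls_rejected"     # answered but rejected: cert/client mismatch
    else:
        verdict = "ok"
    return {"counts": dict(counts), "remotes": remotes, "verdict": verdict}
```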
Title: Re: OpenVPN Connection Error - TLS Error: TLS handshake failed
Post by: browley on September 12, 2012, 02:57:28 pm
I had this problem too.  My first recommendation would be to kick up the debug level on both sides; it should give you a better idea of what is going wrong.  That said, one of the confusing things about OpenVPN is that they have 2 windows clients: the "paid" and the "free" client and the TLS hashing method is different for each client.  Check out my post, https://forums.openvpn.net/topic10821.html, at the OpenVPN forums.  Hope that helps.
Title: Re: OpenVPN Connection Error - TLS Error: TLS handshake failed
Post by: c4rdinal on September 13, 2012, 02:25:10 am

Thank you for taking time to answer. I upgraded the OpenVPN Client from 2.2.0 to 2.2.2, the problem suddenly went away!

However, I cannot browse any Windows network shares but can ping them. Also, I got disconnected automatically after a few minutes. :(

Any clue on how to resolve?
Title: Re: OpenVPN Connection Error - TLS Error: TLS handshake failed
Post by: browley on September 13, 2012, 05:28:00 pm
Seriously, bump up the verbosity of the logs.  Put verb 6 in both your client and server config.  6 is good for debugging.  9 is overkill but can be useful.  Basically, connect and throw a tail -f on the server side log and connect via windows.  Wait till it disconnects on the client side then look at the log immediately.  See if server/client report errors.  Then google or post in the OpenVPN forums.  Not trying to be brash with that suggestion, but let's put it this way: they answered my questions within 2 days after I spent almost a week doing google work trying to fix it myself.  Good luck.
Title: Re: OpenVPN Connection Error - TLS Error: TLS handshake failed
Post by: c4rdinal on September 14, 2012, 05:35:44 am
Hi,

The procedure above is complete and working. Just make sure you use Openvpnclient-2.2.2.

Network mapping is also possible.

Thanks for all your help.

Enjoy!