ableounceony

ANSWERED OpenVPN for Android: Waiting for Server Reply [SOLVED]


On my Android phone (Nexus 6P), I'm trying to set up a connection using OpenVPN for Android to a couple of AirVPN servers.  When I try connecting to Merope (Los Angeles), the process gets stuck for a while at "Waiting for Server Reply" and then the logs show two errors:

"TLS Error:  TLS Key negotiation failed to occur within 60 seconds (check you network connectivity)"

"TLS Error:  TLS handshake failed"

and the process repeats.

If I try connecting to Alkes (Los Angeles), it connects correctly (unfortunately, it times out after a few minutes with an "inactivity timeout" message and then reconnects, but that's a different problem I haven't tried troubleshooting yet).

For Alkes, I'm using UDP port 443 with resolved hosts in the single .ovpn file I downloaded from the Config Generator (I selected Android as the OS).  For Merope, I've tried that same configuration and also tried using UDP port 53, telling the Config Generator to leave hosts unresolved, and choosing Linux as the OS.  It makes no difference.  I can't connect to Merope with OpenVPN for Android on my phone.  I've checked that Merope is up and I'm currently connected to it without problem on my pfSense box at home.

I've been connecting to my OpenVPN server on that pfSense box (which connects as a client to Merope) without problem using OpenVPN for Android for 9 months now, so I just can't understand how I'm messing up this much simpler configuration.  Anyone have any suggestions?


I just tried another generated configuration of Merope (UDP 1194) and got the same "Waiting for Server Reply" and TLS errors.  Could someone else try generating a configuration for the Merope (Los Angeles, CA  USA) server and using it in OpenVPN for Android on an Android phone?  I just can't see how I can be messing up a connection to Merope when I can connect to Alkes following the same procedure.

EDIT:  I've checked the .ovpn files for both Merope and Alkes.  Except for the addresses/ports, the files are identical:

client
# tunnel device type; the directive is "dev tun" (two words), not "dev-tun"
dev tun
proto udp
remote [specific ip and port]
# keep retrying DNS resolution of the remote host; spelled resolv-retry
resolv-retry infinite
nobind
persist-key
persist-tun
# require the server certificate to carry the TLS server role (blocks client-cert MITM)
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
explicit-exit-notify 5

EDIT 2:  I've even gone to https://airvpn.org/devices/ and set up a new key/device for the phone.  Downloaded yet another configuration for Merope and got the same problem with OpenVPN for Android.

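The comparison done by hand above (two generated profiles that should differ only in their endpoint lines) is easy to automate, and the same parser can flag the hand-typed spellings that OpenVPN rejects as unknown options. The script below is an added example, not code from this thread, from AirVPN or from the OpenVPN project; the sample profiles and the 192.0.2.x addresses are constructed placeholders, not real AirVPN entry IPs.

```python
"""Added example: parse OpenVPN client profiles, diff two of them while ignoring
endpoint lines, and sanity-check each for hardening directives and known typos."""
from __future__ import annotations

# Directives that legitimately differ between profiles for different servers.
ENDPOINT_DIRECTIVES = {"remote", "port", "lport", "rport"}

# Directives a Config Generator profile should carry (values as shown in this thread);
# an empty string means the directive takes no argument.
EXPECTED = {
    "client": "",
    "remote-cert-tls": "server",
    "cipher": "AES-256-CBC",
    "persist-key": "",
    "persist-tun": "",
    "nobind": "",
}

# Common hand-typed misspellings that OpenVPN rejects as unknown options.
KNOWN_TYPOS = {"dev-tun": "dev tun", "resolve-retry": "resolv-retry"}


def parse_ovpn(text: str) -> dict[str, str]:
    """Map each directive to its argument string; inline <ca>...</ca>-style blocks are skipped."""
    directives: dict[str, str] = {}
    in_block: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]                 # start of an inline key/cert block
            continue
        key, _, value = line.partition(" ")
        directives[key] = value.strip()
    return directives


def diff_profiles(a: str, b: str) -> dict[str, tuple[str | None, str | None]]:
    """Directives whose presence or value differs between two profiles, endpoints excluded."""
    da, db = parse_ovpn(a), parse_ovpn(b)
    return {
        key: (da.get(key), db.get(key))
        for key in sorted(set(da) | set(db))
        if key not in ENDPOINT_DIRECTIVES and da.get(key) != db.get(key)
    }


def check_profile(text: str) -> list[str]:
    """Findings for one profile: typo'd directives and missing or weakened hardening directives."""
    d = parse_ovpn(text)
    findings = []
    for bad, good in KNOWN_TYPOS.items():
        if bad in d:
            findings.append(f"unknown option '{bad}' (did you mean '{good}'?)")
    if "dev" not in d:
        findings.append("missing 'dev' (no tunnel device type)")
    if "remote" not in d:
        findings.append("missing 'remote' (no server endpoint)")
    for key, value in EXPECTED.items():
        if key not in d:
            findings.append(f"missing '{key}'")
        elif value and d[key] != value:
            findings.append(f"'{key}' is '{d[key]}', expected '{value}'")
    return findings


# Constructed sample profiles (placeholder addresses from the 192.0.2.0/24 documentation range).
BASE = """\
client
dev tun
proto udp
remote {ip} {port}
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
explicit-exit-notify 5
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""
ALKES = BASE.format(ip="192.0.2.10", port=443)
MEROPE = BASE.format(ip="192.0.2.20", port=53)
# The same profile with two common misspellings introduced by hand-typing it.
TYPOED = MEROPE.replace("dev tun", "dev-tun").replace("resolv-retry", "resolve-retry")

if __name__ == "__main__":
    print("alkes vs merope:", diff_profiles(ALKES, MEROPE) or "identical apart from endpoint")
    print("typoed profile:", check_profile(TYPOED))
```

An empty diff confirms the claim that two profiles are identical apart from the `remote` line, and `check_profile` turns the "unknown option" failure that a mistyped directive produces into a readable finding before the profile is imported.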

I'm pretty sure my phone's inability to connect directly to Merope via AirVPN for Android is some kind of loop or recursion problem with my setup.  I tried setting up the tunnel using my phone's data plan instead of its wifi ability to my home network.  It worked.  So, it's either something with my home network or Cox is messing with my traffic to Merope only if it originates on my phone.  That last option is pretty unlikely.  So, I'm going to try working through this here (it won't be a pretty sight).

Everything on my network goes through my pfSense box where it runs through my encrypted tunnel to AirVPN's Merope server (default AirVPN key using UDP port 53).  That includes our phones since they're connected to my wireless router which is connected to my pfSense box, along with everything else, through a switch.  I'll call that route Regular Ol' Tunnel (ROT):  switch > pfSense box > AirVPN (default key UDP 53) > open internet

I wanted to encrypt the wireless leg from the phone to my wireless router.  So, I set up an OpenVPN server on my pfSense box specifically for my phones.  Thus, the phone sets up an encrypted tunnel using OpenVPN for Android in one of three ways:

- Home Wifi:  phone > wireless router > ROT > my DDNS service for the address > pfSense box's WAN port and the tunnel is encrypted.  Then everything goes through ROT.

- Foreign Wifi:  phone > foreign wifi > my DDNS service for the address > pfSense box's WAN port and the tunnel is encrypted.  Then everything goes through ROT.  This path essentially skips one ROT traversal.

- Phone's Data Plan:  Same as above, just substituting the data plan for the foreign wifi.

Now, I'm trying to connect the phone directly to Merope for the encrypted tunnel instead of using my ROT.  Using a foreign wifi or the phone's data plan shouldn't be a problem:

- phone > foreign wifi/data plan > Merope (phone's unique AirVPN key on some port) > open internet.

But, via Home Wifi:

- phone > wireless router > ROT (which ends at AirVPN (default key UDP 53)) > BACK to Merope (unique key on some port).

I'm assuming the problem is that little loop from the unencrypted output address of Merope to the encrypted input address.  I'd have thought that the different keys for the two devices would prevent issues.  But, it looks like I was wrong.

I'm going to have to re-think encrypting the wireless leg to my normal, home wifi setup.  I think I've created a monster.

EDIT:  I think I can tell pfSense to send traffic originating with the phones directly out the unencrypted WAN port.  That way, they'll skip one encryption journey to AirVPN while they set up their tunnel.  Once the tunnel is set up, pfSense will translate their local ip addresses to their encrypted versions and that traffic will go through the encrypted part of ROT.  I hope.


I'm marking this solved.  I moved my whole wireless router to another port on my pfSense box (which I had configured as a CLRNET interface (bypassing the VPN)).  Now, they skip the initial ROT path from above before having my OpenVPN server on that box encrypt their tunnels.  I can also now connect directly to Merope on the phones via OpenVPN for Android.

I had to switch my printer to a wired interface since I couldn't figure out how to print across interfaces.  But, at least I figured out what was happening.
