tls error: tls handshake failed

[marcos.machado 0]

Hi,

I have the asus XT9 that supports VPN. In my desktop I can connect to the VPN using the eddie-UI. When I try to connect using the router, it doesn`t work. It did work using WireGuard configuration.
I did a check and the router from the telecom company (virgin media) doesn`t have the firewall enabled. I saw on internet some people saying to unblock a specific port but from the posts I saw that didn`t fix the issue.

Anyone has any idea what i can do to try make the openvpn work? are the openvpn client version and opensll version ok?
 

Jan 18 20:52:02 rc_service: httpd 7515:notify_rc restart_vpnc
Jan 18 20:52:04 vpnclient5[14780]: OpenVPN 2.4.12 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  6 2023
Jan 18 20:52:04 vpnclient5[14780]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Jan 18 20:52:04 vpnclient5[14781]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 20:52:04 vpnclient5[14781]: TCP/UDP: Preserving recently used remote address: [AF_INET]37.46.117.92:443
Jan 18 20:52:04 vpnclient5[14781]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Jan 18 20:52:04 vpnclient5[14781]: UDP link local: (not bound)
Jan 18 20:52:04 vpnclient5[14781]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Jan 18 20:53:04 vpnclient5[14781]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:53:04 vpnclient5[14781]: TLS Error: TLS handshake failed
Jan 18 20:53:04 vpnclient5[14781]: SIGUSR1[soft,tls-error] received, process restarting
Jan 18 20:53:04 vpnclient5[14781]: Restart pause, 5 second(s)
Jan 18 20:53:09 vpnclient5[14781]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 20:53:09 vpnclient5[14781]: TCP/UDP: Preserving recently used remote address: [AF_INET]134.19.179.133:443
Jan 18 20:53:09 vpnclient5[14781]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Jan 18 20:53:09 vpnclient5[14781]: UDP link local: (not bound)
Jan 18 20:53:09 vpnclient5[14781]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Jan 18 20:54:10 vpnclient5[14781]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:54:10 vpnclient5[14781]: TLS Error: TLS handshake failed
Jan 18 20:54:10 vpnclient5[14781]: SIGUSR1[soft,tls-error] received, process restarting
Jan 18 20:54:10 vpnclient5[14781]: Restart pause, 5 second(s)
Jan 18 20:54:15 vpnclient5[14781]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 20:54:15 vpnclient5[14781]: TCP/UDP: Preserving recently used remote address: [AF_INET]134.19.179.133:443
Jan 18 20:54:15 vpnclient5[14781]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Jan 18 20:54:15 vpnclient5[14781]: UDP link local: (not bound)
Jan 18 20:54:15 vpnclient5[14781]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Jan 18 20:55:15 vpnclient5[14781]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:55:15 vpnclient5[14781]: TLS Error: TLS handshake failed
Jan 18 20:55:15 vpnclient5[14781]: SIGUSR1[soft,tls-error] received, process restarting
Jan 18 20:55:15 vpnclient5[14781]: Restart pause, 5 second(s)
Jan 18 20:55:20 vpnclient5[14781]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 20:55:20 vpnclient5[14781]: TCP/UDP: Preserving recently used remote address: [AF_INET]134.19.179.133:443
Jan 18 20:55:20 vpnclient5[14781]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Jan 18 20:55:20 vpnclient5[14781]: UDP link local: (not bound)
Jan 18 20:55:20 vpnclient5[14781]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Jan 18 20:56:20 vpnclient5[14781]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:56:20 vpnclient5[14781]: TLS Error: TLS handshake failed
Jan 18 20:56:20 vpnclient5[14781]: SIGUSR1[soft,tls-error] received, process restarting
Jan 18 20:56:20 vpnclient5[14781]: Restart pause, 5 second(s)
Jan 18 20:56:25 vpnclient5[14781]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 20:56:25 vpnclient5[14781]: TCP/UDP: Preserving recently used remote address: [AF_INET]134.19.179.133:443
Jan 18 20:56:25 vpnclient5[14781]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Jan 18 20:56:25 vpnclient5[14781]: UDP link local: (not bound)
Jan 18 20:56:25 vpnclient5[14781]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:443

 

[Staff 9972]

@marcos.machado

Hello!

Assuming that there is indeed no block at all against OpenVPN or UDP in the network, a possible cause of the problem is a mismatched TLS key. For entry-IP address 1 you need tls-auth key while for entry-IP address 3 you need TLS Crypt key. You deleted the IP address of the server so we can't tell which key you need. Since tls-auth and tls-crypt are mutually incompatible and OpenVPN server can start either in tls-auth or in tls-crypt mode we have been forced to make this distinction on different entry-IP addresses. Your OpenVPN version is also quite old, so consider an upgrade if possible.

The Configuration Generator generates the proper key according to the connection mode you have picked. If you need split files (i.e. certificates and keys not embedded in the ovpn file) you can enable "Advanced" mode and then check "Separate certs/keys from ovpn files" option. In this case, the CG names the tls-auth and tls-crypt keys respectively ta.key and tls-crypt.key. You will also need to select "2.4" in the "OpenVPN profile" combo box, because OpenVPN 2.5 and newer versions support directives which are unknown to OpenVPN 2.4.

Kind regards
 

[marcos.machado 0]

3 hours ago, Staff said:

@marcos.machado

Hello!

Assuming that there is indeed no block at all against OpenVPN or UDP in the network, a possible cause of the problem is a mismatched TLS key. For entry-IP address 1 you need tls-auth key while for entry-IP address 3 you need TLS Crypt key. You deleted the IP address of the server so we can't tell which key you need. Since tls-auth and tls-crypt are mutually incompatible and OpenVPN server can start either in tls-auth or in tls-crypt mode we have been forced to make this distinction on different entry-IP addresses. Your OpenVPN version is also quite old, so consider an upgrade if possible.

The Configuration Generator generates the proper key according to the connection mode you have picked. If you need split files (i.e. certificates and keys not embedded in the ovpn file) you can enable "Advanced" mode and then check "Separate certs/keys from ovpn files" option. In this case, the CG names the tls-auth and tls-crypt keys respectively ta.key and tls-crypt.key. You will also need to select "2.4" in the "OpenVPN profile" combo box, because OpenVPN 2.5 and newer versions support directives which are unknown to OpenVPN 2.4.

Kind regards
 

thank you for the help.

the ip is 213.152.162.86

i have the certificates added manually, (ca.crt -> CA cert, user.crt -> client cert, user.key -> client key, tls-crypt.key -> static key )
 

[Staff 9972]

Hello!

You have entered the TLS Crypt key for the correct entry-IP address (213.152.162.86 is an entry-IP address "three", where you have support for tls-crypt). Thus the problem is somewhere else.

On some firmware, the "static key" field is not the "TLS key" field. If that's the case you need to put the tls-auth.key content in the TLS field, while the static key field must be left empty (it's for an OpenVPN working mode without PFS which we do not support).

Also you should make sure that there's no block against UDP in the firewall rules.

Kind regards