Raspberry Pi 2 - OpenVPN - TLS Error: TLS handshake failed


      Hi,

      I installed the OpenVPN plugin (via "OMV-Extras.org", I ticked "VPN" and then installed "openmediavault-openvpn 1.1" from Plugins).

      Then I created the certificates with the following commands via SSH:

      1/ Edit vars (export KEY_DIR, export KEY_COUNTRY, etc.)

          nano /etc/openvpn/easy-rsa/2.0/vars

      2/ Open the folder

          cd /etc/openvpn/easy-rsa/2.0/

      3/ Use vars

          source ./vars

      4/ Delete existing certificates

          ./clean-all

      5/ Generate certificate authority and certificate key (client):

          ./build-ca

      6/ Generate certificate authority and certificate key (server):

          ./build-key-server myserver.no-ip.org

      7/ Generate BUILD DIFFIE-HELLMAN PARAMETERS (necessary for the server end of an SSL/TLS connection)

          ./build-dh

      8/ Generate a key to use with tls-auth, which adds an additional HMAC signature to all SSL/TLS handshake packets

          openvpn --genkey --secret /etc/openvpn/keys/ta.key

      9/ Change permissions to see certificates and keys from eXtplorer

          chmod 755 /etc/openvpn/keys/


      Then, I forwarded 1194 UDP port on my router. Should I do the same with the firewall of OMV? If yes, how to populate 'source', 'destination', etc. fields?

      For information, here is the content of "/etc/openvpn/server.conf" (with comments removed):

          port 1194
          proto udp
          dev tun
          ca /etc/openvpn/keys/ca.crt
          cert /etc/openvpn/keys/server.crt
          key /etc/openvpn/keys/server.key # This file should be kept secret
          dh /etc/openvpn/keys/dh2048.pem
          server 10.8.0.0 255.255.255.0
          ifconfig-pool-persist ipp.txt
          ;push "route 192.168.1.0 255.255.255.0"
          push "redirect-gateway def1 bypass-dhcp"
          ;client-to-client
          keepalive 10 120
          comp-lzo
          ;plugin /usr/lib/openvpn/openvpn-auth-pam.so login
          user nobody
          group nogroup
          persist-key
          persist-tun
          status openvpn-status.log
          log /var/log/openvpn.log
          verb 2
          mute 10
          crl-verify /etc/openvpn/keys/crl.pem


      When trying to connect using "OpenVPN GUI v5" on Windows, the following log is displayed:

          Thu May 14 14:08:02 2015 OpenVPN 2.3.6 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 4 2015
          Thu May 14 14:08:02 2015 library versions: OpenSSL 1.0.1l 15 Jan 2015, LZO 2.08
          Thu May 14 14:08:02 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
          Thu May 14 14:08:02 2015 Need hold release from management interface, waiting...
          Thu May 14 14:08:02 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
          Thu May 14 14:08:03 2015 MANAGEMENT: CMD 'state on'
          Thu May 14 14:08:03 2015 MANAGEMENT: CMD 'log all on'
          Thu May 14 14:08:03 2015 MANAGEMENT: CMD 'hold off'
          Thu May 14 14:08:03 2015 MANAGEMENT: CMD 'hold release'
          Thu May 14 14:08:03 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
          Thu May 14 14:08:03 2015 MANAGEMENT: >STATE:1431605283,RESOLVE,,,
          Thu May 14 14:08:03 2015 UDPv4 link local: [undef]
          Thu May 14 14:08:03 2015 UDPv4 link remote: [AF_INET]XX.212.126.152:1194
          Thu May 14 14:08:03 2015 MANAGEMENT: >STATE:1431605283,WAIT,,,
          Thu May 14 14:08:03 2015 MANAGEMENT: >STATE:1431605283,AUTH,,,
          Thu May 14 14:08:03 2015 TLS: Initial packet from [AF_INET]XX.212.126.152:1194, sid=25c45403 2b00edda


      On the OMV side, I had the following log:

          Tue Jul 7 07:56:03 2015 192.168.1.1:58942 Re-using SSL/TLS context
          Tue Jul 7 07:56:03 2015 192.168.1.1:58942 LZO compression initialized
          Tue Jul 7 07:56:03 2015 192.168.1.1:58942 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
          Tue Jul 7 07:56:03 2015 192.168.1.1:58942 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
          Tue Jul 7 07:56:03 2015 192.168.1.1:58942 Local Options hash (VER=V4): '530fdded'
          Tue Jul 7 07:56:03 2015 192.168.1.1:58942 Expected Remote Options hash (VER=V4): '41690919'
          Tue Jul 7 07:56:24 2015 192.168.1.1:58922 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Tue Jul 7 07:56:24 2015 192.168.1.1:58922 TLS Error: TLS handshake failed
          Tue Jul 7 07:56:27 2015 80.12.39.138:36654 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Tue Jul 7 07:56:27 2015 80.12.39.138:36654 TLS Error: TLS handshake failed
          Tue Jul 7 07:57:03 2015 192.168.1.1:58942 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Tue Jul 7 07:57:03 2015 192.168.1.1:58942 TLS Error: TLS handshake failed
          Tue Jul 7 07:57:05 2015 192.168.1.1:62717 Re-using SSL/TLS context
          Tue Jul 7 07:57:05 2015 192.168.1.1:62717 LZO compression initialized
          Tue Jul 7 07:57:05 2015 192.168.1.1:62717 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
          Tue Jul 7 07:57:05 2015 192.168.1.1:62717 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
          Tue Jul 7 07:57:05 2015 192.168.1.1:62717 Local Options hash (VER=V4): '530fdded'
          Tue Jul 7 07:57:05 2015 192.168.1.1:62717 Expected Remote Options hash (VER=V4): '41690919'


      Besides, on Android 5.1, when using OpenVPN Connect, the following message is displayed:

          OpenVPN server certificate verification failed : PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed.


      I have tried several times to find information, but it is still not solved. Any reason why the connection does not work?

      Regards


    • Thanks for the port forwarding information.

      I tried to generate them by myself because initially I tried with the web gui but it did not work. I have uninstalled the plugin, then "apt-get purge openvpn", and then removed the openvpn folder to install it again.

      I ticked 'openvpn' in the group list of the pi user, then the certificate was generated from the web gui and downloaded to put in the 'config' folder of the OpenVPN client.

      But, still got issues:
      Tue Jan 27 17:39:17 2015 192.168.1.14:61529 TLS Error: TLS handshake failed
      Tue Jan 27 17:39:19 2015 192.168.1.14:61530 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Tue Jan 27 17:39:19 2015 192.168.1.14:61530 TLS Error: TLS handshake failed
      Tue Jan 27 17:39:19 2015 192.168.1.14:63750 Re-using SSL/TLS context
      Tue Jan 27 17:39:19 2015 192.168.1.14:63750 LZO compression initialized
      Tue Jan 27 17:39:19 2015 192.168.1.14:63750 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
      Tue Jan 27 17:39:19 2015 192.168.1.14:63750 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
      Tue Jan 27 17:39:19 2015 192.168.1.14:63750 Local Options hash (VER=V4): '530fdded'
      Tue Jan 27 17:39:19 2015 192.168.1.14:63750 Expected Remote Options hash (VER=V4): '41690919'

      For the PolarSSL message, I think it is not possible to choose. I tried also with 'OpenVPN for Android' but it did not work either.

      Any idea?
    • I get a ZIP file (openvpn-pi.zip) containing:
      pi-ca.crt
      pi-client.conf
      pi-client.crt
      pi-client.key
      pi-client.ovpn

      Then I unzipped it on my PC and:
      - On Windows 7, I put files in "C:\Program Files\OpenVPN\config"
      - On Android 5.1, I put files on it and then import "pi-client.ovpn" (import is successfully done)

      Looking at the content of pi-ca.crt, content seems not to be relevant:
      E = mail@host.domain
      2.5.4.41 = changeme
      CN = changeme
      OU = changeme
      O = Fort-Funston
      L = SanFrancisco
      S = CA
      C = US

      This is the default information of /etc/openvpn/easy-rsa/2.0/vars

      For information, I saw that the certificates (server (and client)) generated manually were different from the certificate of the pi user created from the web gui. Indeed, some of the above information, like the 'changeme' values, was displayed for the pi user, so it does not match the server certificate.

      Is the certificate generation from the web gui reliable?
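The mismatch described in this post (a server certificate from a hand-built CA next to a client certificate and pi-ca.crt from the plugin's own CA) can be confirmed offline with openssl before touching the server again. The script below is an added example, not code from the thread or from the openmediavault-openvpn plugin: it builds two throwaway CAs in a temporary directory, issues a server certificate and one client certificate from the first CA and a second client certificate from the other CA, then reports whether a given CA/server/client triple chains together. The names manual-ca, plugin-ca, myserver, good-client and pi-client are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the OMV plugin): check that a server
# certificate and a client certificate chain to the same CA, which is the
# precondition for the OpenVPN TLS handshake to succeed on both ends.
# Everything below is generated into a temporary directory; the CA and
# certificate names are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : self-signed CA certificate and key, $WORK/NAME.crt and NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1" >/dev/null 2>&1
}

# issue CA NAME : key + CSR for NAME, then a certificate signed by CA
issue() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# chains_to CA CERT : exit 0 when CERT verifies against CA, non-zero otherwise
# (the same check as "openssl verify -CAfile pi-ca.crt server.crt" on real files)
chains_to() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# check_pair CA SERVER CLIENT : prints "ok" when both the server and the client
# certificate chain to CA, "mismatch" when at least one of them does not
check_pair() {
  if chains_to "$1" "$2" && chains_to "$1" "$3"; then
    echo ok
  else
    echo mismatch
  fi
}

make_ca manual-ca          # stands in for the CA built by hand with ./build-ca
make_ca plugin-ca          # stands in for the CA the web gui plugin signs with
issue manual-ca myserver   # server certificate from the hand-built CA
issue manual-ca good-client
issue plugin-ca pi-client  # client certificate issued by the other CA

check_pair manual-ca myserver good-client   # ok
check_pair manual-ca myserver pi-client     # mismatch
```

Against the real files the same two commands are `openssl verify -CAfile pi-ca.crt server.crt` and `openssl verify -CAfile pi-ca.crt pi-client.crt`; if the first fails while the second succeeds, the server and the client were signed by different CAs, which is consistent with the client reporting "Certificate verification failed" and the server logging "TLS handshake failed" as seen in this thread. `openssl x509 -in pi-ca.crt -noout -subject -issuer` shows the 'changeme' subject fields quoted above and makes the comparison with the server's CA immediate.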
    • Tested and it works. There is an issue in your setup. I used an RPi 2 as the server and the OpenVPN Connect app on a Galaxy phone. The OpenVPN plugin creates the client files for you. It is important that you use the plugin to create the client files because it is including other facets of your configuration in the files.

      Show your settings from the OpenVPN plugin in the web gui.


      You need to use the Chrome mobile app for browsing. The default browser, labeled "Internet", did not work.


    • Here is an example settings page. See pics...

      The public IP address will be your static WAN IP or the address you set up with your DDNS provider.

      You can set up another DNS server in the "DNS Search" field for the server side of the VPN, but it is really optional. Usually the router IP will be sufficient in the "DNS Server" field.

      Images: openvpnsettings1.jpg, openvpnsettings2.jpg