Raspberry Pi 2 - OpenVPN - TLS Error: TLS handshake failed

  • Hi,


    I installed the OpenVPN plugin (via "OMV-Extras.org", I ticked "VPN", and then installed "openmediavault-openvpn 1.1" from Plugins).


    Then, I created certificates with the following commands via SSH:


    1/ Edit vars (export KEY_DIR, export KEY_COUNTRY, etc.)

    Code
    nano /etc/openvpn/easy-rsa/2.0/vars


    2/ Open the folder

    Code
    cd /etc/openvpn/easy-rsa/2.0/


    3/ Use vars

    Code
    source ./vars


    4/ Delete existing certificates

    Code
    ./clean-all


    5/ Generate certificate authority and certificate key (client):

    Code
    ./build-ca


    6/ Generate certificate authority and certificate key (server):

    Code
    ./build-key-server myserver.no-ip.org


    7/ Generate Diffie-Hellman parameters (necessary for the server end of an SSL/TLS connection)

    Code
    ./build-dh


    8/ Generate a key to use with tls-auth, which adds an additional HMAC signature to all SSL/TLS handshake packets

    Code
    openvpn --genkey --secret /etc/openvpn/keys/ta.key


    9/ Change permissions to see certificates and keys from eXtplorer

    Code
    chmod 755 /etc/openvpn/keys/


    Then, I forwarded 1194 UDP port on my router. Should I do the same with the firewall of OMV? If yes, how to populate 'source', 'destination', etc. fields?


    For information, here below is the content of "/etc/openvpn/server.conf" (with comments removed):


    When trying to connect using "OpenVPN GUI v5" on Windows, the following log is displayed:


    On OMV side, I had the following log:


    Besides, on Android 5.1 when using OpenVPN Connect, the following message is displayed:

    Code
    OpenVPN server certificate verification failed : PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed.


    I have tried several times to find information, but it is still not solved. Any reason why the connection does not work?


    Regards

  • source blank destination blank 1194 udp


    Why did you create the certs? You can do it with the plugin in the web gui. Then import into OpenVPN Connect.


    OpenSSL should be used. I'm not sure why you are getting that PolarSSL message, whether it is a client or server issue.

  • Thanks for port forwarding information.


    I tried to generate them by myself because initially I tried with the web gui but it did not work. I have uninstalled the plugin, then "apt-get purge openvpn" and then removed the openvpn folder to install it again.


    I ticked 'openvpn' in the group list of the pi user, then the certificate was generated from the web gui and downloaded to put it in the 'config' folder of the OpenVPN client.


    But, still got issues:
    Tue Jan 27 17:39:17 2015 192.168.1.14:61529 TLS Error: TLS handshake failed
    Tue Jan 27 17:39:19 2015 192.168.1.14:61530 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Jan 27 17:39:19 2015 192.168.1.14:61530 TLS Error: TLS handshake failed
    Tue Jan 27 17:39:19 2015 192.168.1.14:63750 Re-using SSL/TLS context
    Tue Jan 27 17:39:19 2015 192.168.1.14:63750 LZO compression initialized
    Tue Jan 27 17:39:19 2015 192.168.1.14:63750 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue Jan 27 17:39:19 2015 192.168.1.14:63750 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Jan 27 17:39:19 2015 192.168.1.14:63750 Local Options hash (VER=V4): '530fdded'
    Tue Jan 27 17:39:19 2015 192.168.1.14:63750 Expected Remote Options hash (VER=V4): '41690919'


    For the PolarSSL message, I think it is not possible to choose. I tried also with 'OpenVPN for Android' but it did not work either.


    Any idea?

    What is the extension on the file that is created by the web gui? .ovpn or something? You cannot put this in the folder; you need to import it. With OpenVPN Connect you choose import and guide it to that file.


    I use OpenVPN AS. I would have to try out that plugin to be sure.

  • I get a ZIP file (openvpn-pi.zip) containing:
    pi-ca.crt
    pi-client.conf
    pi-client.crt
    pi-client.key
    pi-client.ovpn


    Then, I unzip it on my PC and:
    - On Windows 7, I put files in "C:\Program Files\OpenVPN\config"
    - On Android 5.1, I put files on it and then import "pi-client.ovpn" (import is successfully done)


    Looking at the content of pi-ca.crt, the content seems not to be relevant:
    E = mail@host.domain
    2.5.4.41 = changeme
    CN = changeme
    OU = changeme
    O = Fort-Funston
    L = SanFrancisco
    S = CA
    C = US


    This is the default information of /etc/openvpn/easy-rsa/2.0/vars


    For information, I saw that the certificates (server (and client)) generated manually were different from the certificate of the pi user created from the web gui. Indeed, some of the above information like the 'changeme' info was displayed for the pi user, so it does not match the server certificate.


    Is the certificate generation from the web gui reliable?
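The easy-rsa steps in the first post and the pi-ca.crt mismatch noted just above come down to one check: does the client certificate chain to the CA the server trusts, and does the server certificate chain to the CA in the client's pi-ca.crt? The following shell script is an added example, not code from this thread or from the OpenMediaVault plugin. It assumes only that the openssl CLI is installed; all names in it (pi-ca, other-ca, pi-server, pi-client) are constructed for the demo. It builds two throwaway CAs, then shows `openssl verify` accepting the leaf issued by the matching CA and rejecting the one issued elsewhere, with the issuer and subject DNs printed side by side so a "changeme" default or a re-run ./clean-all is visible at a glance.

```shell
#!/bin/sh
# Added example (not from the thread): build throwaway CAs and leaf
# certificates with the openssl CLI, then check each leaf against a CA file
# the way an OpenVPN peer does during the TLS handshake. A client or server
# certificate that was not issued by the CA in the other side's "ca" file is
# one cause of "TLS handshake failed" / "certificate verification failed".
# Assumes: openssl is installed; every file name and CN below is constructed.
set -eu

# Issue a self-signed CA and one leaf certificate signed by it.
# $1 = output directory, $2 = CA common name, $3 = leaf common name
make_ca_and_leaf() {
    dir=$1; ca_cn=$2; leaf_cn=$3
    mkdir -p "$dir"
    # Self-signed CA certificate and key
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=$ca_cn" 2>/dev/null
    # Leaf key and certificate signing request
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=$leaf_cn" 2>/dev/null
    # Sign the request with the CA
    openssl x509 -req -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
}

# Exit status 0 when certificate $2 chains to the CA in $1, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print a certificate's subject or issuer DN in RFC 2253 form, e.g. "CN=pi-ca".
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Human-readable report for one CA/leaf pair: the leaf issuer must equal the
# CA subject, and the signature must verify, for OpenVPN to accept the peer.
report() {
    ca=$1; leaf=$2
    printf 'leaf subject: %s\n' "$(subject_dn "$leaf")"
    printf 'leaf issuer : %s\n' "$(issuer_dn "$leaf")"
    printf 'CA subject  : %s\n' "$(subject_dn "$ca")"
    if verify_chain "$ca" "$leaf"; then
        echo "result      : OK, leaf was issued by this CA"
    else
        echo "result      : MISMATCH, leaf does not chain to this CA"
    fi
    echo
}

# Demo: one CA ("pi-ca") for the server, a second CA for a stray client cert.
WORK=$(mktemp -d)
make_ca_and_leaf "$WORK/pi"    "pi-ca"    "pi-server"
make_ca_and_leaf "$WORK/other" "other-ca" "pi-client"
report "$WORK/pi/ca.crt" "$WORK/pi/leaf.crt"      # OK
report "$WORK/pi/ca.crt" "$WORK/other/leaf.crt"   # MISMATCH
rm -rf "$WORK"
```

To check real files from the plugin's ZIP, call `report pi-ca.crt pi-client.crt` on the client side and, on the Pi, `report` with the ca and cert paths named in /etc/openvpn/server.conf; if either pair reports MISMATCH the handshake cannot succeed no matter what the port forwarding or firewall looks like.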

    Tested and it works. There is an issue in your setup. I used an RPi 2 as the server and the OpenVPN Connect app on a Galaxy phone. The OpenVPN plugin creates the client files for you. It is important that you use the plugin to create the client files because it is including other facets of your configuration in the files.


    Show your settings from the OpenVPN plugin in the web gui.



    You need to use the Chrome mobile app for browsing. The default browser, labeled "Internet", did not work.
