[svlug] OpenVPN

Tin Le tin at le.org
Mon Mar 19 19:56:56 PDT 2007


I am deep in the middle of bringing up a manufacturing facility network,
servers, etc... so won't be able to help you much.

1. Ok, so you are sure that inbound/outbound 1194 UDP is open.
2. You tested it by using nc (from the remote client?)


> Before I post such very long log files, can I post the following and ask
> if this might be the problem? First, the server log file has this:
>
> Sun Mar 18 22:55:39 2007 us=164119   server_network = 10.8.0.0
> Sun Mar 18 22:55:39 2007 us=164139   server_netmask = 255.255.255.0
>
> Showing the network just as it is configured in the server.conf file
> read when OpenVPN starts up. However, the client machine here has this:
>
> Sun Mar 18 23:59:44 2007 us=721671   server_network = 0.0.0.0
> Sun Mar 18 23:59:44 2007 us=721736   server_netmask = 0.0.0.0
>
> Could this be the problem? Nowhere in the sample client.conf file do I
> find an entry to set up the network the same way the server.conf file does.
>
> Is that handled when the client connects through port 1194, or is there
> something else I need to do on the client?

The server will act as a DHCP server to the client, once a connection has
been established successfully.  Routing, DNS, etc. will be sent from the
server.


>> 3. Turn on more verbosity in server.conf when you start OpenVPN, do the
>> same on client.conf.  Post both logs here.
>>
> Okay, since you asked for the log files, here they are, but they are
> quite long. I'll truncate the server log file at the point where it gets
> the "handshake failed" messages so you can see everything leading to
> that point. The rest is the same.
>
> First, the server:


> Sun Mar 18 23:03:27 2007 us=985480 209.181.37.219:33402 UDPv4 WRITE [22]
> to 209.181.37.219:33402: P_ACK_V1 kid=0 [ 0 ]
> Sun Mar 18 23:03:29 2007 us=112253 209.181.37.219:33402 TLS Error: TLS
> key negotiation failed to occur within 60 seconds (check your network
> connectivity)
> Sun Mar 18 23:03:29 2007 us=112297 209.181.37.219:33402 TLS Error: TLS
> handshake failed

> Now the client:

> Mon Mar 19 00:00:44 2007 us=734089 TLS Error: TLS key negotiation failed
> to occur within 60 seconds (check your network connectivity)
> Mon Mar 19 00:00:44 2007 us=734201 TLS Error: TLS handshake failed
> Mon Mar 19 00:00:44 2007 us=734571 TCP/UDP: Closing socket
> Mon Mar 19 00:00:44 2007 us=734702 SIGUSR1[soft,tls-error] received,
> process restarting
> Mon Mar 19 00:00:44 2007 us=734773 Restart pause, 2 second(s)

There is a problem in the TLS handshaking.  There are several possible
causes.

1. Your certs are bad, wrong, etc.
2. Firewall problem.  Packets are not getting through.  Port 1194 to your
VPN server is open, but what about your client?

You can try changing from UDP to TCP to see if that works.  If it does,
then something is blocking UDP.

This URL might help.

http://openvpn.net/archive/openvpn-users/2005-06/msg00163.html

Good luck.  I am way buried in work at the moment.

Tin Le
-- 
"Your chances of success are directly proportional to the degree of
pleasure you desire from what you do. If you are in a job you hate, face
the fact squarely and get out." -- Michael Korda
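Added example, not part of the thread: a small Python triage over OpenVPN log lines in the format quoted above, mapping the two TLS error messages onto the two causes Tin lists (packets not getting through vs. bad certs). The SAMPLE_LOG lines are copied from the quoted server and client logs; the cause mapping in triage() is an assumption of this example, not OpenVPN's own diagnosis.

```python
import re
from collections import Counter

# Sample taken from the server and client log lines quoted in the thread.
SAMPLE_LOG = """\
Sun Mar 18 23:03:27 2007 us=985480 209.181.37.219:33402 UDPv4 WRITE [22] to 209.181.37.219:33402: P_ACK_V1 kid=0 [ 0 ]
Sun Mar 18 23:03:29 2007 us=112253 209.181.37.219:33402 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Mar 18 23:03:29 2007 us=112297 209.181.37.219:33402 TLS Error: TLS handshake failed
Mon Mar 19 00:00:44 2007 us=734089 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 19 00:00:44 2007 us=734201 TLS Error: TLS handshake failed
"""

# Format: "Day Mon DD HH:MM:SS YYYY us=NNN [peer:port] message" (peer prefix absent in the client's own log).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=(?P<us>\d+) "
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) )?(?P<msg>.*)$"
)

# Failure signatures from the quoted logs, checked in order (first match wins).
SIGNATURES = (
    ("tls_timeout", "key negotiation failed to occur within"),
    ("tls_handshake_failed", "TLS handshake failed"),
)

def parse_log(text):
    """Yield (timestamp, peer, message); peer is 'local' for client-side lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("peer") or "local", m.group("msg")

def classify(message):
    """Return the signature name matched by a log message, or None."""
    return next((kind for kind, needle in SIGNATURES if needle in message), None)

def triage(text):
    """Map peer -> (likely cause, count) via the thread's two causes: negotiation timeout
    = packets not getting through (firewall); handshake failure alone = certs (assumed mapping)."""
    per_peer = {}
    for _, peer, msg in parse_log(text):
        kind = classify(msg)
        if kind:
            per_peer.setdefault(peer, Counter())[kind] += 1
    report = {}
    for peer, counts in per_peer.items():
        if counts["tls_timeout"]:
            report[peer] = ("connectivity", counts["tls_timeout"])
        else:
            report[peer] = ("certs", counts["tls_handshake_failed"])
    return report
```

Run triage() over a full verbose log to see whether a peer only ever times out (no reply reaching it, so look at the firewall on both ends or try TCP as suggested) or fails the handshake without timing out.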