Netgate Discussion Forum
OpenVPN connection failure ---TLS error TLS handshake failed

OpenVPN
2
12
14.3k
pietsnot56
last edited by Oct 7, 2020, 10:11 AM

Hi,
I am trying to make a VPN connection to my pfSense router 2.4.5-RELEASE-p1 (amd64).
In the log I see my correct dyn IP.
But I always receive the following error:

Wed Oct 07 11:59:11 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Wed Oct 07 11:59:11 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Oct 07 11:59:11 2020 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Enter Management Password:
Wed Oct 07 11:59:12 2020 TCP/UDP: Preserving recently used remote address: [AF_INET] vvv.xxx.yyy.zzz:1194
Wed Oct 07 11:59:12 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Oct 07 11:59:12 2020 UDPv4 link remote: [AF_INET] vvv.xxx.yyy.zzz:1194
Wed Oct 07 12:00:13 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Oct 07 12:00:13 2020 TLS Error: TLS handshake failed
Wed Oct 07 12:00:13 2020 SIGUSR1[soft,tls-error] received, process restarting.

Any idea what's wrong?
Win10 and iPhone & iPad refuse to make a connection.

Thanks anyway for helping.
viragomann
last edited by Oct 7, 2020, 10:49 AM

You get this error when the client cannot reach the server.

So check your firewall on the server side and the listening settings of the server, and check if OpenVPN packets are arriving on the WAN interface. You can use the pfSense Diag > Packet Capture tool to do that.
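The capture check described in this reply, as an added shell example (not code from the thread or from pfSense): it reads tcpdump-style lines of the kind the pfSense Packet Capture page prints, counts packets sent to and received from the server's port, and reports whether any reply came back at all, which is the distinction that matters for a "TLS key negotiation failed to occur within 60 seconds" error. The addresses 203.0.113.5 (pfSense WAN) and 198.51.100.7 (VPN server), the interface name em0 and all capture lines are constructed for the example.

```sh
#!/bin/sh
# Added example: decide from a WAN packet capture whether the OpenVPN server
# ever answered. Sample lines are constructed; 203.0.113.5 is the pfSense WAN
# address and 198.51.100.7 the VPN server (assumed, documentation ranges).
#
# On pfSense the same data comes from Diagnostics > Packet Capture, or from the
# shell (interface name em0 is an assumption):
#     tcpdump -ni em0 udp port 1194

# classify_capture SERVER_IP PORT   (capture text on stdin)
# prints: no-traffic | no-reply | reply-seen
classify_capture() {
    awk -v srv="$1" -v prt="$2" '
        BEGIN { out = 0; back = 0 }
        # tcpdump layout: TIME IP SRC.SPORT > DST.DPORT: UDP, length N
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (dst == srv "." prt) out++
            else if (src == srv "." prt) back++
        }
        END {
            if (out == 0 && back == 0) print "no-traffic"
            else if (back == 0) print "no-reply"
            else print "reply-seen"
        }'
}

# first_packet_len SERVER_IP PORT: UDP payload length of the first packet sent
# to the server. With tls-auth and auth SHA256 the client hard-reset is 54 bytes
# (1 opcode + 8 session id + 32 HMAC + 4 packet id + 4 timestamp + 1 ack count
# + 4 message id), so a 54-byte first packet shows the client read its config
# and started the handshake; the problem is then on the path or the server.
first_packet_len() {
    awk -v srv="$1" -v prt="$2" '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            if (dst == srv "." prt) { print $NF; exit }
        }'
}

# Constructed captures: retransmitted client hello with no answer (the case in
# this thread) and a handshake where the server replies.
CAPTURE_NO_REPLY='13:48:11.218666 IP 203.0.113.5.47055 > 198.51.100.7.1194: UDP, length 54
13:48:13.410101 IP 203.0.113.5.47055 > 198.51.100.7.1194: UDP, length 54
13:48:17.730202 IP 203.0.113.5.47055 > 198.51.100.7.1194: UDP, length 54'

CAPTURE_OK='13:48:11.218666 IP 203.0.113.5.47055 > 198.51.100.7.1194: UDP, length 54
13:48:11.260001 IP 198.51.100.7.1194 > 203.0.113.5.47055: UDP, length 66
13:48:11.262222 IP 203.0.113.5.47055 > 198.51.100.7.1194: UDP, length 310'

# Stand-alone run
printf '%s\n' "$CAPTURE_NO_REPLY" | classify_capture 198.51.100.7 1194   # no-reply
printf '%s\n' "$CAPTURE_OK"       | classify_capture 198.51.100.7 1194   # reply-seen
printf '%s\n' "$CAPTURE_OK"       | first_packet_len 198.51.100.7 1194   # 54
```

"no-reply" with a correct server address means the request left the WAN but nothing came back, so the next place to look is everything between the WAN port and the server (ISP gateway, upstream NAT, the server's own firewall), not the client configuration.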
pietsnot56
last edited by Oct 7, 2020, 12:10 PM

Hi,

I did the test and this was the result I found in the log:

13:48:11.218666 IP AAA.BBB.CCC.EEE.47055 > VVV.XXX.YYY.ZZZ.1194: UDP, length 54
where
AAA.BBB.CCC.EEE = WAN port pfSense
VVV.XXX.YYY.ZZZ = Dyn IP from no-ip.org

So the packets seem to arrive at the WAN port.

Rules:

WAN
States       Protocol   Source                            Port   Destination   Port             Gateway   Queue   Description
0 /2         *          RFC 1918 networks                 *      *             *                *         *       Block private networks
0 /1 KiB     *          Reserved / Not assigned by IANA   *      *             *                *         *       Block bogon networks
0 /0 B       IPv4 UDP   *                                 *      WAN address   1194 (OpenVPN)   *         none    OpenVPN OpenVPN over pfSense wizard

OpenVPN
0 /0 B       IPv4 *     *                                 *      *             *                *         none    OpenVPN OpenVPN over pfSense wizard

LAN
1 /5.63 MiB  *          *                                 *      LAN Address   443, 80, 22      *         *       Anti-Lockout Rule

No port forward.

Can this help?
pietsnot56
last edited by Oct 7, 2020, 12:17 PM

Here is also the client config .ovpn:

dev tun
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote XXXXXXXX.no-ip.org 1194 udp4
verify-x509-name "XXXXXXXX.no-ip.org" name
auth-user-pass
pkcs12 pfSense-UDP4-1194-VPNxyz.p12
tls-auth pfSense-UDP4-1194-VPNxyz-tls.key 1
remote-cert-tls server
viragomann @pietsnot56
last edited by Oct 7, 2020, 12:36 PM

@pietsnot56
Not clear what you're trying to do here.
In your first line:

@pietsnot56 said in OpenVPN connection failure ---TLS error TLS handshake failed:
    I try to make a VPN connection to my pfsense router 2.4.5-RELEASE-p1 (amd64)

So I was assuming you're running an OpenVPN server on pfSense and are trying to connect to it.
Additionally you've hidden the server's IP in the log. If that is a public VPN provider, everyone knows it, so why do you hide it?

@pietsnot56 said in OpenVPN connection failure ---TLS error TLS handshake failed:
    I did the test and this was the result i founded in the log:
    13:48:11.218666 IP AAA.BBB.CCC.EEE.47055 > VVV.XXX.YYY.ZZZ.1194: UDP, length 54
    where
    AAA.BBB.CCC.EEE = WANPORT pFSense
    VVV.XXX.YYY.ZZZ = Dyn ip from no-ip.org

Here it is your WAN address trying to access a VPN server, and your config is from a client.

So what now?
You are running a client, I guess? On pfSense or on a device behind it?
Increase the logging level to get some more info.
pietsnot56
last edited by Oct 7, 2020, 12:42 PM

Hi, the client is a Win10 PC.
It's from that PC that I tried to make a connection to the pfSense router/firewall.
I did the same test with my iPhone (only cellular connection) and my iPad, always with the same result.
Can I give other helpful information?
viragomann
last edited by Oct 7, 2020, 12:53 PM

I see.
So the VPN request packets go out on your WAN interface, but you get no response for whatever reason.

If the server IP and port are correct, the packets are blocked somewhere. Maybe at your ISP.
pietsnot56
last edited by Oct 7, 2020, 1:02 PM

Correct.

Normally port 1194 is not blocked by the ISP.

Only these should be blocked:
TCP port 25
TCP/UDP port 53
TCP/UDP port 135
TCP/UDP port 137 – 139
TCP/UDP port 161 – 162
TCP port 445
TCP port 1080
UDP port 1900

Do I have to forward port 1194 on the pfSense router/firewall?
In the YouTube tutorials this was never mentioned.
viragomann
last edited by Oct 7, 2020, 1:11 PM

No, that's an outbound connection.

The only NAT which is necessary here is outbound NAT. If you see the pfSense WAN IP in the packet capture on WAN, it works well.

If your VPN server and port settings are correct and you don't get a response from the server, there is nothing you can do on your side.
Don't you have an alternative server IP?

@pietsnot56 said in OpenVPN connection failure ---TLS error TLS handshake failed:
    Only those should be blocked:

These are incoming connections, but we're talking about outgoing here, which may behave differently.
pietsnot56
last edited by Oct 7, 2020, 1:23 PM

What do you mean with "Don't you have an alternative server IP"?

Is this another ISP? Then, no.

Does it make sense to try with the IP address received from the ISP, when I see that no-ip.org gives the correct (public) IP on the WAN side of the router?
Can I try something else?
viragomann @pietsnot56
last edited by Oct 7, 2020, 1:39 PM

@pietsnot56 said in OpenVPN connection failure ---TLS error TLS handshake failed:
    What do you mean with "Don't you have an alternative servers IP."?

VPN service providers often give you multiple IPs / hostnames to connect to.

@pietsnot56 said in OpenVPN connection failure ---TLS error TLS handshake failed:
    Can I try something else?

Shut off Wi-Fi on your iPhone and try to connect using the cellular network.
It should connect if the settings are correct. But if it doesn't from behind pfSense and the WAN packets are fine, the outbound connection is blocked.

Your Packet Capture from WAN while trying to connect is a bit stingy. Post a whole capture, so we can give more accurate feedback.
pietsnot56
last edited by Oct 7, 2020, 2:32 PM

Eureka, I found it.
Thanks viragomann, you pushed me in the right direction.

Now the VPN icon turns green and I received an IP in the 10.0.x.y range on my PC.

What was wrong?

The "modem" of my ISP is more of an AP (with DHCP functionality) than a real modem. It has 1 WAN port and 4 LAN ports.
If you want to connect your own router behind it, then the ISP router has to be configured with a "passthrough" function.
The IP address from the WAN side will be pushed to a LAN port to which my own pfSense router is connected.
So the WAN port of pfSense would receive the external ISP IP.
In my case I saw that my WAN IP address was in the DHCP range of the ISP router instead of the external IP.
I put the MAC address of my WAN port in the configuration ... and it was solved.

Thanks a lot.

Now I just still have to do the test with the iPhone and iPad.
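The root cause reported above, a pfSense WAN that holds a private address from the ISP box instead of the public one, is easy to check before reading any capture. The following is an added shell example, not code from the thread or from pfSense: it classifies a WAN address as private (RFC 1918, plus the 100.64.0.0/10 carrier-grade NAT range, which produces the same double-NAT situation), and compares a public WAN address with what the dynamic DNS name resolves to. All addresses below are constructed; the interface name em0, the hostname vpn.example.org and the use of dig are assumptions for the live-use comment only.

```sh
#!/bin/sh
# Added example: tell whether a pfSense WAN address is really the ISP's public
# address or a private one handed out by the ISP box in front of it (double NAT,
# the cause found in this thread). Addresses used below are constructed.

# is_private_ipv4 ADDR -> prints "private" for RFC 1918 and RFC 6598
# (100.64.0.0/10, carrier-grade NAT) space, "public" otherwise.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)         echo private ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*)  echo private ;;
        *)                                                             echo public ;;
    esac
}

# wan_status WAN_IP DDNS_IP -> one of
#   double-nat : WAN got a private address, so VPN traffic passes a NAT you do
#                not control; fix the ISP box (bridge / passthrough to the
#                pfSense WAN MAC) rather than pfSense rules
#   ddns-stale : WAN is public but the dynamic DNS name points elsewhere
#   ok         : WAN holds the public address the DDNS name resolves to
wan_status() {
    wan="$1"; ddns="$2"
    if [ "$(is_private_ipv4 "$wan")" = private ]; then
        echo double-nat
    elif [ "$wan" != "$ddns" ]; then
        echo ddns-stale
    else
        echo ok
    fi
}

# Live use on pfSense (needs network; interface name, hostname and the
# presence of dig are assumptions):
#   wan_status "$(ifconfig em0 | awk '/inet /{print $2; exit}')" \
#              "$(dig +short vpn.example.org)"

wan_status 192.168.1.23 203.0.113.5   # double-nat (the situation in this thread)
wan_status 100.72.4.9   203.0.113.5   # double-nat (CGNAT)
wan_status 203.0.113.5  203.0.113.5   # ok
```

A "double-nat" result also explains why the capture on WAN looked fine: pfSense did send the packets, but from a private source address into the ISP box, which then had to NAT them a second time and deliver the replies back through its own state table.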
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.