Netgate Discussion Forum

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

OpenVPN
29 Posts 4 Posters 7.1k Views
  • J
    joedoe
    last edited by Jul 6, 2018, 9:59 AM

    Hello everyone,

    I tried to create a VPN access to my local network but I met some problems.

    I followed this video to create an OpenVPN access:
    https://www.youtube.com/watch?v=7rQ-Tgt3L18

    Everything was successfully installed and configured (I think), but when I want to connect to my server with my client this message appears:
    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

    First, let me present my network:

    BOX 1--
    | --------- ||| pfsense & openvpn ||| ------ my network
    BOX 2--

    This is my first VPN access, so maybe I did something wrong.
    Both boxes work correctly.

    For the test I use only one box, and only with authentication for the moment.

    So I checked some websites like this one: https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html

    I used the wizard to install OpenVPN and I checked whether the rules on my WAN interface were correct (and they are).
    I switched off my Windows firewall and all protections on the client side.
    I used the client export utility (so I think all the configuration was correctly exported).

    Here is my client log:
    Fri Jul 06 11:52:41 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
    Fri Jul 06 11:52:41 2018 Windows version 6.2 (Windows 8 or greater) 64bit
    Fri Jul 06 11:52:41 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
    Fri Jul 06 11:52:45 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.50:1194
    Fri Jul 06 11:52:45 2018 UDP link local (bound): [AF_INET][undef]:1194
    Fri Jul 06 11:52:45 2018 UDP link remote: [AF_INET]192.168.0.50:1194
    Fri Jul 06 11:53:45 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Fri Jul 06 11:53:45 2018 TLS Error: TLS handshake failed
    Fri Jul 06 11:53:45 2018 SIGUSR1[soft,tls-error] received, process restarting

    And there is no server log.

    Please help me, I need your help :)
    Thanks a lot and have a good weekend!

    • V
      viragomann
      last edited by Jul 6, 2018, 10:12 AM

      Obviously the client can't reach the server.
      So double-check whether the server side's WAN rule allows the incoming access to the WAN address.
      Your OpenVPN server is listening on WAN IP?
      Is your WAN IP a public static one?

      • J
        joedoe
        last edited by Jul 6, 2018, 10:23 AM

        Hello, thanks for the reply.
        As you can see, the rule is correctly configured.
        0_1530872388419_Capture.PNG

        My server is listening to the WAN IP
        0_1530872499862_cap 2.PNG

        And for your last question: yes, it's a static IP.

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz Jul 6, 2018, 10:30 AM Jul 6, 2018, 10:28 AM

          @joedoe said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

          [AF_INET]192.168.0.50:1194

          How is that going to work? You're blocking RFC1918.. Have to assume your box is on this 192.168.0/? network..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • J
            joedoe
            last edited by joedoe Jul 6, 2018, 10:39 AM Jul 6, 2018, 10:37 AM

            Yes, my box is on the network 192.168.0.0/24 => IP address: 192.168.0.254/24
            RFC1918 is blocked: it's the default rule in pfSense.

            • V
              viragomann
              last edited by Jul 6, 2018, 10:39 AM

              So uncheck the block of private networks in the WAN interface settings.
              And ensure the OpenVPN access is forwarded correctly to pfSense WAN.

              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Jul 6, 2018, 10:43 AM

                Where do you think he would need to forward anything? He has a test box connected to the pfSense WAN network 192.168.0.. So the source of his traffic would be 192.168.0.254, so yeah, you're blocking RFC1918 - it's not going to work.

                If you want to test your VPN connections using RFC1918, then you're going to have to turn off the block RFC1918 rule.

                • J
                  joedoe
                  last edited by Jul 6, 2018, 10:43 AM

                  @viragomann said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                  And ensure the OpenVPN access is forwarded correctly to pfSense WAN.

                  How can I do it?

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Jul 6, 2018, 10:44 AM

                    You don't need to..

                    • J
                      joedoe
                      last edited by Jul 6, 2018, 10:46 AM

                      @johnpoz said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                      You don't need to..

                      OK, I just disabled the restriction concerning RFC1918 and nothing changed.

                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz Jul 6, 2018, 10:53 AM Jul 6, 2018, 10:48 AM

                        Yes.. If you have some client on 192.168.0 and you want to connect to 192.168.0.50 to try and create a VPN connection to pfSense.. You're going to have to turn off that default block of RFC1918.

                        What is your LAN network? What did you use for the tunnel? You could still run into a problem with such a test if your LAN behind pfSense is also 192.168.0? Or your tunnel network overlaps either your WAN or LAN network address space.

                        BTW: Next time you want to draw some ascii art diagram

                        https://textik.com/

                        • V
                          viragomann @johnpoz
                          last edited by Jul 6, 2018, 10:51 AM

                          @johnpoz said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                          Where do you think he would need to forward anything?

                          @viragomann said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                          Is your WAN IP a public static one?

                          @joedoe said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                          And for your last question: yes, it's a static IP.

                          • J
                            joedoe
                            last edited by Jul 6, 2018, 10:53 AM

                            Ok

                            My client (W10 x64) is connected to my cell phone with the IP address: 192.168.43.39/24

                            And here is more information concerning the architecture:

                            box : 192.168.0.254
                            |
                            |
                            WAN1FREE : 192.168.0.50/24
                            The tunnel network : 10.0.8.0/24
                            LAN : 192.168.1.3/24
                            |
                            |
                            ....

                            • J
                              johnpoz LAYER 8 Global Moderator
                              last edited by Jul 6, 2018, 10:54 AM

                              And again what does his wan IP being static have to do with a forward? His test box is on 192.168.0 along with his pfsense wan?

                              • J
                                johnpoz LAYER 8 Global Moderator @joedoe
                                last edited by Jul 6, 2018, 10:56 AM

                                @joedoe said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                                my cell phone with the IP address: 192.168.43.39/24

                                Huh??? Dude that is never going to work!!! How is some device out on the public internet?? Behind a Carrier grade nat going to get to a rfc1918 address? Your pfsense wan IP.. Is your cell phone on some wifi network that is routed to this 192.168.0 network??

                                Draw up where your cell phone is connecting and what this 192.168.0.254 box is???

                                • V
                                  viragomann @johnpoz
                                  last edited by Jul 6, 2018, 10:59 AM

                                  @johnpoz
                                  If his pfSense is in a private network, but his WAN is a public address, there is obviously a router in front of it.
                                  I didn't realize that's a test environment with private networks.

                                  • J
                                    joedoe
                                    last edited by Jul 6, 2018, 11:15 AM

                                    @viragomann said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                                    @johnpoz
                                    If his pfSense is in a private network, but his WAN is a public address, there is obviously a router in front of it.
                                    I didn't realize that's a test environment with private networks.

                                    Sorry, maybe I wasn't accurate enough.
                                    I just want to create a VPN access to my network and I want to give access from the outside. (I'm pretty new to network configuration, I'm learning.)
                                    I just want to test and configure a VPN, so I just linked my computer.

                                    When I plug my computer into my box it works; I can go to my network now.
                                    But I just tried to share my cell phone with my computer and it doesn't work.

                                    0_1530875743400_3.PNG

                                    • J
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by Jul 6, 2018, 12:38 PM

                                      Confused as to what this box is? It's some router - where is its internet connection?

                                      If you're on the internet you cannot connect to some RFC1918 address. You would have to connect to a public IP, which you could forward into pfSense, sure.


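The reachability point made in the reply above can be checked directly from an OpenVPN client log before touching any firewall rule. This is an added example, not code from the thread, pfSense or OpenVPN; the function name `diagnose`, its verdict strings and the constructed sample log (lines taken from the client log in the first post) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the client log posted in this thread.
SAMPLE_LOG = """\
Fri Jul 06 11:52:45 2018 UDP link local (bound): [AF_INET][undef]:1194
Fri Jul 06 11:52:45 2018 UDP link remote: [AF_INET]192.168.0.50:1194
Fri Jul 06 11:53:45 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jul 06 11:53:45 2018 TLS Error: TLS handshake failed
"""

# The three private IPv4 ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\]([0-9A-Fa-f:.]+):(\d+)")
TIMEOUT_MARK = "TLS key negotiation failed to occur within"


def diagnose(log_text, client_iface):
    """Classify a TLS negotiation timeout by where the client sits.

    client_iface is the client's own address with prefix length,
    e.g. '192.168.43.39/24' for the phone-tethered laptop in the thread.
    """
    match = REMOTE_RE.search(log_text)
    if match is None:
        return "no-remote-line"
    if TIMEOUT_MARK not in log_text:
        return "no-tls-timeout"
    remote = ipaddress.ip_address(match.group(1))
    client_net = ipaddress.ip_interface(client_iface).network
    if remote in client_net:
        # Same subnet as the pfSense WAN: the WAN rules decide, including
        # the default "block private networks" setting discussed above.
        return "on-link-check-wan-rules"
    if any(remote in net for net in RFC1918):
        # Private target on another network: not routable from the internet,
        # so the handshake packets never reach the server.
        return "private-remote-off-link"
    # Public target: the upstream router must forward the port to pfSense.
    return "public-remote-check-forwarding"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "192.168.43.39/24"))  # tethered via cell phone
    print(diagnose(SAMPLE_LOG, "192.168.0.254/24"))  # plugged into the box LAN
```
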
                                      • J
                                        joedoe
                                        last edited by Jul 7, 2018, 6:11 AM

                                        Yes, it's a router; this box provides internet and has a public IP address.

                                        • J
                                          joedoe
                                          last edited by Jul 7, 2018, 7:24 AM

                                          I just tried from my home and I can't connect to the VPN. I don't understand.
