<![CDATA[OpenVPN: TLS Negotiation Failed?]]>Hello - I seem to keep running into this issue after trying a few things and redoing the setup of OpenVPN (With and without Wizard).

Here's the network layout and purpose:
WAN (bce0) is on my Xfinity xFi Router's network (10.0.0.X), Statically assigned IPv4.
LAN (bce1) is connected to a Netgear Gigabit Plus Switch (10.0.2.X), IPv4 DHCP Server Enabled.
OPT1 is a VLAN(.10) on LAN's interface - but I disabled this for now.

My purpose is to be able to tunnel into my 10.0.2.X network locally from my laptop (Macbook Air with Windows 10 via Bootcamp) using OpenVPN. My laptop is on the 10.0.0.X subnet/network. My servers operate off the 10.0.2.X network.

OpenVPN is using port 1194/UDP as of right now. I also tried to use a Dynamic DNS solution using No-IP. That is now disabled.

Tue Feb 12 00:16:53 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Feb 12 00:16:53 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Feb 12 00:16:53 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Tue Feb 12 00:16:59 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.0.20:1194
Tue Feb 12 00:16:59 2019 UDP link local (bound): [AF_INET][undef]:1194
Tue Feb 12 00:16:59 2019 UDP link remote: [AF_INET]10.0.0.20:1194
Tue Feb 12 00:17:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 12 00:17:59 2019 TLS Error: TLS handshake failed
Tue Feb 12 00:17:59 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 12 00:18:04 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.0.20:1194
Tue Feb 12 00:18:04 2019 UDP link local (bound): [AF_INET][undef]:1194
Tue Feb 12 00:18:04 2019 UDP link remote: [AF_INET]10.0.0.20:1194

Any help is appreciated. I need this to work so I can edit coding projects and other things off my home server.

]]>https://forum.netgate.com/topic/140548/openvpn-tls-negotiation-failedRSS for NodeTue, 14 Apr 2026 09:51:26 GMTTue, 12 Feb 2019 19:22:00 GMT60<![CDATA[Reply to OpenVPN: TLS Negotiation Failed? on Wed, 13 Feb 2019 04:51:32 GMT]]>@derelict I hear ya’. That’s a bummer, but makes sense... I could maybe I replace our existing router with another pfSense one and do a P2P server between both of them instead so the firewalls can talk to each other? xFi isn’t the best with their interface - far too simple. Home-Network friendly I suppose.

Thank you for the help though.

]]>https://forum.netgate.com/post/823735https://forum.netgate.com/post/823735Wed, 13 Feb 2019 04:51:32 GMT<![CDATA[Reply to OpenVPN: TLS Negotiation Failed? on Wed, 13 Feb 2019 02:42:21 GMT]]>If you are connecting from afar to the pfSense WAN IP on UDP 1194 and that traffic is not hitting pfSense WAN, you need to look upstream.

pfSense can only operate on traffic that actually arrives on its interfaces.

]]>https://forum.netgate.com/post/823725https://forum.netgate.com/post/823725Wed, 13 Feb 2019 02:42:21 GMT<![CDATA[Reply to OpenVPN: TLS Negotiation Failed? on Wed, 13 Feb 2019 01:41:53 GMT]]>@derelict So where can I go from here? According to my current firewall rules on pfSense, it's accepting IPv4 UDP traffic on port 1194/udp.. The only other way I can see is forwarding the traffic on the xFi router to the pfSense router's WAN address (which I already did). 💀

]]>https://forum.netgate.com/post/823716https://forum.netgate.com/post/823716Wed, 13 Feb 2019 01:41:53 GMT<![CDATA[Reply to OpenVPN: TLS Negotiation Failed? on Wed, 13 Feb 2019 01:31:04 GMT]]>If it's not logging anything it is probably not receiving the traffic at all. That would dovetail with the client error messages.

]]>https://forum.netgate.com/post/823714https://forum.netgate.com/post/823714Wed, 13 Feb 2019 01:31:04 GMT<![CDATA[Reply to OpenVPN: TLS Negotiation Failed? on Wed, 13 Feb 2019 01:30:02 GMT]]>@agnet said in OpenVPN: TLS Negotiation Failed?:

@Derelict I do use the client exporter package. As for the compression setting, I don't ever remember changing that, but it seems I have (not consciously).

Here is the current System Log for OpenVPN (Most recent and current PID)

Feb 12 20:12:43	openvpn	81170	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
Feb 12 20:12:43	openvpn	81170	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Feb 12 20:12:43	openvpn	81345	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 12 20:12:43	openvpn	81345	TUN/TAP device ovpns1 exists previously, keep at program end
Feb 12 20:12:43	openvpn	81345	TUN/TAP device /dev/tun1 opened
Feb 12 20:12:43	openvpn	81345	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 12 20:12:43	openvpn	81345	/sbin/ifconfig ovpns1 10.0.80.1 10.0.80.2 mtu 1500 netmask 255.255.255.0 up
Feb 12 20:12:43	openvpn	81345	/usr/local/sbin/ovpn-linkup ovpns1 1500 1621 10.0.80.1 255.255.255.0 init
Feb 12 20:12:43	openvpn	81345	UDPv4 link local (bound): [AF_INET]10.0.0.20:1194
Feb 12 20:12:43	openvpn	81345	UDPv4 link remote: [AF_UNSPEC]
Feb 12 20:12:43	openvpn	81345	Initialization Sequence Completed

@Derelict @Rico

It doesn't seem like it's even logging any activity from the device. Could there be a setting on the xFi router I need to change? I have 1194/udp Port Forwarded to 10.0.0.20 (pfSense WAN)

]]>https://forum.netgate.com/post/823713https://forum.netgate.com/post/823713Wed, 13 Feb 2019 01:30:02 GMT<![CDATA[Reply to OpenVPN: TLS Negotiation Failed? on Wed, 13 Feb 2019 01:21:16 GMT]]>@Derelict I do use the client exporter package. As for the compression setting, I don't ever remember changing that, but it seems I have (not consciously).

Here is the current System Log for OpenVPN (Most recent and current PID)

Feb 12 20:12:43	openvpn	81170	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
Feb 12 20:12:43	openvpn	81170	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Feb 12 20:12:43	openvpn	81345	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 12 20:12:43	openvpn	81345	TUN/TAP device ovpns1 exists previously, keep at program end
Feb 12 20:12:43	openvpn	81345	TUN/TAP device /dev/tun1 opened
Feb 12 20:12:43	openvpn	81345	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 12 20:12:43	openvpn	81345	/sbin/ifconfig ovpns1 10.0.80.1 10.0.80.2 mtu 1500 netmask 255.255.255.0 up
Feb 12 20:12:43	openvpn	81345	/usr/local/sbin/ovpn-linkup ovpns1 1500 1621 10.0.80.1 255.255.255.0 init
Feb 12 20:12:43	openvpn	81345	UDPv4 link local (bound): [AF_INET]10.0.0.20:1194
Feb 12 20:12:43	openvpn	81345	UDPv4 link remote: [AF_UNSPEC]
Feb 12 20:12:43	openvpn	81345	Initialization Sequence Completed
]]>https://forum.netgate.com/post/823711https://forum.netgate.com/post/823711Wed, 13 Feb 2019 01:21:16 GMT<![CDATA[Reply to OpenVPN: TLS Negotiation Failed? on Wed, 13 Feb 2019 00:34:38 GMT]]>Did you use the client exporter to configure the windows client?

The default compression setting is Omit Preference. Why is that changed? Do you know you need to change it?

What does the OpenVPN server log (Status > System Logs, OpenVPN) include when you try to connect?

]]>https://forum.netgate.com/post/823709https://forum.netgate.com/post/823709Wed, 13 Feb 2019 00:34:38 GMT<![CDATA[Reply to OpenVPN: TLS Negotiation Failed? on Tue, 12 Feb 2019 22:39:56 GMT]]>@rico Also - I have used User Auth only before, but I still get the same error.

  • Andrew
]]>https://forum.netgate.com/post/823698https://forum.netgate.com/post/823698Tue, 12 Feb 2019 22:39:56 GMT<![CDATA[Reply to OpenVPN: TLS Negotiation Failed? on Tue, 12 Feb 2019 22:37:13 GMT]]>@Rico

Here are all the screenshots requested. Note: "AGVPN (out)" was my Dynamic DNS Solution, I deleted the rule for it as I'm no longer using it right now, but kept some other ones and the Server config just in case I would want to try it again.

8_1550010999759_openvpn-config1.PNG 7_1550010999759_openvpn-config2.PNG 6_1550010999758_openvpn-config3.PNG 5_1550010999758_openvpn-config4.PNG 4_1550010999757_openvpn-config5.PNG 3_1550010999757_openvpn-config6.PNG 2_1550010999756_Firewall-config1.PNG 1_1550010999756_Firewall-config2.PNG 0_1550010999754_Firewall-config3.PNG

]]>https://forum.netgate.com/post/823696https://forum.netgate.com/post/823696Tue, 12 Feb 2019 22:37:13 GMT<![CDATA[Reply to OpenVPN: TLS Negotiation Failed? on Tue, 12 Feb 2019 22:05:12 GMT]]>Share your OpenVPN settings and Firewall Rules (screenshots).

-Rico

]]>https://forum.netgate.com/post/823687https://forum.netgate.com/post/823687Tue, 12 Feb 2019 22:05:12 GMT