Netgate Discussion Forum
    OpenVPN: TLS Negotiation Failed?

    11 Posts 3 Posters 2.4k Views

AGnet

Hello - I seem to keep running into this issue after trying a few things and redoing the setup of OpenVPN (with and without the Wizard).

      Here's the network layout and purpose:
      WAN (bce0) is on my Xfinity xFi Router's network (10.0.0.X), Statically assigned IPv4.
      LAN (bce1) is connected to a Netgear Gigabit Plus Switch (10.0.2.X), IPv4 DHCP Server Enabled.
      OPT1 is a VLAN(.10) on LAN's interface - but I disabled this for now.

      My purpose is to be able to tunnel into my 10.0.2.X network locally from my laptop (Macbook Air with Windows 10 via Bootcamp) using OpenVPN. My laptop is on the 10.0.0.X subnet/network. My servers operate off the 10.0.2.X network.

      OpenVPN is using port 1194/UDP as of right now. I also tried to use a Dynamic DNS solution using No-IP. That is now disabled.

      Tue Feb 12 00:16:53 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
      Tue Feb 12 00:16:53 2019 Windows version 6.2 (Windows 8 or greater) 64bit
      Tue Feb 12 00:16:53 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
      Tue Feb 12 00:16:59 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.0.20:1194
      Tue Feb 12 00:16:59 2019 UDP link local (bound): [AF_INET][undef]:1194
      Tue Feb 12 00:16:59 2019 UDP link remote: [AF_INET]10.0.0.20:1194
      Tue Feb 12 00:17:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Tue Feb 12 00:17:59 2019 TLS Error: TLS handshake failed
      Tue Feb 12 00:17:59 2019 SIGUSR1[soft,tls-error] received, process restarting
      Tue Feb 12 00:18:04 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.0.20:1194
      Tue Feb 12 00:18:04 2019 UDP link local (bound): [AF_INET][undef]:1194
      Tue Feb 12 00:18:04 2019 UDP link remote: [AF_INET]10.0.0.20:1194
      Any help is appreciated. I need this to work so I can edit coding projects and other things off my home server.


Rico

        Share your OpenVPN settings and Firewall Rules (screenshots).

        -Rico


AGnet

          @Rico

Here are all the screenshots requested. Note: "AGVPN (out)" was my Dynamic DNS solution; I deleted the rule for it as I'm no longer using it right now, but kept some other ones and the Server config just in case I would want to try it again.

[Attached screenshots: openvpn-config1 through openvpn-config6, Firewall-config1 through Firewall-config3]


AGnet @Rico

            @rico Also - I have used User Auth only before, but I still get the same error.

- Andrew

Derelict (Netgate)

              Did you use the client exporter to configure the windows client?

              The default compression setting is Omit Preference. Why is that changed? Do you know you need to change it?

              What does the OpenVPN server log (Status > System Logs, OpenVPN) include when you try to connect?

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)


AGnet

                @Derelict I do use the client exporter package. As for the compression setting, I don't ever remember changing that, but it seems I have (not consciously).

Here is the current System Log for OpenVPN (most recent and current PID):

                Feb 12 20:12:43	openvpn	81170	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
                Feb 12 20:12:43	openvpn	81170	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
                Feb 12 20:12:43	openvpn	81345	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                Feb 12 20:12:43	openvpn	81345	TUN/TAP device ovpns1 exists previously, keep at program end
                Feb 12 20:12:43	openvpn	81345	TUN/TAP device /dev/tun1 opened
                Feb 12 20:12:43	openvpn	81345	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
                Feb 12 20:12:43	openvpn	81345	/sbin/ifconfig ovpns1 10.0.80.1 10.0.80.2 mtu 1500 netmask 255.255.255.0 up
                Feb 12 20:12:43	openvpn	81345	/usr/local/sbin/ovpn-linkup ovpns1 1500 1621 10.0.80.1 255.255.255.0 init
                Feb 12 20:12:43	openvpn	81345	UDPv4 link local (bound): [AF_INET]10.0.0.20:1194
                Feb 12 20:12:43	openvpn	81345	UDPv4 link remote: [AF_UNSPEC]
                Feb 12 20:12:43	openvpn	81345	Initialization Sequence Completed

AGnet @AGnet

                  @Derelict @Rico

It doesn't seem like it's even logging any activity from the device. Could there be a setting on the xFi router I need to change? I have 1194/udp port forwarded to 10.0.0.20 (pfSense WAN).


Derelict (Netgate)

                    If it's not logging anything it is probably not receiving the traffic at all. That would dovetail with the client error messages.

AGnet @Derelict

@derelict So where can I go from here? According to my current firewall rules on pfSense, it's accepting IPv4 UDP traffic on port 1194/udp. The only other way I can see is forwarding the traffic on the xFi router to the pfSense router's WAN address (which I already did). 💀


Derelict (Netgate)

                        If you are connecting from afar to the pfSense WAN IP on UDP 1194 and that traffic is not hitting pfSense WAN, you need to look upstream.

                        pfSense can only operate on traffic that actually arrives on its interfaces.

AGnet
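One way to mechanise the diagnosis Derelict gives in the two replies above (server logs nothing from the client, therefore the packets never reach the pfSense WAN and the problem is upstream). This is an added example, not code from the thread, pfSense or OpenVPN. The sample log lines are reconstructed from the ones posted in this thread, with one extra constructed server sample showing what the log looks like when packets do arrive; all function and variable names are this example's own.

```python
"""Classify an OpenVPN 'TLS key negotiation failed' case from the client and
server logs, following the thread's reasoning:

  - client times out waiting for TLS, server log shows no peer at all
        -> packets are dropped before they reach the pfSense WAN (upstream
           router, port forward, or WAN firewall rule)
  - client times out, server log shows the client's address
        -> traffic arrives, so the TLS handshake itself is failing
           (tls-auth/tls-crypt key, certificates, cipher settings)
"""
import re
from dataclasses import dataclass

# Constructed sample: the client-side log as posted in the thread.
CLIENT_LOG = """\
Tue Feb 12 00:16:59 2019 UDP link remote: [AF_INET]10.0.0.20:1194
Tue Feb 12 00:17:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 12 00:17:59 2019 TLS Error: TLS handshake failed
Tue Feb 12 00:17:59 2019 SIGUSR1[soft,tls-error] received, process restarting
"""

# Constructed sample: the server-side log as posted (nothing after init).
SERVER_LOG_SILENT = """\
Feb 12 20:12:43\topenvpn\t81345\tUDPv4 link local (bound): [AF_INET]10.0.0.20:1194
Feb 12 20:12:43\topenvpn\t81345\tInitialization Sequence Completed
"""

# Constructed sample: a server log where the client's packets did arrive.
# The client address 10.0.0.55:51234 is invented for this example.
SERVER_LOG_SEEN = SERVER_LOG_SILENT + """\
Feb 12 20:13:10\topenvpn\t81345\tTLS: Initial packet from [AF_INET]10.0.0.55:51234
Feb 12 20:13:10\topenvpn\t81345\tTLS Error: cannot locate HMAC in incoming packet from [AF_INET]10.0.0.55:51234
"""

REMOTE_RE = re.compile(r"UDP link remote: \[AF_INET\](\d+\.\d+\.\d+\.\d+):(\d+)")
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
PEER_RE = re.compile(r"\[AF_INET\](\d+\.\d+\.\d+\.\d+):(\d+)")


@dataclass
class Verdict:
    stage: str   # "upstream", "handshake", "server" or "unknown"
    detail: str


def client_timeout(client_log: str):
    """Return (remote_ip, remote_port, seconds) if the client gave up waiting
    for the TLS handshake, else None."""
    remote = None
    for line in client_log.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            remote = (m.group(1), int(m.group(2)))
        t = TIMEOUT_RE.search(line)
        if t and remote:
            return remote[0], remote[1], int(t.group(1))
    return None


def server_saw_client(server_log: str, listen_ip: str, listen_port: int) -> bool:
    """True if any server line names a peer other than the listening socket."""
    for line in server_log.splitlines():
        for ip, port in PEER_RE.findall(line):
            if (ip, int(port)) != (listen_ip, listen_port):
                return True
    return False


def classify(client_log: str, server_log: str) -> Verdict:
    """Combine both logs into a single verdict on where the connection dies."""
    timeout = client_timeout(client_log)
    if timeout is None:
        return Verdict("unknown", "client log has no TLS negotiation timeout")
    ip, port, secs = timeout
    if "Initialization Sequence Completed" not in server_log:
        return Verdict("server", "server never finished initialising; read the server log for errors")
    if not server_saw_client(server_log, ip, port):
        return Verdict(
            "upstream",
            f"client waited {secs}s for {ip}:{port} but the server logged no peer; "
            "packets are dropped before the pfSense WAN (port forward, WAN rule or upstream router)",
        )
    return Verdict(
        "handshake",
        "server saw the client but TLS failed; check tls-auth/tls-crypt key, certificates and ciphers",
    )


if __name__ == "__main__":
    for name, log in (("silent server", SERVER_LOG_SILENT), ("server saw client", SERVER_LOG_SEEN)):
        v = classify(CLIENT_LOG, log)
        print(f"{name}: {v.stage} - {v.detail}")
```

With the logs from this thread the verdict is "upstream", which matches the advice to look at the xFi port forward rather than at pfSense. To confirm it directly, watch the WAN interface on pfSense while the client retries (Diagnostics > Packet Capture, or `tcpdump -ni bce0 udp port 1194` from the shell): if no packets appear, pfSense has nothing to act on.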

@derelict I hear ya'. That's a bummer, but it makes sense... Maybe I could replace our existing router with another pfSense one and do a P2P server between both of them instead, so the firewalls can talk to each other? xFi isn't the best with their interface - far too simple. Home-network friendly, I suppose.

                          Thank you for the help though.
