Netgate Discussion Forum

[Solved] Help needed to solve the OpenVPN issue : TLS key negotiation failed to occur within 60 seconds

    marimo
    last edited by marimo Aug 25, 2019, 5:40 PM Aug 22, 2019, 5:31 AM

    Hello, I need help with an OpenVPN issue where I get the following message in the log:
    "TLS key negotiation failed to occur within 60 seconds"
    after I type in the login ID and passcode when it prompts.

    OpenVPN_Log.JPG

    Here is the config of my pfSense for OpenVPN.

    WAN FW rule:
    WAN_FW.JPG

    CAs
    CA.JPG

    Certificates:
    Certificates.JPG

    OpenVPN Server:
    openVPN.JPG

    OpenVPN config file setting:

    ==========================
    dev tun
    persist-tun
    persist-key
    cipher AES-256-GCM
    ncp-ciphers AES-128-GCM
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote 174.21.33.229 1194 udp
    setenv opt block-outside-dns
    auth-user-pass
    ca pfSense-UDP4-1194-ca.crt
    tls-auth pfSense-UDP4-1194-tls.key 1
    remote-cert-tls server

    =============================
    Note: Remote Ip address is my public IP.

    Environment
    Internet modem/router

    • NAT Enabled and DHCP On
    • FW is off
    • Port 1 connect to pfSense
    • Port 2 connect to Asus WiFi Router

    Test Scenarios:

    1. Connected a laptop to the Asus WiFi router and tried to connect to OpenVPN on pfSense. (The Asus router has a different IP address than pfSense.)
    • Result: Getting a prompt for login, but after that getting a "TLS key negotiation failed to occur within 60 seconds" error.
    2. Connected a laptop to the Internet modem/router and tried an OpenVPN connection using the public IP
    • Result: Same as Scenario 1
    3. Connected a laptop to the Internet modem/router and tried an OpenVPN connection using the pfSense WAN IP
    • Result: Same as Scenario 1

    I hope someone can help me to resolve this.
    I searched this forum and the OpenVPN site, but I have not been able to resolve the issue and I need help troubleshooting.

    Thank you

      Rico LAYER 8 Rebel Alliance
      last edited by Aug 22, 2019, 8:33 AM

      So you're on a double NAT scenario?
      Then you first need to forward port 1194 UDP from the router upstream of pfSense to the pfSense WAN IP.
      Second, you need to disable Block private networks and loopback addresses (Interfaces > WAN).

      -Rico

        marimo @Rico
        last edited by Aug 22, 2019, 3:52 PM

        Hello @Rico, thank you for the help.
        As you suggested, by disabling Block private networks and loopback addresses on WAN, I am able to run test scenarios 1 & 3 fine.

        Now I am trying to figure out why it's not working using my public IP address.

        • Set up a port FW in the modem, but still not working.
        • Turned off the FW (set disabled), still not working.

        I wonder if anyone has had issues with the Actiontec Q1000 modem.

          marimo @marimo
          last edited by Aug 25, 2019, 5:39 PM

          FYI.
          I was able to figure it out now and the VPN connection is working.

          Thank you to @Rico for helping me out.

            KOM
            last edited by Aug 25, 2019, 5:46 PM

            What was your solution?

              marimo @KOM
              last edited by Aug 26, 2019, 5:29 PM

              Hello, @KOM
              The OpenVPN issue was resolved by @Rico's suggestion to disable the Block private networks and loopback addresses option.

              The solution for the modem is that I just need to open the OpenVPN ports manually in the modem settings and trust that it works; trying to test / validate the solution from behind the modem's network does not work.
              So I have to go to a local open WiFi (such as a library or Starbucks) to test that the ports are open and validate that the VPN is working.

              I hope that explains it.
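
An added example (not part of the original posts): a small Python model of the double-NAT layout discussed in Rico's answer and marimo's solution above, showing which hop drops the OpenVPN UDP/1194 packet in each test scenario. Only 174.21.33.229 comes from the posted config; the pfSense WAN, router and client addresses are constructed, and the list of ranges covered by the pfSense option is an assumption based on its documented behaviour.

```python
import ipaddress

# Sources dropped on WAN by pfSense's "Block private networks and loopback
# addresses" option: RFC 1918, loopback and IPv6 unique-local (assumed list).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]

def is_blocked_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in BLOCKED)

def trace(src, dst, *, public_ip, pfsense_wan, block_private,
          modem_forward=False, modem_hairpin=False):
    """Say where a client's UDP/1194 packet ends up in the double-NAT layout."""
    if dst == public_ip:
        # Traffic to the public IP must be port-forwarded by the modem; from
        # inside the modem's LAN it also depends on NAT reflection (hairpin).
        if not modem_forward:
            return "dropped at modem: no UDP/1194 forward"
        if is_blocked_source(src) and not modem_hairpin:
            return "dropped at modem: no hairpin NAT for inside clients"
    elif dst != pfsense_wan:
        return "not addressed to the VPN"
    # The packet now arrives on pfSense WAN with its source address intact.
    if block_private and is_blocked_source(src):
        return "dropped at pfSense WAN: private source blocked"
    return "reaches OpenVPN"

# Public IP is from the posted config; every other address is constructed.
PUBLIC, WAN = "174.21.33.229", "192.168.0.2"
SCENARIOS = {
    "1: laptop behind Asus router -> pfSense WAN": ("192.168.0.3", WAN),
    "2: laptop on modem LAN -> public IP": ("192.168.0.50", PUBLIC),
    "3: laptop on modem LAN -> pfSense WAN": ("192.168.0.50", WAN),
    "4: outside WiFi -> public IP": ("203.0.113.10", PUBLIC),
}

def run(block_private, modem_forward):
    return {name: trace(src, dst, public_ip=PUBLIC, pfsense_wan=WAN,
                        block_private=block_private, modem_forward=modem_forward)
            for name, (src, dst) in SCENARIOS.items()}

if __name__ == "__main__":
    for label, args in (("original setup", (True, False)),
                        ("after both fixes", (False, True))):
        print(label)
        for name, verdict in run(*args).items():
            print(f"  {name}: {verdict}")
```

Because the pfSense WAN sits on the modem's private subnet, clients on that subnet always arrive with an RFC 1918 source, which is why scenarios 1 and 3 only pass with the option off, while a client on outside WiFi depends only on the modem's port forward.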

                sriram LAYER 8 @marimo
                last edited by Jan 22, 2021, 7:29 PM

                @marimo Hi marimo, I had the same TLS key error. Referring to your solution, I disabled Block private networks and loopback addresses in the WAN interface settings, but I am still getting the same error. Can anyone help me out?
