[Solved] Help needed to solve the OpenVPN issue : TLS key negotiation failed to occur within 60 seconds



  • Hello, I need help with an OpenVPN issue where I get the following message in the log:
    "TLS key negotiation failed to occur within 60 seconds"
    after I type in the login ID and passcode when prompted.

    OpenVPN_Log.JPG

    Here is the config of my pfSense for OpenVPN.

    WAN FW rule:
    WAN_FW.JPG

    CAs
    CA.JPG

    Certificates:
    Certificates.JPG

    OpenVPN Server:
    openVPN.JPG

    OpenVPN config file setting:

    ==========================
    dev tun
    persist-tun
    persist-key
    cipher AES-256-GCM
    ncp-ciphers AES-128-GCM
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote 174.21.33.229 1194 udp
    setenv opt block-outside-dns
    auth-user-pass
    ca pfSense-UDP4-1194-ca.crt
    tls-auth pfSense-UDP4-1194-tls.key 1
    remote-cert-tls server

    =============================
    Note: The remote IP address is my public IP.

    Environment
    Internet modem/router

    • NAT Enabled and DHCP On
    • FW is off
    • Port 1 connect to pfSense
    • Port 2 connect to Asus WiFi Router

    Test Scenarios:

    1. Connected a laptop to the Asus WiFi router and tried to connect to OpenVPN on pfSense. (The Asus router has a different IP address than pfSense.)
    • Result: Getting a prompt for login, but after that getting a "TLS key negotiation failed to occur within 60 seconds" error.
    2. Connected a laptop to the Internet modem/router and tried an OpenVPN connection using the public IP.
    • Result: Same as Scenario 1
    3. Connected a laptop to the Internet modem/router and tried an OpenVPN connection using the pfSense WAN IP.
    • Result: Same as Scenario 1

    I hope someone can help me to resolve this.
    I did search in this forum and on the OpenVPN site, but I have not been able to resolve the issue and I need help troubleshooting.

    Thank you


  • So you're on a double NAT scenario?
    Then you first need to forward port 1194 UDP on the router upstream of pfSense to the pfSense WAN IP.
    Second, you need to disable Block private networks and loopback addresses (Interfaces > WAN).

    -Rico
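    As an added illustration of the double-NAT reasoning in Rico's reply and the testing caveat in the final post (example code written for this page, not from the thread, pfSense or OpenVPN): a small checker that parses an OpenVPN client config, classifies the `remote` address, and reports which of the three conditions discussed here would stop the TLS handshake before it starts. It assumes that the pfSense "Block private networks and loopback addresses" option drops the RFC 1918 ranges plus 127.0.0.0/8, that a private pfSense WAN address means a second NAT in front of it, and that the upstream router's port forwards are known; the sample config and the 198.51.100.10 address (an RFC 5737 documentation-range stand-in for the poster's real public IP) are constructed for the example.

```python
import ipaddress
import shlex

# Constructed sample client config, modelled on the one posted in the thread.
# 198.51.100.10 is a documentation-range (RFC 5737) placeholder standing in for
# the poster's real public IP; it is not on the page.
SAMPLE_CLIENT_CONFIG = """\
dev tun
persist-tun
persist-key
cipher AES-256-GCM
auth SHA256
client
remote 198.51.100.10 1194 udp
auth-user-pass
ca pfSense-UDP4-1194-ca.crt
tls-auth pfSense-UDP4-1194-tls.key 1
remote-cert-tls server
"""

# What pfSense's "Block private networks and loopback addresses" WAN option drops:
# the RFC 1918 ranges plus loopback (assumption based on the option's name).
BLOCKED_PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_config(text):
    """Return (directive, [args]) for every non-empty, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def remote_endpoints(entries):
    """Yield (host, port, proto) for each 'remote'; OpenVPN defaults to 1194/udp."""
    for directive, args in entries:
        if directive == "remote" and args:
            host = args[0]
            port = int(args[1]) if len(args) > 1 else 1194
            proto = args[2].lower() if len(args) > 2 else "udp"
            yield host, port, proto


def is_blocked_private(host):
    """True if host is an address the WAN option would drop; hostnames return False."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_PRIVATE_NETS)


def diagnose(config_text, pfsense_wan_ip, wan_blocks_private,
             upstream_forwards, client_behind_upstream):
    """Return [(code, message)] for the handshake-timeout causes the thread identified.

    upstream_forwards: set of (proto, port) pairs the upstream router forwards
    to the pfSense WAN IP. client_behind_upstream: True when the test client
    sits inside the upstream router's own network.
    """
    findings = []
    double_nat = is_blocked_private(pfsense_wan_ip)
    for host, port, proto in remote_endpoints(parse_config(config_text)):
        # Scenarios 1 and 3: connecting to the private WAN IP means the packets
        # arrive from a private source, which the WAN option silently drops.
        if is_blocked_private(host) and wan_blocks_private:
            findings.append(("WAN_BLOCKS_PRIVATE",
                f"remote {host} is a private address, so the pfSense WAN drops the "
                f"handshake: disable 'Block private networks' (Interfaces > WAN)"))
        # Scenario 2: the public IP belongs to the upstream router, which must
        # forward the OpenVPN port to pfSense, and cannot be tested from inside.
        if not is_blocked_private(host) and double_nat:
            if (proto, port) not in upstream_forwards:
                findings.append(("NO_UPSTREAM_FORWARD",
                    f"pfSense WAN {pfsense_wan_ip} is behind another NAT with no "
                    f"{proto}/{port} forward to it: add one on the upstream router"))
            if client_behind_upstream:
                findings.append(("HAIRPIN_TEST",
                    f"testing {host}:{port} from inside the upstream router's network "
                    f"needs hairpin NAT, which the modem may not do: test from outside"))
    return findings


if __name__ == "__main__":
    # pfSense WAN on a private address behind the modem, nothing forwarded yet.
    for code, msg in diagnose(SAMPLE_CLIENT_CONFIG, "192.168.1.2", True, set(), True):
        print(f"{code}: {msg}")
```

    Running it with the thread's starting state (private pfSense WAN, no forward, client inside the modem's network) reports both the missing forward and the hairpin caveat; swapping the `remote` for the private WAN address with the block option still on reproduces the scenario 1/3 symptom instead.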



  • Hello @Rico, thank you for the help.
    As you suggested, by disabling Block private networks and loopback addresses on WAN, I am able to do test scenarios 1 & 3 fine.

    Now I am trying to figure out why it's not working using my public IP address.

    • Set up a port FW in the modem, but it's still not working.
    • Turned off the FW (set to disabled), still not working.

    I wonder if anyone has had issues with the Actiontec Q1000 modem.



  • FYI.
    I was able to figure it out now and the VPN connection is working.

    Thank you to @Rico for helping me out.



  • What was your solution?



  • Hello, @KOM
    The OpenVPN issue was resolved by @Rico's suggestion to disable Block private networks and loopback addresses.

    The solution for the modem is that I just needed to open the OpenVPN ports manually in the modem settings and trust that it works, since trying to test/validate the solution from behind the modem's network does not work.
    So I had to go to a local open Wi-Fi (such as a library or Starbucks) to test that the ports are open and validate that the VPN is working.

    I hope that explains it.

