Netgate Discussion Forum

    [Solved] Help needed to solve the OpenVPN issue : TLS key negotiation failed to occur within 60 seconds

      marimo

      Hello, I need help with an OpenVPN issue where I get the following message in the log:
      "TLS key negotiation failed to occur within 60 seconds"
      after I type in the login ID and passcode when it prompts.

      OpenVPN_Log.JPG

      Here is the config of my pfSense for OpenVPN.

      WAN FW rule:
      WAN_FW.JPG

      CAs
      CA.JPG

      Certificates:
      Certificates.JPG

      OpenVPN Server:
      openVPN.JPG

      OpenVPN config file setting:

      ==========================
      dev tun
      persist-tun
      persist-key
      cipher AES-256-GCM
      ncp-ciphers AES-128-GCM
      auth SHA256
      tls-client
      client
      resolv-retry infinite
      remote 174.21.33.229 1194 udp
      setenv opt block-outside-dns
      auth-user-pass
      ca pfSense-UDP4-1194-ca.crt
      tls-auth pfSense-UDP4-1194-tls.key 1
      remote-cert-tls server

      =============================
      Note: Remote IP address is my public IP.

      Environment
      Internet modem/router

      • NAT Enabled and DHCP On
      • FW is off
      • Port 1 connect to pfSense
      • Port 2 connect to Asus WiFi Router

      Test Scenarios:

      1. Connected a laptop to the Asus WiFi router and tried to connect to OpenVPN on pfSense. (The Asus router has a different IP address than pfSense.)
      • Result: Getting a prompt for login, but after that getting a "TLS key negotiation failed to occur within 60 seconds" error.
      2. Connected a laptop to the Internet modem/router and tried an OpenVPN connection using the public IP
      • Result: Same as Scenario 1
      3. Connected a laptop to the Internet modem/router and tried an OpenVPN connection using the pfSense WAN IP
      • Result: Same as Scenario 1

      I hope someone can help me to resolve this.
      I searched this forum and the OpenVPN site, but I have not been able to resolve the issue and I need help with troubleshooting.

      Thank you

        Rico

        So you're on a double NAT scenario?
        Then you first need to forward port 1194 UDP from the router upstream of pfSense to the pfSense WAN IP.
        Second, you need to disable Block private networks and loopback addresses (Interfaces > WAN).

        -Rico

          marimo @Rico

          Hello @Rico, thank you for the help.
          As you suggested, by disabling Block private networks and loopback addresses in WAN, I am able to do test scenarios 1 & 3 fine.

          Now I am trying to figure out why it's not working using my public IP address.

          • Set up a port FW in modem but still not working.
          • Turned off the FW (set disabled), still not working.

          I wonder if anyone has had an issue with the Actiontec Q1000 modem.

            marimo @marimo

            FYI.
            I was able to figure it out now and the VPN connection is working.

            Thank you to @Rico for helping me out.

              KOM

              What was your solution?

                marimo @KOM

                Hello, @KOM
                The OpenVPN issue was resolved by @Rico's suggestion to disable Block private networks and loopback addresses.

                The solution for the modem is that I just need to open the OpenVPN ports manually in the modem settings and trust that it works, because trying to test / validate a solution from behind the modem's network does not work.
                So I have to go to a local open WiFi (such as a library or Starbucks) to test that the ports are open and validate that the VPN is working.

                I hope that explains it.

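The fixes discussed in this thread can be read as a small reachability model, given here as an added example (not code from any poster). It applies the port forward and the Block private networks setting to a client on the modem's LAN and to an outside client. The addresses are constructed, the option is modeled as dropping RFC 1918 and IPv4 loopback sources, and the modem is assumed not to loop LAN traffic back through its public IP, which matches what marimo observed.

```python
import ipaddress

# Constructed addresses for illustration (not taken from the thread).
MODEM_LAN = ipaddress.ip_network("192.168.0.0/24")
PFSENSE_WAN = "192.168.0.2"   # pfSense WAN sits on the modem's LAN (double NAT)
PUBLIC_IP = "203.0.113.10"    # modem's public address (RFC 5737 documentation range)

# Assumption: the WAN option is modeled as dropping RFC 1918 and IPv4 loopback sources.
BLOCKED_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def source_is_blocked(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BLOCKED_SOURCES)


def diagnose(client_src, dest, block_private, port_forward, hairpin_nat=False):
    """Say whether a client's UDP 1194 packet reaches the OpenVPN server, or why not."""
    inside = ipaddress.ip_address(client_src) in MODEM_LAN
    if dest == PUBLIC_IP:
        if not port_forward:
            return "no UDP 1194 forward on the modem"
        if inside and not hairpin_nat:  # hairpin_nat is a hypothetical modem capability
            return "modem does not reflect LAN traffic sent to its public IP"
    elif dest != PFSENSE_WAN:
        return "destination is not the VPN server"
    if block_private and source_is_blocked(client_src):
        return "dropped by Block private networks and loopback addresses"
    return "reaches OpenVPN"


def run_scenarios(block_private, port_forward):
    cases = {
        "LAN client -> pfSense WAN IP": ("192.168.0.50", PFSENSE_WAN),
        "LAN client -> public IP": ("192.168.0.50", PUBLIC_IP),
        "outside client -> public IP": ("198.51.100.7", PUBLIC_IP),
    }
    return {name: diagnose(src, dst, block_private, port_forward)
            for name, (src, dst) in cases.items()}


if __name__ == "__main__":
    for fixed in (False, True):
        print("after fixes" if fixed else "before fixes")
        for name, verdict in run_scenarios(not fixed, fixed).items():
            print(f"  {name}: {verdict}")
```

In this model the private-source block only affects clients on the modem's LAN; an outside client depends on the port forward alone.
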
                  sriram @marimo

                  @marimo Hi marimo, I had the same TLS key error. By referring to your solution I disabled the Block private networks and loopback addresses option in the WAN interface settings, but I am still getting the same error. Can anyone help me out?
