OpenVPN Server Stops Responding - TLS Error



  • The OpenVPN server on 1 of my pfSense boxes has been working fine for several months. Last week, while I was remoting into this box using the OpenVPN client (everything was still working fine then), my PC had a power surge which caused a sudden reboot. Although the PC came back online with no issues, I could no longer vpn into this pfSense box. So far, I’ve verified the following:

    1. My client (.ovpn) config file; no changes/corruption here
    2. Attempts to vpn into this box using a different PC; no success
    3. Server settings on the pfSense box. Also restarted this box
    4. Attempts to vpn into this box using different profiles without success. Prior to the incident, I had 5 different road-warrior setups and they were working fine then.

    Ever since the power surge incident, I get a TLS error every time I try to vpn into this box. Below is a copy of the console message on my PC:
    Sat Dec 05 17:16:39 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
    Sat Dec 05 17:16:39 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Sat Dec 05 17:16:39 2009 LZO compression initialized
    Sat Dec 05 17:16:39 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sat Dec 05 17:16:39 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sat Dec 05 17:16:39 2009 Local Options hash (VER=V4): '41690919'
    Sat Dec 05 17:16:39 2009 Expected Remote Options hash (VER=V4): '530fdded'
    Sat Dec 05 17:16:39 2009 UDPv4 link local: [undef]
    Sat Dec 05 17:16:39 2009 UDPv4 link remote: xxx.xxx.xxx.xx4:1198
    Sat Dec 05 17:17:40 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Dec 05 17:17:40 2009 TLS Error: TLS handshake failed
    Sat Dec 05 17:17:40 2009 TCP/UDP: Closing socket
    Sat Dec 05 17:17:40 2009 SIGUSR1[soft,tls-error] received, process restarting
    Sat Dec 05 17:17:40 2009 Restart pause, 2 second(s)

    I’ve been reading some TLS related postings in this forum, but do not see any connection to my issue. There is 1 posting indicating that the ISP was blocking certain ports (hence TLS does not work properly). I can say that this is not the case for me, as I can vpn into my other pfSense box using the same PC. Also, the OpenVPN client on this box still works fine; it connects to my other pfSense box.

    Could anyone let me know how to correct this TLS error on this pfSense box?

    Thank you,

    PV



  • Just had this same issue and turns out it was due to an IP change, dynamic IP on my pfSense box.

    Very elementary but a show stopper nonetheless.

    Verify your IP and, if it's correct, then change your config to verb 5 and see if the more detailed OpenVPN output provides a better clue to the problem.



  • I've verified its IP, and there is no change. (All of my pfSense boxes including this 1 have static IP. If the IP were changed, my IPsec tunnels on this box would have broken already. But they are not affected.) I'll alter my client config file as suggested and see if I get more details/hints.

    Does anyone know where TLS certificate(s) reside on a pfSense box? (/var/etc ?) And can this certificate be manually generated?



  • I don't know if this is your scenario, but recently one of my employees told me of your problem... TLS error.

    The server was ok, other connections were ok, but he still had a problem…

    The difference is that the connection starts on a virtual machine, not on the host; that's the problem (but we don't know why). When the connection is established on the host, everything works again.

    The server is only one, but the clients are a huge universe...

    Again, I don't know if it's your problem, but at least it could be a hint.



  • Got this resolved; apparently a FW rule was moved to a wrong position ::)
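
The client log in the first post and the resolution above (a firewall rule in the wrong position) illustrate the core diagnostic question behind "TLS key negotiation failed to occur within 60 seconds": did the server ever answer, or did the packets never get through? The script below is an added example, not code from this thread, from OpenVPN or from pfSense. It reads an OpenVPN client log, pulls out the remote endpoint the client tried, and classifies the outcome using the message text quoted in the thread plus two other standard OpenVPN client messages ("VERIFY ERROR" for a rejected certificate and "incoming packet authentication failed" for a tls-auth HMAC failure). The function names `triage` and `restart_count` and the two logs that are not from the thread are constructed for the example.

```python
"""Triage an OpenVPN client log for the TLS-negotiation timeout symptom.

Added example (not from the forum thread, OpenVPN or pfSense). It decides
whether the server ever replied: a bare timeout means the client's first TLS
packet got no answer (IP, port/proto, firewall rule order), whereas VERIFY
or tls-auth messages prove packets arrived and the TLS layer rejected them.
"""
import re
from typing import Dict, List

# Tail of the client log quoted in the first post (timestamps as printed).
LOG_FROM_THREAD = """\
Sat Dec 05 17:16:39 2009 UDPv4 link local: [undef]
Sat Dec 05 17:16:39 2009 UDPv4 link remote: xxx.xxx.xxx.xx4:1198
Sat Dec 05 17:17:40 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Dec 05 17:17:40 2009 TLS Error: TLS handshake failed
Sat Dec 05 17:17:40 2009 TCP/UDP: Closing socket
Sat Dec 05 17:17:40 2009 SIGUSR1[soft,tls-error] received, process restarting
Sat Dec 05 17:17:40 2009 Restart pause, 2 second(s)
"""

# Constructed sample: the server answers but the client rejects its certificate.
LOG_CERT_CONSTRUCTED = """\
Sat Dec 05 17:16:39 2009 UDPv4 link remote: 192.0.2.10:1194
Sat Dec 05 17:16:40 2009 VERIFY ERROR: depth=0, error=certificate has expired: /CN=server.example
Sat Dec 05 17:16:40 2009 TLS Error: TLS handshake failed
"""

# Constructed sample: packets arrive but fail the tls-auth HMAC check.
LOG_TLSAUTH_CONSTRUCTED = """\
Sat Dec 05 17:16:39 2009 UDPv4 link remote: 192.0.2.10:1194
Sat Dec 05 17:16:40 2009 TLS Error: incoming packet authentication failed from 192.0.2.10:1194
Sat Dec 05 17:17:40 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# Older clients print "host:port"; newer ones prefix "[AF_INET]" -- both handled.
REMOTE_RE = re.compile(r"(UDPv4|TCPv4|UDPv6|TCPv6) link remote: (?:\[AF_INET6?\])?(\S+):(\d+)\s*$")
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
VERIFY_RE = re.compile(r"VERIFY ERROR: (.+)$")
TLS_AUTH_RE = re.compile(r"TLS Error: incoming packet authentication failed from (\S+)")
RESTART_RE = re.compile(r"SIGUSR1\[soft,tls-error\] received")

ADVICE = {
    "no_reply_from_server": (
        "Nothing came back within the timeout. Check the server's public IP, that it "
        "listens on this proto/port, and that the firewall rule allowing it is present "
        "and ordered before any block rule. Caveat: a server using tls-auth also drops "
        "bad-HMAC packets silently, so a wrong client tls-auth key looks identical."
    ),
    "certificate_problem": "Server replied; the client rejected its certificate (expiry, CA, CN).",
    "tls_auth_mismatch": "Server replied; packets failed the tls-auth HMAC (key or key-direction).",
    "unknown": "No recognised TLS failure message found; re-run with verb 5.",
}


def triage(log_text: str) -> Dict[str, object]:
    """Classify a client log. Returns endpoint, diagnosis, advice and evidence lines."""
    result: Dict[str, object] = {"proto": None, "remote": None, "port": None,
                                 "diagnosis": "unknown", "evidence": []}
    evidence: List[str] = result["evidence"]  # type: ignore[assignment]
    server_replied = False
    for line in log_text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            result["proto"], result["remote"], result["port"] = m.group(1), m.group(2), int(m.group(3))
            continue
        if VERIFY_RE.search(line):
            server_replied = True
            result["diagnosis"] = "certificate_problem"
            evidence.append(line.strip())
        elif TLS_AUTH_RE.search(line):
            server_replied = True  # a packet arrived; it just failed the HMAC check
            result["diagnosis"] = "tls_auth_mismatch"
            evidence.append(line.strip())
        elif TIMEOUT_RE.search(line) and not server_replied:
            result["diagnosis"] = "no_reply_from_server"
            evidence.append(line.strip())
    result["advice"] = ADVICE[str(result["diagnosis"])]
    return result


def restart_count(log_text: str) -> int:
    """How many times the client gave up and restarted (persistent vs one-off)."""
    return sum(1 for line in log_text.splitlines() if RESTART_RE.search(line))


if __name__ == "__main__":
    for name, log in (("thread", LOG_FROM_THREAD), ("cert", LOG_CERT_CONSTRUCTED),
                      ("tls-auth", LOG_TLSAUTH_CONSTRUCTED)):
        r = triage(log)
        print(f"{name}: {r['proto']} {r['remote']}:{r['port']} -> {r['diagnosis']} "
              f"(restarts={restart_count(log)})\n  {r['advice']}")
```

For the thread's log the script reports `no_reply_from_server` for `xxx.xxx.xxx.xx4:1198` over UDPv4, which is exactly the category a misplaced firewall rule falls into; the caveat in the advice matters because, from the client side, a dropped packet and a silently rejected tls-auth packet are indistinguishable, so the server-side log (or pfSense's firewall log for that port) is the next place to look.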

