    Road Warrior: TLS handshake failed

    cyboc

      Hi Everyone,

      We have a Road Warrior OpenVPN VPN that has been running flawlessly for months. Currently, we have a user that is traveling in Canada and the US. She had no problem accessing the VPN from hotels in Toronto and Ottawa. However, when she tried to access the VPN from a hotel in New York today, she couldn't. Here is what I see in the OpenVPN log on the server when she tries to connect:

      Oct 24 09:22:12 	openvpn[16017]: 74.2.x.x:1534 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Oct 24 09:22:12 	openvpn[16017]: 74.2.x.x:1534 TLS Error: TLS handshake failed
      

      Furthermore, on the OpenVPN Status page, I see this:

      Common Name   Real Address    Virtual Address   Connected Since            Bytes Sent   Bytes Received
      UNDEF         74.2.x.x:1536                     Mon Oct 24 09:23:15 2011   1146         882
      

      Notice that the Common Name in the status shows "UNDEF". Normally, it shows the Common Name from that user's certificate (e.g. "JaneDoe").

      Could the hotel be somehow blocking the TLS handshake negotiation? If the user forgot to visit the hotel's captive portal page, could that cause these symptoms? Has anyone seen this before when the user is at a hotel or internet cafe?

      cyboc

        I did some research and it seems that the hotel's ISP (or their ISP's ISP) is Covad and that Covad has been known to block the UDP protocol in some markets. Luckily, OpenVPN is flexible enough that I can configure it to use the TCP protocol instead of UDP. I will configure an alternate server that uses TCP. Unfortunately, our user is leaving the hotel in a few minutes so she won't get a chance to test the new server.

        1 Reply Last reply Reply Quote 0
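
The UDP-first, TCP-fallback setup described in the reply above, as an added example that is not from the original thread or from pfSense: a client profile that lists both remotes, and the alternate TCP server instance that sits beside the existing UDP one. The hostname vpn.example.com, the choice of TCP port 443, the key/certificate file names and the tunnel subnet are assumptions; on pfSense the server side is generated from the GUI, so this is the equivalent plain openvpn.conf.

```conf
# Client profile (client.ovpn): UDP first, TCP as the fallback
client
dev tun
nobind
resolv-retry infinite
persist-key
persist-tun
# Remotes are tried in order. If the hotel network drops UDP, the first
# entry times out and the client moves on to the TCP server.
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
# Give up on an unresponsive remote after 20 s instead of the default 120 s.
server-poll-timeout 20
remote-cert-tls server
ca ca.crt
cert JaneDoe.crt
key JaneDoe.key
tls-auth ta.key 1
verb 3

# Alternate server instance (second openvpn process on the firewall).
# Identical to the existing UDP instance except for proto, port and the
# tunnel subnet, which must not overlap with the UDP instance's subnet.
port 443
proto tcp-server
dev tun
server 10.8.1.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
keepalive 10 60
persist-key
persist-tun
verb 3
```

With this profile a client on a UDP-blocking network still logs the 60-second TLS negotiation timeout on the first remote, then connects over TCP without any change by the user; on the server, a successful TCP session shows the real Common Name instead of UNDEF on the status page.
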