Road Warrior: TLS handshake failed

  • Hi Everyone,

    We have a Road Warrior OpenVPN VPN that has been running flawlessly for months. Currently, we have a user that is traveling in Canada and the US. She had no problem accessing the VPN from hotels in Toronto and Ottawa. However, when she tried to access the VPN from a hotel in New York today, she couldn't. Here is what I see in the OpenVPN log on the server when she tries to connect:

    Oct 24 09:22:12 openvpn[16017]: 74.2.x.x:1534 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 24 09:22:12 openvpn[16017]: 74.2.x.x:1534 TLS Error: TLS handshake failed

    Furthermore, on the OpenVPN Status page, I see this:

    Common Name   Real Address    Virtual Address   Connected Since            Bytes Sent   Bytes Received
    UNDEF         74.2.x.x:1536                     Mon Oct 24 09:23:15 2011   1146         882

    Notice that the Common Name in the status shows "UNDEF". Normally, it shows the Common Name from that user's certificate (e.g. "JaneDoe").

    Could the hotel be somehow blocking the TLS handshake negotiation? If the user forgot to visit the hotel's captive portal page, could that cause these symptoms? Has anyone seen this before when the user is at a hotel or internet cafe?

  • I did some research and it seems that the hotel's ISP (or their ISP's ISP) is Covad and that Covad has been known to block the UDP protocol in some markets. Luckily, OpenVPN is flexible enough that I can configure it to use the TCP protocol instead of UDP. I will configure an alternate server that uses TCP. Unfortunately, our user is leaving the hotel in a few minutes so she won't get a chance to test the new server.
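The UDP-plus-TCP fallback described in the post above, written out as an added example rather than the poster's own configuration: two server instances sharing one CA, and a client profile that tries UDP first and falls back to TCP on 443 by itself. The hostname, subnets, port choice, file names and the use of a tls-auth HMAC key are assumptions.

```conf
# --- server-udp.conf (first instance): the existing UDP listener ---
# Assumed example values: all paths, subnets and the hostname are placeholders.
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
keepalive 10 60

# --- server-tcp.conf (second instance): same CA and certs, own tun and subnet ---
# 443/tcp is chosen because it is the port a hotel network is least likely to filter.
port 443
proto tcp
dev tun1
server 10.8.1.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
keepalive 10 60

# --- client.ovpn: try UDP first, fall back to TCP without the user doing anything ---
client
dev tun
nobind
resolv-retry infinite
# No global "proto" line: the protocol is given on each remote line instead.
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
# Give up on a remote after 30 s (default is 120 s) so the TCP fallback
# starts quickly when UDP is silently dropped somewhere upstream.
server-poll-timeout 30
ca ca.crt
cert JaneDoe.crt
key JaneDoe.key
tls-auth ta.key 1
persist-tun
persist-key
```

Run the two server configs as separate OpenVPN processes; a traveller whose UDP is dropped then shows up in the 443/tcp instance's log with her certificate CN instead of as an UNDEF entry, which also confirms that the network rather than the certificates was the problem.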
