Road Warrior: TLS handshake failed
We have a Road Warrior OpenVPN VPN that has been running flawlessly for months. Currently, we have a user that is traveling in Canada and the US. She had no problem accessing the VPN from hotels in Toronto and Ottawa. However, when she tried to access the VPN from a hotel in New York today, she couldn't. Here is what I see in the OpenVPN log on the server when she tries to connect:
Oct 24 09:22:12 openvpn: 74.2.x.x:1534 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 24 09:22:12 openvpn: 74.2.x.x:1534 TLS Error: TLS handshake failed
Furthermore, on the OpenVPN Status page, I see this:
Common Name   Real Address    Virtual Address   Connected Since             Bytes Sent   Bytes Received
UNDEF         74.2.x.x:1536                     Mon Oct 24 09:23:15 2011    1146         882
Notice that the Common Name in the status shows "UNDEF". Normally, it shows the Common Name from that user's certificate (e.g. "JaneDoe").
Could the hotel be somehow blocking the TLS handshake negotiation? If the user forgot to visit the hotel's captive portal page, could that cause these symptoms? Has anyone seen this before when the user is at a hotel or internet cafe?
I did some research and it seems that the hotel's ISP (or their ISP's ISP) is Covad and that Covad has been known to block the UDP protocol in some markets. Luckily, OpenVPN is flexible enough that I can configure it to use the TCP protocol instead of UDP. I will configure an alternate server that uses TCP. Unfortunately, our user is leaving the hotel in a few minutes so she won't get a chance to test the new server.
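As an added illustration (not part of the original post or of the poster's configuration), the TCP fallback described in the last paragraph can be set up as a second OpenVPN server instance listening on TCP beside the existing UDP one, with a client profile that tries UDP first and falls back to TCP. Hostname, ports, tunnel subnets, device names and certificate paths below are assumed placeholders; the two server instances need their own tun device and their own subnet because one OpenVPN process cannot serve both protocols on the same socket.

```conf
# --- server-udp.conf (existing instance, assumed values) ---
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
keepalive 10 60
verb 3

# --- server-tcp.conf (added fallback instance, assumed values) ---
# TCP/443 is chosen because outbound 443 is the port least likely to be
# filtered on hotel and cafe networks; it must not collide with a web
# server already bound to 443 on the same address.
port 443
proto tcp-server
dev tun1
server 10.8.1.0 255.255.255.0     # separate subnet from the UDP instance
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
keepalive 10 60
verb 3

# --- client.ovpn (one profile for both transports, assumed hostname) ---
client
dev tun
nobind
persist-key
persist-tun
remote-cert-tls server            # reject a server that presents a client cert
verb 3
# Connection profiles are tried in order; if the UDP handshake never
# completes (the "TLS key negotiation failed to occur within 60 seconds"
# case) OpenVPN moves on to the TCP profile.
<connection>
remote vpn.example.com 1194 udp
</connection>
<connection>
remote vpn.example.com 443 tcp-client
</connection>
ca   ca.crt
cert JaneDoe.crt
key  JaneDoe.key
```

When a client falls back to TCP, the server-side status page for the TCP instance should then show the certificate's Common Name instead of UNDEF, which is a quick way to confirm that the earlier failure was the transport being blocked rather than a certificate or key problem. If both profiles still time out, the captive-portal possibility raised above (no traffic at all until the hotel's login page has been visited) is the next thing to rule out.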