Problems connecting remotely via Android
-
I'm running into some problems using the recommended OpenVPN for Android client. I constantly get a TLS negotiation failed message.
OpenVPN Client Logs
Building configuration…
started Socket Thread
P:Initializing Google Breakpad!
P:DEPRECATED OPTION: --tls-remote, please update your configuration
P:OpenVPN 2.3.1+dspatch3 android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [EPOLL] [MH] [IPv6] built on May 30 2013
Network Status: CONNECTED LTE to
P:Control Channel Authentication: tls-auth using INLINE static key file
P:Protecting socket fd 4
P:UDP link local (bound): [AF_INET][undef]:1194
P:UDP link remote: [AF_INET]<ip address>:1194
P:WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
P:SIGTERM[soft,management-exit] received, process exiting
Building configuration…
started Socket Thread
Network Status: CONNECTED LTE to
P:Initializing Google Breakpad!
P:DEPRECATED OPTION: --tls-remote, please update your configuration
P:OpenVPN 2.3.1+dspatch3 android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [EPOLL] [MH] [IPv6] built on May 30 2013
P:Control Channel Authentication: tls-auth using INLINE static key file
P:Protecting socket fd 4
P:UDP link local (bound): [AF_INET][undef]:1194
P:UDP link remote: [AF_INET]<ip address>:1194
P:WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
P:TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
P:TLS Error: TLS handshake failed
P:SIGUSR1[soft,tls-error] received, process restarting
P:Control Channel Authentication: tls-auth using INLINE static key file
P:TCP/UDP: Preserving recently used remote address: [AF_INET]<ip address>:1194
P:Protecting socket fd 4
P:UDP link local (bound): [AF_INET][undef]:1194
P:UDP link remote: [AF_INET]<ip address>:1194
P:SIGINT[hard,] received, process exiting
My OpenVPN config on the server is attached. I am also planning on using this same cert config with a laptop later on. Figured I'd get the bugs worked out through Android first.
Any ideas?
-
I would look for basic connectivity things first, the actual server config looks reasonable.
Is there a firewall rule on WAN that allows source any, destination WAN address, port 1194?
UDP link remote: [AF_INET]<ip address>:1194
Is that IP address it tries to connect to, the correct public IP of your pfSense?
Is the pfSense WAN on a private IP behind some other network access device? (If so, then that device will have to forward port 1194)
After checking this, do some Packet Captures to see if anything is arriving on WAN port 1194.
-
We have pretty much the same setup and I can connect. The only difference I can spot right now is the "hardware crypto". Mine is set to "No hardware crypto acceleration". Change that part and redownload your certificates and see if it works.
-
Finally got a chance to test the suggestions in this thread and unfortunately I'm still getting the same error :(
-
"TLS key negotiation failed to occur within 60 seconds" just means that it can't reach the server, or the server rejected it.
Check the server log for OpenVPN and you may find the answer, or at least more info we can use to help. If that log shows nothing, then it is either a connectivity issue or a firewall rule issue.
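The checks suggested in the replies, applied to the client log from the first post, as an added example that is not code from any poster in this thread: it splits the log into connection attempts and, for each attempt that hit the 60-second TLS timeout, lists the server-side checks with the protocol and port taken from the log. The function names and the address 192.0.2.10 (standing in for the redacted server address) are assumptions made for the example.

```python
import re

# Constructed sample: lines copied from the client log in the first post, with
# the redacted address replaced by the documentation address 192.0.2.10.
SAMPLE_LOG = """\
P:Control Channel Authentication: tls-auth using INLINE static key file
P:UDP link remote: [AF_INET]192.0.2.10:1194
P:SIGTERM[soft,management-exit] received, process exiting
P:Control Channel Authentication: tls-auth using INLINE static key file
P:UDP link remote: [AF_INET]192.0.2.10:1194
P:TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
P:TLS Error: TLS handshake failed
P:SIGUSR1[soft,tls-error] received, process restarting
P:Control Channel Authentication: tls-auth using INLINE static key file
P:UDP link remote: [AF_INET]192.0.2.10:1194
P:SIGINT[hard,] received, process exiting
"""

REMOTE = re.compile(r"(UDP|TCP\w*) link remote: \[AF_INET6?\](\S+):(\d+)")
SIGNAL = re.compile(r"(SIG[A-Z0-9]+)\[\w*,([\w-]*)\] received")

def triage(log_text):
    """Split a client log into connection attempts and summarise each one."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip().removeprefix("P:")
        cur = cur or dict(remote=None, tls_auth=False, timed_out=False, ended_by=None)
        if m := REMOTE.search(line):
            cur["remote"] = (m.group(1), m.group(2), int(m.group(3)))
        elif "tls-auth using" in line:
            cur["tls_auth"] = True
        elif "TLS key negotiation failed" in line:
            cur["timed_out"] = True
        elif m := SIGNAL.search(line):  # a signal line closes the attempt
            cur["ended_by"] = (m.group(1), m.group(2))
            attempts.append(cur)
            cur = None
    if cur and cur["remote"]:  # log ended in the middle of an attempt
        attempts.append(cur)
    return attempts

def server_side_checks(attempt):
    """Checks from the thread's replies, filled in for a timed-out attempt."""
    if not attempt["timed_out"] or not attempt["remote"]:
        return []
    proto, host, port = attempt["remote"]
    return [f"WAN rule: source any -> WAN address, {proto} port {port}",
            f"{host} is the pfSense public IP, or an upstream device forwards {proto}/{port}",
            f"packet capture on WAN for {proto} port {port}",
            "OpenVPN log on the server"]
```

Calling `triage()` on the full client log and then `server_side_checks()` on each attempt shows that only the second attempt ran into the timeout; the first and third were ended by a signal before the 60 seconds elapsed.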