Netgate Discussion Forum

    TLS Error: TLS key negotiation failed to occur within 60 seconds

    Category: OpenVPN (10 posts, 2 posters, 8.9k views)
      eskimos

      I'm having some issues with my OpenVPN.

      When trying to connect I get a timeout error: TLS handshake failed.

      When connecting locally, no problem. As soon as I go to an outside network, no dice.

      The pfSense has a public IP. I checked the config of both the client and server; both are displaying the correct port and IP information.

      The server sees the requests, so I don't think it's a port forward/firewall problem.

      Nov 18 14:12:24 openvpn[84509]: 207.148.131.170:54713 TLS Error: TLS handshake failed
      Nov 18 14:12:24 openvpn[84509]: 207.148.131.170:54713 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Nov 18 14:11:21 openvpn[84509]: 207.148.131.170:42124 TLS Error: TLS handshake failed
      Nov 18 14:11:21 openvpn[84509]: 207.148.131.170:42124 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Nov 18 14:10:20 openvpn[84509]: 207.148.131.170:58626 TLS Error: TLS handshake failed
      Nov 18 14:10:20 openvpn[84509]: 207.148.131.170:58626 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

      I checked the TLS certs and both are exact matches.
      Turned the firewall off on the client computer.
      I even went as far as creating a giant hole in my firewall, creating an any/any all-traffic rule, basically turning off the firewall.
      Because the router has a public IP, port forwarding shouldn't be needed, but I tried making a rule for it as well: no effect.
      Made a port forward rule to have 1194 UDP go to the pfSense.

      We have multiple IPsec connections that are still alive, no problems with those.

      Self-signed certs don't expire until 2020+.

      It happened around the time we updated from 2.2.3 to 2.2.4. Not sure, it may have happened before, but this is when I noticed.

      Any help would be greatly appreciated, as I'm banging my head with this one. If you need any more info let me know.

        Derelict (Netgate)

        You do not need a port forward.  You need a firewall rule to your WAN address. OpenVPN should be told to listen on your WAN address. Not sure what you're testing from inside.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          eskimos

          That's what I meant, sorry.

          Added a firewall rule just now; there was none before that I could see.

          It worked up until about a month ago. If I try to run the OpenVPN application from my local intranet (just for testing) it works, but not externally.

            Derelict (Netgate)

            Show us your config then. You have it wrong.

              eskimos

              CLIENT
              # OpenVPN client profile as posted; cipher, auth and tls-auth settings must match the server
              dev tun
              persist-tun
              persist-key
              # data-channel cipher and HMAC digest
              cipher AES-128-CBC
              auth SHA1
              tls-client
              client
              resolv-retry infinite
              # server address redacted by the poster; UDP/1193 is the port the server listens on
              remote ..***.162 1193 udp
              # bind to a random local source port
              lport 0
              auth-user-pass
              ca edmescore-udp-1193-ca.crt
              # tls-auth key direction 1 on the client (the server side uses 0)
              tls-auth edmescore-udp-1193-tls.key 1
              comp-lzo yes
              passtos

              SERVER
              (server configuration posted as a screenshot: Untitled.png)

                Derelict (Netgate)

                And the OpenVPN firewall rule on WAN1_SKYWAY??

                  eskimos

                  (firewall rule posted as a screenshot: Capture.PNG)

                    eskimos

                    Oh, I just saw it. The rule I had used 10.110.0.250 as the destination; I changed it to the skyway1 address and I'm up and going.

                    Thanks for your help

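Derelict's point earlier in the thread (the pass rule on WAN must be addressed to the WAN address, not to an internal host) and the misconfiguration eskimos found (destination 10.110.0.250 instead of the WAN address) can be checked mechanically. The script below is an added example, not from the thread or from pfSense; it parses a constructed config.xml fragment whose element layout is assumed to follow pfSense's (openvpn-server with interface/protocol/local_port; filter rules whose destination network "wanip" means the WAN address) and reports OpenVPN instances that have no pass rule reaching the listening interface's address.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment (element layout assumed, not from the thread): the
# server listens on WAN UDP/1193, but the only pass rule is addressed to an internal host.
SAMPLE_CONFIG = """<pfsense>
  <openvpn><openvpn-server>
    <vpnid>1</vpnid><interface>wan</interface>
    <protocol>UDP</protocol><local_port>1193</local_port>
  </openvpn-server></openvpn>
  <filter><rule>
    <type>pass</type><interface>wan</interface><protocol>udp</protocol><source><any/></source>
    <destination><address>10.110.0.250</address><port>1193</port></destination>
  </rule></filter>
</pfsense>"""

def _text(el, tag):
    """Lower-cased text of a child element, or '' when the child (or el itself) is absent."""
    child = el.find(tag) if el is not None else None
    return (child.text or "").strip().lower() if child is not None else ""

def rule_matches_server(rule, iface, proto, port):
    """True when a pass rule sits on the server's interface and covers its protocol/port."""
    return (_text(rule, "type") in ("", "pass") and _text(rule, "interface") == iface
            and _text(rule, "protocol") in (proto, "tcp/udp")
            and _text(rule.find("destination"), "port") == port)

def destination_is_interface_address(rule, iface):
    """True only when the destination is 'any' or the interface's own address (e.g. wanip)."""
    dst = rule.find("destination")
    if dst is None or dst.find("any") is not None:
        return True
    return _text(dst, "network") == iface + "ip"  # pfSense names the WAN address 'wanip'

def check_openvpn_rules(config_xml):
    """Return findings; an empty list means every server instance has a usable pass rule."""
    root = ET.fromstring(config_xml)
    findings = []
    for srv in root.iter("openvpn-server"):
        vid, iface, proto, port = (_text(srv, t) for t in ("vpnid", "interface", "protocol", "local_port"))
        matching = [r for r in root.iterfind("filter/rule") if rule_matches_server(r, iface, proto, port)]
        if any(destination_is_interface_address(r, iface) for r in matching):
            continue  # at least one rule lets remote clients reach the listener
        for r in matching:
            dst = r.find("destination")
            where = _text(dst, "address") or _text(dst, "network")
            findings.append(f"vpnid {vid}: rule on {iface} {proto}/{port} is addressed "
                            f"to {where}, not the {iface} address")
        if not matching:
            findings.append(f"vpnid {vid}: no pass rule on {iface} for {proto}/{port}")
    return findings
```

Run `check_openvpn_rules(SAMPLE_CONFIG)` against the sample and it reports the misdirected rule; pointing the rule at `wanip` clears the finding, and deleting the rule reports the missing-rule case the thread started from.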
                      eskimos

                      That's weird that it worked before without the firewall rule. Wondering if, with the update to 2.2.4, they blocked it by firewall where it was opened before.

                        Derelict (Netgate)

                        Nope. Nothing from 2.2.4 to 2.2.5 would have changed that.
