TLS Error: TLS key negotiation failed to occur within 60 seconds



  • I'm having some issues with my OpenVPN.

    When trying to connect I get a timeout error: TLS handshake failed.

    When connecting locally, no problem. As soon as I go to an outside network, no dice.

    The pfSense has a public IP. I checked the config of both the client and server; both are displaying the correct port and IP information.

    The server sees the requests, so I don't think it's a port forward/firewall issue.

    Nov 18 14:12:24 openvpn[84509]: 207.148.131.170:54713 TLS Error: TLS handshake failed
    Nov 18 14:12:24 openvpn[84509]: 207.148.131.170:54713 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Nov 18 14:11:21 openvpn[84509]: 207.148.131.170:42124 TLS Error: TLS handshake failed
    Nov 18 14:11:21 openvpn[84509]: 207.148.131.170:42124 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Nov 18 14:10:20 openvpn[84509]: 207.148.131.170:58626 TLS Error: TLS handshake failed
    Nov 18 14:10:20 openvpn[84509]: 207.148.131.170:58626 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

    I checked the TLS certs and both are exact matches.
    Turned the firewall off on the client computer.
    I even went as far as creating a giant hole in my firewall by creating an any/any all-traffic rule, basically turning off the firewall.
    Because the router has a public IP, port forwarding shouldn't be needed, but I tried making a rule for it as well; no effect.
    Made a port forward rule to have 1194 UDP go to the pfSense.

    We have multiple IPsec connections that are still alive; no problems with those.

    Self-signed certs don't expire until 2020+.

    This happened around the time we updated from 2.2.3 to 2.2.4. Not sure, it may have happened before, but this is when I noticed.

    Any help would be greatly appreciated, as I'm banging my head against this one. If you need any more info, let me know.


  • LAYER 8 Netgate

    You do not need a port forward.  You need a firewall rule to your WAN address. OpenVPN should be told to listen on your WAN address. Not sure what you're testing from inside.



  • That's what I meant, sorry.

    Added a firewall rule just now; there was none before that I could see.

    It worked up until about a month ago. If I try to run the OpenVPN application from my local intranet (just for testing) it works, but not externally.


  • LAYER 8 Netgate

    Show us your config then. You have it wrong.



  • CLIENT
    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote ***.***.***.162 1193 udp
    lport 0
    auth-user-pass
    ca edmescore-udp-1193-ca.crt
    tls-auth edmescore-udp-1193-tls.key 1
    comp-lzo yes
    passtos

    SERVER
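
    The server log lines quoted in the first post and the client config above, worked through in an added example (written for this edit; it is not code from the thread, from pfSense or from OpenVPN). It parses the timeout lines, groups them per source address to show that the same client keeps opening a fresh session and each one expires after the 60 s hand-window, and checks the client config for the things a server log cannot tell you (remote port and protocol, tls-auth direction). The log and config are embedded as constructed inline strings copied from the posts; the masked address is kept as posted, and the diagnosis text only restates what the thread itself concluded about the WAN rule.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the server log lines quoted in the first post (syslog omits the year).
SERVER_LOG = """\
Nov 18 14:12:24 openvpn[84509]: 207.148.131.170:54713 TLS Error: TLS handshake failed
Nov 18 14:12:24 openvpn[84509]: 207.148.131.170:54713 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 18 14:11:21 openvpn[84509]: 207.148.131.170:42124 TLS Error: TLS handshake failed
Nov 18 14:11:21 openvpn[84509]: 207.148.131.170:42124 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 18 14:10:20 openvpn[84509]: 207.148.131.170:58626 TLS Error: TLS handshake failed
Nov 18 14:10:20 openvpn[84509]: 207.148.131.170:58626 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# Constructed sample: the client config posted in the thread, masked remote address kept as posted.
CLIENT_CONFIG = """\
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote ***.***.***.162 1193 udp
lport 0
auth-user-pass
ca edmescore-udp-1193-ca.crt
tls-auth edmescore-udp-1193-tls.key 1
comp-lzo yes
passtos
"""

# Matches only the hand-window expiry line; the "TLS handshake failed" line is the same session.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) openvpn\[\d+\]: "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) TLS Error: "
    r"TLS key negotiation failed to occur within (?P<secs>\d+) seconds"
)


def parse_timeouts(log_text):
    """Map source IP -> time-sorted list of (timestamp, source port, hand-window seconds)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900; only gaps matter
            sessions[m["src"]].append((ts, int(m["sport"]), int(m["secs"])))
    return {src: sorted(events) for src, events in sessions.items()}


def summarize(sessions):
    """Per source: sessions that timed out, whether each used a fresh source port, spacing between attempts."""
    out = {}
    for src, events in sessions.items():
        times = [e[0] for e in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[src] = {
            "failed_sessions": len(events),
            "distinct_ports": len({e[1] for e in events}),
            "hand_window": events[0][2],
            "mean_gap_secs": sum(gaps) / len(gaps) if gaps else None,
        }
    return out


def parse_client_config(text):
    """OpenVPN config -> {directive: [args, ...]}; a directive may repeat (e.g. several remote lines)."""
    cfg = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", ";")):
            cfg[parts[0]].append(parts[1:])
    return dict(cfg)


def check_client_config(cfg):
    """Return (listener the client targets, problems the server log cannot reveal)."""
    issues = []
    remotes = cfg.get("remote", [])
    if not remotes or len(remotes[0]) < 2:
        return None, ["remote must give host and port"]
    host, port = remotes[0][0], int(remotes[0][1])
    proto = remotes[0][2] if len(remotes[0]) > 2 else cfg.get("proto", [["udp"]])[0][0]  # udp is OpenVPN's default
    ta = cfg.get("tls-auth")
    if ta is None:
        issues.append("no tls-auth: a server configured with tls-auth rejects the packets (HMAC check) before any TLS handshake starts")
    elif len(ta[0]) < 2:
        issues.append("tls-auth without key-direction: the server must then also use the key bidirectionally")
    elif ta[0][1] != "1":
        issues.append(f"tls-auth key-direction is {ta[0][1]}; a client normally uses 1 and the server 0")
    if "client" not in cfg and "tls-client" not in cfg:
        issues.append("neither 'client' nor 'tls-client' is set")
    return {"host": host, "port": port, "proto": proto}, issues


def diagnose(summary, listener):
    """State what the numbers show: the first packet of each session arrives, the handshake never completes."""
    notes = []
    for src, s in summary.items():
        if s["failed_sessions"] >= 2 and s["distinct_ports"] == s["failed_sessions"]:
            notes.append(
                f"{src}: {s['failed_sessions']} handshakes, each from a new source port, each expiring after "
                f"{s['hand_window']}s (client retries about every {s['mean_gap_secs']:.0f}s) on "
                f"{listener['proto']}/{listener['port']}. Certificates are not consulted until the handshake runs, "
                "so verify the WAN firewall rule passes to the interface address the server listens on "
                "(the fix in this thread), the return path to the client, and the tls-auth key and direction."
            )
    return notes


if __name__ == "__main__":
    summary = summarize(parse_timeouts(SERVER_LOG))
    listener, issues = check_client_config(parse_client_config(CLIENT_CONFIG))
    for note in diagnose(summary, listener) + issues:
        print(note)
```

    Run against the quoted lines it reports one source, three sessions on three different source ports, attempts about 62 s apart, and no client-side findings; flipping the tls-auth direction in the client config to 0 makes the config check flag it, which is the one client-side mistake that produces the same server log.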



  • LAYER 8 Netgate

    And the OpenVPN firewall rule on WAN1_SKYWAY??



  • .




  • Oh, I just saw it. The rule I had used 10.110.0.250 as the destination; changed it to the skyway1 address and I'm up and going.

    Thanks for your help.



  • That's weird that it worked before without the firewall rule. Wondering if, with the update to 2.2.4, they blocked it by firewall where it was open before.


  • LAYER 8 Netgate

    Nope. Nothing from 2.2.4 to 2.2.5 would have changed that.

