Re: OpenVPN Server fails on TLS-Handshake after reboot (2.2.6) (SOLVED)

  • Hi all,

    I've found that after a system reboot, my openvpn connection fails on TLS-Handshake, even though it worked prior to rebooting and the certificates on the client haven't been changed.

    Is this an issue that anyone else has come across?

  • LAYER 8 Global Moderator

    No, have not..  How about posting the log.. From your client and the server for this connection.

  • Thanks for reply, I've had all sorts of unusual issues since upgrading to 2.2.6, so just in the middle of doing re-install.

    Will post logs if this issue isn't resolved on clean install.  But from memory, client just keeps retrying (due to infinite retry in config) and server log shows generic TLS-Handshake error.

    I've checked all of my certs on both server and client and nothing is altered by reboot as far as I can see…

  • LAYER 8 Global Moderator

    And no such issues here.. So you're saying it worked, then you rebooted and failed - and then you rebooted and it started working again… Or just that it was working and now stopped?

  • Just worked and then stopped completely after rebooting… even multiple reboots didn't change anything.

    I'm at work at the moment, but will do full reinstall from scratch when I get in and try again.  Going to make sure that both client and server are using same time server as well when I start again.

    Will update later.

  • Built the system from scratch and just receive the same error as before after a reboot.  These are from the openvpn log files (server side):

    Jan 11 20:10:37 openvpn[10570]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
    Jan 11 20:10:37 openvpn[10570]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Jan 11 20:10:37 openvpn[11067]: Could not retrieve default gateway from route socket:: No such process (errno=3)
    Jan 11 20:10:37 openvpn[11067]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 11 20:10:37 openvpn[11067]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Jan 11 20:10:37 openvpn[11067]: Could not retrieve default gateway from route socket:: No such process (errno=3)
    Jan 11 20:10:37 openvpn[11067]: TUN/TAP device ovpns1 exists previously, keep at program end
    Jan 11 20:10:37 openvpn[11067]: TUN/TAP device /dev/tun1 opened
    Jan 11 20:10:37 openvpn[11067]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Jan 11 20:10:37 openvpn[11067]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jan 11 20:10:37 openvpn[11067]: /sbin/ifconfig ovpns1 mtu 1500 netmask up
    Jan 11 20:10:37 openvpn[11067]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1570 init
    Jan 11 20:10:37 openvpn[11067]: UDPv4 link local (bound): [undef]
    Jan 11 20:10:37 openvpn[11067]: UDPv4 link remote: [undef]
    Jan 11 20:10:37 openvpn[11067]: Initialization Sequence Completed
    Jan 11 20:43:51 openvpn[11067]: TLS Error: TLS handshake failed

    The client just shows:

    TLS Error:  TLS key negotiation failed to occur in 60 seconds.

    On top of that, apinger still fails to start on boot and I think it may be because of the DynDNS service that is running…

    Not having all that much luck with this at the moment.

  • Not sure what helped, but changed a single line in the server config file…

    After local was my IP address, but changed this to my dyndns host name.

    Also added my modem on a virtual interface as a static IP and now everything works, even after reboots! :-D

  • LAYER 8 Global Moderator

    "Could not retrieve default gateway from route socket:: No such process (errno=3)"

    Why would you be changing lines in the conf file directly??  Just use the gui/wizard!

    And you sure as hell do not need to add modem??  As a VIP?  Sounds like your setup is borked from the start..  And your issue is more with connectivity than openvpn.

  • It now works flawlessly… No errors in any of the logs... plus no issues after reboots.

    Plus even though I used the GUI, it would only add my IP address to the config file and not the dyndns name.  Seeing as I'm on a dynamic IP package here, I don't have much choice in the issue.

    I don't know why adding the modem helped, as it's my pfSense box handling PPPoE and not the modem.  Modem is only handling the ADSL connection with no credentials.
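The thread's fix was changing the server's "local" directive from a literal WAN address to a DynDNS hostname on a dynamic-IP PPPoE link. The following is an added example, not code from the thread or from pfSense, showing a startup check a practitioner could run before OpenVPN starts: it reads the "local" directive and classifies it against the addresses the host currently holds, so a literal address that is no longer assigned after a reboot is caught before the service is started. The config fragments and the address list are constructed for the example.

```python
import ipaddress
import re

# Constructed sample server config fragments (not the poster's actual config).
CONFIG_STATIC_IP = "dev ovpns1\nproto udp\nlocal 203.0.113.10\nport 1194\n"
CONFIG_HOSTNAME = "dev ovpns1\nproto udp\nlocal vpn.example.dyndns.invalid\nport 1194\n"

# Constructed: addresses assigned on the host after a reboot, where the
# PPPoE link came back up with a different dynamic address.
HOST_ADDRESSES_AFTER_REBOOT = ["127.0.0.1", "192.168.1.1", "203.0.113.57"]


def local_directive(config_text):
    """Return the value of the OpenVPN 'local' directive, or None if absent.

    Trailing '#' comments are stripped; only the first match is used."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^local\s+(\S+)$", line)
        if m:
            return m.group(1)
    return None


def check_local_bind(config_text, host_addresses):
    """Classify the 'local' directive against the host's current addresses.

    Returns one of:
      'unset'      - no 'local' directive; OpenVPN listens on all addresses
      'hostname'   - a name, resolved when OpenVPN starts, so it follows an
                     address change as long as DNS is updated first
      'ip-present' - a literal address the host currently holds
      'ip-stale'   - a literal address the host no longer holds; the bind
                     cannot succeed for the address clients are sent to
    """
    value = local_directive(config_text)
    if value is None:
        return "unset"
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "hostname"
    present = {ipaddress.ip_address(a) for a in host_addresses}
    return "ip-present" if addr in present else "ip-stale"


if __name__ == "__main__":
    for name, cfg in (("static ip", CONFIG_STATIC_IP), ("hostname", CONFIG_HOSTNAME)):
        print(name, "->", check_local_bind(cfg, HOST_ADDRESSES_AFTER_REBOOT))
```

On a real host, replace the constructed address list with the output of ifconfig for the interfaces OpenVPN is meant to listen on.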
