Author Topic: OpenVPN Errors - TLS handshake failed  (Read 35308 times)

UNet
OpenVPN Errors - TLS handshake failed
« on: September 03, 2014, 01:46:15 pm »
OpenVPN is configured thanks to the following YouTube video: https://www.youtube.com/watch?v=VdAHVSTl1ys

However, we are unable to connect and receive the following error:
Quote
Wed Sep 03 14:44:23 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Sep 03 14:44:23 2014 TLS Error: TLS handshake failed
Wed Sep 03 14:44:23 2014 SIGUSR1[soft,tls-error] received, process restarting

Are there firewall rules that must be created in order to establish a connection? Last year, we followed that video and were successful with connections without doing anything special. Our users are authenticating using RADIUS (which works, since we have captive portal working also), and we are using port 1194.

kejianshi
Re: OpenVPN Errors - TLS handshake failed
« Reply #1 on: September 03, 2014, 01:58:23 pm »
Well - Yes - You have to open the port that the VPN server communicates on. That's a simple firewall rule on the WAN to pass traffic, either UDP or TCP depending on what you are using. Not a NAT rule.

If you used the wizard, a port should have been opened on the WAN for you.

Go to Firewall, Rules, WAN and check to see if it's there.

Also, clock sync can be an issue if the client is ahead of time/date compared to the server.

Good to provide a good NTP server list.

KOM
Re: OpenVPN Errors - TLS handshake failed
« Reply #2 on: September 03, 2014, 02:27:17 pm »
Also, ensure that:

1) The OpenVPN client setup must be installed by Administrator

2) The OpenVPN client must be run as Administrator

In other words, everything about OpenVPN client requires UAC elevation.

UNet
Re: OpenVPN Errors - TLS handshake failed
« Reply #3 on: September 08, 2014, 09:27:24 am »
Quote from: kejianshi
Well - Yes - You have to open the port that the VPN server communicates on. That's a simple firewall rule on the WAN to pass traffic, either UDP or TCP depending on what you are using. Not a NAT rule.

If you used the wizard, a port should have been opened on the WAN for you.

Go to Firewall, Rules, WAN and check to see if it's there.

Also, clock sync can be an issue if the client is ahead of time/date compared to the server.

Good to provide a good NTP server list.

The rule was definitely created. I went ahead and moved the rule to the top of the list, but same results. Through the Wizard, we chose to use UDP.

Quote from: KOM
Also, ensure that:

1) The OpenVPN client setup must be installed by Administrator

2) The OpenVPN client must be run as Administrator

In other words, everything about OpenVPN client requires UAC elevation.

I went ahead and uninstalled the client, reinstalled with the same result.

chemlud (Guest)
Re: OpenVPN Errors - TLS handshake failed
« Reply #4 on: September 08, 2014, 09:41:08 am »
Tried an alternative port in the 30-40-50-60-thousand-something range?

Just give it a try, don't forget to adjust the firewall rule for the server....

chemlud (Guest)
Re: OpenVPN Errors - TLS handshake failed
« Reply #5 on: September 08, 2014, 10:25:13 am »
EDIT: Why did you delete your reply to my first post?  :o

Anyways:

https://forums.openvpn.net/topic12938.html

http://serverfault.com/questions/92312/openvpn-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds

- misconfig of server/client

- something wrong with certificates

- firewall blocking somewhere inbetween

...as the bottom line... ;)
« Last Edit: September 08, 2014, 10:37:45 am by chemlud »

UNet
Re: OpenVPN Errors - TLS handshake failed
« Reply #6 on: September 08, 2014, 10:53:54 am »
It looked like a pointless post. I wanted to troubleshoot a little more!  :D

kejianshi
Re: OpenVPN Errors - TLS handshake failed
« Reply #7 on: September 08, 2014, 12:15:04 pm »
Is lime a "WAN" port?

You know - Multi "Wan"...    You could also be having a gateway problem or outbound NAT problem.

adbrown1982
Re: OpenVPN Errors - TLS handshake failed
« Reply #8 on: March 26, 2016, 04:32:54 pm »
I know this topic is long closed.

However, for any future reader with this issue using the OpenVPN client exported from pfSense, there are a few things to check which may help you.

If you are using a RADIUS server, perhaps the Microsoft Network Policy Server, and you've checked all the obvious such as ports on pfSense, firewall entries, shared key etc.:

The first port of call is via pfSense --> Diagnostics --> Authentication.

If you use a RADIUS server it will be in the drop-down list; pick it and enter a username and password that authenticates with this RADIUS server: your Active Directory username and password, or the user in question.

If this fails then you've narrowed the issue down to the RADIUS server itself.

Go to Services and ensure the Network Policy Server service is running.

For me, following an in-place upgrade of the server OS, this service was no longer set to automatic, and after many hours of focusing on the client side, uninstalling, re-adding, searching the net for answers, I eventually got to the bottom of it.

So for anyone else in my position i hope this helps and saves you a lot of time.

CHECK THE RADIUS SERVER SERVICE IS RUNNING! :)
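To script the check this post describes (what pfSense's Diagnostics > Authentication page does by hand), here is an added example that is not code from the thread, from pfSense or from NPS: a minimal RFC 2865 PAP Access-Request probe. The host, port, shared secret, test user and NAS-Identifier are placeholders. The property that matters for this thread is that a stopped NPS service, a wrong port and a firewall drop all produce no reply at all, which the probe reports separately from a rejected password (Access-Reject) or a wrong shared secret (reply fails the Response Authenticator check).

```python
"""Minimal RADIUS (RFC 2865) PAP Access-Request probe. Added example; not
code from the forum, pfSense or NPS. Server, secret and credentials are
placeholders to be replaced before use."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(kind, value):
    """One type-length-value attribute; length covers the 2-byte header."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def decode_password(encoded, secret, authenticator):
    """Inverse of encode_password (the server side); the mask for block n
    is derived from ciphertext block n-1, so decoding walks the ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_id=b"pfsense-probe"):
    """Return (packet, request_authenticator). nas_id is a placeholder value."""
    authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What a server computes: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attrs|Secret).
    Included so verify_response can be exercised without a live RADIUS server."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Return the response code if its Response Authenticator verifies under
    `secret`, else None (shared-secret mismatch or a forged/garbled reply)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return code if packet[4:20] == expected else None


def probe(server, secret, username, password, port=1812, timeout=3.0):
    """Send one Access-Request and describe the outcome. A stopped NPS service,
    a wrong port and a firewall drop are indistinguishable here: no reply."""
    packet, authenticator = build_access_request(1, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: RADIUS service not running, wrong host/port, or blocked"
    code = verify_response(data, authenticator, secret)
    if code is None:
        return "reply failed Response Authenticator check: shared secret mismatch"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
            ACCESS_CHALLENGE: "Access-Challenge"}.get(code, f"unexpected code {code}")


if __name__ == "__main__":
    # Placeholders: the NPS host, its shared secret and a test account.
    print(probe("192.0.2.10", b"shared-secret", b"alice", b"password"))
```

Run it from a host the RADIUS server already lists as a client (NPS drops requests from unknown sources), and read "no reply" together with the service state on the server: if the service is stopped, that is the whole story, exactly as in the post above.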