OpenVPN connection timeout

I used to use OpenVPN to connect to my home router some years ago. It’s sat idle in the interim and my recollection of configs is non-existent. Still, I find myself wanting to use it again. But I’m faced with some problems.

The basic problem is that the client times out. So it finds the server, port 1194 is open and it’s trying to connect, but it’s timing out. My challenge is figure our why and I’m a little short on understanding what diagnostic tools I might be able to use.

I can see with nmap from another source (even an on-lein web based nmap) that 1194 is open and:

PORT STATE SERVICE
1194/udp open openvpn

I can see on LUCI:

On the Omnia I can see:

# pgrep -a openvpn
3826 /usr/sbin/openvpn

# netstat -tulpen | grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           3826/openvpn

# logread -e openvpn | tail -5
2020-08-06 13:38:31 notice openvpn(myvpn)[3826]: 192.168.0.51:52180 SIGUSR1[soft,tls-error] received, client-instance restarting
2020-08-06 13:56:56 notice openvpn(myvpn)[3826]: 185.117.153.79:52771 TLS: Initial packet from [AF_INET]185.117.153.79:52771, sid=64c17801 b89bcb8f
2020-08-06 13:57:56 err openvpn(myvpn)[3826]: 185.117.153.79:52771 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2020-08-06 13:57:56 err openvpn(myvpn)[3826]: 185.117.153.79:52771 TLS Error: TLS handshake failed
2020-08-06 13:57:56 notice openvpn(myvpn)[3826]: 185.117.153.79:52771 SIGUSR1[soft,tls-error] received, client-instance restarting

This last one suggests that TLS handshake failed. Pehraps this means I need somehow to generate a .ovpn file to use in the client? To examine my current layout, it looks like this:

# ls -Rl /etc/openvpn
/etc/openvpn:
-rw-r--r--    1 root     root          1883 Nov 13  2017 ca.crt
-rw-r--r--    1 root     root           424 Nov 13  2017 dh2048.pem
drwxr-xr-x    1 root     root            90 Nov 13  2017 for_client
-rw-r--r--    1 root     root          6624 Nov 13  2017 my-server.crt
-rw-r--r--    1 root     root          1586 Nov 13  2017 my-server.csr
-rw-------    1 root     root          3272 Nov 13  2017 my-server.key
drw-------    1 root     root           378 Nov 13  2017 ssl
-rw-r--r--    1 root     root         11996 Nov 13  2017 uk-tunnel0.ovpn

/etc/openvpn/for_client:
-rw-r--r--    1 root     root          1883 Nov 13  2017 ca.crt
-rw-r--r--    1 root     root          6606 Nov 13  2017 my-client.crt
-rw-r--r--    1 root     root          1586 Nov 13  2017 my-client.csr
-rw-------    1 root     root          3272 Nov 13  2017 my-client.key

/etc/openvpn/ssl:
-rw-r--r--    1 root     root          1883 Nov 13  2017 ca.crt
-rw-------    1 root     root          3272 Nov 13  2017 ca.key
-rw-r--r--    1 root     root           424 Nov 13  2017 dh2048.pem
-rw-r--r--    1 root     root            88 Nov 13  2017 index.txt
-rw-r--r--    1 root     root            21 Nov 13  2017 index.txt.attr
-rw-r--r--    1 root     root            21 Nov 13  2017 index.txt.attr.old
-rw-r--r--    1 root     root            44 Nov 13  2017 index.txt.old
-rw-r--r--    1 root     root          6606 Nov 13  2017 my-client.crt
-rw-r--r--    1 root     root          1586 Nov 13  2017 my-client.csr
-rw-------    1 root     root          3272 Nov 13  2017 my-client.key
-rw-r--r--    1 root     root          6624 Nov 13  2017 my-server.crt
-rw-r--r--    1 root     root          1586 Nov 13  2017 my-server.csr
-rw-------    1 root     root          3272 Nov 13  2017 my-server.key
drw-------    1 root     root            32 Nov 13  2017 newcerts
-rw-r--r--    1 root     root         11313 Nov 13  2017 openssl.cnf
-rw-r--r--    1 root     root             5 Nov 13  2017 serial
-rw-r--r--    1 root     root             5 Nov 13  2017 serial.old

/etc/openvpn/ssl/newcerts:
-rw-r--r--    1 root     root          6624 Nov 13  2017 1000.pem
-rw-r--r--    1 root     root          6606 Nov 13  2017 1001.pem

and I used /etc/openvpn/uk-tunnel0.ovpn in my OPenVPN client for the connection.

Am I right in suspecting that perhaps this ovpn is not the right thing to use? Here is what it holds with private info removed:

# cat /etc/openvpn/uk-tunnel0.ovpn 
  client     ## implies pull, tls-client
  dev tun
# proto udp  ## udp is the default
  fast-io
  remote  1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  comp-lzo no
  verb 3
<ca>
-----BEGIN CERTIFICATE-----
STUFF
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CountryCode, ST=Somewhere, O=Something
        Validity
            Not Before: Nov 13 09:09:55 2017 GMT
            Not After : Nov 11 09:09:55 2027 GMT
        Subject: CN=my-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    STUFF
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
        STUFF
-----BEGIN CERTIFICATE-----
STUFF
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
STUFF
-----END PRIVATE KEY-----
</key>

I’m wondering what the problem is, how to further diagnose it, and whether I’ve simply misused/abused the only .ovpn file I found by using it in my openvpn client?

Are clocks synchronized on both ends?

No idea, nor how or why that could even be an issue, least of all in 2020 where pretty much everything is synced with time servers. In practice the server is an Omnia and has internet synched time, and the client is either an Android phone or a Windows box, both with internet synched time.