OpenVPN not connecting

I wanted to see if I could get the OpenVPN server running, so I followed OpenVPN server easy and fast to try to get a VPN going.

I copied the turris.conf file to my machine at work as turris.ovpn and ran

sudo openvpn turris.ovpn

to see if I could get connected. Mostly, I was interested in adding my work machine to my home network. At this point, I’m not really interested in routing everything through the VPN. As such, I do not have All traffic through vpn or Use DNS from vpn checked.

$ sudo openvpn turris.ovpn 
[sudo] password for myuser: 
Wed Jun 20 14:31:51 2018 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
Wed Jun 20 14:31:51 2018 Socket Buffers: R=[212992->131072] S=[212992->131072]
Wed Jun 20 14:31:51 2018 UDPv4 link local: [undef]
Wed Jun 20 14:31:51 2018 UDPv4 link remote: [AF_INET]<homeip>:1194


Wed Jun 20 14:32:51 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jun 20 14:32:51 2018 TLS Error: TLS handshake failed
Wed Jun 20 14:32:51 2018 SIGUSR1[soft,tls-error] received, process restarting
Wed Jun 20 14:32:51 2018 Restart pause, 2 second(s)
Wed Jun 20 14:32:53 2018 Socket Buffers: R=[212992->131072] S=[212992->131072]
Wed Jun 20 14:32:53 2018 UDPv4 link local: [undef]

As a test of the VPN port, 1194, I attempted to telnet to the port and got a Connection refused. That normally means that it’s being blocked by the firewall I think. I would have thought that the Turris interface would take care of that for me.

I welcome any further suggestions to get this working “fast and easy”.

Sometimes this might just be the time difference between client and server. So make sure your TO has its time synced.

Sometimes creation of the CA takes quite a bit longer (over 30 mins if your router is under some load) and might get frozen and not finish correctly. I think the easiest way for you is to reset the Cert. Authority in Foris-openvpn and start again. Once done, reboot the router if you can; if you do not want to reboot it, restart the openvpn and firewall services (via LuCI or via SSH). Then return to Foris-openvpn and generate the user config.

As for the TLS setup, you should have only the “remote-cert-tls server” option in your client config; on the server side you don’t need it explicitly set up. Also, if you specify “cipher” (cipher-list) it might not work correctly.

Besides that, you can check /etc/config/openvpn for the “server” setup, and the contents of /etc/ssl/ca and /etc/dhparam/ to see whether you have the necessary files there (and correct ownership/rights).

Firewall config /etc/config/firewall should have some new rules and setup for your vpn zone.

It is hard to give you something useful, so do not hesitate to write me directly.
-max-
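
The client-side checks from the reply above, as an added shell example that is not part of the original post: it looks for "remote-cert-tls server", flags explicit "cipher"/"tls-cipher" lines, and reports the remote and transport the client will use. The function name lint_ovpn, the sample config and the host vpn.example.net are constructed for illustration.

```shell
#!/bin/sh
# lint_ovpn FILE: print findings for an OpenVPN client config, return the warning count.
lint_ovpn() {
    warnings=0
    # Keep only active directives: drop inline <ca>/<cert>/<key> blocks, comments, blank lines.
    active=$(sed -e '/^<[a-z-]\{1,\}>/,/^<\/[a-z-]\{1,\}>/d' \
                 -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' "$1")
    # The client should verify that the peer presents a server certificate.
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server([[:space:]]|$)'; then
        echo "OK: remote-cert-tls server is set"
    else
        echo "WARN: remote-cert-tls server is missing"
        warnings=$((warnings + 1))
    fi
    # Explicit cipher settings are the other thing the reply says to look for.
    for opt in cipher tls-cipher; do
        if printf '%s\n' "$active" | grep -Eq "^[[:space:]]*$opt[[:space:]]"; then
            echo "WARN: explicit '$opt' is set; try without it"
            warnings=$((warnings + 1))
        fi
    done
    # Report where the client will connect. OpenVPN defaults: port 1194, proto udp.
    remote=$(printf '%s\n' "$active" | awk '$1 == "remote" { print $2 ":" ($3 == "" ? 1194 : $3); exit }')
    proto=$(printf '%s\n' "$active" | awk '$1 == "proto" { print $2; exit }')
    echo "INFO: remote=${remote:-none} proto=${proto:-udp}"
    case ${proto:-udp} in
        udp*) echo "INFO: UDP transport, so a TCP probe such as telnet does not test this port" ;;
    esac
    return "$warnings"
}

# Constructed sample config (not the asker's real turris.ovpn); vpn.example.net is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
# remote-cert-tls server   (commented out, so it does not count)
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
EOF
lint_ovpn "$sample" || echo "warnings: $?"
rm -f "$sample"
```
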

Thanks. It’s a good start. I’ll play with it for a while.

Also, a firewall at work could block outgoing connections to OpenVPN ports… Try from a different location for diagnostics.

Sigh. I just had to be more patient for it to finish its thing. Thank you everyone for your replies.

IDK if adding a timer to the web interface might help. Just some stupid countdown or something.

I was hoping the native Android VPN client would work with OpenVPN too, but I haven’t found any tutorials on getting that to work.