OpenVPN server easy and fast

Quick and easy OpenVPN server via the Foris web interface.

TLS key negotiation failed

Sat Mar 23 20:36:45 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Mar 23 20:36:45 2019 Need hold release from management interface, waiting…
Sat Mar 23 20:36:45 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘state on’
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘log all on’
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘echo all on’
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘bytecount 5’
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘hold off’
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘hold release’
Sat Mar 23 20:36:46 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]10.134.194.9:1194
Sat Mar 23 20:36:46 2019 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 23 20:36:46 2019 UDP link local: (not bound)
Sat Mar 23 20:36:46 2019 UDP link remote: [AF_INET]10.134.194.9:1194
Sat Mar 23 20:36:46 2019 MANAGEMENT: >STATE:1553369806,WAIT,
Sat Mar 23 20:37:47 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 23 20:37:47 2019 TLS Error: TLS handshake failed
Sat Mar 23 20:37:47 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Mar 23 20:37:47 2019 MANAGEMENT: >STATE:1553369867,RECONNECTING,tls-error,
Sat Mar 23 20:37:47 2019 Restart pause, 5 second(s)
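As an added example (not code from this thread or from Turris), a small Python script that reads OpenVPN client log lines like the ones above and tells a WAIT-then-tls-error timeout (the server never answered the first packet, so UDP 1194 is unreachable) apart from a handshake that reached AUTH and was then rejected (certificate/CA/ta.key problem). The regexes and the verdict names are my own; the sample log is constructed from the excerpt posted here.

```python
import re

# Constructed sample: the client-side log excerpt posted in this thread.
SAMPLE_LOG = """\
Sat Mar 23 20:36:46 2019 UDP link remote: [AF_INET]10.134.194.9:1194
Sat Mar 23 20:36:46 2019 MANAGEMENT: >STATE:1553369806,WAIT,
Sat Mar 23 20:37:47 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 23 20:37:47 2019 TLS Error: TLS handshake failed
Sat Mar 23 20:37:47 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Mar 23 20:37:47 2019 MANAGEMENT: >STATE:1553369867,RECONNECTING,tls-error,
"""

# >STATE:<unix_ts>,<STATE_NAME>,<detail>,... as printed by the management interface
STATE_RE = re.compile(r">STATE:(\d+),([A-Z_]+),([^,]*)")
REMOTE_RE = re.compile(r"UDP link remote: \[AF_INET\]([\d.]+):(\d+)")

def parse_states(log_text):
    """Return (remote, states): remote is (ip, port) or None,
    states is a list of (unix_ts, state_name, detail) from >STATE lines."""
    remote, states = None, []
    for line in log_text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            remote = (m.group(1), int(m.group(2)))
        m = STATE_RE.search(line)
        if m:
            states.append((int(m.group(1)), m.group(2), m.group(3)))
    return remote, states

def diagnose(log_text):
    """Classify a failed attempt from the client's state machine.
    WAIT means 'waiting for the initial response from the server'. Going
    WAIT -> RECONNECTING,tls-error without ever reaching AUTH means no
    reply arrived at all (firewall zone, wrong address/port, UDP blocked).
    A tls-error after AUTH means the server answered but the TLS handshake
    itself was rejected, which points at certificates, CA or ta.key."""
    remote, states = parse_states(log_text)
    names = [s[1] for s in states]
    result = {"remote": remote, "wait_seconds": None, "verdict": "unknown"}
    if not states or states[-1][1:] != ("RECONNECTING", "tls-error"):
        return result
    if "WAIT" in names and "AUTH" not in names:
        wait_ts = next(s[0] for s in states if s[1] == "WAIT")
        result["wait_seconds"] = states[-1][0] - wait_ts
        result["verdict"] = "no-server-response"
    elif "AUTH" in names:
        result["verdict"] = "handshake-rejected"
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```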

Hi,

May I ask you to try generating a new CA and connecting to your server with it? If it doesn't help, could you uninstall and reinstall OpenVPN on the latest release of Turris OS and try again?

We would appreciate it if you could reach us at tech.support@turris.cz with diagnostics, which you can generate in Foris. I'm sending you the article on error reporting, which you can find here.

I have the same issue; it was working before, I don't know exactly when, but it stopped working.
Which package do you want us to uninstall and reinstall, openvpn-openssl (version 2.4.6-2)?

I have e-mailed the requested diagnostics to support. Let's hope this gets resolved.

Life without a VPN is getting really tedious. Online banking only at home, more cash in my physical wallet…

Well, actually I made some tests. While OpenVPN seems to be running and listening when I check it locally from the router itself, I cannot see the port open from the same subnet from my PC:

router# ps |grep -i vpn
3313 root 3132 S /usr/sbin/openvpn --syslog openvpn(server_turris)

router# netstat -tulpn|grep 1194
udp 0 0 0.0.0.0:1194 0.0.0.0:* 3313/openvpn

pc# telnet 192.168.1.1 1194
Trying 192.168.1.1…
telnet: Unable to connect to remote host: Connection refused

I guess it is not normal, or is it? Should it only listen from the outside?


This is perfectly fine. It's blocked by the firewall (VPN has its own zone).

… just some notes
If you are running the OpenVPN server and client on the same subnet (or from the router itself), you have to change the options a bit on both sides to make it work. You have to make some changes in the firewall zone configuration as well. So it is easier to test the connection using a different ISP (a mobile phone: after exporting the user config, just rename it from xxxx.conf to xxxx.ovpn, import it into the phone's OpenVPN app … and connect :slight_smile: …).

Also just a note: TLS is a bit tricky. You have to set "tls-client" in the client config only and remove the TLS-related options/values from the server config. There is no ta.key generated by default.
Aside from that, if a Windows/Android client is used for testing the connection, having the "mssfix 0", "fragment 0" and "float" options in the client config is recommended.


Thank you very much :grinning:

1 month later, no news about my incident report from support. Is this normal?

Guys I really think you need to look into OpenVPN.

After my last comments I've deleted the OpenVPN modules.

After a month or so I've installed the modules again. Surprise: my CA generated a month ago was still there.

I believe that a complete refresh of the modules and CA isn't possible, and this is why I can't get OpenVPN running. Even a factory reset/installing firmware from USB/medikit doesn't help with this.

I'm sorry, but this is definitely a dealbreaker. IF the next big new firmware (4.0) doesn't resolve this, I'm selling my router.


If you removed the "openvpn" packages and the dependent ones, you should also clean up the left-over files in the etc, config and key folders (I am pretty sure that removal via opkg does not remove the "CA" files). You should do it via "Foris" (delete CA, generate CA, so the files are overwritten), or if you do it via opkg, you should check all related locations and remove (back up to some location) the necessary files manually.

Removing OpenVPN and reinstalling it does not mean you have re-initialized the "CA" folder.

What is strange is that a factory reset should work, and medikit should work as well. It is hard to help without logs/configs. Personally I've tested the Foris plugin three times (with complete removal and re-generation afterwards, also with manual opkg removal/reinstall, and with my own config before the Foris plugin was introduced), so I know it is not easy every time, but since that plugin arrived in Foris, all is (should be) smooth.