OpenVPN: TLS Error

I see many messages like those below in the log:

2018-11-02 11:33:09 err openvpn(server_turris)[4712]: 2.96.143.54:56818 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-11-02 11:33:09 err openvpn(server_turris)[4712]: 2.96.143.54:56818 TLS Error: TLS handshake failed
2018-11-02 11:33:09 notice openvpn(server_turris)[4712]: 2.96.143.54:56818 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-11-02 11:33:09 err openvpn(server_turris)[4712]: 2.96.143.54:55939 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-11-02 11:33:09 err openvpn(server_turris)[4712]: 2.96.143.54:55939 TLS Error: TLS handshake failed
2018-11-02 11:33:09 notice openvpn(server_turris)[4712]: 2.96.143.54:55939 SIGUSR1[soft,tls-error] received, client-instance restarting

Does it mean someone/something is trying to connect to my OpenVPN server?
If so, what would be the best way to prevent/block these attempts?

It seems more like a client issue than a server issue. Try increasing the verbosity of the log to gather more details.

Increased verbosity, but I do not think it’s an issue with OpenVPN itself. The connections fail because the counterpart does not have a valid certificate, if any. Of course, it’s unsolicited traffic.

2018-11-02 13:31:24 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 Re-using SSL/TLS context
2018-11-02 13:31:24 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 LZO compression initializing
2018-11-02 13:31:24 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2018-11-02 13:31:24 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2018-11-02 13:31:24 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 UDPv4 READ [14] from [AF_INET]185.41.162.211:41268: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
2018-11-02 13:31:24 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 TLS: Initial packet from [AF_INET]185.41.162.211:41268, sid=6a22eb44 5adb63fe
2018-11-02 13:31:24 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 UDPv4 WRITE [26] to [AF_INET]185.41.162.211:41268: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
2018-11-02 13:31:26 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 UDPv4 WRITE [14] to [AF_INET]185.41.162.211:41268: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
2018-11-02 13:31:30 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 UDPv4 WRITE [14] to [AF_INET]185.41.162.211:41268: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
2018-11-02 13:31:38 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 UDPv4 WRITE [14] to [AF_INET]185.41.162.211:41268: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
2018-11-02 13:31:54 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 UDPv4 WRITE [14] to [AF_INET]185.41.162.211:41268: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
2018-11-02 13:32:24 err openvpn(server_turris)[22295]: 185.41.162.211:41268 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-11-02 13:32:24 err openvpn(server_turris)[22295]: 185.41.162.211:41268 TLS Error: TLS handshake failed
2018-11-02 13:32:24 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 SIGUSR1[soft,tls-error] received, client-instance restarting

# awk '/SIGUSR1/ {print $5}' /var/log/messages | sort -u | wc -l
408
# awk '/SIGUSR1/ {print $5}' /var/log/messages | cut -d: -f1 | sort -u
185.41.162.211
2.96.138.222
222.187.223.34
43.240.158.250

All these requests are coming from a couple of IPs now, just the ports are changing. But blocking them manually could soon become fighting windmills.
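The two awk one-liners above count distinct "ip:port" pairs and then distinct IPs. The script below is an added example, not code from any post in this thread; it reads syslog lines in the same format, keeps only the tls-error restarts, collapses changing source ports into one peer and counts failures per peer, so that a threshold can be applied before anything is blocked. The sample log lines are constructed (the addresses are placeholders, and the last line is a legitimate ping-restart included to show it is ignored).

```shell
#!/bin/sh
# Added example (not from the thread): per-peer summary of OpenVPN TLS handshake
# failures from syslog lines formatted like those posted above.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed sample; field 5 of each line is "source-ip:source-port".
cat > "$SAMPLE_LOG" <<'EOF'
2018-11-02 11:33:09 err openvpn(server_turris)[4712]: 2.96.143.54:56818 TLS Error: TLS handshake failed
2018-11-02 11:33:09 notice openvpn(server_turris)[4712]: 2.96.143.54:56818 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-11-02 11:33:09 notice openvpn(server_turris)[4712]: 2.96.143.54:55939 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-11-02 13:32:24 notice openvpn(server_turris)[22295]: 185.41.162.211:41268 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-11-02 13:40:01 notice openvpn(server_turris)[22295]: 222.187.223.34:50001 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-11-02 13:41:11 notice openvpn(server_turris)[22295]: 222.187.223.34:50002 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-11-02 13:42:20 notice openvpn(server_turris)[22295]: 222.187.223.34:50003 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-11-02 14:00:00 notice openvpn(server_turris)[22295]: 10.0.0.5:1194 SIGUSR1[soft,ping-restart] received, client-instance restarting
EOF

# Print "count ip" for every source address that caused a tls-error restart,
# highest count first. Only the [soft,tls-error] restarts are counted; other
# SIGUSR1 reasons (e.g. ping-restart from a real client) are left out.
tls_failures_by_ip() {
    awk '/SIGUSR1\[soft,tls-error\]/ { split($5, a, ":"); c[a[1]]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Number of distinct peers that failed the handshake.
distinct_peers() {
    tls_failures_by_ip "$1" | wc -l | tr -d ' '
}

# Peers with at least $2 failures: a candidate list for a firewall rule,
# so a single stray connection attempt does not get blocked.
peers_over_threshold() {
    tls_failures_by_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

echo "failures per peer:"
tls_failures_by_ip "$SAMPLE_LOG"
echo "distinct peers: $(distinct_peers "$SAMPLE_LOG")"
echo "peers with 2+ failures:"
peers_over_threshold "$SAMPLE_LOG" 2
```

Point it at /var/log/messages instead of the sample file to get the same summary for a real log; the threshold keeps a one-off attempt out of the block list, which is what makes the list cheaper to maintain than blocking by hand.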

It seems that your OVPN server is utilizing UDP, which is good practice against port scans. If, however, it operates on the standard port 1194, then it certainly makes an easy target for unsolicited traffic to that well-known port.

In such a case, set an arbitrary port in the ephemeral port range 49152 to 65535. Subsequently, your legitimate VPN clients need to change to that port too.

There is no explicit TLS setup in the default OpenVPN config done via Foris.

Some scanning bots are trying to connect on 1194 (UDP, TCP) anyway (with or without a TLS setup on the client side). Such scan attempts are logged to the syslog/openvpn log file(s). If there is a breach via OpenVPN, you will get more errors/warnings/debug/emerg messages following the initial handshake, which, due to the missing TLS setup, is not happening :grin:. If you have TLS configured, there will be a different message or none.

You can move the port to some different high number (like @anon50890781 suggested) and/or set a different verbosity for logging, or you can “mute” repeating messages (in syslog and/or in the openvpn log file).

I am seeing such TLS error messages from time to time as well (and I know none of my real clients are connected/trying to connect at that time).
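The last three replies recommend three server-side settings: a port other than 1194, a "TLS setup" (read here as OpenVPN's tls-auth or tls-crypt static HMAC key, which is what makes the server drop packets lacking a valid HMAC before they reach the TLS layer), and mute for repeated messages. The script below is an added example, not code from any poster or from Foris; it lints a server config for those three directives. Both config files are constructed, the port number 51194 and the key path /etc/openvpn/ta.key are placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check an OpenVPN server config for the
# three hardening settings discussed above (non-default port, HMAC key, mute).

WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Constructed config resembling a plain default: well-known port, no HMAC key, no mute.
cat > "$WEAK_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
verb 3
EOF

# Constructed hardened variant: high port, tls-crypt key (placeholder path), mute.
cat > "$HARD_CONF" <<'EOF'
port 51194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-crypt /etc/openvpn/ta.key
mute 10
verb 3
EOF

# Print one finding per line; prints nothing when all three settings are present.
# A missing "port" line counts as 1194, since that is OpenVPN's default.
check_openvpn_hardening() {
    conf=$1
    port=$(awk '$1 == "port" { print $2; exit }' "$conf")
    if [ -z "$port" ] || [ "$port" = "1194" ]; then
        echo "port: default 1194 in use; move to an unused high port and update the clients"
    fi
    if ! grep -Eq '^(tls-auth|tls-crypt)[[:space:]]' "$conf"; then
        echo "tls-auth/tls-crypt: not set; every unauthenticated handshake packet reaches the TLS layer and is logged"
    fi
    if ! grep -Eq '^mute[[:space:]]+[0-9]+' "$conf"; then
        echo "mute: not set; repeated messages from one peer are logged in full"
    fi
}

# Number of findings, usable as a gate before reloading the service.
hardening_issue_count() {
    check_openvpn_hardening "$1" | wc -l | tr -d ' '
}

echo "weak config:"
check_openvpn_hardening "$WEAK_CONF"
echo "hardened config: $(hardening_issue_count "$HARD_CONF") findings"
```

Of the three, only the HMAC key changes what the server does with unsolicited packets: moving the port and muting only reduce how much of the scanning is seen, and the same key file and port must be rolled out to every client before the server is switched over.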