VPN "authorizing" loop

Dears,
Without changing anything in the settings, the VPN stops working. I tried multiple accounts and multiple networks, always the same. In the VPN log I can see:

2022-04-22 08:15:39.056879 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:55089
2022-04-22 08:15:39.079656 MANAGEMENT: CMD 'pid'
2022-04-22 08:15:39.079837 MANAGEMENT: CMD 'auth-retry interact'
2022-04-22 08:15:39.079944 MANAGEMENT: CMD 'state on'
2022-04-22 08:15:39.080041 MANAGEMENT: CMD 'state'
2022-04-22 08:15:39.080270 MANAGEMENT: CMD 'bytecount 1'
2022-04-22 08:15:39.080282 *Tunnelblick: Established communication with OpenVPN
2022-04-22 08:15:39.093211 *Tunnelblick: >INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
2022-04-22 08:15:39.094300 MANAGEMENT: CMD 'hold release'
2022-04-22 08:15:39.095154 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-04-22 08:15:39.098920 MANAGEMENT: >STATE:1650608139,RESOLVE,
2022-04-22 08:15:39.107106 TCP/UDP: Preserving recently used remote address: [AF_INET]public_ip:1194
2022-04-22 08:15:39.107235 Socket Buffers: R=[786896->786896] S=[9216->9216]
2022-04-22 08:15:39.107274 UDP link local: (not bound)
2022-04-22 08:15:39.107306 UDP link remote: [AF_INET]public_ip:1194
2022-04-22 08:15:39.107384 MANAGEMENT: >STATE:1650608139,WAIT,
2022-04-22 08:15:39.127096 MANAGEMENT: >STATE:1650608139,AUTH,
2022-04-22 08:15:39.127342 TLS: Initial packet from [AF_INET]1public_ip:1194, sid=69b572f0 98504f8f
2022-04-22 08:15:39.480051 VERIFY OK: depth=1, CN=openvpn
2022-04-22 08:15:39.484744 VERIFY KU OK
2022-04-22 08:15:39.484885 Validating certificate extended key usage
2022-04-22 08:15:39.484903 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-04-22 08:15:39.484916 VERIFY EKU OK
2022-04-22 08:15:39.484929 VERIFY OK: depth=0, CN=turris
2022-04-22 08:16:39.407480 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-04-22 08:16:39.418442 TLS Error: TLS handshake failed
2022-04-22 08:16:39.419839 SIGUSR1[soft,tls-error] received, process restarting
2022-04-22 08:16:39.419895 MANAGEMENT: >STATE:1650608199,RECONNECTING,tls-error,
2022-04-22 08:16:39.424957 MANAGEMENT: CMD 'hold release'

The Turris itself:
Turris 1.X
|Turris OS version|3.11.23|
|System kernel version|4.4.199-f90a52a6230ecb072f657fce5aebd444-1|

Any idea?

Thanks, Zdenek

And what do you see in the logs on the client side?

Oh, my fault, the posted log is from the client side. How to get it from the Turris I have no idea :frowning:

And there is the answer to your question. Use SSH and look at /var/log/messages.

Thx, but because the VPN doesn't work and I'm outside, I have to SSH on the WAN and it says "connection refused" on port 22. So do I have to create a firewall rule to allow 22 from outside? Or a port forward to lan_ip:22 from wan_ip:whateverport?
Btw, I have an SSH honeypot there; may I use SSH from the WAN even while the honeypot is running?

Everything is possible but you have to configure it.

Great, thanks, every single step you give gets me closer.

2022-04-22 11:56:44 notice openvpn(server_turris)[6201]: remote_ip TLS: Initial packet from [AF_INET6]::ffff:remote_ip:60965, sid=eace6868 e5e206f7
2022-04-22 11:56:45 notice openvpn(server_turris)[6201]: remote_ip VERIFY WARNING: depth=0, unable to get certificate CRL: CN=DK
2022-04-22 11:56:45 notice openvpn(server_turris)[6201]: remote_ip VERIFY WARNING: depth=1, unable to get certificate CRL: CN=openvpn
2022-04-22 11:56:45 err openvpn(server_turris)[6201]: remote_ip VERIFY ERROR: CRL not loaded
2022-04-22 11:56:45 err openvpn(server_turris)[6201]: remote_ip OpenSSL: error:14089086:lib(20):func(137):reason(134)
2022-04-22 11:56:45 err openvpn(server_turris)[6201]: remote_ip TLS_ERROR: BIO read tls_read_plaintext error
2022-04-22 11:56:45 err openvpn(server_turris)[6201]: remote_ip TLS Error: TLS object -> incoming plaintext read error
2022-04-22 11:56:45 err openvpn(server_turris)[6201]: remote_ip TLS Error: TLS handshake failed
2022-04-22 11:56:45 notice openvpn(server_turris)[6201]: remote_ip SIGUSR1[soft,tls-error] received, client-instance restarting

But I have no idea what's wrong.

The cert exists and is valid.

The same behaviour occurs for all issued certs/users.

What is the content of /etc/config/openvpn?

config openvpn 'custom_config'
	option enabled '0'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option enabled '0'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'server_turris'
	option enabled '1'
	option port '1194'
	option proto 'udp'
	option dev 'tun_turris'
	option ca '/etc/ssl/ca/openvpn/ca.crt'
	option crl_verify '/etc/ssl/ca/openvpn/ca.crl'
	option cert '/etc/ssl/ca/openvpn/01.crt'
	option key '/etc/ssl/ca/openvpn/01.key'
	option dh '/etc/dhparam/dh-default.pem'
	option server '10.111.111.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option duplicate_cn '0'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option status '/tmp/openvpn-status.log'
	option verb '3'
	option mute '20'
	list push 'route 192.168.1.0 255.255.255.0'

Does this file exist?

Btw, are you aware that you are running an unsupported version of Turris OS?
You should upgrade to the latest one.

root@turris:/etc/ssl/ca/openvpn# ls *.crl
ca.crl

Yes.

Yes, but I thought this would do the job; it has been selected for about a month and nothing happened.
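At this point the thread has established three things: the server runs with crl_verify pointing at /etc/ssl/ca/openvpn/ca.crl, that file exists, and every handshake still fails with "unable to get certificate CRL" followed by "CRL not loaded". A file being present is not the same as OpenSSL accepting it: a CRL is only usable if it decodes as a DER CertificateList, is issued by the same CA the server chains to (the client log shows that CA as CN=openvpn at depth 1), and is inside its thisUpdate/nextUpdate window. The script below is an added example written for this reply, not Turris OS or OpenVPN code; it decodes a PEM or DER CRL with only the Python standard library and reports those three properties. It does not verify the CRL signature (openssl crl -CAfile ca.crt -in ca.crl -noout does that on the router), and the expected issuer name "openvpn", the sample dates and the constructed sample CRL are assumptions, not values read from the poster's files.

```python
"""Inspect the CRL that OpenVPN's crl_verify points at, using only the
Python standard library.  Added example, not Turris OS or OpenVPN code.
Reports issuer CN and the thisUpdate/nextUpdate window; no signature check."""
import base64
import re
import sys
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"   # DER value of id-at-commonName (2.5.4.3)
TIME_TAGS = (0x17, 0x18)   # UTCTime, GeneralizedTime


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, value) for every element of a constructed DER value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def _as_utc(value):
    """Accept an aware/naive datetime or an ISO string like '2022-04-22T11:56:45'."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def _parse_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def _issuer_cn(name_der):
    """Walk Name -> RDN SET -> AttributeTypeAndValue and return the CN string."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            oid, attr = list(_children(atv))
            if oid[1] == CN_OID:
                return attr[1].decode("utf-8")
    return None


def _pem_to_der(data):
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def crl_info(data):
    """Issuer CN and validity window of a PEM or DER CRL; ValueError if it is not one."""
    tag, cert_list, _ = _read_tlv(_pem_to_der(data), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE, so not a CRL")
    fields = list(_children(next(_children(cert_list))[1]))   # tbsCertList members
    if fields[0][0] == 0x02:                                    # optional version INTEGER
        fields = fields[1:]
    # fields: signature AlgorithmIdentifier, issuer Name, thisUpdate, [nextUpdate], ...
    has_next = len(fields) > 3 and fields[3][0] in TIME_TAGS
    return {"issuer_cn": _issuer_cn(fields[1][1]),
            "this_update": _parse_time(*fields[2]),
            "next_update": _parse_time(*fields[3]) if has_next else None}


def crl_status(data, expected_issuer_cn, now=None):
    """'ok', 'issuer-mismatch', 'not-yet-valid' or 'expired' for the CRL at time `now`."""
    info = crl_info(data)
    now = _as_utc(now) if now else datetime.now(timezone.utc)
    if info["issuer_cn"] != expected_issuer_cn:
        return "issuer-mismatch"
    if now < info["this_update"]:
        return "not-yet-valid"
    if info["next_update"] is not None and now > info["next_update"]:
        return "expired"
    return "ok"


# --- constructed sample CRL so the example runs offline (signature bytes are dummies) ---
def _tlv(tag, body):
    """Minimal DER encoder (short and long length forms)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_crl(issuer_cn, this_update, next_update):
    """Unsigned, empty CertificateList with the given issuer CN and UTCTime window."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")  # sha256WithRSA
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0c, issuer_cn.encode()))))
    utc = lambda v: _tlv(0x17, _as_utc(v).strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg + name + utc(this_update) + utc(next_update))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))


def to_pem(der):
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(der) + b"-----END X509 CRL-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # e.g. python3 crlcheck.py /etc/ssl/ca/openvpn/ca.crl
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                         # constructed sample, already expired on 2022-04-22
        data = to_pem(build_sample_crl("openvpn", "2022-01-01T00:00:00", "2022-03-01T00:00:00"))
    print(crl_info(data))
    print("status:", crl_status(data, "openvpn", now="2022-04-22T11:56:45"))
```

Run it on the router (or on a copy of ca.crl pulled over SSH) with the file path as the argument; an "expired" or "issuer-mismatch" result explains why OpenSSL cannot find a usable CRL for the CA even though the file is there, and the fix is then to regenerate the CRL from the same CA rather than to touch the client certificates.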

Well, you need to solve this issue first, I guess.
Start here.

Thx, I'll do that, thanks.