OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: Heathy65 on October 30, 2017, 07:52:56 am
-
I've used this guide (https://wiki.opnsense.org/manual/how-tos/sslvpn_client.html) to set up OpenVPN road warrior on my OPNsense router which is connected to the internet via a vDSL modem.
Having followed the guide, I can't get it working (I've even deleted everything and started again a couple of times too).
This is the error I'm getting, well it's the thing I spotted in the VPN logs that looks like an error to me!
Oct 30 06:45:59 openvpn[50808]: 82.132.230.13:44960 TLS Error: TLS handshake failed
Oct 30 06:45:59 openvpn[50808]: 82.132.230.13:44960 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
The WAN interface on my OPNsense is a public address and I'm using dynamic DNS.
Any thoughts appreciated.
-
OK - There are two parts to any vpn connection (at least).
1 is the client.
1 is the server.
So, you are using opnsense for 1? Is that the server or client?
What is the other machine?
-
Sorry I should have provided more information. The client is the OpenVPN app on my iPhone. I will get the logs from that side too.
Sent from my iPad using Tapatalk
-
How are you getting your configuration from your opnsense to your ipad?
What kind of authentication is your server side set up for?
-
Have you changed the TLS Authentication after the export of the client configuration?
You could also try to change the Auth Digest Algorithm to SHA256, which is still enough - see
https://airvpn.org/topic/14837-control-channel-cipher-satisfactory/page-2#entry33173
https://crypto.stackexchange.com/questions/26510/why-is-hmac-sha1-still-considered-secure
Some more info on your settings can help solve this.
Maybe VPN -> OpenVPN -> Logfile also has some useful info.
-
Yes - I'd check to be sure the Static TLS key in the server and client match.
-
How are you getting your configuration from your opnsense to your ipad?
What kind of authentication is your server side set up for?
Set up exactly as per the guide, I've used the Client Export option actually on iPhone and opened the file into the OpenVPN client on my iPhone.
I'm using "TOTP VPN Access Server" as per the document, I also tried Local Database as a simpler test.
-
have you checked
https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html
-
Dumb question I'm sure... Are the ports open on the WAN?
Are you running any "blocker this, blocker that" stuff?
-
Dumb question I'm sure... Are the ports open on the WAN?
Are you running any "blocker this, blocker that" stuff?
Not a dumb question :-)
I have 1194/UDP configured in Firewall/Rules on my WAN interface.
What do you mean re. "blocker...."
I assume I don't need any NAT / Port Forward configuration since the VPN server is on my OPNsense box and not "behind it" on my LAN?
-
have you checked
https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html
Yup, saw that, I don't think any of that is affecting me.
-
Yes - I'd check to be sure the Static TLS key in the server and client match.
Can you provide some guidance as how to do this please?
-
Your server should have produced a static key and the same key should be in your openvpn config.
Also, sometimes it's just easier to delete the vpn server instance, delete the config and start over.
-
Your server should have produced a static key and the same key should be in your openvpn config.
Also, sometimes it's just easier to delete the vpn server instance, delete the config and start over.
So maybe I'm missing a step here? I've looked in VPN / Servers and can see the TLS Authentication section with this in it, etc:
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
I looked on the iOS OpenVPN app and I can't see how to look at the TLS key there. Which begs the question should I have done more than just opened the .ovpn file on my iPhone and imported?
Thanks
-
To make sure your config is correct, view it with WordPad in Windows, gedit in Linux or whatever amazingly expensive editor a Mac ships with...
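Opening the exported .ovpn in an editor is the manual version of the check; the following is an added example (not OPNsense code, not the OpenVPN client's own logic) that does the same comparison programmatically. It parses the inline <tls-auth> block of a client profile, normalises both keys so line endings and comment lines do not matter, and also reports the settings that come up later in this thread (key-direction, remote-cert-tls, the auth digest). The static key and the two profiles are constructed placeholders, not the poster's data, and the hostname is made up.

```python
"""Check an exported OpenVPN client profile against the server's settings.

Added example for this thread, not OPNsense or OpenVPN code. Standard
library only; the key below is a placeholder pattern, not a real secret.
"""
import re
from typing import Dict, Optional

# One line of an 'OpenVPN Static key V1' body: 32 hex digits (128 bits).
HEX_LINE = re.compile(r"^[0-9a-fA-F]{32}$")


def extract_inline(ovpn: str, tag: str) -> Optional[str]:
    """Return the body of an inline <tag>...</tag> block, or None if absent."""
    m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", ovpn, re.S)
    return m.group(1) if m else None


def directive(ovpn: str, name: str) -> Optional[str]:
    """Return the argument string of a top-level directive ('' if it has none),
    or None if absent. 'remote' must not match 'remote-cert-tls', so the
    character after the name has to be whitespace or end of line."""
    for raw in ovpn.splitlines():
        line = raw.strip()
        if line == name or (line.startswith(name) and line[len(name)].isspace()):
            return line[len(name):].strip()
    return None


def normalize_static_key(block: str) -> str:
    """Reduce a static key block to its bare lowercase hex payload.

    Comment lines (#), the BEGIN/END markers, blank lines and line endings are
    dropped, so a key pasted on another platform still compares equal.
    Anything else raises rather than producing a silent mismatch."""
    hex_lines = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        if not HEX_LINE.match(line):
            raise ValueError(f"unexpected line in static key: {line!r}")
        hex_lines.append(line.lower())
    payload = "".join(hex_lines)
    if len(payload) != 512:  # 2048 bits = 256 bytes = 512 hex digits
        raise ValueError(f"static key is {len(payload) * 4} bits, expected 2048")
    return payload


def check_client_profile(client_ovpn: str, server_static_key: str) -> Dict[str, object]:
    """Findings worth checking when the server logs 'TLS handshake failed'."""
    findings: Dict[str, object] = {}
    client_key = extract_inline(client_ovpn, "tls-auth")
    findings["tls_auth_present"] = client_key is not None
    # A stale or wrong key means the server will not accept the client's
    # control-channel packets, so the handshake never completes.
    findings["tls_auth_matches_server"] = (
        client_key is not None
        and normalize_static_key(client_key) == normalize_static_key(server_static_key)
    )
    # Server and client must use opposite key directions (server 0, client 1).
    findings["key_direction"] = directive(client_ovpn, "key-direction")
    # 'remote-cert-tls server' makes the client require a certificate issued
    # for server use, so a user certificate on the server side is rejected
    # even when the CA chain itself is valid.
    findings["requires_server_cert"] = directive(client_ovpn, "remote-cert-tls") == "server"
    # Control-channel HMAC digest; must match the server's Auth Digest Algorithm.
    findings["auth_digest"] = directive(client_ovpn, "auth")
    return findings


# Constructed placeholder key: 16 lines of 32 hex digits (NOT a real key).
KEY_LINES = [f"{i:02x}" * 16 for i in range(16)]
SERVER_STATIC_KEY = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(KEY_LINES)
    + "\n-----END OpenVPN Static key V1-----\n"
)


def client_profile(static_key: str) -> str:
    """Constructed road-warrior profile in the shape Client Export produces."""
    return (
        "client\ndev tun\nproto udp\n"
        "remote vpn.example.invalid 1194\n"   # made-up hostname
        "remote-cert-tls server\nauth SHA256\nkey-direction 1\n"
        "<tls-auth>\n" + static_key + "</tls-auth>\n"
    )


CLIENT_OK = client_profile(SERVER_STATIC_KEY)
# Same profile, first key line altered: what a client looks like after the
# server's key was regenerated without re-exporting the client.
CLIENT_STALE_KEY = client_profile(SERVER_STATIC_KEY.replace(KEY_LINES[0], "ff" * 16))

if __name__ == "__main__":
    for label, profile in (("fresh export", CLIENT_OK), ("stale export", CLIENT_STALE_KEY)):
        print(label, check_client_profile(profile, SERVER_STATIC_KEY))
```

To use it against a real setup, paste the key shown under VPN / Servers / TLS Authentication into `SERVER_STATIC_KEY` and read the exported .ovpn into `check_client_profile` in place of the constructed profiles.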
-
I've confirmed that the TLS static key is the same on both sides.
I do see this error in the iOS/client OpenVPN side.
2017-10-30 15:58:37 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the Certificate handshake message failed
2017-10-30 15:58:37 Client terminated, restarting in 2000 ms...
-
I think this is either a problem with the format of your cert on opnsense or just your ipad client being picky.
Any chance you can try a different client on ipad?
-
And read the very last lines of this thread.
https://forums.openvpn.net/viewtopic.php?t=21998
-
I think this is either a problem with the format of your cert on opnsense or just your ipad client being picky.
Any chance you can try a different client on ipad?
I tried Viscosity on my Mac and got this (IP addresses changed):
2017-10-30 19:05:49: State changed to Connecting
2017-10-30 19:05:49: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
2017-10-30 19:05:49: UDP link local (bound): [AF_INET][undef]:0
2017-10-30 19:05:49: UDP link remote: [AF_INET]11.22.33.44:1194
2017-10-30 19:05:49: State changed to Authenticating
2017-10-30 19:05:49: VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=GB, ST=State, L=City, O=Org, emailAddress=noreply@blah.co.uk, CN=SSLVPN Server Certificate
2017-10-30 19:05:49: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-10-30 19:05:49: TLS_ERROR: BIO read tls_read_plaintext error
2017-10-30 19:05:49: TLS Error: TLS object -> incoming plaintext read error
2017-10-30 19:05:49: TLS Error: TLS handshake failed
2017-10-30 19:05:49: SIGUSR1[soft,tls-error] received, process restarting
2017-10-30 19:05:49: Viscosity Mac 1.7.5 (1420)
2017-10-30 19:05:49: Viscosity OpenVPN Engine Started
2017-10-30 19:05:49: Running on macOS 10.12.6
-
Yep - Cert errors.
Be sure to create a proper CA. I name mine VPN CA to avoid confusion.
Then use that CA to create a SERVER cert. Not user cert. I call mine something like VpnServerCert (to avoid confusion)
Make sure you fill in all the fields required for the certs. Make crap up if you need to - I do.
Then go back to your VPN server and make sure it's using your new server Cert and Shiny new CA
Then export it, and try again.
-
Yep - Cert errors.
Be sure to create a proper CA. I name mine VPN CA to avoid confusion.
Then use that CA to create a SERVER cert. Not user cert. I call mine something like VpnServerCert (to avoid confusion)
Make sure you fill in all the fields required for the certs. Make crap up if you need to - I do.
Then go back to your VPN server and make sure it's using your new server Cert and Shiny new CA
Then export it, and try again.
Thanks for the advice. I've checked my homework and this is what I have.
System:Trust:Authorities called SSL VPN CA
System:Trust:Certificates called SSLVPN (Issuer: SSL VPN CA)
System:Trust:Certificates called vpn-user1 (Issuer: SSL VPN CA)
VPN Server Config
Peer Certificate Authority: SSL VPN CA
Server Certificate: SSLVPN Server Certificate (SSL VPN CA)
System:Access:Users
vpn-user1 using vpn-user1 User Certificate (CA = SSL VPN CA)
-
Is that a new or old cert? Are these new ones that you just created?
-
Is that a new or old cert? Are these new ones that you just created?
Old, although I have previously deleted everything and tried again, so I guess I'm doing something stupid every time :)
I will give it another go anyway.
-
Be careful at the point where you are making the cert and the ca. There is a box that says "type". Be sure to select server.
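The advice in the two posts above (create a CA, issue a certificate of type Server from it, point the VPN server at both) can be checked outside OPNsense. The following is an added example, not OPNsense or OpenVPN code: it uses openssl to build a throwaway CA and two leaf certificates, one carrying the server extensions (serverAuth EKU, nsCertType server) and one carrying user-certificate extensions (clientAuth, nsCertType client), then runs the OpenSSL purpose check a TLS client applies to a server's certificate. That check is what produced "VERIFY ERROR: depth=0, error=unsupported certificate purpose" in the Viscosity log, so the user-type certificate fails it and the server-type one passes. The names, subjects and paths are made up, and the extension sets are the ones the check accepts, not a dump of what OPNsense writes.

```shell
#!/bin/sh
# Added example for this thread, not OPNsense or OpenVPN code.
# Reproduces the 'unsupported certificate purpose' condition with openssl.
set -eu

# Self-signed CA with the extensions a signing CA needs (constructed names).
make_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = SSL VPN CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# Leaf certificate signed by the CA. $3 is the extendedKeyUsage, $4 the
# nsCertType: 'serverAuth server' is what a server-type certificate carries,
# 'clientAuth client' what a user certificate carries.
make_leaf() {
    dir=$1 name=$2 eku=$3 nstype=$4
    cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $name
EOF
    cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = $eku
nsCertType = $nstype
subjectKeyIdentifier = hash
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/$name.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
        -out "$dir/$name.pem" 2>/dev/null
}

# Exit 0 only if the chain verifies AND the leaf is usable as a TLS server:
# the condition a client imposes on the certificate the VPN server presents.
server_purpose_ok() {
    if openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/$2.pem" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca "$WORK"
make_leaf "$WORK" vpn-server serverAuth server
make_leaf "$WORK" vpn-user1 clientAuth client

for leaf in vpn-server vpn-user1; do
    # '-purpose' prints one line per purpose; 'SSL server : Yes' is the one that matters.
    openssl x509 -noout -purpose -in "$WORK/$leaf.pem" | grep 'SSL server :' | sed "s/^/$leaf: /"
    if server_purpose_ok "$WORK" "$leaf"; then
        echo "$leaf: accepted as a server certificate"
    else
        echo "$leaf: rejected, a client would report 'unsupported certificate purpose'"
    fi
done
```

To check a real OPNsense setup, export the server certificate and the CA from System: Trust and run the same `openssl verify -CAfile ca.pem -purpose sslserver server.pem` against them; "SSL server : No" from `openssl x509 -purpose` means the certificate was not created with Type = Server.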
-
Be careful at the point where you are making the cert and the ca. There is a box that says "type". Be sure to select server.
Good news, tried again as you suggested and made sure I selected Type = Server in the Cert creation and I'm now getting authorisation/password issues which is good since I'm progressing. (Although I'm sure I've selected server in the past and it still didn't work, but hey-ho, I could be wrong/blind!).
Since I'm using MFA inc. TOTP do I enter the password plus the authenticator code when I login?
Thanks again.
-
If I were you, I would use SSL/TLS authentication and no username / password. Those settings are in the server setup.
Then I'd export the client again... I hate typing passwords.