TLS Error: TLS key negotiation failed to occur within 60 seconds (check your net

Started by forum111, February 28, 2024, 10:34:04 PM

OpenVPN with DDNS returns an error when the client tries to connect:

It turns out I have many problems. Some of those problems are now fixed. The first problem was that the DDNS configuration was not working.
I found a solution and now it is OK. It shows me that my external IP from the ISP is OK.

The IP is 78.83.81.101. This is my external IP from the ISP.
I do not have access to the ISP router.

My WAN IP is: 192.168.99.20
My LAN IP: 192.168.1.1

My port forwarding rule for port 1194 is:

My router has WAN IP: 192.168.100.*
My router is behind the ISP router.
My ISP external IP is 78.83.81.*
On my router my DDNS is set to IP: 78.83.81.*
and host name: cloudstreamsors.mooo.com
I set up one port forwarding rule:

source port: * destination address: WAN address destination port: 1194 NAT IP: 192.168.2.1 (router LAN IP)
NAT PORT REDIRECT: 1194
My router LAN IP is: 192.168.2.1; it is a virtual machine on ESXi.
My router WAN IP is: 192.168.100.65. I tried to check whether port 1194 on 78.83.81.168 is open,
using a tool from an external network to check. The IP 78.83.81.168 is the external IP of the ISP router.
I do not have access to the ISP router. Now the question is: will the port forwarding work?
All of this is configured in my router.



I located those comments. Still, what is the correct way to resolve the problem?



You can change it permanently in the OpenSSL configuration. Just modify the file /etc/ssl/openssl.cnf

Find the [default_sect] section and change it to:

[default_sect]
activate = 1
[legacy_sect]
activate = 1
Then find the [provider_sect] and use:

[provider_sect]
default = default_sect
legacy = legacy_sect
Save file.


Quote from: forum111 on February 28, 2024, 10:34:04 PM
OpenVPN with DDNS returns an error when the client tries to connect:

2024-02-28 23:28:31 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2024-02-28 23:28:31 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
2024-02-28 23:28:31 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption

I located those comments. Still, what is the correct way to resolve the problem?


Without details about your certificate setup, recreate all your client and/or server certificates and use some modern ciphers. OpenSSL is complaining about _very_ old ciphers being used (RC2-40-CBC); if you use OpenVPN to keep your connection private, using this cipher in 2024 is equivalent to using ROT13.

Don't use the "solution" you posted, this just instructs OpenSSL to support this old / insecure cipher, which is _very_ bad practice. The OpenVPN documentation contains enough instructions about creating client & server certificates.
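Added example, not from this thread and not OPNsense or OpenSSL code: the error pair quoted above ("RC2-40-CBC ... unsupported" followed by "mac verify failure") is what OpenSSL 3 prints when a .p12 was exported with the old PKCS#12 scheme pbeWithSHAAnd40BitRC2-CBC, whose cipher now lives only in the legacy provider. The algorithm identifiers inside a PKCS#12 file are not encrypted, so you can confirm that diagnosis without the password and without loading the legacy provider by walking the DER and listing the OIDs. The script below does that with the standard library only; the two sample inputs at the bottom are constructed DER that mimics the relevant part of a PFX, not real exports, and the OID tables cover the PKCS#12 and PKCS#5 schemes you are likely to meet.

```python
"""Report the PKCS#12 encryption schemes a .p12/.pfx uses (no password needed).
Added example, standard library only; the sample inputs are constructed DER."""
import sys

# PKCS#12 / PKCS#5 algorithm OIDs. LEGACY = needs OpenSSL 3's legacy provider.
LEGACY_PBE = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHAAnd128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHAAnd40BitRC4",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",   # the scheme behind the thread's error
}
SUPPORTED_PBE = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",  # opens, but dated
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}

def _read_length(buf, i):
    """DER length field at buf[i] -> (length, index of first content byte)."""
    if i >= len(buf):
        raise ValueError("truncated DER")
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("indefinite or oversized DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    if not content:
        raise ValueError("empty OID")
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def collect_oids(buf):
    """All OIDs in a DER blob. Descends into constructed types and into OCTET STRINGs
    that hold DER (PKCS#12 nests AuthenticatedSafe/SafeContents that way);
    ciphertext that does not parse as DER is skipped."""
    oids = []

    def walk(i, end, depth):
        if depth > 32:
            raise ValueError("DER nesting too deep")
        while i < end:
            tag = buf[i]
            if tag & 0x1F == 0x1F:
                raise ValueError("multi-byte tags do not occur in PKCS#12")
            length, i = _read_length(buf, i + 1)
            if i + length > end:
                raise ValueError("element overruns its container")
            if tag & 0x20:                                   # SEQUENCE, SET, [n] EXPLICIT
                walk(i, i + length, depth + 1)
            elif tag == 0x06:                                # OBJECT IDENTIFIER
                oids.append(_decode_oid(buf[i:i + length]))
            elif tag == 0x04 and length and buf[i] == 0x30:  # OCTET STRING wrapping a SEQUENCE
                mark = len(oids)
                try:
                    walk(i, i + length, depth + 1)
                except ValueError:
                    del oids[mark:]                          # opaque bytes, not nested DER
            i += length

    walk(0, len(buf), 0)
    return oids

def assess(buf):
    """What OpenSSL 3 needs in order to open this file."""
    oids = collect_oids(buf)
    legacy = sorted({LEGACY_PBE[o] for o in oids if o in LEGACY_PBE})
    supported = sorted({SUPPORTED_PBE[o] for o in oids if o in SUPPORTED_PBE})
    return {"legacy": legacy, "supported": supported, "needs_legacy_provider": bool(legacy)}

# --- constructed samples (tiny DER encoder; these are not real .p12 exports) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunk))
    return _der(0x06, bytes(body))

def _pfx_with_cert_pbe(alg_id):
    """PFX{ver, ContentInfo{data, [0] OCTET{AuthSafe{ContentInfo{encryptedData,
    [0] EncryptedData{ver, ECI{data, alg_id, [0] ciphertext}}}}}}}: the slice of a real .p12 that matters."""
    eci = _der(0x30, _oid("1.2.840.113549.1.7.1") + alg_id + _der(0x80, b"\xde\xad\xbe\xef" * 4))
    enc = _der(0x30, _oid("1.2.840.113549.1.7.6") + _der(0xA0, _der(0x30, _der(0x02, b"\x00") + eci)))
    auth = _der(0x30, _oid("1.2.840.113549.1.7.1") + _der(0xA0, _der(0x04, _der(0x30, enc))))
    return _der(0x30, _der(0x02, b"\x03") + auth)

PARAMS = _der(0x30, _der(0x04, b"\x5a" * 8) + _der(0x02, b"\x08\x00"))   # {salt, 2048 iterations}
LEGACY_SAMPLE = _pfx_with_cert_pbe(_der(0x30, _oid("1.2.840.113549.1.12.1.6") + PARAMS))
MODERN_SAMPLE = _pfx_with_cert_pbe(_der(0x30, _oid("1.2.840.113549.1.5.13") + _der(0x30,
    _der(0x30, _oid("1.2.840.113549.1.5.12") + _der(0x30, _der(0x04, b"\x5a" * 8) + _der(0x02, b"\x08\x00")
        + _der(0x30, _oid("1.2.840.113549.2.9") + _der(0x05, b""))))
    + _der(0x30, _oid("2.16.840.1.101.3.4.1.42") + _der(0x04, b"\x7f" * 16)))))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEGACY_SAMPLE
    print(assess(blob))
```

Run it as `python3 p12scan.py client.p12` (file name assumed). A result with needs_legacy_provider set is the file this thread is about, and the fix the replies recommend is to re-issue the client certificate in OPNsense and export a fresh profile rather than enabling the legacy provider for the whole system. If you must keep an existing key pair, re-wrap it with modern PBE instead: `openssl pkcs12 -export -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 ...`; these are the defaults in OpenSSL 3, so a fresh export from OpenSSL 3 will never show a legacy scheme. A one-off read of an old file with `openssl pkcs12 -in old.p12 -legacy ...` is a far smaller change than the permanent openssl.cnf edit posted above.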


Best is to:

- Update OPNsense to latest version
- Set the config of OpenVPN server to best practice (opnsense docs)
- Recreate certificates for the users (no p12)
- Export new profiles
- Install latest OpenVPN on the clients https://openvpn.net/community-downloads/
- Import profile and enjoy

I did that and now I have a new error, which I am not sure is related to any problem with OPNsense.

Today's error is "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"


https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/


OpenVPN says the error may be related to: "A NAT gateway on the server's network does not have a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server machine."

I did make a firewall rule and port forwarding also, and the error was not fixed. One reason for that may be that the ISP blocks all ports.
I sent a request to my ISP and hope to find out the reason for the problem soon.







Quote from: mimugmail on February 29, 2024, 07:45:27 AM
Best is to:

- Update OPNsense to latest version
- Set the config of OpenVPN server to best practice (opnsense docs)
- Recreate certificates for the users (no p12)
- Export new profiles
- Install latest OpenVPN on the clients https://openvpn.net/community-downloads/
- Import profile and enjoy

Quote from: forum111 on February 28, 2024, 10:34:04 PM
OpenVPN with DDNS returns an error when the client tries to connect:

It turns out I have many problems. Some of those problems are now fixed. The first problem was that the DDNS configuration was not working.
I found a solution and now it is OK. I am now seeing my ISP external IP in the DDNS config table.

The IP is 78.83.81.*. This is my external IP from the ISP.
I do not have access to the ISP router.

My WAN IP is: 192.168.99.20
My LAN IP: 192.168.1.1

My port forwarding rule for port 1194 is:

My router has WAN IP: 192.168.100.*
My router is behind the ISP router.
My ISP external IP is 78.83.81.*
On my router my DDNS is set to IP: 78.83.81.*
and host name: cloudstreamsors.mooo.com
I set up one port forwarding rule:

source port: * destination address: WAN address destination port: 1194 NAT IP: 192.168.2.1 (router LAN IP)
NAT PORT REDIRECT: 1194
My router LAN IP is: 192.168.2.1; it is a virtual machine on ESXi.
My router WAN IP is: 192.168.100.65. I tried to check whether port 1194 on 78.83.81.168 is open,
using a tool from an external network to check. The IP 78.83.81.168 is the external IP of the ISP router.
I do not have access to the ISP router. Now the question is: will the port forwarding work?
All of this is configured in my router.
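Added example, not from this thread and not OPNsense or OpenVPN code, for the "is port 1194 open from outside?" question: a UDP port scanner cannot tell "filtered" from "open" because a UDP service need not answer, but OpenVPN will. The first packet a client sends is a P_CONTROL_HARD_RESET_CLIENT_V2, and a server that is not running tls-auth/tls-crypt answers with a P_CONTROL_HARD_RESET_SERVER_V2 that echoes the client's session id, so a reply proves the whole path (ISP router, OPNsense port forward, firewall rule) works. The script builds that packet from the OpenVPN 2.x control-channel framing, sends it, and parses whatever comes back; the sample reply at the bottom is constructed so the parsing can be checked offline.

```python
"""Probe an OpenVPN UDP port with a bare client hard-reset and decode the answer.
Added example; the sample server reply is constructed, not captured."""
import os
import socket
import struct

P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8

def build_client_reset(session_id, key_id=0):
    """First handshake packet, no tls-auth/tls-crypt wrapper:
       opcode<<3|key_id (1) | our session id (8) | ack count = 0 (1) | packet id = 0 (4)"""
    if len(session_id) != 8:
        raise ValueError("OpenVPN session ids are 8 bytes")
    return struct.pack("!B8sBI", (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | key_id,
                       session_id, 0, 0)

def parse_reply(data, our_session_id):
    """Decode a control-packet header and say whether it is a server hard-reset
    that acknowledges our session, i.e. a genuine OpenVPN answer to our probe."""
    if len(data) < 10:
        raise ValueError("too short for an OpenVPN control packet")
    opcode, key_id = data[0] >> 3, data[0] & 0x07
    server_sid = data[1:9]
    n_acks = data[9]
    need = 10 + 4 * n_acks + (8 if n_acks else 0)   # ack ids, then remote session id if any acks
    if len(data) < need:
        raise ValueError("truncated ack array")
    acked = [struct.unpack_from("!I", data, 10 + 4 * k)[0] for k in range(n_acks)]
    remote_sid = data[10 + 4 * n_acks:need] if n_acks else b""
    return {
        "opcode": opcode,
        "key_id": key_id,
        "server_session_id": server_sid,
        "acked_packet_ids": acked,
        "is_server_hard_reset": opcode == P_CONTROL_HARD_RESET_SERVER_V2,
        "acks_our_session": remote_sid == our_session_id,
    }

def probe(host, port=1194, timeout=3.0, attempts=2):
    """Send the reset and wait. reachable=True carries the parsed reply; reachable=None
    means either the port is filtered / not forwarded, or the server runs
    tls-auth/tls-crypt and silently drops unauthenticated packets."""
    sid = os.urandom(8)
    pkt = build_client_reset(sid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(attempts):
            s.sendto(pkt, (host, port))
            try:
                data, peer = s.recvfrom(2048)
            except socket.timeout:
                continue
            return {"reachable": True, "peer": peer, **parse_reply(data, sid)}
    return {"reachable": None, "peer": (host, port)}

def sample_server_reply(client_sid, server_sid=b"\x11" * 8):
    """Constructed reply shaped like a server hard-reset acking our packet 0:
       opcode (1) | server sid (8) | ack count = 1 (1) | acked id 0 (4) | our sid (8) | packet id 0 (4)"""
    return struct.pack("!B8sBI8sI", P_CONTROL_HARD_RESET_SERVER_V2 << 3,
                       server_sid, 1, 0, client_sid, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1194))
    else:
        sid = b"\x01" * 8
        print(parse_reply(sample_server_reply(sid), sid))
```

Run it from a host outside your network as `python3 ovpn_probe.py cloudstreamsors.mooo.com 1194` (file name assumed). If a server hard-reset comes back, the port forward chain works and the TLS timeout has another cause. No reply is not a verdict: an OPNsense server configured per the best-practice docs uses tls-auth or tls-crypt and drops an unauthenticated reset without answering, so in that case take the capture on the server instead (`tcpdump -ni <wan-interface> udp port 1194` on the OPNsense console while a client connects). If nothing arrives there, the packet is dying before OPNsense: the WAN address 192.168.100.65 in the post above is an RFC 1918 address, which means the ISP router does its own NAT and must forward UDP 1194 to 192.168.100.65 as well; a port forward on OPNsense alone cannot pull traffic through a device in front of it. The probe looks exactly like a failed handshake in the server log, so point it only at servers you operate.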


