[lug] OpenVPN errors on startup

Hugh Brown hugh at math.byu.edu
Tue Nov 1 19:57:26 MST 2005


On Tue, 2005-11-01 at 18:52 -0500, Gordon Golding wrote:
> A couple of months ago I set up an OpenVPN server and client and they connected and were happy.
> 
> I just set up a new set of keys and copied them over to that original machine and 2 others.  None are connecting - they are all giving the same error (IP address xxx'd for security reasons).  I can scp between these machines, don't think connectivity is an issue.
> Thoughts?
> 
> Tue Nov  1 17:48:47 2005 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> Tue Nov  1 17:48:47 2005 TLS Error: TLS handshake failed
> Tue Nov  1 17:48:47 2005 TCP/UDP: Closing socket
> Tue Nov  1 17:48:47 2005 SIGUSR1[soft,tls-error] received, process restarting
> Tue Nov  1 17:48:47 2005 Restart pause, 2 second(s)
> Tue Nov  1 17:48:49 2005 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
> Tue Nov  1 17:48:49 2005 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
> Tue Nov  1 17:48:49 2005 Re-using SSL/TLS context
> Tue Nov  1 17:48:49 2005 LZO compression initialized
> Tue Nov  1 17:48:49 2005 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
> Tue Nov  1 17:48:49 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
> Tue Nov  1 17:48:49 2005 Local Options hash (VER=V4): '41690919'
> Tue Nov  1 17:48:49 2005 Expected Remote Options hash (VER=V4): '530fdded'
> Tue Nov  1 17:48:49 2005 UDPv4 link local: [undef]
> Tue Nov  1 17:48:49 2005 UDPv4 link remote: 128.138.xxx.xx:1194
> ...restart and try again ...

I'll chime in.  I know nothing about OpenVPN (but I have had to
troubleshoot ssl before), but the output makes me think of a couple of
things.  The port number changed.  Is everything pointing at the
appropriate ports?  Do you see the exchange in a tcpdump?

The certificate isn't being verified.  You said you generated two new
certificates.  A certificate authority of some sort signed those certs.
Did the CA's cert get included in OpenVPN's cacert trust store?  If they
are self-signed then I'm assuming you'll need to import the new
self-signed certs.

Can you use openssl s_client -connect <IP>:1194 and verify that you get
a cert?

Those are the things I'd look at.

FWIW,

Hugh
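The checklist Hugh gives (port agreement, whether the exchange reaches the peer, and the unverified server certificate) can be pulled straight out of the log Gordon posted. The script below is an added example written for this thread, not code from either poster or from the OpenVPN project: it parses the quoted log lines, maps the messages OpenVPN printed to the checks they call for, extracts the remote endpoint and port, and counts the restart loop. The rule texts and the `expected_port` parameter are this example's own assumptions; the sample log is a constructed copy of the lines quoted above, with the address left masked as in the thread.

```python
"""Triage OpenVPN client log output for a failing TLS handshake.

Added example for this thread; it is not OpenVPN's code. Everything it
recognises comes from the messages quoted in the original post.
"""
import re
from datetime import datetime

# Constructed sample: the lines quoted in the thread, address still masked.
SAMPLE_LOG = """\
Tue Nov  1 17:48:47 2005 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Nov  1 17:48:47 2005 TLS Error: TLS handshake failed
Tue Nov  1 17:48:47 2005 TCP/UDP: Closing socket
Tue Nov  1 17:48:47 2005 SIGUSR1[soft,tls-error] received, process restarting
Tue Nov  1 17:48:47 2005 Restart pause, 2 second(s)
Tue Nov  1 17:48:49 2005 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Nov  1 17:48:49 2005 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Nov  1 17:48:49 2005 UDPv4 link local: [undef]
Tue Nov  1 17:48:49 2005 UDPv4 link remote: 128.138.xxx.xx:1194
"""

# "Tue Nov  1 17:48:47 2005 <message>"; the day is space-padded.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")
REMOTE_RE = re.compile(r"link remote: (?P<host>\S+):(?P<port>\d+)$")

# (substring OpenVPN prints, finding id, what the operator should check).
# The advice strings are this example's wording, based on the thread.
RULES = [
    ("TLS key negotiation failed", "tls-timeout",
     "No TLS reply within 60s: confirm the server listens on the port the "
     "client uses, that UDP is not filtered, and that tcpdump on both ends "
     "shows the exchange."),
    ("No server certificate verification method", "no-server-verify",
     "Client does not verify the server certificate; see the MITM note in "
     "the OpenVPN howto and enable verification."),
    ("default port number is now 1194", "port-changed",
     "Default port moved from 5000 to 1194; make sure the client 'remote' "
     "and the server 'port' agree."),
    ("SIGUSR1[soft,tls-error]", "restart-loop",
     "Process restarted after a TLS error; repeated restarts mean the peers "
     "never complete a handshake (also check the CA cert on each side)."),
]


def parse_line(raw):
    """Return (datetime, message) for an OpenVPN log line, or None."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["msg"]


def triage(log_text, expected_port=1194):
    """Summarise findings, remote endpoint, restart count and time span."""
    findings = {}          # finding id -> advice (deduplicated)
    remote = None          # (host, port) the client tried to reach
    restarts = 0
    first_ts = last_ts = None

    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        first_ts = first_ts or ts
        last_ts = ts
        for needle, name, advice in RULES:
            if needle in msg:
                findings.setdefault(name, advice)
                if name == "restart-loop":
                    restarts += 1
        m = REMOTE_RE.search(msg)
        if m:
            remote = (m["host"], int(m["port"]))

    # Hugh's first question: is everything pointing at the right port?
    if remote is not None and remote[1] != expected_port:
        findings["port-mismatch"] = (
            f"Client connects to port {remote[1]} but {expected_port} was "
            f"expected; align the client 'remote' line with the server."
        )

    span = (last_ts - first_ts).total_seconds() if first_ts else 0
    return {"findings": findings, "remote": remote,
            "restarts": restarts, "span_seconds": span}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("remote:", result["remote"], "restarts:", result["restarts"])
    for name, advice in result["findings"].items():
        print(f"[{name}] {advice}")
```

Run it against a fuller log and the `restarts` count shows how long the client has been looping, while `port-mismatch` only fires when the remote port in the log differs from the one you tell it the server uses; the certificate question itself (whether the new CA cert is on every peer) still has to be checked on the hosts, as Hugh suggests with `openssl s_client`.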