
Nixelord03
Member
182
01-14-2021, 06:58 AM
#1
Hi everyone, I am 'hosting' my own OpenVPN server to connect to a different facility. However, as soon as I establish a connection via the CLI I get a few errors which in the end don't matter, as the connection still works after those errors. Still, I would like to diminish those errors and get everything working properly.

First of all, this is what my VPN config looks like:

client
dev tun
proto udp
remote XXXXXXXXXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
XXXXXXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXXXXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXXXXX
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
XXXXXX
-----END OpenVPN Static key V1-----
</tls-crypt>

The parts marked with 'X' are filled with the correct private data in my configuration. Whenever I start this config, this is what the CLI returns:

Sun Dec 5 22:22:41 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Sun Dec 5 22:22:41 2021 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Sun Dec 5 22:22:41 2021 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Dec 5 22:22:41 2021 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Dec 5 22:22:41 2021 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Dec 5 22:22:41 2021 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Dec 5 22:22:41 2021 TCP/UDP: Preserving recently used remote address: [AF_INET6]XXXXXXXXXX
Sun Dec 5 22:22:41 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Dec 5 22:22:41 2021 UDP link local: (not bound)
Sun Dec 5 22:22:41 2021 UDP link remote: [AF_INET6]XXXXXXXXXXXXXX
Sun Dec 5 22:23:41 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec 5 22:23:41 2021 TLS Error: TLS handshake failed
Sun Dec 5 22:23:41 2021 SIGUSR1[soft,tls-error] received, process restarting
Sun Dec 5 22:23:41 2021 Restart pause, 5 second(s)
Sun Dec 5 22:23:46 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXXXXXXXXX
Sun Dec 5 22:23:46 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Dec 5 22:23:46 2021 UDP link local: (not bound)
Sun Dec 5 22:23:46 2021 UDP link remote: [AF_INET]XXXXXXXXXXX
Sun Dec 5 22:23:46 2021 TLS: Initial packet from [AF_INET]XXXXXXXXXX
Sun Dec 5 22:23:46 2021 VERIFY OK: depth=1, CN=ChangeMe
Sun Dec 5 22:23:46 2021 VERIFY KU OK
Sun Dec 5 22:23:46 2021 Validating certificate extended key usage
Sun Dec 5 22:23:46 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Dec 5 22:23:46 2021 VERIFY EKU OK
Sun Dec 5 22:23:46 2021 VERIFY OK: depth=0, CN=server
Sun Dec 5 22:23:46 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Dec 5 22:23:46 2021 [server] Peer Connection Initiated with [AF_INET]XXXXXXXXX
Sun Dec 5 22:23:47 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Dec 5 22:23:47 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS XXXX tun 6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fddd:1194:1194:1194::1003/64 fddd:1194:1194:1194::1,ifconfig 10.8.0.5 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sun Dec 5 22:23:47 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec 5 22:23:47 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec 5 22:23:47 2021 OPTIONS IMPORT: route options modified
Sun Dec 5 22:23:47 2021 OPTIONS IMPORT: route-related options modified
Sun Dec 5 22:23:47 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Dec 5 22:23:47 2021 OPTIONS IMPORT: peer-id set
Sun Dec 5 22:23:47 2021 OPTIONS IMPORT: adjusting link_mtu to 1624
Sun Dec 5 22:23:47 2021 OPTIONS IMPORT: data channel crypto options modified
Sun Dec 5 22:23:47 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Dec 5 22:23:47 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Dec 5 22:23:47 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Dec 5 22:23:47 2021 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=wlo1 HWADDR=XXXXXXXXXX
Sun Dec 5 22:23:47 2021 GDG6: remote_host_ipv6=n/a
Sun Dec 5 22:23:47 2021 ROUTE6_GATEWAY XXXXXXXXX IFACE=wlo1
Sun Dec 5 22:23:47 2021 TUN/TAP device tun0 opened
Sun Dec 5 22:23:47 2021 TUN/TAP TX queue length set to 100
Sun Dec 5 22:23:47 2021 /sbin/ip link set dev tun0 up mtu 1500
Sun Dec 5 22:23:47 2021 /sbin/ip addr add dev tun0 10.8.0.5/24 broadcast 10.8.0.255
Sun Dec 5 22:23:47 2021 /sbin/ip -6 addr add XXXXXXXXXXXXXXXXXXXXXXXXXXXX dev tun0
Sun Dec 5 22:23:47 2021 /sbin/ip route add XXXXXXXXXXXXXXXX via 192.168.178.1
Sun Dec 5 22:23:47 2021 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Sun Dec 5 22:23:47 2021 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Sun Dec 5 22:23:47 2021 add_route_ipv6(::/3 -> XXXXXXXXXXXXXXXXXXXXXX metric -1) dev tun0
Sun Dec 5 22:23:47 2021 /sbin/ip -6 route add ::/3 dev tun0
Sun Dec 5 22:23:47 2021 add_route_ipv6(2000::/4 -> XXXXXXXXXXXXXXXXXXXXXX metric -1) dev tun0
Sun Dec 5 22:23:47 2021 /sbin/ip -6 route add 2000::/4 dev tun0
Sun Dec 5 22:23:47 2021 add_route_ipv6(3000::/4 -> XXXXXXXXXXXXXXXXXXXXXX metric -1) dev tun0
Sun Dec 5 22:23:47 2021 /sbin/ip -6 route add 3000::/4 dev tun0
Sun Dec 5 22:23:47 2021 add_route_ipv6(fc00::/7 -> XXXXXXXXXXXXXXXXXXXXXX metric -1) dev tun0
Sun Dec 5 22:23:47 2021 /sbin/ip -6 route add fc00::/7 dev tun0
Sun Dec 5 22:23:47 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Dec 5 22:23:47 2021 Initialization Sequence Completed

Again, the parts with 'XXX' have the correct data in my real-world output. Any help in getting those errors out is appreciated.

Side note: when I change the config from udp to tcp it doesn't work anymore. Router firewall and so on have the necessary ports open.
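The log above shows one pattern worth recognising: the first attempt goes to the server's IPv6 address ([AF_INET6]), the TLS handshake never gets an answer within 60 seconds, the process restarts, and the second attempt to the IPv4 address ([AF_INET]) completes normally. The following triage script, an added example that is not part of Nixelord03's post or of OpenVPN itself, parses a client log for exactly that fallback, checks the config for the hardening directives a reviewer would look for (remote-cert-tls server, tls-crypt/tls-auth, verify-x509-name, auth-nocache), and emits a config with the address family pinned to IPv4 via the OpenVPN 2.4 proto udp4 form. The log excerpt and config are constructed from the post with documentation addresses and a hypothetical hostname (vpn.example.net); no real key material is included.

```python
"""Triage an OpenVPN 2.4 client log + config for the IPv6-first handshake
timeout / IPv4 fallback pattern and a few hardening settings.

Added example, not the poster's or the OpenVPN project's code.
"""
import re

# Constructed excerpt modelled on the post's log (timestamps dropped, addresses invented).
SAMPLE_LOG = """\
UDP link remote: [AF_INET6]2001:db8::1194
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)
UDP link remote: [AF_INET]203.0.113.10
TLS: Initial packet from [AF_INET]203.0.113.10
VERIFY OK: depth=0, CN=server
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
[server] Peer Connection Initiated with [AF_INET]203.0.113.10
Data Channel: using negotiated cipher 'AES-256-GCM'
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Initialization Sequence Completed
"""

# Constructed client config mirroring the post's directives (hostname is hypothetical).
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
verb 3
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
XXXX
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

LINK_RE = re.compile(r"UDP link remote: \[(AF_INET6?)\]")
PEER_RE = re.compile(r"Peer Connection Initiated with \[(AF_INET6?)\]")
CIPHER_RE = re.compile(r"negotiated cipher '([^']+)'")


def analyze_log(log_text):
    """Record which address family each handshake failed on and which one came up."""
    s = {"failed_families": [], "connected_family": None, "data_cipher": None,
         "completed": False, "auth_nocache_warning": False}
    family = None  # family of the link currently being attempted
    for line in log_text.splitlines():
        m = LINK_RE.search(line)
        if m:
            family = m.group(1)
        elif "TLS handshake failed" in line and family:
            s["failed_families"].append(family)
        elif PEER_RE.search(line):
            s["connected_family"] = PEER_RE.search(line).group(1)
        elif CIPHER_RE.search(line):
            s["data_cipher"] = CIPHER_RE.search(line).group(1)
        elif "use the auth-nocache option" in line:
            s["auth_nocache_warning"] = True
        elif "Initialization Sequence Completed" in line:
            s["completed"] = True
    return s


def parse_directives(config_text):
    """Map top-level directive -> args; <inline> blocks are noted, not parsed."""
    d, in_block = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            d[line.strip("<>")] = ["<inline>"]
            in_block = True
        elif not in_block:
            parts = line.split()
            d[parts[0]] = parts[1:]
    return d


def ipv6_fallback(s):
    """True when the only failed handshake was over IPv6 and IPv4 then worked."""
    return s["failed_families"] == ["AF_INET6"] and s["connected_family"] == "AF_INET"


def pin_ipv4(proto):
    """udp -> udp4, tcp-client -> tcp4-client (OpenVPN 2.4 family-specific forms)."""
    base, dash, rest = proto.partition("-")
    return base + "4" + dash + rest


def config_findings(config_text, s):
    d = parse_directives(config_text)
    proto = d.get("proto", ["udp"])[0]
    out = []
    if ipv6_fallback(s) and not re.search(r"[46]", proto):
        out.append("IPv6 handshake timed out, IPv4 succeeded: pin the family with 'proto %s' "
                   "(or fix IPv6 reachability of the server port)" % pin_ipv4(proto))
    if d.get("remote-cert-tls") != ["server"]:
        out.append("add 'remote-cert-tls server' so only a server-EKU certificate is accepted")
    if "tls-crypt" not in d and "tls-auth" not in d:
        out.append("no tls-crypt/tls-auth: control channel not wrapped with a pre-shared key")
    if "verify-x509-name" not in d:
        out.append("consider 'verify-x509-name': without it any server-EKU certificate "
                   "issued by this CA is accepted")
    if s["auth_nocache_warning"] and "auth-nocache" not in d:
        out.append("log warns about cached passwords: add 'auth-nocache'")
    return out


def harden_config(config_text, s):
    """Copy of the config with proto pinned to IPv4 (when the log shows the
    fallback) and auth-nocache appended (when the log asks for it)."""
    lines = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "proto" and ipv6_fallback(s) and not re.search(r"[46]", parts[1]):
            raw = "proto " + pin_ipv4(parts[1])
        lines.append(raw)
    if s["auth_nocache_warning"] and "auth-nocache" not in parse_directives(config_text):
        lines.append("auth-nocache")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    summary = analyze_log(SAMPLE_LOG)
    for finding in config_findings(SAMPLE_CONFIG, summary):
        print("-", finding)
    print(harden_config(SAMPLE_CONFIG, summary))
```

Run it against a real log with the timestamps left in; the regexes anchor on the message text, not on the date prefix. Pinning proto udp4 removes the 60-second IPv6 attempt without changing anything on the server; the alternative is to make UDP/1194 reachable over IPv6 end to end, which the log shows it currently is not. Two caveats the script does not decide for you: the first handshake attempt reports a timeout rather than a certificate or tls-crypt failure, so it is a reachability problem and not a trust problem, and a client switched to proto tcp can only connect if the server side also runs an instance listening on TCP, whatever the router firewall allows.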