OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

TLS Error: TLS handshake failed #572

Closed chriskalish closed 2 months ago

chriskalish commented 3 months ago

Sorry - I'm totally lost here! I'm having the same symptoms as other people with "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" ... This is a new install and I have validated that I can connect to port 1194 between client and server. Here's what I've done so far:

Here's the server log:

2024-07-06 13:59:58 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-07-06 13:59:58 NOTE: --remote is not defined, disabling data channel offload.
2024-07-06 13:59:58 --pull-filter ignored for --mode server
2024-07-06 13:59:58 OpenVPN 2.6.11 [git:v2.6.11/ddf6bf6d2a135835] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 26 2024
2024-07-06 13:59:58 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-07-06 13:59:58 library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
2024-07-06 13:59:58 DCO version: 1.2.1
2024-07-06 13:59:58 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2024-07-06 13:59:58 Need hold release from management interface, waiting...
2024-07-06 13:59:59 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:58708
2024-07-06 13:59:59 MANAGEMENT: CMD 'state on'
2024-07-06 13:59:59 MANAGEMENT: CMD 'log on all'
2024-07-06 13:59:59 MANAGEMENT: CMD 'echo on all'
2024-07-06 13:59:59 MANAGEMENT: CMD 'bytecount 5'
2024-07-06 13:59:59 MANAGEMENT: CMD 'state'
2024-07-06 13:59:59 MANAGEMENT: CMD 'hold off'
2024-07-06 13:59:59 MANAGEMENT: CMD 'hold release'
2024-07-06 13:59:59 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
2024-07-06 13:59:59 Diffie-Hellman initialized with 2048 bit key
2024-07-06 13:59:59 interactive service msg_channel=504
2024-07-06 13:59:59 open_tun
2024-07-06 13:59:59 tap-windows6 device [OpenVPN TAP-Windows6] opened
2024-07-06 13:59:59 TAP-Windows Driver Version 9.27 
2024-07-06 13:59:59 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.1/255.255.255.0 [SUCCEEDED]
2024-07-06 13:59:59 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.0 on interface {8AFAEC8A-542D-468D-B429-543A919033D0} [DHCP-serv: 10.8.0.0, lease-time: 31536000]
2024-07-06 13:59:59 Sleeping for 10 seconds...
2024-07-06 14:00:09 Successful ARP Flush on interface [42] {8AFAEC8A-542D-468D-B429-543A919033D0}
2024-07-06 14:00:09 MANAGEMENT: >STATE:1720288809,ASSIGN_IP,,10.8.0.1,,,,
2024-07-06 14:00:09 IPv4 MTU set to 1500 on interface 42 using service
2024-07-06 14:00:09 Could not determine IPv4/IPv6 protocol. Using AF_INET6
2024-07-06 14:00:09 Socket Buffers: R=[65536->65536] S=[65536->65536]
2024-07-06 14:00:09 setsockopt(IPV6_V6ONLY=0)
2024-07-06 14:00:09 UDPv6 link local (bound): [AF_INET6][undef]:1194
2024-07-06 14:00:09 UDPv6 link remote: [AF_UNSPEC]
2024-07-06 14:00:09 MULTI: multi_init called, r=256 v=256
2024-07-06 14:00:09 IFCONFIG POOL IPv4: base=10.8.0.2 size=253
2024-07-06 14:00:09 IFCONFIG POOL LIST
2024-07-06 14:00:09 Initialization Sequence Completed
2024-07-06 14:00:09 MANAGEMENT: >STATE:1720288809,CONNECTED,SUCCESS,10.8.0.1,,,,

Here's the client log:

2024-07-06 14:11:55 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2024-07-06 14:11:55 OpenVPN 2.6.11 [git:v2.6.11/ddf6bf6d2a135835] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 26 2024
2024-07-06 14:11:55 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-07-06 14:11:55 library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
2024-07-06 14:11:55 DCO version: 1.2.1
2024-07-06 14:11:55 TCP/UDP: Preserving recently used remote address: [AF_INET]10.8.0.1:1194
2024-07-06 14:11:55 ovpn-dco device [OpenVPN Data Channel Offload] opened
2024-07-06 14:11:55 UDP link local: (not bound)
2024-07-06 14:11:55 UDP link remote: [AF_INET]10.8.0.1:1194
**2024-07-06 14:12:55 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-07-06 14:12:55 TLS Error: TLS handshake failed**
2024-07-06 14:12:55 Closing DCO interface
2024-07-06 14:12:55 SIGUSR1[soft,tls-error] received, process restarting
2024-07-06 14:12:55 Restart pause, 1 second(s)
2024-07-06 14:12:56 TCP/UDP: Preserving recently used remote address: [AF_INET]10.8.0.1:1194
2024-07-06 14:12:56 ovpn-dco device [OpenVPN Data Channel Offload] opened
2024-07-06 14:12:56 UDP link local: (not bound)
2024-07-06 14:12:56 UDP link remote: [AF_INET]10.8.0.1:1194

Here's the server config:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
ca "C:\\Program Files\\OpenVPN\\config\\myOrg\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\myOrg\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\myOrg\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\myOrg\\dh.pem"
tls-auth "C:\\Program Files\\OpenVPN\\config\\myOrg\\ta.key" 0

Here's the client config:

client
dev tun
proto udp
remote 10.8.0.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\myOrg\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\myOrg\\client1.crt"
key "C:\\Program Files\\OpenVPN\\config\\myOrg\\client1.key"
remote-cert-tls server
tls-auth "C:\\Program Files\\OpenVPN\\config\\myOrg\\ta.key" 1
cipher AES-256-CBC
verb 3

Thoughts? Thanks!

selvanair commented 3 months ago

In your client config:

client
dev tun
proto udp
remote 10.8.0.1 1194

The remote address of your server should be its publicly reachable IP address or hostname, not 10.8.0.1.
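
A static check for the misconfiguration selvanair points out, as an added example that is not part of the issue or of OpenVPN's own code: it parses a client and a server config, flags a `remote` that lies inside the server's own tunnel subnet, and also flags identical `tls-auth` key directions, a second misconfiguration that produces the same 60-second timeout. The sample configs are constructed and only model the ones posted above.

```python
import ipaddress

# Constructed sample configs modelled on the ones posted in the issue
# (not the poster's exact files).
CLIENT_CONF = """\
client
remote 10.8.0.1 1194
remote-cert-tls server
tls-auth ta.key 1
"""
SERVER_CONF = """\
port 1194
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0
"""

def parse_ovpn(text):
    """Yield (directive, args) pairs; '#'/';' comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()  # quoted paths are not re-joined; fine here
            yield parts[0], parts[1:]

def lint_pair(client_text, server_text):
    """Static checks for two causes of 'TLS key negotiation failed ... 60 seconds'."""
    srv = dict(parse_ovpn(server_text))  # repeated directives: last one wins
    cli_entries = list(parse_ovpn(client_text))
    cli = dict(cli_entries)
    findings = []
    # 1) 'remote' must be reachable before the tunnel exists, so it can never
    #    be an address inside the server's own tunnel pool.
    if len(srv.get("server", [])) >= 2:
        tun_net = ipaddress.ip_network("/".join(srv["server"][:2]), strict=False)
        for directive, args in cli_entries:
            if directive == "remote" and args:
                try:
                    if ipaddress.ip_address(args[0]) in tun_net:
                        findings.append(f"remote {args[0]} is inside the VPN subnet "
                                        f"{tun_net}; use the server's public IP or hostname")
                except ValueError:
                    pass  # hostname: cannot be checked statically
    # 2) tls-auth key directions must be complementary (0 on one side, 1 on the
    #    other); equal directions make each side drop the other's control
    #    packets, which also surfaces as the 60-second timeout.
    ta_s, ta_c = srv.get("tls-auth", []), cli.get("tls-auth", [])
    if len(ta_s) > 1 and len(ta_c) > 1 and ta_s[1] == ta_c[1]:
        findings.append(f"both sides use tls-auth key direction {ta_s[1]}")
    return findings
```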

chriskalish commented 2 months ago

Haha ... you're right. Solved! Thanks so much!