angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License

TLS handshake failed #15

Octolus closed 7 years ago

Octolus commented 7 years ago

Sun Dec 18 02:21:46 2016 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
Sun Dec 18 02:21:46 2016 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Dec 18 02:21:46 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Sun Dec 18 02:21:46 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sun Dec 18 02:21:46 2016 Need hold release from management interface, waiting...
Sun Dec 18 02:21:46 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sun Dec 18 02:21:46 2016 MANAGEMENT: CMD 'state on'
Sun Dec 18 02:21:46 2016 MANAGEMENT: CMD 'log all on'
Sun Dec 18 02:21:46 2016 MANAGEMENT: CMD 'hold off'
Sun Dec 18 02:21:46 2016 MANAGEMENT: CMD 'hold release'
Sun Dec 18 02:21:46 2016 WARNING: Your certificate is not yet valid!
Sun Dec 18 02:21:46 2016 Control Channel Authentication: tls-auth using INLINE static key file
Sun Dec 18 02:21:46 2016 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Dec 18 02:21:46 2016 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Dec 18 02:21:46 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Dec 18 02:21:46 2016 UDPv4 link local: [undef]
Sun Dec 18 02:21:46 2016 UDPv4 link remote: [AF_INET]31.186.250.47:1194
Sun Dec 18 02:21:46 2016 MANAGEMENT: >STATE:1482024106,WAIT,,,
Sun Dec 18 02:21:46 2016 MANAGEMENT: >STATE:1482024106,AUTH,,,
Sun Dec 18 02:21:46 2016 TLS: Initial packet from [AF_INET]31.186.250.47:1194, sid=c6fffc0e 4c5088f1
Sun Dec 18 02:21:46 2016 VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe
Sun Dec 18 02:21:46 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Dec 18 02:21:46 2016 TLS_ERROR: BIO read tls_read_plaintext error
Sun Dec 18 02:21:46 2016 TLS Error: TLS object -> incoming plaintext read error
Sun Dec 18 02:21:46 2016 TLS Error: TLS handshake failed
Sun Dec 18 02:21:46 2016 SIGUSR1[soft,tls-error] received, process restarting
Sun Dec 18 02:21:46 2016 MANAGEMENT: >STATE:1482024106,RECONNECTING,tls-error,,
Sun Dec 18 02:21:46 2016 Restart pause, 2 second(s)
Sun Dec 18 02:21:48 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Dec 18 02:21:48 2016 UDPv4 link local: [undef]
Sun Dec 18 02:21:48 2016 UDPv4 link remote: [AF_INET]31.186.250.47:1194
Sun Dec 18 02:21:48 2016 MANAGEMENT: >STATE:1482024108,WAIT,,,
Sun Dec 18 02:21:49 2016 MANAGEMENT: >STATE:1482024109,AUTH,,,
Sun Dec 18 02:21:49 2016 TLS: Initial packet from [AF_INET]31.186.250.47:1194, sid=b60c4eb5 99b13093
Sun Dec 18 02:21:49 2016 VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe
Sun Dec 18 02:21:49 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Dec 18 02:21:49 2016 TLS_ERROR: BIO read tls_read_plaintext error
Sun Dec 18 02:21:49 2016 TLS Error: TLS object -> incoming plaintext read error
Sun Dec 18 02:21:49 2016 TLS Error: TLS handshake failed
Sun Dec 18 02:21:49 2016 SIGUSR1[soft,tls-error] received, process restarting
Sun Dec 18 02:21:49 2016 MANAGEMENT: >STATE:1482024109,RECONNECTING,tls-error,,
Sun Dec 18 02:21:49 2016 Restart pause, 2 second(s)
Sun Dec 18 02:21:51 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Dec 18 02:21:51 2016 UDPv4 link local: [undef]
Sun Dec 18 02:21:51 2016 UDPv4 link remote: [AF_INET]31.186.250.47:1194
Sun Dec 18 02:21:51 2016 MANAGEMENT: >STATE:1482024111,WAIT,,,
Sun Dec 18 02:21:51 2016 MANAGEMENT: >STATE:1482024111,AUTH,,,
Sun Dec 18 02:21:51 2016 TLS: Initial packet from [AF_INET]31.186.250.47:1194, sid=7c277811 d50b1a33
Sun Dec 18 02:21:51 2016 VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe
Sun Dec 18 02:21:51 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Dec 18 02:21:51 2016 TLS_ERROR: BIO read tls_read_plaintext error
Sun Dec 18 02:21:51 2016 TLS Error: TLS object -> incoming plaintext read error
Sun Dec 18 02:21:51 2016 TLS Error: TLS handshake failed
Sun Dec 18 02:21:51 2016 SIGUSR1[soft,tls-error] received, process restarting
Sun Dec 18 02:21:51 2016 MANAGEMENT: >STATE:1482024111,RECONNECTING,tls-error,,
Sun Dec 18 02:21:51 2016 Restart pause, 2 second(s)

angristan commented 7 years ago

The certificate can't be verified. Can you try to reinstall OpenVPN using the script?

Octolus commented 7 years ago

I did twice now, I can not remember experiencing this issue before (with older scripts).

Using Debian 7.

I'll try using another hosting provider (VULTR) instead of NFO.

angristan commented 7 years ago

And which client are you using?

Octolus commented 7 years ago

OpenVPN Default Client, I guess.

Octolus commented 7 years ago

Tried using Asus Merlin as well.

Dec 19 02:10:31 openvpn[1003]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 19 02:10:31 openvpn[1003]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Dec 19 02:10:31 openvpn[1003]: UDPv4 link local: [undef]
Dec 19 02:10:31 openvpn[1003]: UDPv4 link remote: [AF_INET]31.186.250.47:1194
Dec 19 02:10:31 openvpn[1003]: TLS: Initial packet from [AF_INET]31.186.250.47:1194, sid=6d928852 19c0370c
Dec 19 02:10:31 openvpn[1003]: VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe
Dec 19 02:10:31 openvpn[1003]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Dec 19 02:10:31 openvpn[1003]: TLS_ERROR: BIO read tls_read_plaintext error
Dec 19 02:10:31 openvpn[1003]: TLS Error: TLS object -> incoming plaintext read error
Dec 19 02:10:31 openvpn[1003]: TLS Error: TLS handshake failed
Dec 19 02:10:31 openvpn[1003]: SIGUSR1[soft,tls-error] received, process restarting
Dec 19 02:10:31 openvpn[1003]: Restart pause, 2 second(s)
Dec 19 02:10:33 openvpn[1003]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 19 02:10:33 openvpn[1003]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Dec 19 02:10:33 openvpn[1003]: UDPv4 link local: [undef]
Dec 19 02:10:33 openvpn[1003]: UDPv4 link remote: [AF_INET]31.186.250.47:1194
Dec 19 02:10:33 openvpn[1003]: TLS: Initial packet from [AF_INET]31.186.250.47:1194, sid=c7dc7c46 7ba56fad
Dec 19 02:10:33 openvpn[1003]: VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe
Dec 19 02:10:33 openvpn[1003]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Dec 19 02:10:33 openvpn[1003]: TLS_ERROR: BIO read tls_read_plaintext error
Dec 19 02:10:33 openvpn[1003]: TLS Error: TLS object -> incoming plaintext read error
Dec 19 02:10:33 openvpn[1003]: TLS Error: TLS handshake failed
Dec 19 02:10:33 openvpn[1003]: SIGUSR1[soft,tls-error] received, process restarting
Dec 19 02:10:33 openvpn[1003]: Restart pause, 2 second(s)

Octolus commented 7 years ago

And here is a screenshot of my router settings @Angristan http://i.imgur.com/bgaomsj.png

angristan commented 7 years ago

> OpenVPN Default Client i guess.

What? Which device and OS?

You should have said it's your router. Maybe the OpenVPN client used is not compatible. Try to remove the TLS 1.2 line from the config files.

Octolus commented 7 years ago

I also tried using Windows 10. I'm trying different services, none seem to work.

Here is a full log: http://pastebin.com/duRuYn78 from my PC Windows 10 @Angristan

Friends got exactly the same issue. Could it be a server firewall issue? I'm using NFO.

angristan commented 7 years ago

That's obviously a problem with the certificate. Did you modify the client configuration?

Octolus commented 7 years ago

I did not modify anything, I literally just clicked enter during the entire installation then grabbed the certificate. @Angristan

Octolus commented 7 years ago

Certificate, I mean the client.ovpn, and put it in C:\Program Files\OpenVPN\config like I have with all other installations. I have never experienced this issue before.

I'm starting to think it's my server, but seems rather weird if it would be. Debian 7.

angristan commented 7 years ago

That's really weird, I can't see what's wrong. If you try to add a client certificate, and then connect with it, do you have the problem?

Octolus commented 7 years ago

I think the issue might occur from my server, so instead of spamming this github with issues I'll close it then come back when I have a solution @Angristan

Kcchouette commented 7 years ago

@Octolus can I (we?) know why you think it comes from the server? Does the server have a fresh install of your OS?

angristan commented 7 years ago

@Octolus If you happen to have the issue again, please check if there are errors during the setup.

Octolus commented 7 years ago

It is a fresh install, yes @Kcchouette. I went to install SoftEther VPN instead and it seems to work fine. Had to enable secure NAT in that one, it had that TLS error. After enabling "secure NAT" within SoftEther it worked.

chocolateshirt commented 7 years ago

I also get an error when setting up my OVH VPS; the log is the same as the one @Octolus posted. There is a similar problem with Nyr's original code. I solved this problem by correcting the system and hardware time on my VPS.

The details can be accessed here: https://github.com/Nyr/openvpn-install/issues/158

angristan commented 7 years ago

Indeed: "certificate is not yet valid".
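
Added example, not part of the original thread or of the openvpn-install project: a small triage script for the failure diagnosed above. It pulls the `VERIFY ERROR ... certificate is not yet valid` entries out of several client logs and, as a heuristic assumed here, treats the same certificate being rejected by independent clients as a sign that the issuing host's clock was ahead. The log samples are constructed from the lines posted in the thread; the function names and verdict strings are hypothetical.

```python
import re
from collections import defaultdict

VERIFY = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (.+)$")
NOT_YET = "certificate is not yet valid"

# Constructed samples, modelled on the two client logs posted in the thread.
WINDOWS_LOG = """\
Sun Dec 18 02:21:46 2016 WARNING: Your certificate is not yet valid!
Sun Dec 18 02:21:46 2016 VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe
Sun Dec 18 02:21:46 2016 TLS Error: TLS handshake failed
Sun Dec 18 02:21:49 2016 VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe
"""
ROUTER_LOG = """\
Dec 19 02:10:31 openvpn[1003]: VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe
Dec 19 02:10:31 openvpn[1003]: TLS Error: TLS handshake failed
"""

def not_yet_valid(log_text):
    """Map each subject rejected as 'not yet valid' to (chain depth, retry count)."""
    found = {}
    for line in log_text.splitlines():
        m = VERIFY.search(line)
        if m and m.group(2) == NOT_YET:
            depth, subject = int(m.group(1)), m.group(3).strip()
            found[subject] = (depth, found.get(subject, (depth, 0))[1] + 1)
    return found

def diagnose(logs):
    """logs: {client name: log text}. Returns (verdict, {subject: [clients]})."""
    reporters = defaultdict(list)
    for client, text in logs.items():
        for subject in not_yet_valid(text):
            reporters[subject].append(client)
    if not reporters:
        return "no not-yet-valid error", {}
    # Heuristic: independent clients rejecting the same certificate points at its
    # notBefore (issuing host's clock ahead), not at one client's clock.
    if any(len(clients) > 1 for clients in reporters.values()):
        return "check clock of issuing host", dict(reporters)
    return "check this client's clock first", dict(reporters)

if __name__ == "__main__":
    print(diagnose({"windows": WINDOWS_LOG, "router": ROUTER_LOG}))
```

Depth 1 in these entries is the CA certificate rather than the server's own certificate, so every certificate issued by that CA fails the same way until the PKI is regenerated with a correct clock.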