eduvpn / macos

Deprecated, please go to https://github.com/eduvpn/apple

Better error message in case of OpenVPN connection failure #241

Open jornane opened 4 years ago

jornane commented 4 years ago

My client suddenly failed, asking me to verify that I am using the correct certificate. I, as a technical user, don't know whether I am using the correct certificate; the client should handle that for me. A less technical user wouldn't know either. The error should therefore be handled by the client.

In this case, clicking OK and trying again solved the problem for me, but I don't know if the client did anything in the background.

I noticed the string in the source code here: https://github.com/eduvpn/macos/blob/4fea6a0db1701126d2ed0a263fe9b182e9cc2ee1/eduVPN/ConnectionService.swift#L85

jornane commented 4 years ago

Apparently, this error is a generic "Something went wrong with OpenVPN" error, since a user for whom OpenVPN failed to connect due to a timeout got the same error.

ghost commented 4 years ago

The problem was a server clock issue, i.e. the server was not using NTP. As the Norwegian deploy(s) use two machines, it is very important that the time between those servers is the same to avoid certificates being rejected as "not yet valid".

In the new vpn-ca planned as a default for one of the next releases this is somewhat mitigated by issuing certificates that are valid starting 5 minutes in the past.

ghost commented 4 years ago

It is difficult for the client to find out what went wrong; the server log usually has more details. Assuming the log is on...

ghost commented 4 years ago

Getting the exact same error now for a different issue. It seems the client really does use the wrong client cert or tls-crypt key. Not sure what is going on. It doesn't help that the client doesn't log anything before the connection is successful :(

ghost commented 4 years ago

Server log in this case:

Nov 28 20:39:07 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS: Initial packet from [AF_INET6]2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX:55134, sid=460b1694 d1a49483
Nov 28 20:39:55 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS: Initial packet from [AF_INET6]2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX:55135, sid=4d78aa8c 0a8b64ac
Nov 28 20:40:07 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 28 20:40:07 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS Error: TLS handshake failed
Nov 28 20:40:07 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX SIGUSR1[soft,tls-error] received, client-instance restarting
Nov 28 20:40:55 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 28 20:40:55 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS Error: TLS handshake failed
Nov 28 20:40:55 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX SIGUSR1[soft,tls-error] received, client-instance restarting
Nov 28 20:41:58 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS: Initial packet from [AF_INET6]2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX:55136, sid=e9430f16 d6192f88
Nov 28 20:42:20 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS: Initial packet from [AF_INET6]2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX:55137, sid=f39d4f94 1779c93a
Nov 28 20:42:58 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 28 20:42:58 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS Error: TLS handshake failed
Nov 28 20:42:58 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX SIGUSR1[soft,tls-error] received, client-instance restarting
Nov 28 20:43:20 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 28 20:43:20 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX TLS Error: TLS handshake failed
Nov 28 20:43:20 pi-vpn.tuxed.net openvpn[2407]: 2a02:8109:9dc0:42f9:fd16:e09:XXXX:XXXX SIGUSR1[soft,tls-error] received, client-instance restarting
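
Added example, not part of the issue thread or of the eduVPN code: a server-side summary of a log in the format above that counts, per peer address, handshakes started, handshakes that timed out, and connections established, then lists peers that never got through. The sample log, host name, addresses and the function names are constructed for illustration; it reports what the log records, not the cause of the failure.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the server log above; host name and
# addresses are placeholders (2001:db8::/32 is the documentation prefix).
SAMPLE_LOG = """\
Nov 28 20:39:07 vpn.example.org openvpn[2407]: 2001:db8::10 TLS: Initial packet from [AF_INET6]2001:db8::10:55134, sid=460b1694 d1a49483
Nov 28 20:39:30 vpn.example.org openvpn[2407]: 2001:db8::20 TLS: Initial packet from [AF_INET6]2001:db8::20:40112, sid=0a1b2c3d 4e5f6071
Nov 28 20:39:31 vpn.example.org openvpn[2407]: 2001:db8::20 [client-a] Peer Connection Initiated with [AF_INET6]2001:db8::20:40112
Nov 28 20:39:55 vpn.example.org openvpn[2407]: 2001:db8::10 TLS: Initial packet from [AF_INET6]2001:db8::10:55135, sid=4d78aa8c 0a8b64ac
Nov 28 20:40:07 vpn.example.org openvpn[2407]: 2001:db8::10 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 28 20:40:07 vpn.example.org openvpn[2407]: 2001:db8::10 TLS Error: TLS handshake failed
Nov 28 20:40:07 vpn.example.org openvpn[2407]: 2001:db8::10 SIGUSR1[soft,tls-error] received, client-instance restarting
Nov 28 20:40:55 vpn.example.org openvpn[2407]: 2001:db8::10 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 28 20:40:55 vpn.example.org openvpn[2407]: 2001:db8::10 TLS Error: TLS handshake failed
"""

# syslog timestamp, host, openvpn[pid], then the peer prefix and the message
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ openvpn\[\d+\]: (?P<peer>\S+) (?P<msg>.*)$")
EVENTS = [
    ("started", re.compile(r"^TLS: Initial packet from ")),
    ("timed_out", re.compile(r"^TLS Error: TLS key negotiation failed to occur within \d+ seconds")),
    ("connected", re.compile(r"Peer Connection Initiated with ")),
]

def summarize(log_text):
    """Count handshake events per peer address and remember the last event time."""
    peers = defaultdict(lambda: {"started": 0, "timed_out": 0, "connected": 0, "last_seen": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an OpenVPN line in the expected syslog layout
        for name, pattern in EVENTS:
            if pattern.search(m["msg"]):
                peers[m["peer"]][name] += 1
                peers[m["peer"]]["last_seen"] = m["ts"]
                break
    return dict(peers)

def never_connected(summary):
    """Peers that started at least one handshake and completed none."""
    return sorted(p for p, e in summary.items() if e["started"] and not e["connected"])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for peer in never_connected(summary):
        e = summary[peer]
        print(f"{peer}: {e['started']} started, {e['timed_out']} timed out, last seen {e['last_seen']}")
```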