kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License
8.77k stars 2.39k forks

Client is stuck (TLS Error: TLS key negotiation failed) #312

Open pavelsr opened 7 years ago

pavelsr commented 7 years ago

Set up the container on the server exactly as in the Quick setup section.

When I try to connect to the OpenVPN server from the client, the process gets stuck:

pi@RPi31:~/FabKey $ sudo openvpn --config client.ovpn 
Sun Sep 17 20:43:51 2017 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Sun Sep 17 20:43:51 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Sun Sep 17 20:43:51 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]104.31.89.168:1194
Sun Sep 17 20:43:51 2017 UDP link local: (not bound)
Sun Sep 17 20:43:51 2017 UDP link remote: [AF_INET]104.31.89.168:1194
Sun Sep 17 20:44:52 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Sep 17 20:44:52 2017 TLS Error: TLS handshake failed
Sun Sep 17 20:44:52 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Sep 17 20:44:57 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]104.31.88.168:1194
Sun Sep 17 20:44:57 2017 UDP link local: (not bound)
Sun Sep 17 20:44:57 2017 UDP link remote: [AF_INET]104.31.88.168:1194
Sun Sep 17 20:45:57 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Sep 17 20:45:57 2017 TLS Error: TLS handshake failed
Sun Sep 17 20:45:57 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Sep 17 20:46:02 2017 TCP/UDP: Preserving recently used remote address: [AF_INET6]2400:cb00:2048:1::681f:58a8:1194
Sun Sep 17 20:46:02 2017 UDP link local: (not bound)
Sun Sep 17 20:46:02 2017 UDP link remote: [AF_INET6]2400:cb00:2048:1::681f:58a8:1194
Sun Sep 17 20:46:02 2017 write UDP: Network is unreachable (code=101)
Sun Sep 17 20:46:02 2017 Network unreachable, restarting
Sun Sep 17 20:46:02 2017 SIGUSR1[soft,network-unreachable] received, process restarting
Sun Sep 17 20:46:07 2017 TCP/UDP: Preserving recently used remote address: [AF_INET6]2400:cb00:2048:1::681f:59a8:1194
Sun Sep 17 20:46:07 2017 UDP link local: (not bound)
Sun Sep 17 20:46:07 2017 UDP link remote: [AF_INET6]2400:cb00:2048:1::681f:59a8:1194
Sun Sep 17 20:46:07 2017 write UDP: Network is unreachable (code=101)
Sun Sep 17 20:46:07 2017 Network unreachable, restarting
Sun Sep 17 20:46:07 2017 SIGUSR1[soft,network-unreachable] received, process restarting
Sun Sep 17 20:46:12 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]104.31.88.168:1194
Sun Sep 17 20:46:12 2017 UDP link local: (not bound)
Sun Sep 17 20:46:12 2017 UDP link remote: [AF_INET]104.31.88.168:1194

Here is a log from the server with DEBUG enabled:

docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn
+ set -e
+ cd /etc/openvpn
+ USER_ARGS=("${@}")
+ ARGS=()
+ addArg --config /etc/openvpn/openvpn.conf
+ local arg=--config
+ '[' 2 -ge 1 ']'
+ local val=/etc/openvpn/openvpn.conf
+ hasArg --config
+ local element
+ return 1
+ ARGS+=("${arg}")
+ '[' 2 -ge 1 ']'
+ ARGS+=("${val}")
+ source /etc/openvpn/ovpn_env.sh
++ declare -x OVPN_AUTH=
++ declare -x OVPN_CIPHER=
++ declare -x OVPN_CLIENT_TO_CLIENT=
++ declare -x OVPN_CN=vpn.fabmarkt.ru
++ declare -x OVPN_COMP_LZO=0
++ declare -x OVPN_DEFROUTE=1
++ declare -x OVPN_DEVICE=tun
++ declare -x OVPN_DEVICEN=0
++ declare -x OVPN_DISABLE_PUSH_BLOCK_DNS=0
++ declare -x OVPN_DNS=1
++ OVPN_DNS_SERVERS=([0]="8.8.8.8" [1]="8.8.4.4")
++ declare -x OVPN_DNS_SERVERS
++ declare -x OVPN_ENV=/etc/openvpn/ovpn_env.sh
++ OVPN_EXTRA_CLIENT_CONFIG=()
++ declare -x OVPN_EXTRA_CLIENT_CONFIG
++ OVPN_EXTRA_SERVER_CONFIG=()
++ declare -x OVPN_EXTRA_SERVER_CONFIG
++ declare -x OVPN_FRAGMENT=
++ declare -x 'OVPN_KEEPALIVE=10 60'
++ declare -x OVPN_MTU=
++ declare -x OVPN_NAT=0
++ declare -x OVPN_PORT=1194
++ declare -x OVPN_PROTO=udp
++ OVPN_PUSH=()
++ declare -x OVPN_PUSH
++ OVPN_ROUTES=([0]="192.168.254.0/24")
++ declare -x OVPN_ROUTES
++ declare -x OVPN_SERVER=192.168.255.0/24
++ declare -x OVPN_SERVER_URL=udp://vpn.fabmarkt.ru
++ declare -x OVPN_TLS_CIPHER=
+ mkdir -p /dev/net
+ '[' '!' -c /dev/net/tun ']'
+ '[' -d /etc/openvpn/ccd ']'
+ addArg --client-config-dir /etc/openvpn/ccd
+ local arg=--client-config-dir
+ '[' 2 -ge 1 ']'
+ local val=/etc/openvpn/ccd
+ hasArg --client-config-dir
+ local element
+ return 1
+ ARGS+=("${arg}")
+ '[' 2 -ge 1 ']'
+ ARGS+=("${val}")
+ '[' -z '' ']'
+ OVPN_NATDEVICE=eth0
+ '[' 1 '!=' 0 ']'
+ setupIptablesAndRouting
+ iptables -t nat -C POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
iptables: No chain/target/match by that name.
+ iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
+ for i in '"${OVPN_ROUTES[@]}"'
+ iptables -t nat -C POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
iptables: No chain/target/match by that name.
+ iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
+ '[' /etc/openvpn/pki/crl.pem -nt /etc/openvpn/crl.pem ']'
+ '[' -r /etc/openvpn/crl.pem ']'
+ addArg --crl-verify /etc/openvpn/crl.pem
+ local arg=--crl-verify
+ '[' 2 -ge 1 ']'
+ local val=/etc/openvpn/crl.pem
+ hasArg --crl-verify
+ local element
+ return 1
+ ARGS+=("${arg}")
+ '[' 2 -ge 1 ']'
+ ARGS+=("${val}")
+ ip -6 route show default
+ '[' 0 = 0 ']'
+ echo 'Enabling IPv6 Forwarding'
+ sysctl -w net.ipv6.conf.all.disable_ipv6=0
Enabling IPv6 Forwarding
net.ipv6.conf.all.disable_ipv6 = 0
+ sysctl -w net.ipv6.conf.default.forwarding=1
net.ipv6.conf.default.forwarding = 1
+ sysctl -w net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
+ echo 'Running '\''openvpn --config' /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify '/etc/openvpn/crl.pem '\'''
Running 'openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify /etc/openvpn/crl.pem '
+ exec openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify /etc/openvpn/crl.pem
Sun Sep 17 20:38:41 2017 OpenVPN 2.4.3 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 23 2017
Sun Sep 17 20:38:41 2017 library versions: LibreSSL 2.5.4, LZO 2.10
Sun Sep 17 20:38:41 2017 Diffie-Hellman initialized with 2048 bit key
Sun Sep 17 20:38:41 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 17 20:38:41 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 17 20:38:41 2017 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
Sun Sep 17 20:38:41 2017 TUN/TAP device tun0 opened
Sun Sep 17 20:38:41 2017 TUN/TAP TX queue length set to 100
Sun Sep 17 20:38:41 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep 17 20:38:41 2017 /sbin/ip link set dev tun0 up mtu 1500
Sun Sep 17 20:38:41 2017 /sbin/ip addr add dev tun0 local 192.168.255.1 peer 192.168.255.2
Sun Sep 17 20:38:41 2017 /sbin/ip route add 192.168.254.0/24 via 192.168.255.2
Sun Sep 17 20:38:41 2017 /sbin/ip route add 192.168.255.0/24 via 192.168.255.2
Sun Sep 17 20:38:41 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Sep 17 20:38:41 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Sep 17 20:38:41 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Sep 17 20:38:41 2017 UDPv4 link remote: [AF_UNSPEC]
Sun Sep 17 20:38:41 2017 GID set to nogroup
Sun Sep 17 20:38:41 2017 UID set to nobody
Sun Sep 17 20:38:41 2017 MULTI: multi_init called, r=256 v=256
Sun Sep 17 20:38:41 2017 IFCONFIG POOL: base=192.168.255.4 size=62, ipv6=0
Sun Sep 17 20:38:41 2017 Initialization Sequence Completed

What could be wrong? I also tried to run the container on the server with the --network=host option, but got the same result. Any suggestion is much appreciated.
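Added example, not code from the issue or from the docker-openvpn project: a small Python triage of an OpenVPN 2.4 client log in the format shown above. It attributes each error to the remote endpoint the client was using at the time, separates the two failure modes visible in the log (a TLS negotiation timeout on an IPv4 remote versus an unreachable IPv6 remote) and turns them into the checks to run first. The sample lines and their addresses are constructed placeholders, not the reporter's.

```python
import re
from collections import OrderedDict

# Constructed sample in the OpenVPN 2.4 client log format quoted in this issue;
# addresses are documentation placeholders, not the reporter's.
SAMPLE_LOG = """\
Sun Sep 17 20:43:51 2017 UDP link remote: [AF_INET]192.0.2.10:1194
Sun Sep 17 20:44:52 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Sep 17 20:44:52 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Sep 17 20:46:02 2017 UDP link remote: [AF_INET6]2001:db8::1:1194
Sun Sep 17 20:46:02 2017 write UDP: Network is unreachable (code=101)
Sun Sep 17 20:46:07 2017 UDP link remote: [AF_INET]192.0.2.11:1194
Sun Sep 17 20:47:07 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

REMOTE_RE = re.compile(r"UDP link remote: \[(AF_INET6?)\](\S+)$")


def triage(log_text):
    """Map each remote endpoint the client tried to the outcome it hit there."""
    outcomes = OrderedDict()
    current = None
    for line in log_text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            family, endpoint = m.groups()
            addr, port = endpoint.rsplit(":", 1)  # port follows the last ':' for both families
            current = (family, addr, int(port))
            outcomes.setdefault(current, "no-error")
        elif current is None:
            continue
        elif "TLS key negotiation failed to occur" in line:
            # Datagrams left the client and nothing came back within 60 s: the path
            # or the listener behind that address is at fault, not the local stack.
            outcomes[current] = "tls-timeout"
        elif "Network is unreachable" in line:
            # The client has no route for that address family (here: no IPv6 uplink).
            outcomes[current] = "unreachable"
    return outcomes


def hints(outcomes):
    """Turn per-endpoint outcomes into the checks a defender would run first."""
    out = []
    if len({a for _, a, _ in outcomes}) > 1:
        out.append("name resolves to several addresses; every one must reach the container, or pin a single 'remote'")
    if any(f == "AF_INET6" and r == "unreachable" for (f, _, _), r in outcomes.items()):
        out.append("client has no IPv6 route; restrict the client to IPv4 with 'proto udp4' (OpenVPN 2.4+)")
    v4 = [r for (f, _, _), r in outcomes.items() if f == "AF_INET"]
    if v4 and all(r == "tls-timeout" for r in v4):
        out.append("no handshake reply on any IPv4 address; confirm UDP/1194 is published to the container and the name points at the Docker host")
    return out
```

Run it on a real client log with `hints(triage(open("client.log").read()))`; the server-side debug log on this page shows the listener bound on 1194/udp, so a timeout on every IPv4 address points at the path between the name and the container rather than at the OpenVPN process.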

santochen commented 7 years ago

@pavelsr, I had the same issues, then re-did all the steps again under the root user and it seems to work fine now.

tennysontbardwell commented 7 years ago

I'm also having this issue. Performed the quick setup on host machine A, connected from machine B. However, I was not able to connect to the container running on A from the host machine A. I attempted to connect by targeting A's IP address, 0.0.0.0, localhost, a DNS hostname pointing at A, and 127.0.0.1. I also attempted --network=host. Attempting to send UDP packets to A's port 1194 resulted in hanging (same results as from B), which indicates that port 1194 is being treated differently than other ports on A (which reject packets immediately).

Machine A is also able to connect to other OpenVPN servers.

UPDATE: Viewing the log output, it seems they were talking to each other but the certificate on machine A was rejected. It mentioned that A's certificate was self-signed, and since A's certificate was named the same as the server's, I generated a new one with a different name. All worked after that.