pivpn / pivpn

The Simplest VPN installer, designed for Raspberry Pi
https://pivpn.io
MIT License

TLS handshake failing #313

Closed ghost closed 7 years ago

ghost commented 7 years ago

PiVPN Issue Template

Console output of curl install.pivpn.io | bash

Console output of pivpn add or pivpn add nopass

Console output of pivpn debug

pi@raspberrypi:~ $ pivpn debug
::: Generating Debug Output
:::                                     :::
::              PiVPN Debug              ::
:::                                     :::
::      Latest Commit                    ::
:::                                     :::
commit 3c764db9b6d670c8bf9eae3ad94f1dbd570043c7
Merge: 6ce39bf fbec57d
Author: redfast00 <redfast00@users.noreply.github.com>
Date:   Thu Jun 29 13:32:14 2017 +0200

    Merge pull request #292 from cfcolaco/master

    changed to new openvpn repos
:::                                     :::
::      Recursive list of files in       ::
::      /etc/openvpn/easy-rsa/pki        ::
:::                                     :::
/etc/openvpn/easy-rsa/pki/:
android.ovpn
ca.crt
Default.txt
dh2048.pem
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
private
serial
serial.old
ta.key

/etc/openvpn/easy-rsa/pki/issued:
android.crt
server.crt

/etc/openvpn/easy-rsa/pki/private:
android.key
ca.key
server.key
:::                                     :::
::      Output of /etc/pivpn/*           ::
:::                                     :::
:: START /etc/pivpn/DET_PLATFORM ::
Raspbian
:: END /etc/pivpn/DET_PLATFORM ::
:: START /etc/pivpn/INSTALL_PORT ::
1194
:: END /etc/pivpn/INSTALL_PORT ::
:: START /etc/pivpn/INSTALL_PROTO ::
udp
:: END /etc/pivpn/INSTALL_PROTO ::
:: START /etc/pivpn/INSTALL_USER ::
pi
:: END /etc/pivpn/INSTALL_USER ::
:: START /etc/pivpn/NO_UFW ::
1
:: END /etc/pivpn/NO_UFW ::
:: START /etc/pivpn/pivpnINTERFACE ::
eth0
:: END /etc/pivpn/pivpnINTERFACE ::
:: START /etc/pivpn/REVOKE_STATUS ::
0
:: END /etc/pivpn/REVOKE_STATUS ::
:::                                     :::
:: /etc/openvpn/easy-rsa/pki/Default.txt ::
:::                                     :::
client
dev tun
proto udp
remote no-ip dns 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1
:::                                     :::
::      Debug Output Complete            ::
:::                                     :::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.txt
:::

Issue

I've been looking through the issues, and everyone seems to be able to connect to the server at the very least. Not the case for me. I cannot even connect to the server. I get the "TLS key negotiation failed to occur within 60 seconds... TLS handshake failed" error. I've seen a solution to an older issue like this, to comment out the minimal TLS line both for the client and the server; I did that with no luck (I edited the client file directly on the client machine). Tried installing a dozen times, always the same problem. Tried implementing some iptables rules on previous installations; they did not help either. I've seen that someone had this problem because of their ISP blocking TCP/UDP. I called to check with my ISP; they say everything is open and I should not have any problems with that. My suspicion is that the problem lies within the firewall rules, but I am an actual newbie. I would also like to add that I port forwarded my router. Tested this out on Win 7 and Win 10 as administrator, also iOS and Android.

giYCkQPu.txt - OpenVPN log

28Pp4t8J.txt - Client conf (note that I have commented out the minimal TLS line in the actual .ovpn file that I'm using on my client machines for testing)

sCpEnDMU.txt - iptables -L

I would really appreciate any help, been trying to set this up for a long time... I would gladly share any additional info.

Best regards

*Edited to add description to the files

redfast00 commented 7 years ago

Can you show a screenshot of the portforward in the router?

ghost commented 7 years ago

(screenshot of the router's port-forwarding entry)

Obviously, the static IP I have given to my Pi is 192.168.1.99 on my home network.

redfast00 commented 7 years ago

Have you connected to the VPN from outside your network (for example in a cafe, neighbors WiFi network,...)?

ghost commented 7 years ago

I've been testing it with mobile data connection using hotspot. Same thing.

redfast00 commented 7 years ago

Is the OpenVPN server still running? Can you run service openvpn status on the Pi?

ghost commented 7 years ago

pi@raspberrypi:~ $ service openvpn status
● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
   Active: active (exited) since Wed 2017-07-26 00:18:48 CEST; 12h ago
  Process: 568 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 568 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/openvpn.service
pi@raspberrypi:~ $
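
The status text above needs a caveat, added here as an example that is not part of the issue or of PiVPN's code. On Debian-family systems (Raspbian included) `openvpn.service` is an aggregator unit whose `ExecStart` is `/bin/true`, so "active (exited)" on it only says the unit was started, not that any tunnel daemon is running. The daemons live in `openvpn@<name>.service`, where `<name>` is the .conf file in /etc/openvpn without its extension; PiVPN writes server.conf, so the instance to query is assumed here to be `openvpn@server.service`. The second status sample is constructed for contrast.

```python
"""Interpret `service openvpn status` / `systemctl status openvpn` output.

Added example, not code from PiVPN or from this issue. openvpn.service on
Debian/Raspbian is an aggregator with ExecStart=/bin/true; the real daemon
units are openvpn@<name>.service (assumed: openvpn@server for PiVPN).
"""
import re

# The status text posted in this issue, restored to one field per line.
STATUS_AGGREGATOR = """\
● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
   Active: active (exited) since Wed 2017-07-26 00:18:48 CEST; 12h ago
  Process: 568 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 568 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/openvpn.service
"""

# Constructed status of an instance unit with a running daemon, for contrast.
STATUS_INSTANCE = """\
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
   Active: active (running) since Wed 2017-07-26 00:18:50 CEST; 12h ago
 Main PID: 602 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─602 /usr/sbin/openvpn --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf
"""


def interpret_status(text):
    """Return what the status text actually proves about a running server."""
    unit = re.search(r"^\W*(\S+\.service)", text, re.M)
    active = re.search(r"Active:\s*(\w+ \([^)]*\))", text)
    aggregator = "ExecStart=/bin/true" in text
    state = active.group(1) if active else None
    return {
        "unit": unit.group(1) if unit else None,
        "active": state,
        "is_aggregator": aggregator,
        # Only a non-aggregator unit in "active (running)" shows a live daemon.
        "daemon_running": state == "active (running)" and not aggregator,
    }


def instance_unit(conf_name="server"):
    """Unit to query for the daemon behind /etc/openvpn/<conf_name>.conf."""
    return f"openvpn@{conf_name}.service"


if __name__ == "__main__":
    for txt in (STATUS_AGGREGATOR, STATUS_INSTANCE):
        print(interpret_status(txt))
    print("check instead:", "systemctl status", instance_unit())
```

On the Pi the useful command is therefore `systemctl status openvpn@server` (assuming the PiVPN config name), followed by `sudo ss -lunp | grep 1194` to confirm the daemon is actually bound to the UDP port.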

vesatiirikainen commented 7 years ago

I had this issue with the OpenVPN-Setup scripts; it started when I switched over from a DSL modem to a 4G/LTE modem/router with Ethernet connections. Reinstalled OpenVPN with PiVPN and everything seems ok, but I still have the TLS handshake error. My Raspi has a static IP and I've got a service from my operator allowing open ports; tried both UDP and TCP but no change, the error remains. It seems that the client contacts the server but does not get a proper response within 60 seconds. Similar results with the server running as with user Kavaho.

vesatiirikainen commented 7 years ago

I'm starting to think my router is here the cause. Current model is Huawei B525, which has a bit unclear settings to actually open ports. Any hints to do this correctly are welcome.

ghost commented 7 years ago

At least that's something easy to test. Take your old router and try port forwarding to see if it works. If it works, it is a router problem for sure, so you will need a different router.

InnovativeInventor commented 7 years ago

Do you have a firewall set up?

ghost commented 7 years ago

@InnovativeInventor I am pretty much new to all this stuff, so how do i check if I have a firewall set up? As far as I am aware, there is a firewall on pretty much everything these days.

vesatiirikainen commented 7 years ago

My new router has a firewall on. After some digging it seems to support port triggering only, not opening a port like my previously used ADSL-based router. So I'll try to configure the Raspi and clients for port triggering (as you probably know, using a technique where the trigger port for external traffic and the local LAN open port are not the same).

Just a few days ago this ADSL router and OpenVPN operated fine, except that the upload speed on the fastest available local connection was at best only 1 Mbit/s. The Huawei B525 currently has, without any external antennas, an upload speed of at least 5 Mbit/s, allowing e.g. good quality video streaming.

vesatiirikainen commented 7 years ago

@InnovativeInventor if you enter your router admin you should see if it has a firewall and if it is on or not. Usually your VPN client's operating system and/or security software have also firewalls which you can turn on or off. Raspberry Pi also has a firewall, for OpenVPN usually on.

ghost commented 7 years ago

@vesatiirikainen Thank you for your suggestions, I really appreciate your time and willingness to help. But, I checked out the router settings, there is something called SPI Firewall that was enabled in the security settings. Disabled it, tried pinging the port again, the port is closed. So I enabled it again, considering it doesn't change anything for me. There are three options to enable VPN passthrough - PPTP, L2TP, IPSec all enabled. As for the client firewall, I don't think that changes anything at this point considering I use a web based open port checking tool and get a result that my 1194 port is closed. Lastly, the RPi firewall... As far as I know, the pivpn installation sets up firewall rules to poke a hole in the RPi firewall so it can communicate with OpenVPN.

*Edit: How do I check if the RPi firewall is set up correctly?
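
One way to answer the "how do I check the RPi firewall" question offline, as an added example that is not PiVPN's own code: parse the output of `sudo iptables-save` and look for the two rules a standard OpenVPN server on a Pi depends on. The expected rule shapes are assumptions from a conventional setup, an INPUT ACCEPT for the VPN port/protocol and a nat POSTROUTING MASQUERADE for the tunnel subnet out of the LAN interface. The defaults below (1194, udp, eth0) are taken from the /etc/pivpn files in the debug output above; the tunnel subnet 10.8.0.0/24 is the OpenVPN default and is assumed. Both iptables-save dumps in the block are constructed.

```python
"""Check an iptables-save dump for the rules an OpenVPN server on a Pi needs.

Added example, not PiVPN code. Assumed rule shapes: '-A INPUT ... -p udp
--dport 1194 -j ACCEPT' (only needed when the INPUT policy is not ACCEPT or
an earlier rule drops) and '-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j
MASQUERADE'. Usage on the Pi:  sudo iptables-save | python3 check_rules.py
"""
import sys


def parse_iptables_save(text):
    """Return (rules, policies): rules[table] -> list of '-A ...' lines,
    policies[(table, chain)] -> built-in policy such as 'ACCEPT' or 'DROP'."""
    rules, policies, table = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            rules.setdefault(table, [])
        elif line.startswith(":") and table is not None:
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A") and table is not None:
            rules[table].append(line)
    return rules, policies


def rule_options(rule):
    """Turn '-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT' into
    {'-A': 'INPUT', '-i': 'eth0', ...}; flags without a value map to True."""
    toks, opts, i = rule.split(), {}, 0
    while i < len(toks):
        if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return opts


def check_openvpn_rules(text, port="1194", proto="udp", iface="eth0",
                        tun_net="10.8.0.0/24"):
    """Report whether the VPN port is reachable locally and NAT is in place."""
    rules, policies = parse_iptables_save(text)
    filt = [rule_options(r) for r in rules.get("filter", [])]
    nat = [rule_options(r) for r in rules.get("nat", [])]
    input_accept = any(
        o.get("-A") == "INPUT" and o.get("-p") == proto
        and o.get("--dport") == port and o.get("-j") == "ACCEPT"
        and o.get("-i", iface) == iface          # no -i means any interface
        for o in filt)
    masquerade = any(
        o.get("-A") == "POSTROUTING" and o.get("-j") == "MASQUERADE"
        and o.get("-o", iface) == iface and o.get("-s", tun_net) == tun_net
        for o in nat)
    input_policy = policies.get(("filter", "INPUT"), "ACCEPT")
    return {
        "input_policy": input_policy,
        "input_accept_rule": input_accept,
        # Not blocked locally if an ACCEPT rule exists or the chain
        # default-accepts (an explicit DROP earlier in the chain would still win).
        "port_open_locally": input_accept or input_policy == "ACCEPT",
        "masquerade_rule": masquerade,
    }


# Constructed dump of a healthy install: UDP 1194 accepted, tunnel subnet NATed.
SAMPLE_OK = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
"""

# Constructed dump of a broken install: INPUT drops by default, the only
# port rule is for TCP, and the nat table has no MASQUERADE.
SAMPLE_BAD = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 1194 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OK
    for key, value in check_openvpn_rules(data).items():
        print(f"{key}: {value}")
```

Note that a missing INPUT rule is harmless when the INPUT policy is ACCEPT (the Raspbian default), which is why the check reports the policy alongside the rule; a positive result here only tells you the Pi itself is not blocking the port, not that packets from the internet arrive at it.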

vesatiirikainen commented 7 years ago

@Kavaho said: "As for the client firewall, I don't think that changes anything at this point considering I use a web based open port checking tool and get a result that my 1194 port is closed." Your situation is pretty much like mine: the required port (1194 or some other chosen one) is not open. It might be that your router, like mine, does not really allow direct opening of ports like many older models do, even though I'm still checking if that would be possible. Currently I think the only way to open a port for VPN is to use "port triggering", where you actually use two ports; so far no success for me. I will keep digging ;)

vesatiirikainen commented 7 years ago

Hi all, I finally managed to get PiVPN --> OpenVPN operating using my 4G router Huawei B525! If you happen to have even older models of Huawei 4G routers, here is how to do it:

  1. In the router, open a port at the admin page using Settings -> Security -> Virtual Server. In there ADD a new entry for your Raspi, opening a port e.g. 1194 at your Raspi's static IP (there are articles on the net telling how to set that under 4G/LTE routers and Raspi settings). Use the TCP protocol, as UDP will not work. Also change the firewall settings by enabling the firewall as such, but do not enable anything else, e.g. IP Address Filtering or other filters your router may have.
  2. Reinstall pivpn using the same port and as protocol TCP even though pivpn warns against using it.
  3. Make client ovpns and copy them onto your clients. You can easily test it e.g. by using your smartphone without WiFi, only using 4G mobile data. This just minutes ago enabled me to use VPN and now should allow very good video streaming outside my home. Hope this helps somebody!

ghost commented 7 years ago

@vesatiirikainen I am super glad you worked it out. Congratz. I have tried using TCP instead of UDP on a previous installation, did not work out. I am still stuck.

ghost commented 7 years ago

Okay, so... I'm happy to announce that I have finally managed to solve the problem.

To whom it might concern: I got the "TLS key negotiation failed to occur within 60 seconds... TLS handshake failed" error. I did everything you are supposed to do, like static private IP, dynamic DNS, forwarding ports etc. Everything seemed good but it did not work. The breakthrough was when I tried checking if the ports are open with a tool, and always got an answer that the ports are closed. I called my ISP and they said they allow all traffic through, no blocking on protocols or ports; it SHOULD be working with my configuration. Since I am using a TP-Link router, I contacted their support. They were kind enough to go through some troubleshooting with me, and we noticed that the IP address my router is getting is some kind of private address from a NAT device at my ISP. They suggested that I ask my ISP to open that specific port on their NAT device in front of my router. Called my ISP, and after 15 minutes of troubleshooting we fixed the problem by assigning a static public IP to my router. I also implemented some iptables rules that one of the video tutorials suggested using, which can be found here: https://arashmilani.com/post?id=53. And finally, I changed a line in the server.conf file as suggested here: https://itchy.nl/raspberry-pi-3-with-openvpn-pihole-dnscrypt. Funny thing is, when I check if the port is open, it still says it is closed, but the VPN works.

The solution was:

  1. To comment out (using ; before the line) the minimal-TLS line in the client and server.conf files.
  2. To get a static public IP configured for my router, because my ISP was using some kind of NAT device that gave me some weird private address. When I checked the status page of my router, I was getting a private IP address on the WAN side, like 10.10.xx.xx.
  3. To implement the new iptables rules from the link above and change a line in the server.conf file as suggested on the link above.

I'm gonna leave this issue open for 2 weeks so I can add anything I have forgotten and help other people having the same problem. Lastly, I'm uploading the final configurations for reference:

server.conf: https://pastebin.com/raw/fkEYVj9B
client.conf: https://pastebin.com/raw/yNigi8UC
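
The decisive check in the fix described above is the address the router shows on its WAN side. The following is an added example, not code from this issue or from PiVPN: it classifies a WAN address as RFC 1918 private (the 10.10.x.x seen here), RFC 6598 shared address space (100.64.0.0/10, used by ISPs for carrier-grade NAT), or public. In the first two cases a port forward on the home router alone cannot expose the Pi, because the ISP's NAT in front of the router never delivers inbound packets; only a public address, or a forward on the ISP's own NAT, changes that. All sample addresses below are constructed. The "port still shows closed" observation is also expected rather than a fault: with tls-auth enabled (the ta.key and `key-direction 1` in the debug output), the OpenVPN server silently drops UDP packets without a valid HMAC, so web port checkers report UDP 1194 as closed even when the tunnel works.

```python
"""Classify the address a home router reports on its WAN interface.

Added example, not from this issue or PiVPN. Private (RFC 1918) or shared
CGNAT (RFC 6598) WAN addresses mean a second NAT sits upstream and router
port forwarding alone cannot reach the Pi. Sample addresses are constructed.
"""
import ipaddress

# RFC 6598 shared address space; checked explicitly because Python's
# ipaddress does not flag it as private.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr):
    """Return 'cgnat', 'loopback', 'link-local', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def port_forward_can_work(wan_addr):
    """A router-level forward only exposes a LAN host when the WAN side
    holds a public address; anything else means another NAT upstream."""
    return classify_wan_address(wan_addr) == "public"


def explain(wan_addr):
    """Short diagnosis text for a WAN address, e.g. from the router status page."""
    kind = classify_wan_address(wan_addr)
    if kind == "public":
        return f"{wan_addr}: public; a router port forward can reach the Pi."
    return (f"{wan_addr}: {kind}; the router is behind another NAT (ISP CGNAT or "
            "an upstream router). Ask the ISP for a public address or a forward "
            "on their NAT, or put the upstream device in bridge mode.")


# Constructed WAN addresses: the 10.10.x.x case from this issue, a CGNAT
# address, a public address, a LAN address and an IPv4 link-local address.
SAMPLE_WAN = ["10.10.23.45", "100.64.5.6", "8.8.8.8", "192.168.1.99", "169.254.1.1"]

if __name__ == "__main__":
    for a in SAMPLE_WAN:
        print(explain(a))
```

To confirm the diagnosis on a real link, compare the WAN address on the router's status page with what an external "what is my IP" service returns; if the two differ, or the WAN address classifies as anything but public here, the ISP is translating, and no amount of router-side forwarding will make the handshake succeed.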

coolapso commented 7 years ago

@Kavaho good to know that everything is working now! =)

can you or @redfast00 please close this issue?

redyounger commented 6 years ago

@vesatiirikainen, I tried everything else, including ghost's solution, with no luck, until yours: use TCP. I have not seen any web tutorial suggest using TCP; how did you come up with this idea? Anyway, it is a wonderful try and works just perfectly.