Closed ghost closed 7 years ago
Can you show a screenshot of the portforward in the router?
Obviously, the static IP I have given to my Pi is 192.168.1.99 on my home network.
Have you connected to the VPN from outside your network (for example in a cafe, neighbors WiFi network,...)?
I've been testing it with mobile data connection using hotspot. Same thing.
Is the OpenVPN server still running? Can you run service openvpn status
on the Pi?
```
pi@raspberrypi:~ $ service openvpn status
● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
   Active: active (exited) since Wed 2017-07-26 00:18:48 CEST; 12h ago
  Process: 568 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 568 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/openvpn.service
pi@raspberrypi:~ $
```
I had this issue with the OpenVPN-Setup scripts; it started when I switched over from a DSL modem to a 4G/LTE modem/router with Ethernet connections. I reinstalled OpenVPN with PiVPN and everything seems OK, but I still have the TLS handshake error. My Raspi has a static IP and I've got a service from my operator allowing open ports. I tried both UDP and TCP but no change; the error remains. It seems that the client contacts the server but does not get a proper response within 60 seconds. Similar results with the server running, as with user Kavaho.
I'm starting to think my router is the cause here. The current model is a Huawei B525, which has somewhat unclear settings for actually opening ports. Any hints on how to do this correctly are welcome.
At least that's something easy to test. Take your old router and try port forwarding to see if it works. If it works, it is a router problem for sure, so you will need a different router.
Do you have a firewall set up?
@InnovativeInventor I am pretty much new to all this stuff, so how do I check if I have a firewall set up? As far as I am aware, there is a firewall on pretty much everything these days.
My new router has a firewall on. After some digging it seems to support port triggering only, not opening a port as my previously used ADSL-based router. So I'll try to configure Raspi and clients for port triggering (as you probably know, using a technique where the trigger port for external traffic and local LAN open port are not the same).
Just a few days ago this ADSL router and OpenVPN operated fine, except that the upload speed on the fastest available local connection was at best only 1 Mbit/s. The Huawei B525, currently without any external antennas, has an upload speed of at least 5 Mbit/s, allowing e.g. good-quality video streaming.
@InnovativeInventor If you enter your router admin page you should see whether it has a firewall and whether it is on or not. Usually your VPN client's operating system and/or security software also have firewalls which you can turn on or off. The Raspberry Pi also has a firewall, usually on for OpenVPN.
@vesatiirikainen Thank you for your suggestions, I really appreciate your time and willingness to help. But I checked out the router settings: there is something called "SPI Firewall" that was enabled in the security settings. I disabled it and tried pinging the port again; the port is closed. So I enabled it again, considering it doesn't change anything for me. There are three options to enable VPN passthrough (PPTP, L2TP, IPSec), all enabled. As for the client firewall, I don't think that changes anything at this point, considering I use a web-based open-port checking tool and get a result that my port 1194 is closed. Lastly, the RPi firewall... As far as I know, the PiVPN installation sets up firewall rules to poke a hole in the RPi firewall so it can communicate with OpenVPN.
*Edit: How do I check if the RPi firewall is set up correctly?
@Kavaho said: "As for the client firewall, I don't think that changes anything at this point considering I use a web based open port checking tool and get a result that my 1194 port is closed." Your situation is pretty much like mine: the required port (1194 or some other chosen port) is not open. It might be that your router, like mine, does not really allow direct opening of ports like many older models do, even though I'm still checking whether that would be possible. Currently I think the only way to open a port for the VPN is to use "port triggering", where you actually use two ports; so far no success for me. I will keep digging ;)
Hi all, I finally managed to get PiVPN --> OpenVPN operating using my 4G router Huawei B525! If you happen to have even older models of Huawei 4G routers, here is how to do it:
@vesatiirikainen I am super glad you worked it out. Congratz. I have tried using TCP instead of UDP on a previous installation, did not work out. I am still stuck.
Okay, so... I'm happy to announce that I have finally managed to solve the problem.
To whom it may concern: I got the "TLS key negotiation failed to occur within 60 seconds... TLS handshake failed" error. I did everything you are supposed to do, like a static private IP, dynamic DNS, forwarding ports, etc. Everything seemed good but it did not work. The breakthrough was when I tried checking whether the ports are open with a tool, and always got an answer that the ports are closed. I called my ISP and they said they let all traffic through, no blocking on protocols or ports; it SHOULD be working with my configuration. Since I am using a TP-Link router, I contacted their support. They were kind enough to go through some troubleshooting with me, and we noticed that the IP address my router is getting is some kind of private address from a NAT device at my ISP. They suggested I ask my ISP to open that specific port on their NAT device in front of my router. I called my ISP and after 15 minutes of troubleshooting we fixed the problem by assigning a static public IP to my router. I also implemented some iptables rules that one of the video tutorials suggested using, which can be found here: https://arashmilani.com/post?id=53. And finally, I changed a line in the server.conf file as suggested here: https://itchy.nl/raspberry-pi-3-with-openvpn-pihole-dnscrypt. Funny thing is, when I check whether the port is open, it still says it is closed, but the VPN works.
The solution was:
1. Comment out (using `;` before the line) the minimal-TLS line in the client and server.conf files.
2. Get a static public IP configured on my router, because my ISP was using some kind of NAT device that gave me a weird private address. When I checked the status page of my router, I was getting a private IP address on the WAN side, like 10.10.xx.xx.
3. Implement the new iptables rules from the link above and change a line in server.conf as suggested on the link above.
I'm going to leave this issue open for 2 weeks so I can add anything I have forgotten and help other people having the same problem. Lastly, I'm uploading the final configurations for reference:
server.conf: https://pastebin.com/raw/fkEYVj9B client.conf: https://pastebin.com/raw/yNigi8UC
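The root cause above (a WAN address such as 10.10.xx.xx handed out by an ISP NAT box) is the first thing worth checking before touching iptables or server.conf, because no amount of port forwarding on the home router can fix it. The POSIX shell script below is an added example, not part of this thread or of PiVPN: it classifies the address a router shows on its WAN status page (RFC 1918 private, RFC 6598 CGNAT 100.64.0.0/10, loopback, link-local, or public) and compares it with the address the outside world sees for you. The two addresses are passed as arguments; the sample values (10.10.5.6, 203.0.113.7, 198.51.100.4) are constructed documentation addresses, and the function names are my own.

```shell
#!/bin/sh
# Added example, not PiVPN code. Decide whether an OpenVPN server behind a
# home router can be reached at all, based on what the router reports as
# its WAN address and what the Internet actually sees.

# Print the class of a dotted-quad IPv4 address on stdout.
# Exit 0 only for a publicly routable address, 1 for a non-public one,
# 2 for malformed input.
wan_addr_class() {
    ip=$1
    oldifs=$IFS
    IFS=.
    set -- $ip          # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || { echo invalid; return 2; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*) echo invalid; return 2;; esac
        [ "$o" -le 255 ] || { echo invalid; return 2; }
    done
    a=$1 b=$2
    # RFC 1918: 10/8, 172.16/12, 192.168/16
    if [ "$a" -eq 10 ]; then echo private; return 1; fi
    if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private; return 1; fi
    if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private; return 1; fi
    # RFC 6598 shared address space used by carrier-grade NAT: 100.64/10
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat; return 1; fi
    if [ "$a" -eq 127 ]; then echo loopback; return 1; fi
    if [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo link-local; return 1; fi
    echo public
    return 0
}

# $1: address from the router's WAN status page
# $2: address the Internet sees for you (e.g. from a "what is my IP"
#     service, fetched separately; passed in here so the script runs offline)
# Exit 0 if another NAT sits in front of the router (port forwarding on the
# router alone cannot work), 1 if the router really holds the public address.
nat_in_front_of_router() {
    router_wan=$1
    seen_from_outside=$2
    cls=$(wan_addr_class "$router_wan") || true
    if [ "$cls" != public ]; then
        echo "router WAN $router_wan is $cls: ISP NAT/CGNAT in front of you; ask the ISP for a public IP or a forward on their box"
        return 0
    fi
    if [ "$router_wan" != "$seen_from_outside" ]; then
        echo "router WAN $router_wan differs from public $seen_from_outside: another NAT is in the path"
        return 0
    fi
    echo "router holds the public address $router_wan: check the router forward and the Pi's firewall/listener next"
    return 1
}

# Constructed sample values (documentation ranges), not real measurements.
nat_in_front_of_router 10.10.5.6 203.0.113.7
nat_in_front_of_router 203.0.113.7 203.0.113.7
```

Two caveats for the checks mentioned in the thread. First, the `service openvpn status` output shown earlier reports `active (exited)` with `ExecStart=/bin/true`: on Debian-based systems `openvpn.service` is only a placeholder, and the actual server instance is the template unit `openvpn@<config>.service` (for PiVPN typically `openvpn@server`), so that is the unit whose status and log to inspect, and `ss -ulnp` should show a listener on the chosen port. Second, web-based "open port" tools cannot reliably confirm a UDP OpenVPN port: the server silently drops packets that do not carry a valid HMAC when `tls-auth`/`tls-crypt` is on, so "closed" is what a healthy UDP server looks like to such a tool, which matches the observation above that the VPN works while the checker still reports the port closed.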
@Kavaho good to know that everything is working now! =)
can you or @redfast00 please close this issue?
@vesatiirikainen, I tried everything else, including ghost's solution, with no luck, until yours: use TCP. I have not seen any web tutorial suggest using TCP; how did you come up with this idea? Anyway, it is a wonderful try and works just perfectly.
PiVPN Issue Template
Console output of `curl install.pivpn.io | bash`

Console output of `pivpn add` or `pivpn add nopass`

Console output of `pivpn debug`
Issue
I've been looking through the issues; everyone seems to be able to connect to the server at the very least. Not the case for me. I cannot even connect to the server. I get "TLS key negotiation failed to occur within 60 seconds... TLS handshake failed". I've seen a solution to an older issue like this, to comment out the minimal-TLS line both for the client and the server; I did that with no luck (I edited the client file directly on the client machine). I tried installing a dozen times, always the same problem. I tried implementing some iptables rules on previous installations; they did not help either. I've seen that someone had this problem because of their ISP blocking TCP/UDP; I called to check with my ISP, and they say everything is open, I should not have any problems with that. My suspicion is that the problem lies within the firewall rules, but I am an actual newbie. I would also like to add that I port forwarded my router. Tested this out on Win 7 and Win 10 as administrator, also on iOS and Android.
giYCkQPu.txt - OpenVPN log
28Pp4t8J.txt - Client conf (note that I have commented out the minimal-TLS line in the actual .ovpn file that I'm using on my client machines for testing)
sCpEnDMU.txt - iptables -L
I would really appreciate any help, been trying to set this up for a long time... I would gladly share any additional info.
Best regards
*Edited to add description to the files