After following official how-to for OpenVPN Server - TLS key negotiation failed to occur within 60 seconds

I have followed https://openwrt.org/docs/guide-user/services/vpn/openvpn/server precisely. On starting the server via CLI it appears to be running.

Sat Jun 26 21:16:13 2021 daemon.err openvpn(server)[22504]: event_wait : Interrupted system call (code=4)
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[22504]: net_addr_v4_del: 192.168.8.1 dev tun0
Sat Jun 26 21:16:13 2021 daemon.warn openvpn(server)[22504]: sitnl_send: rtnl: generic error (-1): Operation not permitted
Sat Jun 26 21:16:13 2021 daemon.warn openvpn(server)[22504]: Linux can't del IP from iface tun0
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[22504]: /usr/libexec/openvpn-hotplug down server tun0 1500 1621 192.168.8.1 255.255.255.0 init
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[22504]: SIGTERM[hard,] received, process exiting
Sat Jun 26 21:16:13 2021 daemon.warn openvpn(server)[23243]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: OpenVPN 2.5.2 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: library versions: OpenSSL 1.1.1k  25 Mar 2021
Sat Jun 26 21:16:13 2021 daemon.warn openvpn(server)[23243]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: TUN/TAP device tun0 opened
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: net_iface_mtu_set: mtu 1500 for tun0
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: net_iface_up: set tun0 up
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: net_addr_v4_add: 192.168.8.1/24 dev tun0
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: /usr/libexec/openvpn-hotplug up server tun0 1500 1621 192.168.8.1 255.255.255.0 init
Sat Jun 26 21:16:13 2021 daemon.warn openvpn(server)[23243]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: UDPv4 link remote: [AF_UNSPEC]
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: GID set to nogroup
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: UID set to nobody
Sat Jun 26 21:16:13 2021 daemon.notice openvpn(server)[23243]: Initialization Sequence Completed
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           23243/openvpn

When I try to connect to the server I get TLS Error: TLS key negotiation failed to occur within 60 seconds

uci show network; uci show firewall; uci show openvpn

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd33:6941:36c1::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.proto='dhcp'
network.wan.ifname='eth1'
network.wan.peerdns='0'
network.wan.dns='1.1.1.1' '1.0.0.1'
network.@device[0]=device
network.@device[0].name='eth1'
network.@device[0].macaddr='mac..'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.ifname='eth1'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.wan6.dns='2606:4700:4700::1111' '2606:4700:4700::1001'
network.@device[1]=device
network.@device[1].name='wlan0'
network.@device[1].macaddr='mac...'
network.@device[2]=device
network.@device[2].name='eth0'
network.@device[2].macaddr='mac...'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun+'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'

client.ovpn

dev tun
nobind
client
remote my.ddns.domain.com 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

server.conf

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

Is the client a smartphone or similar?
What does the log in the client app say?

And are you connecting through the internet (4G/5G or public wifi) to your WAN? You can’t connect through your own wifi!

For testing I would change the server address ‘remote’ in client conf from a ddns function to the real router WAN IP address.


The client is a desktop PC on Windows 10.
I am connecting through a cable connection, the modem is connected to the router.
I have already tried changing it to the router's actual IP (WAN IP) with the same result.
Here is the connection log from the client:

Jun 27 12:54:55 AM: OpenVPN 2.4.11 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on Apr 21 2021
Jun 27 12:54:55 AM: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Jun 27 12:54:55 AM: Resolving address: "ddns.domain.com"
Jun 27 12:54:55 AM: Valid endpoint found: ddns.domain.com:1194:udp
Jun 27 12:54:56 AM: TCP/UDP: Preserving recently used remote address: [AF_INET]actual_wan_ip:1194
Jun 27 12:54:56 AM: UDP link local: (not bound)
Jun 27 12:54:56 AM: UDP link remote: [AF_INET]actual_wan_ip:1194
Jun 27 12:55:56 AM: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 27 12:55:56 AM: TLS Error: TLS handshake failed
Jun 27 12:55:56 AM: SIGUSR1[soft,tls-error] received, process restarting

EDIT: In the meantime I have set up a VPS from which I tested the connection, and I am actually connected. I was not aware that I cannot connect from inside my own network.

So does it work now?

The VPN server only looks for data coming from outside the firewall; that’s the whole idea of a VPN: to connect different nodes over the internet. It is technically possible to reroute data from LAN and make it do a U-turn in the firewall and come in on the VPN server port, but what is the point?
For internal network data integrity I doubt a VPN tunnel is the best approach.

So far so good: one can connect to my network via VPN and is able to reach my OpenWrt, so I would say yes, it's working.

Now I am thinking about how I could secure it a little bit. The use case for this VPN is a gitolite server that I have running on OpenWrt. I want to provide access for some of my colleagues so that they are able to push to the repos they have access to. Network-wise, all gitolite does is use SSH on port 22, and I was thinking maybe I could create a couple of routing / firewall rules to only allow access to port 22 while connected to the VPN, eventually on a per-user basis, so I personally can access everything but everyone else only port 22.

Well, the first thing I would do for security on the VPN tunnel is to not show you have the tunnel in the first place, by stopping using port 1194 altogether; that is a toxic port. Every port scanner bot is scanning that port exclusively worldwide, since port 1194 is a registered OpenVPN tunnel port, and if they get a hit on 1194 on an IP address they expect a company they can destroy on that IP address, and then the DoS attacks and brute-force attacks come and they never stop until you abandon that port.


I have just applied this change, valid point, same as 22 for SSH or 5900 for VNC. Would it be super complicated to set up some iptables rules only allowing the (internal) port 22 to be reached from inside the network if connected via VPN?

If you connect through VPN from the internet side of the firewall I don’t see that you need any rules at all.
You just connect to the router with the VPN tunnel and then you are inside your network (the network your TUN device is connected to) as usual. Then you just use everything inside the network as usual, no matter if you want to connect to a VNC device or an SSH port 22.
In dropbear you specify which interfaces the router is supposed to listen on; I highly recommend not allowing connections from WAN.

As I will be giving my colleagues access to my network, for them to be able to contact my only locally available git server, gitolite, I was just thinking if it was possible to apply some restrictions for those connected via VPN, so they can really only contact gitolite and not too much else.

There are probably some alternatives to do this.
I would probably make a separate tunnel config on the next tunX (tun1 if you now have tun0) device and make a completely separate network with its own firewall zone which only this server is connected to.
So when they connect to this separate VPN tunnel they will only have access to the server.
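One concrete way to build the separate tunnel and zone suggested in this reply, and to get the "only port 22" restriction asked about earlier, as an added example that is not from the original thread or from the OpenWrt how-to. It assumes a second instance named 'git' on tun1, UDP port 1195 as the non-default port, and 192.168.9.0/24 as the tunnel subnet; since gitolite runs on the router itself, only the router's own port 22 is opened to the new zone.

```uci
# /etc/config/openvpn: a second instance (name 'git' is assumed) with its own
# config file, so it gets its own tun device and its own port
config openvpn 'git'
	option enabled '1'
	option config '/etc/openvpn/git.conf'
# /etc/openvpn/git.conf is assumed to be a copy of server.conf with these
# changes: "dev tun1", "port 1195" (any non-default port; 1195 is just the
# assumed value), "server 192.168.9.0 255.255.255.0", no "client-to-client",
# and no 'push "redirect-gateway def1"' (colleagues must not use the tunnel
# as an exit to the internet)

# /etc/config/firewall: a zone that contains only tun1
config zone 'vpn_git'
	option name 'vpn_git'
	list device 'tun1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
# deliberately no "config forwarding" from vpn_git to lan or wan:
# tunnel clients cannot reach LAN hosts or the internet through the router

# the only thing a vpn_git client may open on the router: gitolite's SSH port
config rule 'vpn_git_ssh'
	option name 'Allow-gitolite-SSH'
	option src 'vpn_git'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# let the tunnel itself in from the internet on the new port
config rule 'ovpn_git'
	option name 'Allow-OpenVPN-git'
	option src 'wan'
	option proto 'udp'
	option dest_port '1195'
	option target 'ACCEPT'
```

The existing lan zone in the `uci show firewall` output above has `device='tun+'`, which would also claim tun1 and give those clients full LAN access; change it to `tun0` so the two zones do not overlap.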
