OpenVPN TLS Handshake Error

Hi OpenWRT community.

I am using ExpressVPN and trying to connect to the VPN, but it always gives me this error.

Router: Linksys WRT1900ACS v2 - OpenWrt 19.07.3 r11063-85e04e9f46

Mon Aug  8 23:31:22 2022 daemon.warn openvpn(EXVPN_JP_TOKYO_1)[21235]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Mon Aug  8 23:31:22 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[21235]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.208.11.10:1194
Mon Aug  8 23:31:22 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[21235]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Mon Aug  8 23:31:22 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[21235]: UDP link local: (not bound)
Mon Aug  8 23:31:22 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[21235]: UDP link remote: [AF_INET]185.208.11.10:1194
Mon Aug  8 23:32:22 2022 daemon.err openvpn(EXVPN_JP_TOKYO_1)[21235]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Aug  8 23:32:22 2022 daemon.err openvpn(EXVPN_JP_TOKYO_1)[21235]: TLS Error: TLS handshake failed
Mon Aug  8 23:32:22 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[21235]: SIGUSR1[soft,tls-error] received, process restarting
Mon Aug  8 23:32:22 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[21235]: Restart pause, 300 second(s)

I have thoroughly followed this guide (Section 2.2)

How can I fix the problem?

Thank you

Configurations:

OpenVPN File: /etc/openvpn/EXVPN_JP_TOKYO_1.openvpn
The credentials are provided in /etc/openvpn/EXVPN_JP_TOKYO_1.auth

dev tun
fast-io
persist-key
persist-tun
nobind
remote japan-tokyo-ca-version-2.expressnetw.com 1194

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass /etc/openvpn/EXVPN_JP_TOKYO_1.auth

<cert>
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
xxxx
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxx
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
xxxxxx
-----END CERTIFICATE-----
</ca>

Network / Interface Config:

config interface 'VPNtun0'
	option ifname 'tun0'
	option proto 'none'

Firewall Config:
The following lines are added:

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option target 'ACCEPT'

config zone
	option network 'VPNtun0'
	option name 'VPN_Zone'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'

config forwarding
	option dest 'VPN_Zone'
	option src 'lan'

Openvpn Config:

config openvpn 'EXVPN_JP_TOKYO_1'
	option config '/etc/openvpn/EXVPN_JP_TOKYO_1.ovpn'
	option enabled '1'

Remove those options.

Add option:
remote-cert-tls server

It generates this error:

Tue Aug  9 08:51:24 2022 daemon.err openvpn(EXVPN_JP_TOKYO_1)[19196]: Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
Tue Aug  9 08:51:24 2022 daemon.warn openvpn(EXVPN_JP_TOKYO_1)[19196]: Use --help for more information

OK, leave tls-client

OK, nice, I usually use src at the first line.

I edited the ovpn config file and it is like this now:

client
dev tun
dev-type tun
remote japan-tokyo-ca-version-2.expressnetw.com 1195 udp
remote-random
fast-io
persist-key
persist-tun
nobind
pull
comp-lzo no
remote-cert-tls server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass /etc/openvpn/EXVPN_JP_TOKYO_1.auth

The previous CA error is gone, but the original error, TLS handshake failed, is still there. I noticed the same error happens when I try the same ovpn config file with the OpenVPN client on Windows 10, so my guess is that the problem is not with OpenWrt, but perhaps the ISP is blocking OpenVPN connections?

I edited it. Nothing changed. Same error

Remove the bloat

Edit this line

remote japan-tokyo-ca-version-2.expressnetw.com 1195

Add

proto udp

Give that a go

Same TLS error :frowning:

Post your current ovpn config file.

client
dev tun
remote japan-tokyo-ca-version-2.expressnetw.com 1195
proto udp
fast-io
persist-key
persist-tun
nobind
comp-lzo no
remote-cert-tls server
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
auth-user-pass /etc/openvpn/EXVPN_JP_TOKYO_1.auth

<cert>
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
xxxx
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxx
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
</ca>

Add

fragment 1300
key-direction 1

We're getting there. :slight_smile:

Same problem.

Tue Aug  9 13:08:54 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[31910]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Aug  9 13:08:54 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[31910]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Aug  9 13:08:54 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[31910]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.208.11.151:1195
Tue Aug  9 13:08:54 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[31910]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Aug  9 13:08:54 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[31910]: UDP link local: (not bound)
Tue Aug  9 13:08:54 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[31910]: UDP link remote: [AF_INET]185.208.11.151:1195
Tue Aug  9 13:08:55 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[31910]: TLS: Initial packet from [AF_INET]185.208.11.151:1195, sid=e5ad081a 2f9c9fee
Tue Aug  9 13:09:54 2022 daemon.err openvpn(EXVPN_JP_TOKYO_1)[31910]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Aug  9 13:09:54 2022 daemon.err openvpn(EXVPN_JP_TOKYO_1)[31910]: TLS Error: TLS handshake failed

I am considering the possibility that the ISP blocks OpenVPN and that obfuscation may be required.
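The two log excerpts in this thread differ in one line that matters for the "ISP blocking" question: the later attempt logs `TLS: Initial packet from 185.208.11.151:1195`, which OpenVPN prints when a reply from the server has actually arrived, while the first excerpt (as quoted) shows no such line before the 60-second timeout. A timeout with no reply points at reachability (port, filtering, server down); a timeout after the server has replied means the UDP path is open for small packets and the handshake itself is stalling, so the MTU/fragment settings and the control-channel options become the suspects. The following is an added example, not code from the thread, OpenWrt or OpenVPN: a small Python triage helper that applies that distinction to OpenWrt-style openvpn syslog lines. The two samples are the lines quoted in this thread; the classification is only as good as the excerpt it is given.

```python
"""Triage an OpenVPN client log excerpt that ends in 'TLS key negotiation failed'.

Added example (not code from the thread, OpenWrt or OpenVPN). It keys on three
messages OpenVPN logs at verb 3:
  'UDP link remote:' / 'TCP connection established'  the client started talking
  'TLS: Initial packet from'                         a reply from the server arrived
  'TLS Error: TLS key negotiation failed ...'        the handshake never completed
"""
import re

# Syslog line as written by OpenWrt: timestamp, facility.level, openvpn(instance)[pid]: message
OPENVPN_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<facility>[\w.]+) openvpn\((?P<instance>[^)]+)\)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
REMOTE_ADDR = re.compile(r"\[AF_INET6?\](\S+)")

# Log lines quoted in the thread (first attempt on port 1194, later attempt on 1195).
FIRST_ATTEMPT = """\
Mon Aug  8 23:31:22 2022 daemon.warn openvpn(EXVPN_JP_TOKYO_1)[21235]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Mon Aug  8 23:31:22 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[21235]: UDP link remote: [AF_INET]185.208.11.10:1194
Mon Aug  8 23:32:22 2022 daemon.err openvpn(EXVPN_JP_TOKYO_1)[21235]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Aug  8 23:32:22 2022 daemon.err openvpn(EXVPN_JP_TOKYO_1)[21235]: TLS Error: TLS handshake failed
"""
LATER_ATTEMPT = """\
Tue Aug  9 13:08:54 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[31910]: UDP link remote: [AF_INET]185.208.11.151:1195
Tue Aug  9 13:08:55 2022 daemon.notice openvpn(EXVPN_JP_TOKYO_1)[31910]: TLS: Initial packet from [AF_INET]185.208.11.151:1195, sid=e5ad081a 2f9c9fee
Tue Aug  9 13:09:54 2022 daemon.err openvpn(EXVPN_JP_TOKYO_1)[31910]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Aug  9 13:09:54 2022 daemon.err openvpn(EXVPN_JP_TOKYO_1)[31910]: TLS Error: TLS handshake failed
"""


def parse_openvpn_lines(text):
    """Yield (instance, pid, message) for every line in the OpenWrt openvpn log format."""
    for line in text.splitlines():
        m = OPENVPN_LINE.match(line.strip())
        if m:
            yield m.group("instance"), int(m.group("pid")), m.group("msg")


def triage(text):
    """Summarise one connection attempt and say which layer to look at next."""
    link_up = server_replied = timed_out = False
    remote = None
    for _instance, _pid, msg in parse_openvpn_lines(text):
        if msg.startswith(("UDP link remote:", "TCP connection established")):
            link_up = True
            m = REMOTE_ADDR.search(msg)
            if m:
                remote = m.group(1)
        elif msg.startswith("TLS: Initial packet from"):
            server_replied = True
        elif "TLS key negotiation failed to occur" in msg:
            timed_out = True
    if not timed_out:
        verdict = "no handshake timeout in this excerpt"
    elif not link_up:
        verdict = "client never reached the link stage: check remote, proto and name resolution"
    elif not server_replied:
        verdict = "no reply from server: check port, filtering on the path, and that the server is up"
    else:
        verdict = ("server replied but handshake stalled: check MTU/fragment settings, "
                   "tls-auth/key-direction and cipher/auth against the provider's profile")
    return {"remote": remote, "server_replied": server_replied,
            "timed_out": timed_out, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("first attempt", FIRST_ATTEMPT), ("later attempt", LATER_ATTEMPT)):
        print(name, triage(sample))
```

On a router, `logread -e openvpn` gives the same line format, so the output can be piped into `triage()` as-is. The helper deliberately does not try to name a single cause once the server has replied; at that point the next step is to compare the profile against the provider's working one, which is what the rest of this thread does.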

Can you ping the VPN server?
Are you sure 1195 is the correct port? 1194 is the standard OpenVPN port. Most VPN services offer other ports in case the customer's ISP tries to block VPN.

ping japan-tokyo-ca-version-2.expressnetw.com

Pinging 185.208.11.151 with 32 bytes of data:
Reply from 185.208.11.151: bytes=32 time=328ms TTL=50
Reply from 185.208.11.151: bytes=32 time=317ms TTL=50
Reply from 185.208.11.151: bytes=32 time=331ms TTL=50
Reply from 185.208.11.151: bytes=32 time=341ms TTL=50

Ping statistics for 185.208.11.151:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 317ms, Maximum = 341ms, Average = 329ms

Yes. It is as provided in the ovpn downloaded from ExpressVPN. I tried 1194 instead. Same Error.

Shall I ask customer support for other available UDP ports?

Here is the first line of each cert from a working client.
Does yours match?

<ca>
-----BEGIN CERTIFICATE-----
MIIF+DCCA+CgAwIBAgIBATANBgkqhkiG9w0BAQ0FADCBhDELMAkGA1UEBhMCVkcx

<cert>
-----BEGIN CERTIFICATE-----
MIIDTjCCAregAwIBAgIDKzZvMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYDVQQGEwJV

<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqzmLfyjotrjAxnr96V4PI9UjuCf+BFVgxe7yXCq9o62Zag/8

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
48d9999bd71095b10649c7cb471c1051

They 100% match
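Comparing the first line of each inline block, as done just above, checks that the right material is in the profile. A complementary check is that the blocks are structurally intact, because a profile that was assembled by copy and paste can lose lines so that, for example, a `<cert>` block ends with the footer of the private key and is closed by `</key>`; OpenVPN then fails before any TLS handshake. The following is an added example, not code from the thread, OpenWrt or OpenVPN: a Python checker for the inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks of a client profile. The sample profiles are constructed (the host `vpn.example.net` and the `xxxx` key material are placeholders); the "broken" one reproduces the paste damage just described.

```python
"""Structural check of the inline <ca>/<cert>/<key>/<tls-auth> blocks in an OpenVPN client
profile. Added example, not code from the thread, OpenWrt or OpenVPN.

Reports: a <tag> closed by a different </tag>, a PEM BEGIN line closed by the wrong END line,
a block carrying the wrong PEM type, a client cert without its private key, and a tls-auth
key with no key-direction.
"""
import re

# PEM object types expected in each inline block
EXPECTED_PEM = {
    "ca": {"CERTIFICATE"},
    "cert": {"CERTIFICATE"},
    "key": {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"},
    "tls-auth": {"OpenVPN Static key V1"},
    "tls-crypt": {"OpenVPN Static key V1"},
}
OPEN_TAG = re.compile(r"^<([a-z0-9-]+)>$")
CLOSE_TAG = re.compile(r"^</([a-z0-9-]+)>$")
PEM_BEGIN = re.compile(r"^-----BEGIN (.+)-----$")
PEM_END = re.compile(r"^-----END (.+)-----$")

# Constructed samples: placeholder host and "xxxx" in place of real key material.
HEADER = "client\ndev tun\nremote vpn.example.net 1195\nproto udp\nremote-cert-tls server\n"
TLS_AUTH = ("<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\nxxxx\n"
            "-----END OpenVPN Static key V1-----\n</tls-auth>\n")
CA = "<ca>\n-----BEGIN CERTIFICATE-----\nxxxx\n-----END CERTIFICATE-----\n</ca>\n"
CERT_AND_KEY = ("<cert>\n-----BEGIN CERTIFICATE-----\nxxxx\n-----END CERTIFICATE-----\n</cert>\n"
                "<key>\n-----BEGIN RSA PRIVATE KEY-----\nxxxx\n-----END RSA PRIVATE KEY-----\n</key>\n")
# The same material after a paste lost the middle lines: <cert> now ends with the key's footer.
MANGLED_CERT = "<cert>\n-----BEGIN CERTIFICATE-----\nxxxx\n-----END RSA PRIVATE KEY-----\n</key>\n"
BROKEN_PROFILE = HEADER + MANGLED_CERT + TLS_AUTH + CA
FIXED_PROFILE = HEADER + "key-direction 1\n" + CERT_AND_KEY + TLS_AUTH + CA


def check_inline_blocks(profile):
    """Return a list of problem descriptions; an empty list means the blocks are well-formed."""
    problems = []
    blocks = {}        # tag -> PEM types seen inside it
    options = {}       # option name -> arguments, for lines outside any block
    tag = None         # currently open <tag>, or None
    pem = None         # PEM type currently open inside that tag, or None
    for lineno, raw in enumerate(profile.splitlines(), 1):
        line = raw.strip()
        if tag is None:
            m = OPEN_TAG.match(line)
            if m:
                tag, pem = m.group(1), None
                blocks.setdefault(tag, [])
            elif line and not line.startswith(("#", ";")):
                name, *args = line.split()
                options[name] = args
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if m.group(1) != tag:
                problems.append(f"line {lineno}: <{tag}> closed by </{m.group(1)}>")
            if pem is not None:
                problems.append(f"line {lineno}: <{tag}> closed while BEGIN {pem} is still open")
            tag, pem = None, None
            continue
        m = PEM_BEGIN.match(line)
        if m:
            if pem is not None:
                problems.append(f"line {lineno}: BEGIN {m.group(1)} nested inside BEGIN {pem}")
            pem = m.group(1)
            blocks[tag].append(pem)
            expected = EXPECTED_PEM.get(tag)
            if expected and pem not in expected:
                problems.append(f"line {lineno}: <{tag}> contains {pem}, expected {sorted(expected)}")
            continue
        m = PEM_END.match(line)
        if m:
            if pem is None:
                problems.append(f"line {lineno}: END {m.group(1)} without a BEGIN inside <{tag}>")
            elif m.group(1) != pem:
                problems.append(f"line {lineno}: BEGIN {pem} closed by END {m.group(1)}")
            pem = None
    if tag is not None:
        problems.append(f"end of file: <{tag}> never closed")

    def present(name):
        return name in blocks or name in options

    if present("cert") and not (present("key") or present("pkcs12")):
        problems.append("cert present without key")
    direction_given = "key-direction" in options or len(options.get("tls-auth", [])) >= 2
    if present("tls-auth") and not direction_given:
        problems.append("tls-auth present but key-direction not set")
    return problems


if __name__ == "__main__":
    for label, profile in (("broken", BROKEN_PROFILE), ("fixed", FIXED_PROFILE)):
        print(label, check_inline_blocks(profile) or "ok")
```

Run it against the real `.ovpn` with `check_inline_blocks(open(path).read())`; the checker never prints key material, only line numbers and block names, so its output is safe to paste into a support thread.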