TLS Error TLS key negotiation failed, TLS handshake failed

AdamQuadmon · September 7, 2019, 11:17am

I'm trying to setup again a VPN tunnel to access a DVR from outside.
It was working before till I did an upgrade of OpenWrt, now I'm getting issues trying to make it work again.

The difference from the previous configuration is the OpenWrt router IP that changed from 192.168.15.1 to 192.168.1.1

I can't see the tun0 device, maybe because of TLS Errors?

Can you help me debbuging the configuration?

TLS Errors on logread

Sat Sep  7 01:34:28 2019 daemon.notice openvpn(vpnclient)[9289]: SIGTERM[hard,init_instance] received, process exiting
Sat Sep  7 01:34:28 2019 daemon.notice openvpn(vpnclient)[9396]: OpenVPN 2.4.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Sep  7 01:34:28 2019 daemon.notice openvpn(vpnclient)[9396]: library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Sat Sep  7 01:34:28 2019 daemon.notice openvpn(vpnclient)[9396]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Sep  7 01:34:28 2019 daemon.notice openvpn(vpnclient)[9396]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Sep  7 01:34:28 2019 daemon.notice openvpn(vpnclient)[9396]: TCP/UDP: Preserving recently used remote address: [AF_INET]138.34.6.7:1194
Sat Sep  7 01:34:28 2019 daemon.notice openvpn(vpnclient)[9396]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Sep  7 01:34:28 2019 daemon.notice openvpn(vpnclient)[9396]: UDP link local: (not bound)
Sat Sep  7 01:34:28 2019 daemon.notice openvpn(vpnclient)[9396]: UDP link remote: [AF_INET]138.34.6.7:1194
Sat Sep  7 01:34:28 2019 daemon.notice openvpn(vpnclient)[9396]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Sep  7 01:35:28 2019 daemon.err openvpn(vpnclient)[9396]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Sep  7 01:35:28 2019 daemon.err openvpn(vpnclient)[9396]: TLS Error: TLS handshake failed
Sat Sep  7 01:35:28 2019 daemon.notice openvpn(vpnclient)[9396]: SIGUSR1[soft,tls-error] received, process restarting
Sat Sep  7 01:35:28 2019 daemon.notice openvpn(vpnclient)[9396]: Restart pause, 5 second(s)

VPN Client and Site-to-site configuration

On the server

I added to /etc/openvpn/server.conf

client-config-dir /etc/openvpn/ccd
route 192.168.1.1 255.255.255.0 10.8.0.2
push "route 138.34.6.7 255.255.255.0"

/etc/openvpn/ccd/client

ifconfig-push 10.8.0.2 255.255.255.0
iroute 192.168.1.1 255.255.255.0

On the OpenWRT Client

/etc/openvpn/client.conf
I commented out setenv opt block-outside-dns because was giving an error on the log

client
proto udp
sndbuf 0
rcvbuf 0
remote 138.34.6.7
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
#setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[...]
-----END OpenVPN Static key V1-----
</tls-auth>

user nobody
group nogroup
dev tun0
pull-filter ignore redirect-gateway

ip route show

default via 10.153.17.117 dev wwan0  src 10.153.17.118
10.153.17.116/30 dev wwan0 scope link  src 10.153.17.118
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1

uci show network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd53:9377:b98b::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='28:3b:82:cc:b6:56'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='28:3b:82:cc:b6:55'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.wwan=interface
network.wwan.proto='wwan'
network.wwan.apn='wap.unomobile.it'

uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan wireles_lan'
firewall.lan.device='tun0'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan wwan wan6'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='8016'
firewall.@redirect[0].dest_port='8016'
firewall.@redirect[0].name='DVR'
firewall.@redirect[0].dest_ip='192.168.1.103'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[1].src_dport='10019'
firewall.@redirect[1].dest_ip='192.168.1.103'
firewall.@redirect[1].dest_port='10019'
firewall.@redirect[1].name='DVR Search'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp udp'
firewall.@redirect[2].src_dport='8116'
firewall.@redirect[2].dest_ip='192.168.1.103'
firewall.@redirect[2].dest_port='8116'
firewall.@redirect[2].name='DVR Audio'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'

uci show openvpn

openvpn.vpnclient=openvpn
openvpn.vpnclient.enabled='1'
openvpn.vpnclient.config='/etc/openvpn/client.conf'

ulmwind · September 7, 2019, 12:15pm

All routing options should be configured after connection is successfully established. So now we should establish connection. On OpenWRT-router, running OpenVPN-server, does exist tun device? I suppose, you are running OpenVPN-client also on OpenWRT-router.

push "route 138.34.6.7 255.255.255.0"

It is strange option. What do you mean adding it?

Now check options on server and client, especially certs, keys, and tls-auth, and key-direction (last option should differ on server and client).

AdamQuadmon · September 7, 2019, 12:42pm

On my OpenWRT router there is only OpenVPN-client.

The OpenVPN-server is on a DigitalOcean droplet and it has a tun0 with ip 10.8.0.1

push "route 138.34.6.7 255.255.255.0" refers to the Site-to-Site configuration (always on the DO server)

138.34.6.7 is the external ip of eth0

10.19.0.5 is the et0:1, should I use this one instead?

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extra#site-to-site

there is no key-direction on the server.conf I suppose it default to 0 as in the OpenWRT client is set to 1

ulmwind · September 7, 2019, 12:51pm

It is option to route lan's behind server and client, so as you can see in example, there are private IP's, not real IP of server.

Add key-direction explicitly, without 'default' assumptions.

vgaetera · September 7, 2019, 3:04pm

The option tls-auth is a degraded version of tls-crypt.
Unless you need compatibility with ancient OpenVPN versions, better switch to tls-crypt and remove key-direction on both server and client.

AdamQuadmon · September 7, 2019, 5:04pm

On the server there is tls-auth ta.key 0 that in the docs is a short version of key-direction 0
but I also tried adding key-direction explicitly on both server (0) and client (1)

I also changed the IP of the push directive on the server using the internal one
push "route 10.19.0.5 255.255.255.0"

Still no good

AdamQuadmon · September 7, 2019, 5:06pm

Tried changing tls-auth to tls-crypt on server and client but still not handshake

ulmwind · September 7, 2019, 5:18pm

OK, there is similar problem concerning DigitalOcean: https://serverfault.com/questions/709860/fix-tls-error-tls-handshake-failed-on-openvpn-client

vgaetera · September 7, 2019, 8:21pm

You clearly have some redundant and potentially incompatible options as well as strange things like port opening on the client.
Who knows, it might be an problem with some outdated server option, messed certificate EKE or similar issues.
So, I recommend to use OpenVPN how-tos tested for OpenWrt 18.06 and later: server + client + site-to-site.
If you still have the issue, perform comprehensive diagnostics and post the info from the troubleshooting section for both server and client.

I installed OpenWrt 18.06.4 in KVM on Linode and it works just fine.
Likely you can do the same on DigitalOcean.
However, note that some of the DigitalOcean subnets are known to be blocked by IP in some countries.

AdamQuadmon · September 16, 2019, 12:47pm

I tried to add the local ip anchor but now neither my phone is connecting to the VPN
I tried to remove the line but nothing changed.

AdamQuadmon · September 16, 2019, 12:52pm

I set up the DO server with a script in the first place, I tried to run that script again and it says ubuntu 16 is not supported anymore.

To upgrade the server is not possible, I have to make a new one and migrate, but is not something I can try now.

Do you know an easier way to made a vpn tunnel to access the machines on my local network?

AdamQuadmon · September 16, 2019, 3:45pm

I found with a quick research a 12$/year plan from centriohost who offer openvpn with unlimited data usage and 2 simultaneous connections that for me will be enough

do you suggest something similar?

vgaetera · September 16, 2019, 10:11pm

If you need only VPN and you trust them to transfer your traffic, then a VPN provider should be your preferred option as the price is usually lower than a VPS provider.

AdamQuadmon · September 17, 2019, 11:14pm

Now the VPN connection is established.

I create a new DO droplet with ubuntu 18.6, I used an automated script: github.com/angristan/openvpn-install

I did the Site to Site configuration, and Disable gateway redirect configuration as for docs on the https://openwrt.org/docs/guide-user/services/vpn/openvpn/extra

But I still cannot access my DVR, I think I need to open another thread.

Tanks for collaboration