OpenVPN TLS Error

MastaChief11

Today, I set up a VPN with OpenVPN, however I am getting an error which is preventing me from connecting to the server that works.

Error:
TLS Error: TLS key negotiation failed to occur within 60 seconds
 

cptmikey

It doesn't like your certificate. Most likely it doesn't like your certificate authority. Rebuild your certificate authority (usually ca.crt) and then build separate certificates for your OpenVPN server and each client. Check your configuration files, *.conf if Linux and *.ovpn if Windows. Make sure they point to the correct ca.crt and server or client .crt and .key files.

Last make sure your OpenVPN network doesn't overlap your local network.

sysadmin - portdefender
 

cptmikey

OK this will be certificate management 101.

Concept: A Certificate authority creates and distributes all certificates. So first you have to decide which PC will be your certificate authority. You will make all of your certificates on that PC. On Linux systems there is a set of shell scripts that build and maintain certificates. I haven't done this on Windows, but there's a package at https://github.com/OpenVPN/easy-rsa. Copy the ca.crt (certificate authority) to each PC's OpenVPN configuration directory. Also copy the correct client certificate and key file to each PC. And copy the server .crt and .key and the ca.crt to your server.

That should solve your problem

sysadm - portdefender
 

cptmikey

You have to create a new server cert also. All certs must be from the same ca. Make sure you copy your new ca cert to the server and all clients also. Sorry, there are no shortcuts.
 

cptmikey

You are almost home. You will make only 1 ca.crt but copy it to the server and all of the clients. Each client and the server will have three files:
on your server
ca.crt
server.crt
server.key

on your clients
ca.crt
client.crt
client.key

IMPORTANT - OpenVPN can be configured to use the same client.crt for all clients, but I wouldn't recommend it. Make a unique client.crt for each client, something like client1.crt, client2.crt, etc. We use our customer's email address for the cert's name - that works great for us. You can make up names if you like, maybe kitchen.pc.crt or office.crt - anything you like. This makes it so much easier to identify individual clients if you have a problem.

sysadmin - portdefender.net
 

cptmikey

Don't feel bad, the first time I did this it took forever to figure out....

So, you have your crts and keys; copy the files to the 'config' dir under OpenVPN. It's probably C:\Program Files\OpenVPN\config. Finally edit the *.ovpn files in the same directory to point to your new ca.crt, client.crt and client.key. Restart everything. You should be in business.

sysadm portdefender.net
 

cptmikey

I'm going off shift for tonight, but I'll check back in tomorrow.

You don't have to uninstall OpenVPN. Just put the certs in the config directory and edit the ovpn files. You didn't say what your server was. If it's Linux the certs go in the /etc/openvpn directory.

You can "sneaker net" the certs to the clients. Copy them to a thumb drive. Or if you have it set up you can ftp them over or even mount a network drive. You can even email them to yourself on the server and then read your email on the client.

sysadmin - portdefender.net
 

cptmikey

OK, let's talk about TAP. It has two modes, TAP and TUN. I recommend you use TAP. Your server and all clients must have the same setting. It looks like this in your config *.ovpn file ....

dev tap

WINDOWS (UGH) requires admin permission to install the TAP/TUN interface and change the route table. Assuming you are using openvpn-gui, find the program openvpn-gui.exe, right click on it and tick the "run as admin" box. That should be all you need .... but not always.

The program that actually sets the tap is devcon.exe. It's in the openvpn bin directory. You may have to set that as "run as admin" as well. Not usually, but sometimes.

So here's what happens when you click on openvpn-gui:

1. openvpn.exe starts up and tries to run devcon.exe. If it succeeds it will create the TAP.

2. openvpn.exe will contact your server and verify your cert.

3. Your server will 'push' instructions to your client. Part of which will be your client's new ip address.

4. openvpn.exe will set the TAP to your new ip address. Your old address will still be available on your network connection, eth0 or wifi0.

5. openvpn.exe will create a new default route with a netmask of 128.0.0.0 if your server is set to push 'redirect-gateway'.

That's all there is to it.

I think I read that your local network is 192.168.n.n. Make sure you use a completely different network for your VPN. I suggest you use something like 172.18.1.0/24.
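The two checks this post boils down to, agreeing dev mode on both sides and keeping the VPN subnet off the LAN, plus the longest-prefix-match reason the 128.0.0.0-netmask routes win over the old default, as an added example (not the poster's or OpenVPN's own code). The sample configs are constructed; vpn.example.com and the file names are placeholders, and the two /1 routes are what the 'def1' flag of redirect-gateway installs.

```python
"""Sanity checks for the OpenVPN settings discussed in this thread.
Constructed example, not the thread's or the OpenVPN project's own code."""
import ipaddress

# Constructed sample configs; vpn.example.com and the file names are placeholders.
SERVER_CONF = """dev tap
server 172.18.1.0 255.255.255.0
push "redirect-gateway def1"
"""
CLIENT_OVPN = """dev tap
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
"""

def parse_directives(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            out[key] = args
    return out

def check_pair(server_text, client_text, lan_cidr):
    """Return a list of problems: dev mode mismatch or VPN/LAN address overlap."""
    srv, cli = parse_directives(server_text), parse_directives(client_text)
    problems = []
    if srv.get("dev") != cli.get("dev"):
        problems.append(f"dev mismatch: server {srv.get('dev')} vs client {cli.get('dev')}")
    net, mask = srv["server"]
    vpn, lan = ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_network(lan_cidr)
    if vpn.overlaps(lan):
        problems.append(f"VPN subnet {vpn} overlaps LAN {lan}")
    return problems

def redirect_gateway_table(lan_cidr, lan_gw, vpn_gw):
    """Routes after 'redirect-gateway def1': two /1 routes (netmask 128.0.0.0)
    pointing at the VPN gateway sit beside the untouched original default."""
    return {ipaddress.ip_network(lan_cidr): "link",
            ipaddress.ip_network("0.0.0.0/0"): lan_gw,
            ipaddress.ip_network("0.0.0.0/1"): vpn_gw,
            ipaddress.ip_network("128.0.0.0/1"): vpn_gw}

def next_hop(dst, table):
    """Longest-prefix match, the rule every routing table applies."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in table if addr in n), key=lambda n: n.prefixlen)
    return table[best]
```

Because the /1 routes are more specific than 0.0.0.0/0, every Internet destination goes into the tunnel while the LAN's own /24 and the original default are left in place for when the tunnel drops.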
 

cptmikey

We got the OpenVPN software set up, but it won't load the TAP driver. We set admin privilege but still no luck. We turned off UAC but still no luck. Does anyone have any ideas?
 

cptmikey

It won't hurt to run the delalltap.bat program but follow the instructions I put up at http://portdefender.net/club/forum/topic/6. Then you will know you have installed a TAP driver.

sysadm - portdefender
 

cptmikey

I don't know if you will have any more luck with PPTP. PPTP is just as good as L2TP, but both depend on a password. The password is the weak link. Any reasonably good locksmith can unlock your front door without a key. Any reasonably good hacker can break a password. And after all of that I think there is something wrong with your OS. You once asked about reinstalling the OS. Because of what we have experienced with this PC I think you should reinstall. Sorry I don't have a better answer for you.

sysadm - portdefender
 
Solution

cptmikey

I can't tell from your screen shot. The packets you are showing are just DNS, ARP, etc. You will have to actually transfer data with ftp, http, windows mount (samba) and then open the packet and look at the 'data'.

The only VPN that hides your source and destination address is OpenVPN. It creates a tunneled network using its own addresses.
 

cptmikey

Well I'm not really prepared to give lessons on network protocols and I'm on a VPN so I can't link to a private image. So this is the best I can do. After capturing some data stop the capture and click on a packet. Find one that has a 'data' section. The data should be unreadable. Something like this:

33101c08da86fd7d9a1e8f5177ebbd89383cb2d233d9774447eb632ca7770a8417a8c2e2464f803c0be3b1ae41e290772bf481a0d632b840fc588ef8ff1599829dbd1dfcd1e8468350062334cdaaf0e864fee9bdd40e3ca80b5391d5d6bd45d154c6464cf62225f43970f6ad2147946f7e71392b13