openvpn
ZoriN89, 2020-05-01 18:22:35

Why can't OpenVPN do TLS?

Hello everyone, here is the problem. I set up an OpenVPN server for myself (I even found an auto-installation script, but I also tried doing it manually without scripts), but all the same, in the end, the TLS handshake from the client fails with an error:

Fri May 01 20:05:52 2020 TLS: Initial packet from [AF_INET]тут_ип_моего_сервера:13555, sid=ae9503b4 52f4177f
Fri May 01 20:06:52 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 01 20:06:52 2020 TLS Error: TLS handshake failed


What I tried: enabled IPv4 forwarding in sysctl.conf, reinstalled OpenVPN from scratch 5 times, followed completely different instructions, including a couple of auto-installation scripts. The process itself is this: I set up the server, generate the keys, generate the client keys, and try to connect; the connection starts, but at the TLS stage there is an error.

Here is the server config

server.conf
local тут внешний ip адрес сервера
port 13555
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
duplicate-cn
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
#push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
#fragment 1200
#mssfix 1200
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 10
log openvpn-log.log
#crl-verify crl.pem


Here is the client config, client.ovpn
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote тут_внешний_Ip_моего_сервера 13555
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3


Here is the OpenVPN log at verb 10
https://pastebin.com/yKa1qe1h

Here are my iptables rules
# Generated by iptables-save v1.4.21 on Fri May  1 20:17:11 2020
*mangle
:PREROUTING ACCEPT [16769:4887526]
:INPUT ACCEPT [16769:4887526]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [25942:23122279]
:POSTROUTING ACCEPT [25942:23122279]
COMMIT
# Completed on Fri May  1 20:17:11 2020
# Generated by iptables-save v1.4.21 on Fri May  1 20:17:11 2020
*filter
:INPUT DROP [90:4759]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15067:8176131]
:XL-Firewall-1-INPUT - [0:0]
:vesta - [0:0]
-A INPUT -p udp -m udp --dport 13555 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s мой_внешний_ip/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p udp -m udp --dport 13555 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,38022 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,2525 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Fri May  1 20:17:11 2020
# Generated by iptables-save v1.4.21 on Fri May  1 20:17:11 2020
*nat
:PREROUTING ACCEPT [23:1004]
:INPUT ACCEPT [20:860]
:OUTPUT ACCEPT [4:240]
:POSTROUTING ACCEPT [4:240]
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source мой_внешний_ip
COMMIT
# Completed on Fri May  1 20:17:11 2020


As a result, the UDP port is open and SNAT is set up to have Internet access, but it is on TLS that it gets stuck. But there is one BUT in favor of the fact that this setup should work: at some point, when saving changes to iptables, TLS seemed to pass and everything connected. I connected, got IP 10.8.0.2, checked ping, and everything really worked through the server, including to Google, but as soon as I clicked reconnect, everything stopped working and the TLS error occurred again. I've now been fiddling with it for 2 days and have simply run out of ideas about what could be the matter. Just in case, I already checked whether my home PC connects to VPNs in general: it connected fine to a public VPN server. Any other ideas?
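A handshake that times out after "TLS: Initial packet from ..." with no further progress is almost always caused by the two sides disagreeing on something the TLS exchange needs before it can start: the transport (proto/port), the tls-auth static key and its key-direction (server 0 must pair with client 1, or both sides omit the direction), or the auth HMAC. The script below is an added example, not part of the original question or of OpenVPN itself: it parses constructed copies of the server.conf and client.ovpn from this post (with a placeholder for the server address and the file-based key lines shortened) and reports every such mismatch it can find, including a client that sets key-direction but references no ta.key at all. It goes slightly beyond this post in that it also understands inline <tls-auth> blocks and multiple remote lines.

```python
"""Consistency check between an OpenVPN server.conf and a client .ovpn.

Added example (not code from the original post or from the OpenVPN project).
It parses both configs and flags the settings that must agree before the TLS
handshake can start.  The configs below are constructed copies of the ones
in the question; SERVER_PUBLIC_IP is a placeholder.
"""
import shlex
from typing import Dict, List, Optional

SERVER_CONF = """\
local SERVER_PUBLIC_IP
port 13555
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
remote SERVER_PUBLIC_IP 13555
resolv-retry infinite
nobind
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
key-direction 1
verb 3
"""

Config = Dict[str, List[List[str]]]


def parse_openvpn_config(text: str) -> Config:
    """Parse an OpenVPN config into {option: [argument lists]}.

    Lines starting with '#' or ';' are comments.  An inline key block such as
    <tls-auth>...</tls-auth> is stored under 'inline:tls-auth' with its body
    lines, so an embedded key can be told apart from a missing one.
    """
    opts: Config = {}
    inline_name: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_name is not None:                 # inside <tag> ... </tag>
            if line == f"</{inline_name}>":
                inline_name = None
            else:
                opts[f"inline:{inline_name}"][0].append(line)
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_name = line[1:-1]
            opts.setdefault(f"inline:{inline_name}", [[]])
            continue
        parts = shlex.split(line)                   # handles push "..." quoting
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def _first(opts: Config, name: str, default=None):
    """First argument list for an option, or the default if it is absent."""
    return opts[name][0] if opts.get(name) else default


def check_handshake_compat(server: Config, client: Config) -> List[str]:
    """Return findings for settings that must agree; empty list = no known mismatch."""
    findings: List[str] = []

    # 1. Transport: proto and port (OpenVPN defaults are udp and 1194).
    s_proto = _first(server, "proto", ["udp"])[0]
    c_proto = _first(client, "proto", ["udp"])[0]
    if s_proto.rstrip("46") != c_proto.rstrip("46"):   # udp4/udp6 count as udp
        findings.append(f"proto mismatch: server {s_proto}, client {c_proto}")
    s_port = _first(server, "port", ["1194"])[0]
    for remote in client.get("remote", []):
        c_port = remote[1] if len(remote) > 1 else "1194"
        if c_port != s_port:
            findings.append(f"port mismatch: server {s_port}, remote {remote[0]} uses {c_port}")

    # 2. tls-auth: the server silently drops packets whose HMAC fails, so the
    #    client needs the same static key and the opposite direction (0 <-> 1);
    #    if the server omits the direction, the client must omit it too.
    s_tls = _first(server, "tls-auth")
    if s_tls:
        s_dir = s_tls[1] if len(s_tls) > 1 else None
        c_tls = _first(client, "tls-auth")
        if c_tls is None and "inline:tls-auth" not in client:
            findings.append("server uses tls-auth but client references no ta.key "
                            "(neither a tls-auth line nor an inline <tls-auth> block)")
        c_dir = c_tls[1] if c_tls and len(c_tls) > 1 else None
        kd = _first(client, "key-direction")
        if kd:
            c_dir = kd[0]
        expected = None if s_dir is None else ("1" if s_dir == "0" else "0")
        if c_dir != expected:
            findings.append(f"tls-auth direction mismatch: server {s_dir}, client {c_dir}")

    # 3. auth HMAC must match (it also protects the tls-auth control channel);
    #    cipher only matters for the data channel but is worth reporting.
    s_auth = _first(server, "auth", ["SHA1"])[0].upper()
    c_auth = _first(client, "auth", ["SHA1"])[0].upper()
    if s_auth != c_auth:
        findings.append(f"auth mismatch: server {s_auth}, client {c_auth}")
    s_cipher = _first(server, "cipher", ["BF-CBC"])[0].upper()
    c_cipher = _first(client, "cipher", ["BF-CBC"])[0].upper()
    if s_cipher != c_cipher:
        findings.append(f"cipher differs: server {s_cipher}, client {c_cipher} "
                        "(only fatal if cipher negotiation is disabled)")
    return findings


def find_mismatches(server_text: str, client_text: str) -> List[str]:
    """Convenience wrapper: parse both texts and run the checks."""
    return check_handshake_compat(parse_openvpn_config(server_text),
                                  parse_openvpn_config(client_text))


if __name__ == "__main__":
    for finding in find_mismatches(SERVER_CONF, CLIENT_OVPN) or ["no mismatch found"]:
        print(finding)
```

Run against the configs as posted, the only finding is that the client declares key-direction 1 but never references the ta.key: if the key is really absent (rather than simply omitted from the paste as an inline block), every handshake packet from the client fails the server's HMAC check and is dropped, which produces exactly the 60-second "TLS key negotiation failed" timeout with nothing useful in the server log at low verbosity.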


2 answer(s)
rPman, 2020-05-01

With 99% probability, your provider is carrying out a man-in-the-middle attack (if it is Russia, this has been very common for several years now); to be more precise, so as not to spend a lot of time on setup)

ZoriN89, 2020-05-04

In general, it's some kind of garbage on my PC: I tried taking the .ovpn file and importing it into OpenVPN for Android, and it all worked. Thank you all for your help, I'll deal with my PC.
