Running the OpenVPN client on Raspbian fails with a TLS key negotiation failure:
Tue Jan 16 17:21:58 2018 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Tue Jan 16 17:21:58 2018 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Tue Jan 16 17:21:58 2018 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Jan 16 17:21:58 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 16 17:21:58 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 16 17:21:58 2018 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue Jan 16 17:21:58 2018 UDPv4 link local: [undef]
Tue Jan 16 17:21:58 2018 UDPv4 link remote: [AF_INET]~hidden~:7799
Tue Jan 16 17:21:58 2018 TLS: Initial packet from [AF_INET]~hidden~:7799, sid=95132897 59367d19
Tue Jan 16 17:22:58 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 16 17:22:58 2018 TLS Error: TLS handshake failed
Tue Jan 16 17:22:58 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 16 17:22:58 2018 Restart pause, 2 second(s)
However, I can connect to the server with no issues from my other 'normal' (non-Raspberry-Pi) computers. For instance, logs from Ubuntu:
Jan 16 17:17:15 elara ovpn-client[8741]: OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 3 2017
Jan 16 17:17:15 elara ovpn-client[8741]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Jan 16 17:17:15 elara systemd[1]: Started OpenVPN connection to client.
Jan 16 17:17:15 elara ovpn-client[8741]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 16 17:17:15 elara ovpn-client[8741]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 16 17:17:15 elara ovpn-client[8741]: TCP/UDP: Preserving recently used remote address: [AF_INET]~hidden~:7799
Jan 16 17:17:15 elara ovpn-client[8741]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jan 16 17:17:15 elara ovpn-client[8741]: UDP link local: (not bound)
Jan 16 17:17:15 elara ovpn-client[8741]: UDP link remote: [AF_INET]~hidden~:7799
Jan 16 17:17:15 elara ovpn-client[8741]: TLS: Initial packet from [AF_INET]~hidden~:7799, sid=ca91bf02 d006bf9d
Jan 16 17:17:15 elara ovpn-client[8741]: VERIFY OK: ~hidden~
Jan 16 17:17:15 elara ovpn-client[8741]: VERIFY KU OK
Jan 16 17:17:15 elara ovpn-client[8741]: Validating certificate extended key usage
Jan 16 17:17:15 elara ovpn-client[8741]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 16 17:17:15 elara ovpn-client[8741]: VERIFY EKU OK
Jan 16 17:17:15 elara ovpn-client[8741]: VERIFY OK: ~hidden~
Jan 16 17:17:16 elara ovpn-client[8741]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Jan 16 17:17:16 elara ovpn-client[8741]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Jan 16 17:17:16 elara ovpn-client[8741]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Jan 16 17:17:16 elara ovpn-client[8741]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
Jan 16 17:17:16 elara ovpn-client[8741]: [server] Peer Connection Initiated with [AF_INET]~hidden~:7799
Jan 16 17:17:17 elara ovpn-client[8741]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jan 16 17:17:17 elara ovpn-client[8741]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,compress lz4-v2,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: compression parms modified
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: route-related options modified
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: peer-id set
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: adjusting link_mtu to 1625
Jan 16 17:17:17 elara systemd-udevd[8757]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jan 16 17:17:17 elara ovpn-client[8741]: OPTIONS IMPORT: data channel crypto options modified
Jan 16 17:17:17 elara ovpn-client[8741]: Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 16 17:17:17 elara ovpn-client[8741]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 16 17:17:17 elara ovpn-client[8741]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 16 17:17:17 elara ovpn-client[8741]: TUN/TAP device tun0 opened
Jan 16 17:17:17 elara ovpn-client[8741]: TUN/TAP TX queue length set to 100
Jan 16 17:17:17 elara ovpn-client[8741]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 16 17:17:17 elara ovpn-client[8741]: /sbin/ip link set dev tun0 up mtu 1500
Jan 16 17:17:17 elara NetworkManager[778]: <info> [1516119437.2038] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/8)
Jan 16 17:17:17 elara ovpn-client[8741]: /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
It works on a Windows computer as well. All computers (and the Raspberry Pi) are behind the same router and the VPN server is remote.
tcpdump on pi:
root@raspberrypi:/etc/openvpn# tcpdump -ni wlan0 udp and port 7799
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:41:08.458713 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 42
17:41:08.494048 IP 163.~hidden~.7799 > 192.168.2.43.56835: UDP, length 54
17:41:08.494813 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 50
17:41:08.495279 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 142
17:41:08.495596 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 135
17:41:08.535574 IP 163.~hidden~.7799 > 192.168.2.43.56835: UDP, length 50
17:41:11.548510 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 135
17:41:15.565617 IP 192.168.2.43.56835 > 163.~hidden~.7799: UDP, length 135
No firewall is running on Raspbian as far as I can see. I did try binding the OpenVPN server to the inet address as recommended in some other answers to similar questions here.
The server has the following firewalld setup:
firewall-cmd --permanent --add-service openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0
firewall-cmd --permanent --zone=trusted --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
firewall-cmd --reload
(openvpn service xml was modified to reflect the custom port 7799)
The issue was that the (old) Raspbian Jessie running on the Raspberry Pi was not able to negotiate a tls-cipher due to the strict settings on the server side. Removing the tls-cipher statements from the server configuration fixes the issue.
In case you are still having issues, I recommend enabling the log file in the server configuration and setting a relatively high verb setting as well, and looking at both the server and client logs.
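As an added example (not part of the original question or answer), the following POSIX shell check compares a server's tls-cipher line against the suite list a client's OpenVPN build reports with openvpn --show-tls, which is the quickest way to confirm this diagnosis before touching the server config. The config fragments and the --show-tls output embedded below are constructed samples; which suites a real client offers must be read from the actual client. It also shows the alternative to deleting the tls-cipher line altogether: keep a restriction, but one that includes a suite the old client has.

```shell
#!/bin/sh
# Added example, not code from the original post: check whether a server's
# "tls-cipher" restriction leaves an OpenVPN client any usable TLS suite.
# On real hosts the two inputs come from
#   grep '^tls-cipher' /etc/openvpn/server.conf   (server side)
#   openvpn --show-tls                            (client side)
# Everything below is a constructed sample standing in for those outputs.

# Strict server config (the situation in the answer): only two suites allowed.
STRICT_SERVER_CONF='port 7799
proto udp
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
cipher AES-256-CBC'

# The answer's fix: the tls-cipher line removed, so the library default list applies.
RELAXED_SERVER_CONF='port 7799
proto udp
cipher AES-256-CBC'

# Alternative fix: keep a restriction, but include a suite the old client offers.
FIXED_SERVER_CONF='port 7799
proto udp
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
cipher AES-256-CBC'

# Constructed "openvpn --show-tls" output for an old client offering only CBC suites.
OLD_CLIENT_TLS='Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256'

# Constructed output for a newer client that also offers the GCM suite.
NEW_CLIENT_TLS='Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384'

# Suites named on the server's tls-cipher line, one per line (empty = no restriction).
server_tls_ciphers() {
    printf '%s\n' "$1" | sed -n 's/^tls-cipher[[:space:]][[:space:]]*//p' | tr ':' '\n'
}

# Suite names from --show-tls output, one per line.
client_tls_ciphers() {
    printf '%s\n' "$1" | grep '^TLS-' || true
}

# Suites present in both lists, kept in the server's order of preference.
common_tls_ciphers() {
    srv=$(server_tls_ciphers "$1")
    cli=$(client_tls_ciphers "$2")
    for s in $srv; do
        printf '%s\n' "$cli" | grep -qxF "$s" && printf '%s\n' "$s"
    done
    return 0
}

# Returns 0 when the control channel can be negotiated, 1 when it cannot.
check_tls_compat() {
    if [ -z "$(server_tls_ciphers "$1")" ]; then
        echo "server imposes no tls-cipher restriction"
        return 0
    fi
    common=$(common_tls_ciphers "$1" "$2")
    if [ -z "$common" ]; then
        echo "no shared TLS suite: this client will hit 'TLS key negotiation failed'"
        return 1
    fi
    echo "shared TLS suites (server preference order):"
    printf '  %s\n' $common
    return 0
}

# Demo: the strict config fails the old client; either fix lets it through.
check_tls_compat "$STRICT_SERVER_CONF" "$OLD_CLIENT_TLS" || true
check_tls_compat "$RELAXED_SERVER_CONF" "$OLD_CLIENT_TLS"
check_tls_compat "$FIXED_SERVER_CONF" "$OLD_CLIENT_TLS"
```

Note that tls-cipher and openvpn --show-tls both use OpenVPN's IANA-style suite names (TLS-ECDHE-RSA-WITH-...), while the "Control Channel:" log line above prints the OpenSSL-style name (ECDHE-RSA-AES128-GCM-SHA256); compare like with like. An empty intersection on the client is exactly the silent server-side drop seen in the tcpdump, where the client keeps retransmitting the same handshake packet and nothing comes back.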