Need Help With OpenVPN Config

Forum: LinuxTotal Replies: 3
dcparris

Dec 11, 2006
11:51 PM EDT
O.k., I've been tinkering with OpenVPN, and I managed to get the server and 2 clients config'd, RSA-wise at least. However, when I attempt to establish the tunnel from the client, I get a TLS handshake error. I'm running Debian Etch on the server and one client, and Ichthux (Kubuntu) on the other client. All machines are currently 'behind' the server, but the laptop will roam around a bit.

I'm pretty sure my certs are good. What I am not sure about is my IP address assignments:

Local Options hash (VER=V4): '41690919'
Tue Dec 12 03:25:21 2006 Expected Remote Options hash (VER=V4): '530fdded'
Tue Dec 12 03:25:21 2006 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Dec 12 03:25:21 2006 UDPv4 link local: [undef]
Tue Dec 12 03:25:21 2006 UDPv4 link remote: 192.168.1.11:443

Here is where the error message comes into play:

VERIFY OK: depth=0, /C=US/ST=US_State/O=My_Org/CN=vpn-server/emailAddress=My@email.add
Tue Dec 12 03:00:39 2006 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Dec 12 03:00:39 2006 TLS Error: TLS handshake failed
Tue Dec 12 03:00:39 2006 TCP/UDP: Closing socket
Tue Dec 12 03:00:39 2006 SIGUSR1[soft,tls-error] received, process restarting

I can SSH between these same systems all day long, and I'm using port 443 for a reason, though not necessarily a great one.

Thanks in advance! Don
jdixon

Dec 12, 2006
6:01 AM EDT
Well, the only hint a quick Google search could find was the following

It turns out the problem was on the server, I was using PPPoE to connect to DSL and had its default route pointing to the local network's router, which was also connected to the internet through a different pipe. :)

Now since ssh is working, I'd think the routing was OK, but perhaps not. There could also be a firewall problem, of course, but that seems equally unlikely.

The thread is here: http://openvpn.net/archive/openvpn-users/2002-12/msg00023.ht...
dcparris

Dec 13, 2006
9:08 AM EDT
Well, I have managed to make OpenVPN work using a static key. Yippee! I looked around a little further, and that error message may not actually be a show stopper. I'll try the cert-based approach again tonight or tomorrow. I took a break last night, just because I needed a break. :-)
dcparris

Dec 15, 2006
8:34 AM EDT
O.k., as you can see, in my book review, I now have OpenVPN working with certificates. I had followed the commands given in the book, and the author seems to have used the same command for the clients as for the server, which is incorrect.

For the server cert, use ./build-key-server server_name

For the client cert, use ./build-key client_name

The result of using the server cert for your clients is that your clients won't be able to shake hands with the server. They'll just sit there staring at each other until you decide to hit (Ctrl)+c. :-) It will appear that the certs are different, which they really are.
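The difference between the two easy-rsa commands is in the X.509 extensions they write: build-key-server marks the certificate with nsCertType=server and extendedKeyUsage=serverAuth, while build-key adds neither. The script below is an added example, not code from the thread or from easy-rsa; it classifies a PEM certificate by those markers so you can confirm which kind you actually issued, and builds two constructed self-signed certificates to stand in for the two cases. It assumes the openssl command line tool (1.1.1 or newer, for -addext) is installed.

```shell
#!/bin/sh
# Added example (not from the thread): tell a "server" certificate from a
# "client" one by the extensions easy-rsa's build-key-server adds
# (nsCertType=server, extendedKeyUsage=serverAuth); build-key adds neither.
# Assumes the openssl CLI is installed (1.1.1+ for -addext).

# cert_role FILE -> prints "server" if the cert carries either server marker,
# otherwise "client"; returns 2 if FILE is not a readable PEM certificate.
cert_role() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    if printf '%s\n' "$text" | grep -Eq 'TLS Web Server Authentication|SSL Server'; then
        echo server
    else
        echo client
    fi
}

# make_selfsigned_cert NAME OUTFILE [EXT] -> constructed sample certificate
# standing in for what build-key-server (with EXT) or build-key (without)
# would issue; the private key lands next to it as OUTFILE.key.
make_selfsigned_cert() {
    name=$1; out=$2; ext=$3
    if [ -n "$ext" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
            -keyout "$out.key" -out "$out" -addext "$ext" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
            -keyout "$out.key" -out "$out" >/dev/null 2>&1
    fi
}

# demo: issue one cert of each kind and report what the check says about them
demo() {
    dir=$(mktemp -d)
    make_selfsigned_cert vpn-server "$dir/server.crt" "extendedKeyUsage=serverAuth"
    make_selfsigned_cert laptop "$dir/laptop.crt"
    printf 'server.crt: %s\n' "$(cert_role "$dir/server.crt")"   # server
    printf 'laptop.crt: %s\n' "$(cert_role "$dir/laptop.crt")"   # client
    rm -rf "$dir"
}
```

Run `cert_role` against the .crt files in your keys directory: a client whose file reports "server" was built with the wrong command.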
