OpenVPN client - TLS key negotiation failed

General questions about problems. No bug reports or feature requests

Moderator: Securepoint

Karl_Kunze
Posts: 19
Registered: Tue 14.04.2020, 11:25

OpenVPN client - TLS key negotiation failed

Post by Karl_Kunze »

Hi,

I'm still stuck in the initial setup of a BlackDwarf as a VPN gateway.

The setup on the BlackDwarf was done following the RoadWarrior wiki; the OpenVPN client was downloaded as the PortableClient.

When the OpenVPN client starts, its log shows the following sequence:

Try to start OpenVPN connection SECP_BD_G3_"..."KUNZE C:/Users/Pilgrim/Downloads/openvpn_kkunze/Portable/../data/config
Fri Apr 17 08:27:23 2020 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Fri Apr 17 08:27:23 2020 Windows version 6.1 (Windows 7) 64bit
Fri Apr 17 08:27:23 2020 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Fri Apr 17 08:27:23 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 17 08:27:23 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]217.xxx.xxx.xxx:1194
Fri Apr 17 08:27:23 2020 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Apr 17 08:27:23 2020 UDP link local: (not bound)
Fri Apr 17 08:27:23 2020 UDP link remote: [AF_INET]217.xxx.xxx.xxx:1194
Fri Apr 17 08:28:23 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ERROR: TLS error! See log for details
Fri Apr 17 08:28:23 2020 TLS Error: TLS handshake failed
Fri Apr 17 08:28:23 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr 17 08:28:23 2020 Restart pause, 5 second(s)
Fri Apr 17 08:28:28 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 17 08:28:28 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]217.xxx.xxx.xxx:1194
Fri Apr 17 08:28:28 2020 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Apr 17 08:28:28 2020 UDP link local: (not bound)
Fri Apr 17 08:28:28 2020 UDP link remote: [AF_INET]217.xxx.xxx.xxx:1194
Fri Apr 17 08:29:28 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ERROR: TLS error! See log for details
Fri Apr 17 08:29:28 2020 TLS Error: TLS handshake failed
Disconnected

In the BlackDwarf log the following happens:

2020-04-17T08:27:19.998+02:00 openvpn-VPN_KUNZE[759]: MULTI: multi_create_instance called
2020-04-17T08:27:19.998+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 Re-using SSL/TLS context
2020-04-17T08:27:19.998+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2020-04-17T08:27:19.998+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2020-04-17T08:27:19.998+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
2020-04-17T08:27:19.998+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
2020-04-17T08:27:19.998+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 TLS: Initial packet from [AF_INET]217.86.182.8:29229 (via [AF_INET]192.168.2.2%eth0), sid=89d59cb8 af644f9f
2020-04-17T08:27:32.602+02:00 server[3557]: DEBUG: openvpn socket== '/tmp/openvpn_management_4B0B8EE9.sock'
2020-04-17T08:27:32.602+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client connected from /tmp/openvpn_management_4B0B8EE9.sock
2020-04-17T08:27:32.602+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: CMD 'state'
2020-04-17T08:27:32.605+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client disconnected
2020-04-17T08:27:32.611+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client connected from /tmp/openvpn_management_4B0B8EE9.sock
2020-04-17T08:27:32.611+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: CMD 'status 2'
2020-04-17T08:27:32.611+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client disconnected
2020-04-17T08:28:19.390+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2020-04-17T08:28:19.390+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 TLS Error: TLS handshake failed
2020-04-17T08:28:19.390+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 SIGUSR1[soft,tls-error] received, client-instance restarting
2020-04-17T08:28:23.640+02:00 server[3557]: DEBUG: openvpn socket== '/tmp/openvpn_management_4B0B8EE9.sock'
2020-04-17T08:28:23.640+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client connected from /tmp/openvpn_management_4B0B8EE9.sock
2020-04-17T08:28:23.640+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: CMD 'state'
2020-04-17T08:28:23.642+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client disconnected
2020-04-17T08:28:23.646+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client connected from /tmp/openvpn_management_4B0B8EE9.sock
2020-04-17T08:28:23.646+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: CMD 'status 2'
2020-04-17T08:28:23.648+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client disconnected
2020-04-17T08:28:24.925+02:00 openvpn-VPN_KUNZE[759]: MULTI: multi_create_instance called
2020-04-17T08:28:24.925+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 Re-using SSL/TLS context
2020-04-17T08:28:24.925+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2020-04-17T08:28:24.925+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2020-04-17T08:28:24.925+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
2020-04-17T08:28:24.925+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
2020-04-17T08:28:24.925+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 TLS: Initial packet from [AF_INET]217.86.182.8:29226 (via [AF_INET]192.168.2.2%eth0), sid=a6160bee 552702e5
2020-04-17T08:29:14.707+02:00 server[3557]: DEBUG: openvpn socket== '/tmp/openvpn_management_4B0B8EE9.sock'
2020-04-17T08:29:14.707+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client connected from /tmp/openvpn_management_4B0B8EE9.sock
2020-04-17T08:29:14.707+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: CMD 'state'
2020-04-17T08:29:14.709+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client disconnected
2020-04-17T08:29:14.714+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client connected from /tmp/openvpn_management_4B0B8EE9.sock
2020-04-17T08:29:14.714+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: CMD 'status 2'
2020-04-17T08:29:14.714+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client disconnected
2020-04-17T08:29:24.047+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2020-04-17T08:29:24.047+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 TLS Error: TLS handshake failed
2020-04-17T08:29:24.047+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 SIGUSR1[soft,tls-error] received, client-instance restarting
2020-04-17T08:29:30.553+02:00 openvpn-VPN_KUNZE[759]: MULTI: multi_create_instance called
2020-04-17T08:29:30.553+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29227 Re-using SSL/TLS context
2020-04-17T08:29:30.553+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29227 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2020-04-17T08:29:30.553+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29227 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2020-04-17T08:29:30.553+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29227 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
2020-04-17T08:29:30.553+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29227 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
2020-04-17T08:29:30.553+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29227 TLS: Initial packet from [AF_INET]217.86.182.8:29227 (via [AF_INET]192.168.2.2%eth0), sid=2251b620 0e07ad08
2020-04-17T08:30:05.786+02:00 server[3557]: DEBUG: openvpn socket== '/tmp/openvpn_management_4B0B8EE9.sock'
2020-04-17T08:30:05.786+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client connected from /tmp/openvpn_management_4B0B8EE9.sock
2020-04-17T08:30:05.786+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: CMD 'state'
2020-04-17T08:30:05.789+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client disconnected
2020-04-17T08:30:05.793+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client connected from /tmp/openvpn_management_4B0B8EE9.sock
2020-04-17T08:30:05.793+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: CMD 'status 2'
2020-04-17T08:30:05.795+02:00 openvpn-VPN_KUNZE[759]: MANAGEMENT: Client disconnected
2020-04-17T08:30:30.258+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29227 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2020-04-17T08:30:30.258+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29227 TLS Error: TLS handshake failed
2020-04-17T08:30:30.258+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29227 SIGUSR1[soft,tls-error] received, client-instance restarting

Between the Internet and the BlackDwarf there is also a Lancom router. On it I set up a port forward for UDP 1194 and added an extra firewall rule for Anyhost/Anyhost/UDP 1194.

My feeling is that this should actually be enough, especially since contact apparently is being made.

What else could be the reason it doesn't work?

Regards

Karl Kunze

jansc
Securepoint
Posts: 38
Registered: Thu 04.04.2019, 10:26

Post by jansc »

Does the UTM have a route to the Internet?
Try pinging towards the Internet from the network tools. Does that work?

Karl_Kunze
Posts: 19
Registered: Tue 14.04.2020, 11:25

Post by Karl_Kunze »

Hi,

Problem solved.

The BlackDwarf had a route configured, but it was the one for the network's normal Internet traffic. Since that traffic doesn't go through the BlackDwarf (because it's intended as a VPN-only gateway), no TLS handshake could of course be completed over that route.

Regards

Karl Kunze
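The two logs in this thread show the pattern that points at a return-path problem rather than a blocked port: the server logs "TLS: Initial packet from ..." for every attempt (so the Lancom port forward works), yet both sides time out after 60 seconds, meaning the server's replies never get back to the client. The client log also carries a second, security-relevant finding: "No server certificate verification method has been enabled" means the client config lacks `remote-cert-tls server` (or an equivalent such as `verify-x509-name`), so any certificate issued by the same CA, including another client's, would be accepted as the server. The script below is an added example, not code from the original posts or from Securepoint; it correlates constructed sample lines modelled on the thread's logs (public address anonymised) and names the most likely layer at fault. The diagnosis categories, the `reply_paths` heuristic and the `ADVICE` texts are the editor's own.

```python
"""Triage an OpenVPN 'TLS key negotiation failed' case from client and server logs."""
import re

# Constructed sample lines, modelled on the logs posted in this thread (address anonymised).
CLIENT_LOG = """\
Fri Apr 17 08:27:23 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 17 08:27:23 2020 UDP link remote: [AF_INET]217.xxx.xxx.xxx:1194
Fri Apr 17 08:28:23 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Apr 17 08:28:23 2020 TLS Error: TLS handshake failed
Fri Apr 17 08:28:23 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr 17 08:28:28 2020 UDP link remote: [AF_INET]217.xxx.xxx.xxx:1194
Fri Apr 17 08:29:28 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Apr 17 08:29:28 2020 TLS Error: TLS handshake failed
"""

SERVER_LOG = """\
2020-04-17T08:27:19.998+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 TLS: Initial packet from [AF_INET]217.xxx.xxx.xxx:29229 (via [AF_INET]192.168.2.2%eth0), sid=89d59cb8 af644f9f
2020-04-17T08:28:19.390+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29229 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2020-04-17T08:28:24.925+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 TLS: Initial packet from [AF_INET]217.xxx.xxx.xxx:29226 (via [AF_INET]192.168.2.2%eth0), sid=a6160bee 552702e5
2020-04-17T08:29:24.047+02:00 openvpn-VPN_KUNZE[759]: 217.xxx.xxx.xxx:29226 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# Messages as OpenVPN 2.x actually prints them.
NO_VERIFY = re.compile(r"No server certificate verification method has been enabled")
TLS_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
INITIAL_PACKET = re.compile(
    r"TLS: Initial packet from \[AF_INET\]([^\s:\]]+):(\d+) "
    r"\(via \[AF_INET\]([^\s%]+)%(\w+)\)"
)
CONNECTED = re.compile(r"Initialization Sequence Completed")

# Editor's own advice texts (assumption: these categories cover the common causes).
ADVICE = {
    "connected": "Tunnel came up; nothing to diagnose.",
    "no_client_timeout": "No TLS timeout in the client log; look for a different error.",
    "no_packets_reached_server": "Server never logged 'TLS: Initial packet': check the port "
    "forward and firewall rule for the UDP port, and remote/port in the client config.",
    "return_path_or_reply_blocked": "Server received the client's first packet but still timed "
    "out: its replies are not reaching the client. Check that the server's route to the client's "
    "public address leaves via the gateway the packet arrived from (or a stateful firewall drops it).",
}


def parse_initial_packets(server_log):
    """(client_addr, client_port, local_addr, iface) for every handshake the server saw start."""
    return [(src, int(port), via, iface)
            for src, port, via, iface in INITIAL_PACKET.findall(server_log)]


def triage(client_log, server_log):
    """Correlate both ends of a failed handshake and name the most likely layer at fault."""
    initial = parse_initial_packets(server_log)
    result = {
        "client_no_server_verify": bool(NO_VERIFY.search(client_log)),
        "client_tls_timeouts": len(TLS_TIMEOUT.findall(client_log)),
        "server_tls_timeouts": len(TLS_TIMEOUT.findall(server_log)),
        "server_initial_packets": initial,
        # Local address/interface the client's packets arrived on; replies must go back that way.
        "reply_paths": sorted({(via, iface) for _, _, via, iface in initial}),
    }
    if CONNECTED.search(client_log):
        result["diagnosis"] = "connected"
    elif result["client_tls_timeouts"] == 0:
        result["diagnosis"] = "no_client_timeout"
    elif not initial:
        # Nothing arrived at the server: port forward, firewall or wrong remote on the client.
        result["diagnosis"] = "no_packets_reached_server"
    else:
        # Server saw the first packet and still timed out: one-way traffic, replies are lost.
        result["diagnosis"] = "return_path_or_reply_blocked"
    return result


def explain(result):
    """Human-readable findings, including the certificate-verification warning if present."""
    lines = [ADVICE[result["diagnosis"]]]
    for via, iface in result["reply_paths"]:
        lines.append(f"Client packets arrived on {iface} ({via}); the route back to the "
                     f"client's public address must leave through that path.")
    if result["client_no_server_verify"]:
        lines.append("Client does not verify the server certificate (MITM risk): add "
                     "'remote-cert-tls server' and, with a private CA, 'verify-x509-name'.")
    return lines


if __name__ == "__main__":
    for line in explain(triage(CLIENT_LOG, SERVER_LOG)):
        print("-", line)
```

Run it against real logs by replacing the two constants with the file contents; the `reply_paths` entry tells you which interface the reply route must use, which is exactly the check that resolved this thread.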
