External OpenVPN Server TLS handshake error on an Asus AC68U

Author Message
Knowthenazz
DD-WRT Novice


Joined: 19 Jun 2019
Posts: 8

PostPosted: Fri Jun 21, 2019 20:44    Post subject: External OpenVPN Server TLS handshake error on an Asus AC68U
Hi,

I have 2 DD-WRT Routers. An Asus AC68U and a Netgear R7000. Both connect to my ISP via two, independent dynamic IPs.

The R7000 has an OpenVPN server successfully working on it. I’m able to successfully connect to the OpenVPN server via my android cell phone over a data connection (using the OpenVPN Android client), and from my Windows laptop (using the OpenVPN Windows GUI) from a friend’s house.

The problem is, I can't seem to connect to my R7000 OpenVPN server when my OpenVPN Client is on my Asus AC68U network. I keep getting a TLS handshake failed error.


Code:
20190620 22:48:42 XXX.XXX.XXX.36:33774 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.36:33774 sid=e1ae42f8 e6774df8
20190620 22:48:48 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190620 22:48:48 D MANAGEMENT: CMD 'state'
20190620 22:48:48 MANAGEMENT: Client disconnected
20190620 22:48:48 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190620 22:48:48 D MANAGEMENT: CMD 'state'
20190620 22:48:48 MANAGEMENT: Client disconnected
20190620 22:48:48 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190620 22:48:48 D MANAGEMENT: CMD 'state'
20190620 22:48:48 MANAGEMENT: Client disconnected
20190620 22:48:48 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190620 22:48:48 MANAGEMENT: Client disconnected
20190620 22:48:48 NOTE: --mute triggered...
20190620 22:48:48 1 variation(s) on previous 3 message(s) suppressed by --mute
20190620 22:48:48 D MANAGEMENT: CMD 'status 2'
20190620 22:48:48 MANAGEMENT: Client disconnected
20190620 22:48:48 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190620 22:48:48 D MANAGEMENT: CMD 'status 2'
20190620 22:48:48 MANAGEMENT: Client disconnected
20190620 22:48:48 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190620 22:48:48 D MANAGEMENT: CMD 'log 500'
20190620 22:48:48 MANAGEMENT: Client disconnected
20190620 22:49:00 N XXX.XXX.XXX.36:55966 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190620 22:49:00 N XXX.XXX.XXX.36:55966 TLS Error: TLS handshake failed
20190620 22:49:00 XXX.XXX.XXX.36:55966 SIGUSR1[soft tls-error] received client-instance restarting
My Asus AC68U is running Firmware: DD-WRT v3.0-r37015M kongac ( 09/23/18 )

Is there a setting on my AC68U that I need to enable? I don't think it's necessary with OpenVPN, but I have all the VPN Passthrough settings enabled (IPSec, PPTP, and L2TP).

Does anyone have any suggestions? Any help is appreciated.

Thanks in advance!
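Reading the server log the way the replies below do, as an added example that is not part of this thread: it tallies, per client IP, whether the server saw the client's initial packet, a completed handshake (OpenVPN's normal "Peer Connection Initiated" line), or only the 60-second timeout, so a blocked inbound port can be told apart from a broken return path (the shared-upstream / NAT loopback case discussed later in the thread). The sample log is constructed in the same line shape as the one above, with documentation addresses in place of the masked ones.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the DD-WRT OpenVPN server log above.
SAMPLE_LOG = """\
20190620 22:48:42 203.0.113.36:33774 TLS: Initial packet from [AF_INET]203.0.113.36:33774 sid=e1ae42f8 e6774df8
20190620 22:48:48 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190620 22:48:48 D MANAGEMENT: CMD 'state'
20190620 22:49:00 N 203.0.113.36:55966 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190620 22:49:00 N 203.0.113.36:55966 TLS Error: TLS handshake failed
20190620 22:49:00 203.0.113.36:55966 SIGUSR1[soft tls-error] received client-instance restarting
20190620 22:50:10 198.51.100.7:41000 TLS: Initial packet from [AF_INET]198.51.100.7:41000 sid=0a0b0c0d 0e0f1011
20190620 22:50:11 198.51.100.7:41000 [laptop] Peer Connection Initiated with [AF_INET]198.51.100.7:41000
"""

# "YYYYMMDD HH:MM:SS", an optional one-letter flag (N, D, W), then the peer
# address on per-client lines; MANAGEMENT and --mute lines carry no peer.
LINE_RE = re.compile(r"^\d{8} \d{2}:\d{2}:\d{2} (?:[A-Z] )?(\d+\.\d+\.\d+\.\d+):\d+ (.*)$")

def tally_clients(log_text):
    # Key by IP only: the client retries from a fresh source port after each
    # failure (33774 then 55966 in the thread's log), so ports do not pair up.
    stats = defaultdict(lambda: {"initial": 0, "failed": 0, "completed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, msg = m.groups()
        if msg.startswith("TLS: Initial packet"):
            stats[ip]["initial"] += 1
        elif msg.startswith("TLS Error: TLS handshake failed"):
            stats[ip]["failed"] += 1
        elif "Peer Connection Initiated" in msg:
            stats[ip]["completed"] += 1
    return dict(stats)

def diagnose(stats):
    # Map each client to the layer worth checking next.
    verdicts = {}
    for ip, s in stats.items():
        if s["completed"]:
            verdicts[ip] = "ok"
        elif s["initial"] and s["failed"]:
            # Inbound packets arrive, so the port forward works; the server's
            # replies are not getting back to the client. Check the return path
            # (asymmetric routing, two routers behind one bridged modem, NAT
            # hairpin) before touching certificates or tls-auth keys.
            verdicts[ip] = "return-path"
        elif s["failed"]:
            verdicts[ip] = "no-initial-packet"  # inbound never reached the server
        else:
            verdicts[ip] = "incomplete"
    return verdicts
```

Run it over the real log (with --mute lowered or disabled so the "Initial packet" lines are not suppressed) and a "return-path" verdict for a client points at topology, not at the OpenVPN config.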
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8021

PostPosted: Fri Jun 21, 2019 21:13
Are the two routers **totally** independent of each other? IOW, each is using its own modem, ISP, public IP, everything, and therefore each should only be accessible by the other over the internet.

What I suspect is that one is perhaps nested inside the other, or perhaps both are sharing some common third network. And therefore NOT totally independent.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
Knowthenazz
DD-WRT Novice


Joined: 19 Jun 2019
Posts: 8

PostPosted: Fri Jun 21, 2019 21:28
eibgrad wrote:
Are the two routers **totally** independent of each other? IOW, each is using its own modem, ISP, public IP, everything, and therefore each should only be accessible by the other over the internet.

What I suspect is that one is perhaps nested inside the other, or perhaps both are sharing some common third network. And therefore NOT totally independent.



Hi eibgrad, thanks for your fast response!

First off, from working with getting my OpenVPN server up in the last week or two, I just want to say that your support and input on this forum is really helpful. So thank you.

No, the two routers aren't 100% independent in that sense. They share a common modem, which leads to a switch, then to the two routers.

So would my network topology cause me this handshaking error?

Is there a work around that you might be able to suggest?

Thanks!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8021

PostPosted: Fri Jun 21, 2019 21:33
And the modem is *only* a modem, NOT a modem+router combo device?
Knowthenazz
DD-WRT Novice


Joined: 19 Jun 2019
Posts: 8

PostPosted: Fri Jun 21, 2019 21:37
eibgrad wrote:
And the modem is *only* a modem, NOT a modem+router combo device?


No, it is a combo device, but it's set up in bridge mode.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8021

PostPosted: Fri Jun 21, 2019 21:42
So the WAN of each router has its own unique public IP, they each use different local networks (e.g., 192.168.1.x and 192.168.2.x), and you're referencing the public IP on the WAN of the router supporting the OpenVPN server, from the OpenVPN client on the other router, correct?

If so, sounds like it should work. I was initially concerned that maybe you might have created a NAT loopback situation, but so far that doesn't seem to be the case.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8021

PostPosted: Fri Jun 21, 2019 21:49
Maybe it's just a configuration error on the OpenVPN client.

One thing you could do to eliminate anything upstream of the WAN of those routers as the culprit is to connect them directly to one another, WAN to WAN, and assign a static IP that's the same as the public IP they receive from the ISP. As long as the OpenVPN server and client configs are correct, that should work too. If it doesn't, then we know it's not something upstream of those routers, but the router configs themselves.

Knowthenazz
DD-WRT Novice


Joined: 19 Jun 2019
Posts: 8

PostPosted: Fri Jun 21, 2019 21:52
eibgrad wrote:
So the WAN of each router has its own unique public IP, they each use different local networks (e.g., 192.168.1.x and 192.168.2.x), and you're referencing the public IP on the WAN of the router supporting the OpenVPN server, from the OpenVPN client on the other router, correct?

If so, sounds like it should work. I was initially concerned that maybe you might have created a NAT loopback situation, but so far that doesn't seem to be the case.


Hi,

Yes, each router has a unique public IP and each has a unique local network. And yes, I'm accessing the OpenVPN server router using its WAN IP, from the OpenVPN client on the other router.

So you think it should work. Hmm I was beginning to think that maybe I had some bad firmware installed, or the router itself might be defective.

Can you think of anything else that I might try to get it working?

Thanks!
Knowthenazz
DD-WRT Novice


Joined: 19 Jun 2019
Posts: 8

PostPosted: Fri Jun 21, 2019 21:55
eibgrad wrote:
Maybe it's just a configuration error on the OpenVPN client.

One thing you could do to eliminate anything upstream of the WAN of those routers as the culprit is to connect them directly to one another, WAN to WAN, and assign a static IP that's the same as the public IP they receive from the ISP. As long as the OpenVPN server and client configs are correct, that should work too. If it doesn't, then we know it's not something upstream of those routers, but the router configs themselves.



Hmm, that's a very interesting idea. I'll see if I can do that now.

Thanks!
Knowthenazz
DD-WRT Novice


Joined: 19 Jun 2019
Posts: 8

PostPosted: Fri Jun 21, 2019 22:22
Knowthenazz wrote:
eibgrad wrote:
Maybe it's just a configuration error on the OpenVPN client.

One thing you could do to eliminate anything upstream of the WAN of those routers as the culprit is to connect them directly to one another, WAN to WAN, and assign a static IP that's the same as the public IP they receive from the ISP. As long as the OpenVPN server and client configs are correct, that should work too. If it doesn't, then we know it's not something upstream of those routers, but the router configs themselves.



Hmm, that's a very interesting idea. I'll see if I can do that now.

Thanks!



Ok eibgrad, you nailed it originally. I guess my two networks aren't as independent as I had thought.

I'm in the unique situation of currently transitioning from DSL over to cable, but both of my connections are currently live and active. I moved my Asus (OpenVPN client) router over to the old DSL connection and it connected to my OpenVPN server (on my cable connection) flawlessly.

It's nice to know it's not a router issue now.

Isolating this issue a bit more, can you think of a simple workaround for this?

Thanks!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8021

PostPosted: Fri Jun 21, 2019 22:34
I'm still not sure what the problem is when using the same ISP.

Are the public IPs of each WAN in the same network/subnet?

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8021

PostPosted: Fri Jun 21, 2019 22:42
Frankly, why is it necessary to use a VPN at all between these networks, esp. if they are within physical reach of one another? Why not just route between them, either using VLANs (preferred) or a third router (works, but just creates a bigger footprint)?
Knowthenazz
DD-WRT Novice


Joined: 19 Jun 2019
Posts: 8

PostPosted: Fri Jun 21, 2019 22:51
eibgrad wrote:
Frankly, why is it necessary to use a VPN at all between these networks, esp. if they are within physical reach of one another? Why not just route between them, either using VLANs (preferred) or a third router (works, but just creates a bigger footprint)?



I think those are all valid points. Actually, I won't be connecting to the VPN server in that setup often, but it'll just allow me to test the VPN prior to me leaving for a work trip. It's really just a "nice to have", to just confirm that everything is working as expected.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8021

PostPosted: Fri Jun 21, 2019 23:08
Knowthenazz wrote:
eibgrad wrote:
Frankly, why is it necessary to use a VPN at all between these networks, esp. if they are within physical reach of one another? Why not just route between them, either using VLANs (preferred) or a third router (works, but just creates a bigger footprint)?



I think those are all valid points. Actually, I won't be connecting to the VPN server in that setup often, but it'll just allow me to test the VPN prior to me leaving for a work trip. It's really just a "nice to have", to just confirm that everything is working as expected.


Hmm, well it seems to me you already have verified connectivity, via the smartphone. I'm not sure why using the other router and its network makes things all that much easier or conclusive. In fact, as we now know, it's NOT creating an identical situation to the smartphone, which would seem to be the more relevant test case. FWIW, that's how I test my own, using my smartphone.

Knowthenazz
DD-WRT Novice


Joined: 19 Jun 2019
Posts: 8

PostPosted: Fri Jun 21, 2019 23:54
eibgrad wrote:
Knowthenazz wrote:
eibgrad wrote:
Frankly, why is it necessary to use a VPN at all between these networks, esp. if they are within physical reach of one another? Why not just route between them, either using VLANs (preferred) or a third router (works, but just creates a bigger footprint)?



I think those are all valid points. Actually, I won't be connecting to the VPN server in that setup often, but it'll just allow me to test the VPN prior to me leaving for a work trip. It's really just a "nice to have", to just confirm that everything is working as expected.


Hmm, well it seems to me you already have verified connectivity, via the smartphone. I'm not sure why using the other router and its network makes things all that much easier or conclusive. In fact, as we now know, it's NOT creating an identical situation to the smartphone, which would seem to be the more relevant test case. FWIW, that's how I test my own, using my smartphone.


OK, I appreciate the input.

I'll just use my smartphone for testing then. I was trying to focus more on laptop testing just because I plan on using that device to access the VPN more when I'm traveling, is all. But it sounds like it will be more work than it's worth.

Thanks again for all your help!