Posted: Sat Jan 02, 2021 23:56 Post subject: OpenVPN PIA, ERROR RECONNECTING tls-error
I've been trying to get an Open VPN to work with Private Internet Access. I got it up and running, tested, and the VPN was working. But after a couple of hours, I get the error "Client: RECONNECTING tls-error". Please help! I'll post the log below.
Info
connection type, DHCP
Tunnel protocol, UDP
Clientlog:
20210102 18:17:13 I UDPv4 link local: (not bound)
20210102 18:17:13 I UDPv4 link remote: [AF_INET]154.3.42.11:502
20210102 18:17:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:17:52 D MANAGEMENT: CMD 'state'
20210102 18:17:52 MANAGEMENT: Client disconnected
20210102 18:17:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:17:52 D MANAGEMENT: CMD 'state'
20210102 18:17:52 MANAGEMENT: Client disconnected
20210102 18:17:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:17:52 D MANAGEMENT: CMD 'state'
20210102 18:17:52 MANAGEMENT: Client disconnected
20210102 18:17:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:17:52 D MANAGEMENT: CMD 'status 2'
20210102 18:17:52 MANAGEMENT: Client disconnected
20210102 18:17:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:17:52 D MANAGEMENT: CMD 'log 500'
20210102 18:17:52 MANAGEMENT: Client disconnected
20210102 18:18:13 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20210102 18:18:13 N TLS Error: TLS handshake failed
20210102 18:18:13 I SIGUSR1[soft tls-error] received process restarting
20210102 18:18:13 Restart pause 300 second(s)
20210102 18:23:13 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20210102 18:23:13 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210102 18:23:13 I TCP/UDP: Preserving recently used remote address: [AF_INET]154.3.42.21:502
20210102 18:23:13 Socket Buffers: R=[180224->180224] S=[180224->180224]
20210102 18:23:13 I UDPv4 link local: (not bound)
20210102 18:23:13 I UDPv4 link remote: [AF_INET]154.3.42.21:502
20210102 18:24:13 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20210102 18:24:13 N TLS Error: TLS handshake failed
20210102 18:24:13 I SIGUSR1[soft tls-error] received process restarting
20210102 18:24:13 Restart pause 300 second(s)
20210102 18:29:13 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20210102 18:29:13 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210102 18:29:13 I TCP/UDP: Preserving recently used remote address: [AF_INET]154.3.42.32:502
20210102 18:29:13 Socket Buffers: R=[180224->180224] S=[180224->180224]
20210102 18:29:13 I UDPv4 link local: (not bound)
20210102 18:29:13 I UDPv4 link remote: [AF_INET]154.3.42.32:502
20210102 18:30:13 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20210102 18:30:13 N TLS Error: TLS handshake failed
20210102 18:30:13 I SIGUSR1[soft tls-error] received process restarting
20210102 18:30:13 Restart pause 300 second(s)
20210102 18:35:13 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20210102 18:35:13 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210102 18:35:18 N RESOLVE: Cannot resolve host address: ca-toronto.privacy.network:502 (Try again)
20210102 18:35:21 Socket Buffers: R=[180224->180224] S=[180224->180224]
20210102 18:35:21 I UDPv4 link local: (not bound)
20210102 18:35:21 I UDPv4 link remote: [AF_INET]154.3.40.61:502
20210102 18:36:21 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20210102 18:36:21 N TLS Error: TLS handshake failed
20210102 18:36:21 I SIGUSR1[soft tls-error] received process restarting
20210102 18:36:21 Restart pause 300 second(s)
20210102 18:41:21 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20210102 18:41:21 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210102 18:41:21 I TCP/UDP: Preserving recently used remote address: [AF_INET]154.3.40.41:502
20210102 18:41:21 Socket Buffers: R=[180224->180224] S=[180224->180224]
20210102 18:41:21 I UDPv4 link local: (not bound)
20210102 18:41:21 I UDPv4 link remote: [AF_INET]154.3.40.41:502
20210102 18:42:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:42:04 D MANAGEMENT: CMD 'state'
20210102 18:42:04 MANAGEMENT: Client disconnected
20210102 18:42:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:42:04 D MANAGEMENT: CMD 'state'
20210102 18:42:04 MANAGEMENT: Client disconnected
20210102 18:42:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:42:04 D MANAGEMENT: CMD 'state'
20210102 18:42:04 MANAGEMENT: Client disconnected
20210102 18:42:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:42:04 D MANAGEMENT: CMD 'status 2'
20210102 18:42:04 MANAGEMENT: Client disconnected
20210102 18:42:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:42:04 D MANAGEMENT: CMD 'log 500'
20210102 18:42:04 MANAGEMENT: Client disconnected
20210102 18:42:22 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20210102 18:42:22 N TLS Error: TLS handshake failed
20210102 18:42:22 I SIGUSR1[soft tls-error] received process restarting
20210102 18:42:22 Restart pause 300 second(s)
20210102 18:47:22 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20210102 18:47:22 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210102 18:47:22 I TCP/UDP: Preserving recently used remote address: [AF_INET]154.3.40.51:502
20210102 18:47:22 Socket Buffers: R=[180224->180224] S=[180224->180224]
20210102 18:47:22 I UDPv4 link local: (not bound)
20210102 18:47:22 I UDPv4 link remote: [AF_INET]154.3.40.51:502
20210102 18:48:22 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20210102 18:48:22 N TLS Error: TLS handshake failed
20210102 18:48:22 I SIGUSR1[soft tls-error] received process restarting
20210102 18:48:22 Restart pause 300 second(s)
20210102 18:51:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:51:55 D MANAGEMENT: CMD 'state'
20210102 18:51:55 MANAGEMENT: Client disconnected
20210102 18:51:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:51:55 D MANAGEMENT: CMD 'state'
20210102 18:51:55 MANAGEMENT: Client disconnected
20210102 18:51:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:51:55 D MANAGEMENT: CMD 'state'
20210102 18:51:55 MANAGEMENT: Client disconnected
20210102 18:51:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:51:56 D MANAGEMENT: CMD 'status 2'
20210102 18:51:56 MANAGEMENT: Client disconnected
20210102 18:51:56 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210102 18:51:56 D MANAGEMENT: CMD 'log 500'
19691231 19:00:00
"TLS Web Server Authentication" is NOT an OpenVPN directive. But regardless, the fact it (apparently) runs for several hours and *then* fails suggests it is NOT a configuration error, but more likely just a server that at some point refuses to accept connections. Sometimes VPN providers kick users off servers if they become overloaded, or for maintenance purposes. This is why you should never rely on *just one* server to establish your VPN connection, but instead provide several alternatives.
In the case of my own VPN (ExpressVPN), I've added the following to the Additional Config field so that in case any given server is inaccessible, it will try several others.
The "server-poll-timeout" directive tells the OpenVPN client to never wait for more than 10 seconds for the server connection to be established before trying another server randomly (thanks to the "remote-random" directive). If you want them processed sequentially (e.g., to give certain servers higher preference), just leave out that directive.
Last edited by eibgrad on Thu Apr 15, 2021 16:46; edited 2 times in total
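A triage pass over a client log in the format posted at the top of the thread, as an added example that is not part of the original posts: it drops the management-interface polling, pairs each remote with the outcome of its handshake, and counts the "No server certificate verification" warning and DNS failures. The sample lines are constructed (192.0.2.x addresses and `vpn.example.net` are placeholders), and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the client-log format shown in the thread
# (192.0.2.0/24 is a documentation range, not the poster's servers).
SAMPLE_LOG = """\
20210102 18:17:13 I UDPv4 link remote: [AF_INET]192.0.2.11:502
20210102 18:17:52 D MANAGEMENT: CMD 'state'
20210102 18:18:13 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20210102 18:18:13 N TLS Error: TLS handshake failed
20210102 18:18:13 I SIGUSR1[soft tls-error] received process restarting
20210102 18:23:13 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20210102 18:23:13 I UDPv4 link remote: [AF_INET]192.0.2.21:502
20210102 18:24:13 N TLS Error: TLS handshake failed
20210102 18:29:13 N RESOLVE: Cannot resolve host address: vpn.example.net:502 (Try again)
20210102 18:29:21 I UDPv4 link remote: [AF_INET]192.0.2.32:502
20210102 18:29:25 I Initialization Sequence Completed
"""

LINE = re.compile(r"^(\d{8} \d\d:\d\d:\d\d)\s+(?:([DINW]) )?(.*)$")
REMOTE = re.compile(r"link remote: \[AF_INET\]([\d.]+):(\d+)")

def triage(log_text):
    """Return (attempts, findings): one dict per remote tried, plus warning counts."""
    attempts, findings = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.group(1), m.group(3)
        if msg.startswith("MANAGEMENT:"):
            continue  # status polling on the management port, not a tunnel event
        r = REMOTE.search(msg)
        if r:
            attempts.append({"start": ts, "remote": r.group(1),
                             "port": int(r.group(2)), "result": "pending"})
        elif "TLS handshake failed" in msg and attempts:
            attempts[-1]["result"] = "tls-handshake-failed"
        elif "Initialization Sequence Completed" in msg and attempts:
            attempts[-1]["result"] = "connected"
        elif "No server certificate verification" in msg:
            findings["no-server-cert-verification"] += 1
        elif msg.startswith("RESOLVE: Cannot resolve"):
            findings["dns-resolve-failure"] += 1
    return attempts, findings

if __name__ == "__main__":
    attempts, findings = triage(SAMPLE_LOG)
    print(attempts, dict(findings))
```

A non-zero `no-server-cert-verification` count means the client accepts the peer without checking that its certificate is a server certificate; the OpenVPN `remote-cert-tls server` directive enables that check.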
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Sun Jan 03, 2021 8:26 Post subject:
do not use their guide, it's messy and not working, also do not use 40559, it's a bad build from router database
use this guide... need to be logged in to see the attachment...
also have a look here
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326913
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Posted: Sun Jan 03, 2021 21:46 Post subject: Re: OpenVPN PIA, ERROR RECONNECTING tls-error
dloree wrote:
Hey! I got it working through port 1198 and the config stuff in that pdf, but now my speed is at around 5-8% of what it was on speedtest
did you start with telling us your router model and current build running? (you should)
probably that's the router's max... as VPN needs resources... but we don't know your router yet, so that far we can go...
VPN needs dual core CPU router, preferably Netgear R7800 or R9000, to gain some performance above 100Mbit over VPN, try Wireguard instead... but then again we still don't know your router
a quick tip is to use a better PIA server that offers better performance, and use 128 GCM encryption instead of 128 CBC... but it won't make miracles if router has low specs...