openvpn was working...

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
kmkittre
DD-WRT Novice


Joined: 19 Jan 2007
Posts: 40

PostPosted: Mon Sep 21, 2009 18:05    Post subject: openvpn was working... Reply with quote
I've been running dd-wrt for years and I have had OpenVPN working for a long time using a static key.

This weekend I upgraded my firmware and decided it was time to also upgrade to a certificate-based OpenVPN solution. When I first tried to get it working, everything was fine until I got an error that said that my certificate was not yet valid. I searched these forums and saw that a lot of people had that issue because the certs were created in GMT and that if they set their timezone to UTC that it would work. So I did that, and I was able to successfully connect.

However, now (and nothing has changed) I am no longer able to connect to my openvpn system. I've tried the timezone in UTC and in the correct time (UTC -7) and neither works. I get the same error when I look at the logs (I replaced my remote IP with xxx.xxx.xxx.xxx):

Code:

Sep 21 10:10:57 DD-WRT daemon.notice openvpn[1098]: MULTI: multi_create_instance called
Sep 21 10:10:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:59172 Re-using SSL/TLS context
Sep 21 10:10:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:59172 LZO compression initialized
Sep 21 10:10:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:59172 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 21 10:10:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:59172 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sep 21 10:10:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:59172 TLS: Initial packet from xxx.xxx.xxx.xxx:59172, sid=84309b0a 58cfebce
Sep 21 10:11:57 DD-WRT daemon.err openvpn[1098]: xxx.xxx.xxx.xxx:59172 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 21 10:11:57 DD-WRT daemon.err openvpn[1098]: xxx.xxx.xxx.xxx:59172 TLS Error: TLS handshake failed
Sep 21 10:11:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:59172 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 21 10:11:57 DD-WRT daemon.notice openvpn[1098]: MULTI: multi_create_instance called
Sep 21 10:11:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:54771 Re-using SSL/TLS context
Sep 21 10:11:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:54771 LZO compression initialized
Sep 21 10:11:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:54771 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 21 10:11:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:54771 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sep 21 10:11:57 DD-WRT daemon.notice openvpn[1098]: xxx.xxx.xxx.xxx:54771 TLS: Initial packet from xxx.xxx.xxx.xxx:54771, sid=4e40a7a0 449b612d


when I type date on each machine, I get the following:
server: Mon Sep 21 10:40:12 UTC 2009
laptop: Mon Sep 21 10:40:20 MST 2009

Any Help? Perhaps I should just go back to using a static key...
Sponsor
Cyberian
DD-WRT User


Joined: 07 Jun 2006
Posts: 198
Location: Oregon, US

PostPosted: Mon Sep 21, 2009 18:48    Post subject: Reply with quote
There's something wrong with your TLS (ta) key.

Be sure you have...
Quote:
tls-server # Enable TLS and assume server role during TLS handshake
tls-auth ta.key 0 # TLS authentication
...on your router.

And...
Quote:
tls-auth ta.key 1
...on your client.
_________________
Michael
WRT54GS v1.1 with Eko JFFS + OpenVPN
kmkittre
DD-WRT Novice


Joined: 19 Jan 2007
Posts: 40

PostPosted: Mon Sep 21, 2009 20:27    Post subject: Reply with quote
I haven't seen any reference to tls-auth in any of the tutorials. What key do I reference with it?

Here is my server conf:
mode server
server-bridge 192.168.1.1 255.255.255.0 192.168.1.128 192.168.1.199
proto udp
port 443
dev tap0
keepalive 15 120
daemon
verb 5
comp-lzo
client-to-client
duplicate-cn
tls-server
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

and this is my client conf:
client
dev tap
proto udp
remote xxx.xxx.xxx.xxx
port 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert kevin.crt
key kevin.key
ns-cert-type server
comp-lzo
keepalive 10 120
verb 3
Cyberian
DD-WRT User


Joined: 07 Jun 2006
Posts: 198
Location: Oregon, US

PostPosted: Mon Sep 21, 2009 20:38    Post subject: Reply with quote
Search for "tls-auth" @ http://openvpn.net/index.php/open-source/documentation/manuals/openvpn-21.html

It references the key file "ta.key".

Quote:
Control Channel Authentication: using 'ta.key' as a OpenVPN static key file

_________________
Michael
WRT54GS v1.1 with Eko JFFS + OpenVPN
kmkittre
DD-WRT Novice


Joined: 19 Jan 2007
Posts: 40

PostPosted: Mon Sep 21, 2009 20:43    Post subject: Reply with quote
I've setup OpenVPN certificate authentication more than once and I've never needed a ta.key. Also, I don't see a ta.key in my key folder...

also, I didn't see any mention of ta.key in any of the tutorials on these forums or in the wiki.

And, in addition, there's no field for ta.key on the web gui of the dd-wrt router.
kmkittre
DD-WRT Novice


Joined: 19 Jan 2007
Posts: 40

PostPosted: Mon Sep 21, 2009 20:45    Post subject: Reply with quote
From what I see on the openvpn server this is extra security. I don't need it, I just want this thing to work...
Cyberian
DD-WRT User


Joined: 07 Jun 2006
Posts: 198
Location: Oregon, US

PostPosted: Mon Sep 21, 2009 20:56    Post subject: Reply with quote
Then take "tls-server" out.
_________________
Michael
WRT54GS v1.1 with Eko JFFS + OpenVPN
kmkittre
DD-WRT Novice


Joined: 19 Jan 2007
Posts: 40

PostPosted: Mon Sep 21, 2009 21:10    Post subject: Reply with quote
wrong. I fixed it.

The problem I had was that I didn't have tls-client in my client config. Not sure why it worked without this before...
Cyberian
DD-WRT User


Joined: 07 Jun 2006
Posts: 198
Location: Oregon, US

PostPosted: Mon Sep 21, 2009 21:16    Post subject: Reply with quote
Hmmm, I don't have that, either.
_________________
Michael
WRT54GS v1.1 with Eko JFFS + OpenVPN
kmkittre
DD-WRT Novice


Joined: 19 Jan 2007
Posts: 40

PostPosted: Mon Sep 21, 2009 21:19    Post subject: Reply with quote
Hmm, it seems to be an OS X thing... I can get the connection working without tls-client in Windows, but it looks like it's needed in OS X. Odd.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum