Hi,

> Fri May 17 13:23:15 2024 us=936860 SIGUSR1[soft,tls-error] received,
> process restarting
> Fri May 17 13:23:15 2024 us=937343 Restart pause, 300 second(s)

If this is the tls-server side of the p2p connection, this is weird. What
version of OpenVPN is this?
We fixed the backoff logic in 2.5.3 to delay only on one side (the
client-side iirc) as otherwise the two sides could miss each other and lead
to timeout.

Could you please post matching logs from the other side as well?

Selva

On Fri, May 17, 2024 at 8:15 AM shadowbladeee via Openvpn-users <
openvpn-users@lists.sourceforge.net> wrote:

> Hello Folks,
>
> I have a VPN setup which has worked for years; it's a simple peer-to-peer UDP
> VPN. There was absolutely zero change on the two endpoints, nothing on the
> routers, network equipment, servers etc. The VPN simply stopped functioning
> like a week ago for no reason. I have pretty much restarted all components
> (of course did not change anything). I get this in the log on the server:
>
> RFri May 17 13:22:15 2024 us=116136 TLS: Initial packet from
> [AF_INET]<CONNECTING PEER IP>:39729, sid=77d2b662 053040f3
> WWWrrrrWrrrrrrrrrrWrrrrrrrrrrrrrrrrrrrrrFri May 17 13:23:15 2024 us=858988
> TLS Error: TLS key negotiation failed to occur within 60 seconds (check
> your network connectivity)
> Fri May 17 13:23:15 2024 us=859084 TLS Error: TLS handshake failed
> Fri May 17 13:23:15 2024 us=859405 TCP/UDP: Closing socket
> Fri May 17 13:23:15 2024 us=859487 Closing TUN/TAP interface
> Fri May 17 13:23:15 2024 us=859528 /sbin/ip addr del dev tun1 local
> 10.0.0.1 peer 10.0.0.2
> Fri May 17 13:23:15 2024 us=936860 SIGUSR1[soft,tls-error] received,
> process restarting
> Fri May 17 13:23:15 2024 us=937343 Restart pause, 300 second(s)
> Fri May 17 13:28:15 2024 us=939065 Diffie-Hellman initialized with 2048
> bit key
> Fri May 17 13:28:15 2024 us=942435 Outgoing Control Channel
> Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri May 17 13:28:15 2024 us=942581 Incoming Control Channel
> Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri May 17 13:28:15 2024 us=943674 Control Channel MTU parms [ L:1557
> D:1184 EF:66 EB:0 ET:0 EL:3 ]
> Fri May 17 13:28:15 2024 us=947603 TUN/TAP device tun1 opened
> Fri May 17 13:28:15 2024 us=949077 TUN/TAP TX queue length set to 100
> Fri May 17 13:28:15 2024 us=949249 do_ifconfig,
> tt->did_ifconfig_ipv6_setup=0
> Fri May 17 13:28:15 2024 us=949702 /sbin/ip link set dev tun1 up mtu 1500
> Fri May 17 13:28:15 2024 us=961794 /sbin/ip addr add dev tun1 local
> 10.0.0.1 peer 10.0.0.2
> Fri May 17 13:28:15 2024 us=975521 Data Channel MTU parms [ L:1557 D:1269
> EF:57 EB:395 ET:0 EL:3 ]
> Fri May 17 13:28:15 2024 us=975855 Local Options String (VER=V4):
> 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,ifconfig 10.0.0.2
> 10.0.0.1,keydir 0,cipher AES-256-CBC,auth SHA1,keysize
> 256,tls-auth,key-method 2,tls-server'
> Fri May 17 13:28:15 2024 us=976030 Expected Remote Options String
> (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,ifconfig
> 10.0.0.1 10.0.0.2,keydir 1,cipher AES-256-CBC,auth SHA1,keysize
> 256,tls-auth,key-method 2,tls-client'
> Fri May 17 13:28:15 2024 us=976118 Could not determine IPv4/IPv6 protocol.
> Using AF_INET
> Fri May 17 13:28:15 2024 us=976236 Socket Buffers: R=[163840->163840]
> S=[163840->163840]
> Fri May 17 13:28:15 2024 us=976352 UDPv4 link local (bound):
> [AF_INET][undef]:43000
> Fri May 17 13:28:15 2024 us=976428 UDPv4 link remote: [AF_UNSPEC]
> RFri May 17 13:28:16 2024 us=563831 TLS: Initial packet from
> [AF_INET]<CONNECTING PEER IP>:45086, sid=94460619 1b42cb70
> WWrrWrrrWrrrrrrrrrrrrrWrrrrrrrrrrrrrrrrrFri May 17 13:29:16 2024 us=241264
> TLS Error: TLS key negotiation failed to occur within 60 seconds (check
> your network connectivity)
> Fri May 17 13:29:16 2024 us=241385 TLS Error: TLS handshake failed
> Fri May 17 13:29:16 2024 us=242113 TCP/UDP: Closing socket
> Fri May 17 13:29:16 2024 us=242322 Closing TUN/TAP interface
> Fri May 17 13:29:16 2024 us=242433 /sbin/ip addr del dev tun1 local
> 10.0.0.1 peer 10.0.0.2
> Fri May 17 13:29:16 2024 us=356949 SIGUSR1[soft,tls-error] received,
> process restarting
> Fri May 17 13:29:16 2024 us=357112 Restart pause, 300 second(s)
> Fri May 17 13:34:16 2024 us=357823 Diffie-Hellman initialized with 2048
> bit key
> Fri May 17 13:34:16 2024 us=358991 Outgoing Control Channel
> Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri May 17 13:34:16 2024 us=359037 Incoming Control Channel
> Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri May 17 13:34:16 2024 us=359179 Control Channel MTU parms [ L:1557
> D:1184 EF:66 EB:0 ET:0 EL:3 ]
> Fri May 17 13:34:16 2024 us=359788 TUN/TAP device tun1 opened
> Fri May 17 13:34:16 2024 us=359859 TUN/TAP TX queue length set to 100
> Fri May 17 13:34:16 2024 us=359905 do_ifconfig,
> tt->did_ifconfig_ipv6_setup=0
> Fri May 17 13:34:16 2024 us=359947 /sbin/ip link set dev tun1 up mtu 1500
> Fri May 17 13:34:16 2024 us=365445 /sbin/ip addr add dev tun1 local
> 10.0.0.1 peer 10.0.0.2
> Fri May 17 13:34:16 2024 us=371612 Data Channel MTU parms [ L:1557 D:1269
> EF:57 EB:395 ET:0 EL:3 ]
> Fri May 17 13:34:16 2024 us=371770 Local Options String (VER=V4):
> 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,ifconfig 10.0.0.2
> 10.0.0.1,keydir 0,cipher AES-256-CBC,auth SHA1,keysize
> 256,tls-auth,key-method 2,tls-server'
> Fri May 17 13:34:16 2024 us=371808 Expected Remote Options String
> (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,ifconfig
> 10.0.0.1 10.0.0.2,keydir 1,cipher AES-256-CBC,auth SHA1,keysize
> 256,tls-auth,key-method 2,tls-client'
> Fri May 17 13:34:16 2024 us=371841 Could not determine IPv4/IPv6 protocol.
> Using AF_INET
> Fri May 17 13:34:16 2024 us=371895 Socket Buffers: R=[163840->163840]
> S=[163840->163840]
> Fri May 17 13:34:16 2024 us=371946 UDPv4 link local (bound):
> [AF_INET][undef]:43000
>
>
> Tcpdump
>
> 13:57:45.995046 IP <REMOTE PEER IP>.41699 > <VPN SERVER IP>.43000: UDP,
> length 42
> 13:57:47.080365 IP <REMOTE PEER IP>.41699 > <VPN SERVER IP>.43000: UDP,
> length 42
> 13:57:51.413290 IP <REMOTE PEER IP>.41699 > <VPN SERVER IP>.43000: UDP,
> length 42
> 13:57:51.413664 IP <VPN SERVER IP>.43000 > <REMOTE PEER IP>.41699: UDP,
> length 54
> 13:57:53.004424 IP <VPN SERVER IP>.43000 > <REMOTE PEER IP>.41699: UDP,
> length 42
>
> So here is what is interesting, packets are "sipping in" so you cannot say
> it's a firewall issue, especially as I said nothing changed from my side
> and all the components were even rebooted.
>
> Here is what I tried:
>
> 1, tried to move the udp port -> didn't help
>
> 2, switched from udp to tcp -> didn't help
>
> Has anyone encountered a similar situation?
>
>
> Thanks
>
>
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
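
Added example, not part of the original thread and not OpenVPN project code: a small Python parser that condenses a log like the one quoted above into the facts the reply asks about (which TLS role this end has, whether it is the end applying the restart pause, and how far apart the peer's attempts land). The names parse_events and summarize and the sample address 192.0.2.10 are assumptions of this example; the sample log is constructed from the quoted lines.

```python
import re
from datetime import datetime

# Constructed sample modelled on the server log quoted above: wrapped lines are
# re-joined and the redacted peer address is replaced by 192.0.2.10 (assumption).
SAMPLE_LOG = """\
RFri May 17 13:22:15 2024 us=116136 TLS: Initial packet from [AF_INET]192.0.2.10:39729, sid=77d2b662 053040f3
WWWrrrrWrrFri May 17 13:23:15 2024 us=858988 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 17 13:23:15 2024 us=937343 Restart pause, 300 second(s)
Fri May 17 13:28:15 2024 us=975855 Local Options String (VER=V4): 'V4,dev-type tun,proto UDPv4,tls-auth,key-method 2,tls-server'
RFri May 17 13:28:16 2024 us=563831 TLS: Initial packet from [AF_INET]192.0.2.10:45086, sid=94460619 1b42cb70
WWrrWrrrFri May 17 13:29:16 2024 us=241264 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# At verb 5 OpenVPN prints R/W/r/w per packet with no newline, so those
# characters end up glued to the front of the next timestamp.
LINE = re.compile(r"^[RWrw]*(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d "
                  r"\d\d:\d\d:\d\d \d{4}) us=(?P<us>\d+) (?P<msg>.*)$")
PATTERNS = {
    "initial": re.compile(r"TLS: Initial packet from \[AF_INET6?\](?P<v>\S+), sid="),
    "timeout": re.compile(r"TLS key negotiation failed to occur within (?P<v>\d+) seconds"),
    "pause": re.compile(r"Restart pause, (?P<v>\d+) second"),
    "role": re.compile(r"Local Options String.*,(?P<v>tls-(?:server|client))'"),
}

def parse_events(log):
    """Return (timestamp, kind, value) for every line matching PATTERNS."""
    events = []
    # Lines that do not start with an (optionally R/W-prefixed) timestamp are skipped.
    for m in filter(None, map(LINE.match, log.splitlines())):
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        when = when.replace(microsecond=int(m["us"]))
        for kind, pat in PATTERNS.items():
            hit = pat.search(m["msg"])
            if hit:
                events.append((when, kind, hit["v"]))
    return events

def summarize(log):
    """Condense the retry loop: role, attempts, timers, gap between attempts."""
    ev = parse_events(log)
    vals = lambda kind: [v for _, k, v in ev if k == kind]
    starts = [t for t, k, _ in ev if k == "initial"]
    pause = max(map(int, vals("pause")), default=0)
    role = (vals("role") or [None])[-1]
    return {"role": role, "attempts": len(starts), "peers": vals("initial"),
            "timeouts": len(vals("timeout")), "restart_pause_s": pause,
            "handshake_window_s": max(map(int, vals("timeout")), default=0),
            "cycle_gaps_s": [round((b - a).total_seconds(), 1)
                             for a, b in zip(starts, starts[1:])],
            # True = this end is tls-server AND backs off, the case the reply queries
            "server_side_backoff": role == "tls-server" and pause > 0}
```

Running summarize() over the matching log from the other peer gives the second half of the picture the reply requests.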