#1 2016-10-01 12:59:20

fxfxfx
Trusted Member
From: Denmark
Registered: 2016-03-04
Posts: 47

OpenVPN TLS error 60 second timeout on Nyr's OpenVPN auto-install

I have used Nyr's OpenVPN setup well over 100 times. It has always been a functional and quick way for me to get a VPS up and running.

Lately I haven't been able to establish a connection after install. I have even done a complete reinstall of my OS (Ubuntu 16.04.1) and installed Nyr's OpenVPN as sudo user + also tried the install as root. Tried to revert back to 14.04.5. Same result.

So, currently on a fresh Ubuntu 16.04.1. Only added sudo user and changed to pub key login via ssh only. Clean iptables. Only OS modification post-reinstall is the removal of Apache (sudo service apache2 stop + sudo apt purge --auto-remove apache2*) and the usual update/upgrade routine (today). Then I install Nyr's OpenVPN and smash in the usual NAT port and LES external IP for my NAT server during a successful setup.

No matter what, I can't get a successful OpenVPN connection. Been reading and fiddling away. Still, I'm at a loss.

Here's the local OpenVPN client log:

[email protected]:~$ sudo openvpn --config /home/frank/dload/USIP01.ovpn
Sat Oct  1 14:28:58 2016 Unrecognized option or missing parameter(s) in /home/frank/dload/USIP01.ovpn:14: block-outside-dns (2.3.10)
Sat Oct  1 14:28:58 2016 OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Sat Oct  1 14:28:58 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Sat Oct  1 14:28:58 2016 Control Channel Authentication: tls-auth using INLINE static key file
Sat Oct  1 14:28:58 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Oct  1 14:28:58 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Oct  1 14:28:58 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Oct  1 14:28:58 2016 UDPv4 link local: [undef]
Sat Oct  1 14:28:58 2016 UDPv4 link remote: [AF_INET]162.251.xx.yy:zz11
Sat Oct  1 14:28:58 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct  1 14:28:58 2016 TLS Error: TLS handshake failed
Sat Oct  1 14:28:58 2016 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct  1 14:28:58 2016 Restart pause, 2 second(s)
[...rinse, repeat]

I tested without the option block-outside-dns. Same result.

I tested for local oversights in terms of firewall, ISP blocking and similar 'interference' by trying across different OS, networks and devices (including general mobile data ISP access on default androids with the client config). Same result. Nothing. Not a single bit or byte.

The client config hasn't been meddled with:

client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 162.251.xx.yy zz11
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...
..
.
-----END OpenVPN Static key V1-----
</tls-auth>

Thanks a heap, guys!

/Frank

Last edited by fxfxfx (2016-10-01 13:00:30)

#2 2016-10-01 14:46:58

LowEnder
Trusted Member
Registered: 2015-08-21
Posts: 38

Not really any actual solution, but how does the log look on the server side? Clientwise, afaik, what you posted is how the log looks when the connection simply times out with no reply from the server at all. Also, have you checked with tcpdump to see if packets actually leave your client on the interface you are expecting them to, with the right destination, and arrive at the server? That's usually the first thing I do in that kind of situation. More than once the answer was just me having fat-fingered an IP/port.

#3 2016-10-01 15:42:58

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500

I have to admit, if you have done a fresh install, on a server that previously had no issues, and tried multiple clients, verified the ports are listening and there is no firewall to interfere on either side I am fairly stumped.

At this stage I would be pulling out Wireshark.


http://LittleHappyCloud.net KVM VPS with 1TB Bandwidth for €3.00

#4 2016-10-01 19:43:21

fxfxfx
Trusted Member
From: Denmark
Registered: 2016-03-04
Posts: 47

I have some OpenVPN VPS and Shibby Tomato router servers which I can access just fine. So I'm not blocked entirely - at least locally. I can even access these OpenVPN servers using some of the same ports that fail on others. So it's not exclusively a port thingy, at least locally - it seems. But I'm losing my focus and feel like I'm starting to make less sense than ever. I'm lost, basically.

I use mainly 443, 1194, 4111 and 9911. Tried to paste over the difference in client config from the working OpenVPN servers (only difference was the inclusion of key direction). Did zilch of a difference. Not unexpected though. Just a case of pure despair.

Anyway, thanks for chipping in guys. Here's the tcpdump for LES:

21:00:47.431090 IP frank-black.57126 > xx-yy-251-162-static.reverse.queryfoundry.net.9911: UDP, length 54
21:00:47.442258 IP localhost.58162 > frank-black.domain: 60564+ PTR? xx.yy.251.162.in-addr.arpa. (45)
21:00:47.442374 IP frank-black.28570 > RT-305A3AA85B54.domain: 41376+ PTR? xx.yy.251.162.in-addr.arpa. (45)
21:00:47.445171 IP RT-305A3AA85B54.domain > frank-black.28570: 41376 1/0/0 PTR xx-yy-251-162-static.reverse.queryfoundry.net. (105)
21:00:47.445247 IP frank-black.domain > localhost.58162: 60564 1/0/0 PTR xx-yy-251-162-static.reverse.queryfoundry.net. (105)
21:00:47.597985 IP xx-yy-251-162-static.reverse.queryfoundry.net > frank-black: ICMP xx-yy-251-162-static.reverse.queryfoundry.net udp port 9911 unreachable, length 90
21:00:49.945917 IP frank-black.57126 > xx-yy-251-162-static.reverse.queryfoundry.net.9911: UDP, length 54
21:00:50.119452 IP xx-yy-251-162-static.reverse.queryfoundry.net > frank-black: ICMP xx-yy-251-162-static.reverse.queryfoundry.net udp port 9911 unreachable, length 90
21:00:53.717974 IP frank-black.57126 > xx-yy-251-162-static.reverse.queryfoundry.net.9911: UDP, length 54
21:00:53.884000 IP xx-yy-251-162-static.reverse.queryfoundry.net > frank-black: ICMP xx-yy-251-162-static.reverse.queryfoundry.net udp port 9911 unreachable, length 90

Also, I did another tcpdump for an OpenVPN setup on a port that works fine on another server (meaning I have two different OpenVPN servers, which utilize the same port (1194). One (old install of Nyr's) works, while the other (newer Nyr install) doesn't, in terms of establishing a connection on port 1194):

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:20:39.336966 IP frank-black.46777 > yy.xx.yy.zz.openvpn: UDP, length 42
21:20:39.347364 IP localhost.42283 > frank-black.domain: 270+ PTR? zz.yy.xx.yy.in-addr.arpa. (42)
21:20:39.347486 IP frank-black.19366 > RT-305A3AA85B54.domain: 4683+ PTR? zz.yy.xx.yy.in-addr.arpa. (42)
21:20:39.350231 IP RT-305A3AA85B54.domain > frank-black.19366: 4683 NXDomain 0/0/0 (42)
21:20:39.350305 IP frank-black.domain > localhost.42283: 270 NXDomain 0/0/0 (42)
21:20:39.372695 IP localhost.54698 > frank-black.domain: 46952+ PTR? 1.4.168.192.in-addr.arpa. (42)
21:20:39.372802 IP frank-black.49074 > RT-305A3AA85B54.domain: 44258+ PTR? 1.4.168.192.in-addr.arpa. (42)
21:20:39.384191 IP yy.xx.yy.zz > frank-black: ICMP yy.xx.yy.zz udp port openvpn unreachable, length 78
21:20:41.417060 IP frank-black.46777 > yy.xx.yy.zz.openvpn: UDP, length 42
21:20:41.459558 IP yy.xx.yy.zz > frank-black: ICMP yy.xx.yy.zz udp port openvpn unreachable, length 78
21:20:45.576904 IP frank-black.46777 > yy.xx.yy.zz.openvpn: UDP, length 42
21:20:45.607154 IP yy.xx.yy.zz > frank-black: ICMP yy.xx.yy.zz udp port openvpn unreachable, length 78
^C
12 packets captured
24 packets received by filter
9 packets dropped by kernel

BUT, the OpenVPN server logs tell a story:

[email protected]:~$ sudo grep VPN /var/log/syslog
Oct  1 07:10:33 openvpnserver systemd[1]: Stopped OpenVPN connection to server.
Oct  1 07:10:33 openvpnserver systemd[1]: Starting OpenVPN connection to server...
Oct  1 07:10:33 openvpnserver ovpn-server[7996]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Oct  1 07:10:33 openvpnserver systemd[1]: Failed to start OpenVPN connection to server.
Oct  1 13:33:05 openvpnserver systemd[1]: Starting OpenVPN connection to server...
Oct  1 13:33:05 openvpnserver systemd[1]: Starting OpenVPN service...
Oct  1 13:33:05 openvpnserver ovpn-server[230]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Oct  1 13:33:05 openvpnserver systemd[1]: Started OpenVPN service.
Oct  1 13:33:05 openvpnserver systemd[1]: Failed to start OpenVPN connection to server.
Oct  1 13:43:38 openvpnserver systemd[1]: Stopped OpenVPN service.
Oct  1 13:43:52 openvpnserver systemd[1]: Starting OpenVPN service...
Oct  1 13:43:52 openvpnserver systemd[1]: Starting OpenVPN connection to server...
Oct  1 13:43:52 openvpnserver systemd[1]: Started OpenVPN service.
Oct  1 13:43:52 openvpnserver ovpn-server[223]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Oct  1 13:43:52 openvpnserver systemd[1]: Failed to start OpenVPN connection to server.
Oct  1 13:55:09 openvpnserver systemd[1]: Stopped OpenVPN service.
Oct  1 13:56:38 openvpnserver systemd[1]: Stopped OpenVPN connection to server.
Oct  1 13:56:38 openvpnserver systemd[1]: Starting OpenVPN connection to server...
Oct  1 13:56:38 openvpnserver ovpn-server[1591]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Oct  1 13:56:38 openvpnserver systemd[1]: Failed to start OpenVPN connection to server.
Oct  1 21:38:17 openvpnserver systemd[1]: Starting OpenVPN connection to server...
Oct  1 21:38:17 openvpnserver systemd[1]: Starting OpenVPN service...
Oct  1 21:38:17 openvpnserver systemd[1]: Started OpenVPN service.
Oct  1 21:38:17 openvpnserver ovpn-server[229]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Oct  1 21:38:17 openvpnserver systemd[1]: Failed to start OpenVPN connection to server.

Did a '/etc/init.d/openvpn restart'  and hard reboots to no avail.

So, the OpenVPN is failing to start - on a fresh install?

I hope you can tell me how to open my eyes and get out of what must be an obvious stupidity on my end...

#5 2016-10-01 20:17:17

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500

I have just checked your Dallas server; your OpenVPN server is not listening for connections on any port, hence:

21:00:47.597985 IP xx-yy-251-162-static.reverse.queryfoundry.net > frank-black: ICMP xx-yy-251-162-static.reverse.queryfoundry.net udp port 9911 unreachable,


Offline
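
Added example (not part of any poster's message): a small shell function that applies the reasoning from posts #2 and #5 to a text-mode tcpdump capture, separating "the server answered with ICMP port unreachable" (nothing bound to that UDP port) from plain silence. The function name and verdict labels are illustrative choices; the sample lines are copied from the capture in post #4.

```sh
#!/bin/sh
# Added example, not from the thread. Classifies a text-mode tcpdump capture
# of an OpenVPN/UDP connection attempt by what came back from the server.

# Usage: classify_udp_probe PORT < capture.txt
# PORT is the port token as tcpdump printed it: "9911", or "openvpn" when
# tcpdump resolved 1194 to its service name, as in the second capture.
classify_udp_probe() {
    awk -v port="$1" '
        # client -> server:  "IP client.sport > server.PORT: UDP, length N"
        $2 == "IP" && $4 == ">" && $5 ~ ("\\." port ":$") && $6 == "UDP," { sent++ }
        # server -> client:  "IP server.PORT > client.sport: UDP, length N"
        $2 == "IP" && $3 ~ ("\\." port "$") && $6 == "UDP," { replies++ }
        # ICMP error:        "... ICMP server udp port PORT unreachable, ..."
        index($0, " ICMP ") && index($0, "udp port " port " unreachable") { refused++ }
        END {
            if (!sent)        print "no-probes"  # capture missed the attempt
            else if (refused) print "closed"     # host up, nothing bound (or a REJECT rule)
            else if (replies) print "answering"  # something on that port is responding
            else              print "silent"     # dropped in transit or wrong IP/port
        }'
}

# Sample input: four lines copied from the capture in post #4.
sample_capture() {
    cat <<'EOF'
21:00:47.431090 IP frank-black.57126 > xx-yy-251-162-static.reverse.queryfoundry.net.9911: UDP, length 54
21:00:47.597985 IP xx-yy-251-162-static.reverse.queryfoundry.net > frank-black: ICMP xx-yy-251-162-static.reverse.queryfoundry.net udp port 9911 unreachable, length 90
21:00:49.945917 IP frank-black.57126 > xx-yy-251-162-static.reverse.queryfoundry.net.9911: UDP, length 54
21:00:50.119452 IP xx-yy-251-162-static.reverse.queryfoundry.net > frank-black: ICMP xx-yy-251-162-static.reverse.queryfoundry.net udp port 9911 unreachable, length 90
EOF
}

sample_capture | classify_udp_probe 9911
```

A "closed" verdict moves the investigation to the server (is the daemon running and bound to the port?), while "silent" points at filtering or addressing between client and server.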

#6 2016-10-01 20:42:57

fxfxfx
Trusted Member
From: Denmark
Registered: 2016-03-04
Posts: 47

Since it is happening on a fresh reinstall, as well as (suddenly) on the old Ubuntu 14.04.5 install, I am stumped as to why it is happening - and only on new Nyr OpenVPN installs. Old ones all run fine - except the one in Sweden that recently got taken down ;)

And I'm stumped about how I can correct it, since it is a fresh install. Starting over won't make much difference. Already did. Plenty.

Any ideas or pointers will be appreciated. Otherwise, I have to wait for sudden and unexpected inspiration :)

Last edited by fxfxfx (2016-10-01 20:43:59)

#7 2016-10-01 21:14:26

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500

I would suggest manually installing it rather than using a script so you can troubleshoot step by step.



#8 2016-10-03 08:33:02

fxfxfx
Trusted Member
From: Denmark
Registered: 2016-03-04
Posts: 47

For the love of..something. Finally found the solution; comment out the LimitNPROC line in /lib/systemd/system/openvpn@.service + reboot.

#9 2016-10-03 10:29:01

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500

Wow, so what was happening? Spawning too many processes and hitting the OOM killer?

