LinuxQuestions.org
Old 11-15-2010, 12:56 AM   #1
tquang
Member
 
Registered: Jul 2010
Posts: 44

Rep: Reputation: 0
OpenVPN Site-to-Site TLS problem unestablish


Before posting a new question, I found and read http://readthefuckingmanual.net/error/383/
However, it was not useful for me.

I'm building a Site-to-Site VPN secured by TLS [Virtual Machine].

Quote:
Originally Posted by My Server A
WAN: 192.168.1.20
LAN: 172.16.0.20
File config below
Code:
local 192.168.1.20
dev tun
port 1194
proto udp
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server1.crt
key /etc/openvpn/keys/server1.key
dh /etc/openvpn/keys/dh1024.pem
tls-server
ifconfig 192.168.3.20 192.168.3.21
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3
Quote:
Originally Posted by My Server B
WAN: 192.168.2.21
LAN: 10.0.0.21
File config below
Code:
client
local 192.168.2.21
remote 192.168.1.20
dev tun
port 1194
proto udp
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server2.crt
key /etc/openvpn/keys/server2.key
tls-client
ifconfig 192.168.3.21 192.168.3.20
push "route 172.16.0.0 255.255.255.0"
route 172.16.0.0 255.255.255.0
keepalive 10 120
nobind
persist-key
persist-tun
comp-lzo
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3
======================
It does not connect, and gives these errors:

Quote:
Originally Posted by My Server A
Mon Nov 15 13:53:51 2010 TLS Error: Unroutable control packet received from 192.168.2.21:42845 (si=3 op=P_CONTROL_V1)
Quote:
Originally Posted by My Server B
Mon Nov 15 13:53:44 2010 Local Options hash (VER=V4): '41690919'
Mon Nov 15 13:53:44 2010 Expected Remote Options hash (VER=V4): '530fdded'
Mon Nov 15 13:53:44 2010 UDPv4 link local: 192.168.2.21
Mon Nov 15 13:53:44 2010 UDPv4 link remote: 192.168.1.20:1194
Mon Nov 15 13:53:44 2010 TLS: Initial packet from 192.168.1.20:1194, sid=1cc61bfa c0fe7994
Mon Nov 15 13:53:44 2010 VERIFY OK: depth=1, /C=VN/ST=TQuang/L=Saigon/O=TQuang/OU=TQuang/CN=server/emailAddress=phungthanhquang@gmail.com
Mon Nov 15 13:53:44 2010 VERIFY OK: depth=0, /C=VN/ST=TQuang/O=TQuang/OU=TQuang/CN=centos.vps/emailAddress=phungthanhquang@gmail.com
Mon Nov 15 13:54:44 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Nov 15 13:54:44 2010 TLS Error: TLS handshake failed
Mon Nov 15 13:54:44 2010 TCP/UDP: Closing socket
Mon Nov 15 13:54:44 2010 SIGUSR1[soft,tls-error] received, process restarting
Mon Nov 15 13:54:44 2010 Restart pause, 2 second(s)
Mon Nov 15 13:54:46 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Nov 15 13:54:46 2010 Re-using SSL/TLS context
Mon Nov 15 13:54:46 2010 LZO compression initialized
Mon Nov 15 13:54:46 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Nov 15 13:54:46 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
 
Old 11-15-2010, 01:25 AM   #2
tquang
Member
 
Registered: Jul 2010
Posts: 44

Original Poster
Rep: Reputation: 0
Thank you for reading this thread. I have fixed it.

Recheck the steps to create/generate the KEY and CA. Thanks!

SOLVED

=========
Here is my mistake:
Code:
#Create the CA [this step produces 2 files: ca.crt ca.key]
./build-ca

#Create Server Certificate (server1)
./build-key-server server1

#Create Client Certificate (server2): note that this step differs slightly from the one above, because the one above is for the CA
./build-key-server server2
The steps above are wrong; the correct ones are:
Code:
#Create the CA [this step produces 2 files: ca.crt ca.key]
./build-ca

#Create Server Certificate (server1)
./build-key-server server1

#Create Client Certificate (server2): note that this step differs slightly from the one above, because the one above is for the CA
./build-key server2
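
Added example, not part of the original posts: the correction above comes down to which script issued each certificate, and this sketch reads that role back out of a certificate before it is deployed. The scratch PKI, the subjects and the EKU-only extension files are constructed assumptions (real easy-rsa profiles may set more), and `cert_role`, `make_demo_pki` and `check_pair` are hypothetical helper names.

```sh
#!/bin/sh
# Added example (not from the thread). Names, subjects and the EKU-only
# extension files are constructed; real easy-rsa profiles may set more.

# cert_role FILE -> prints server | client | both | none, read from the
# Extended Key Usage or the older Netscape Cert Type extension.
cert_role() (
    text=$(openssl x509 -in "$1" -noout -text) || exit 1
    s=0; c=0
    printf '%s\n' "$text" | grep -Eq 'TLS Web Server Authentication|SSL Server' && s=1
    printf '%s\n' "$text" | grep -Eq 'TLS Web Client Authentication|SSL Client' && c=1
    case "$s$c" in
        10) echo server ;;
        01) echo client ;;
        11) echo both ;;
        *)  echo none ;;
    esac
)

# make_demo_pki DIR: throwaway CA, then server1 (issued as a server)
# and server2 (issued as a client), mirroring the corrected steps.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    for pair in server1:serverAuth server2:clientAuth; do
        n=${pair%%:*}
        printf 'extendedKeyUsage=%s\n' "${pair##*:}" > "$d/$n.ext"
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -extfile "$d/$n.ext" \
            -out "$d/$n.crt" >/dev/null 2>&1 || return 1
    done
}

# check_pair SERVER_CRT CLIENT_CRT -> 0 only when each end holds the right kind
check_pair() {
    [ "$(cert_role "$1")" = server ] || { echo "$1: not a server certificate"; return 1; }
    [ "$(cert_role "$2")" = client ] || { echo "$2: not a client certificate"; return 1; }
    echo "certificate roles OK"
}

tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
check_pair "$tmp/server1.crt" "$tmp/server2.crt"           # corrected steps
check_pair "$tmp/server1.crt" "$tmp/server1.crt" || true   # client end holding a server-type cert
```

On the real hosts, `cert_role /etc/openvpn/keys/server2.crt` gives the same answer for the deployed file. A peer only enforces the role when an option such as `remote-cert-tls server` is set, which is one of the methods the "No server certificate verification method has been enabled" warning in Server B's log asks for.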
 
  

