
I set up OpenVPN for my service server. Everything is fine in the test environment, but when I deploy, I see that a large number of users get errors:

```
Tue Jun 14 08:35:05 2022 us=6947 xxx.xxx.xxx.xxx:8891 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jun 14 08:35:05 2022 us=7024 xxx.xxx.xxx.xxx:8891 TLS Error: TLS handshake failed
Tue Jun 14 08:35:05 2022 us=7134 xxx.xxx.xxx.xxx:8891 SIGUSR1[soft,tls-error] received, client-instance restarting
```

After the problem occurs, I see that some users can connect again, but most of the users who fail to connect have one thing in common: they are from countries like Algeria, Yemen and Brazil. I have tried many solutions, such as switching to TCP or changing to other ports, but the number of users with the above problem is still very large and none of the solutions really work. This is my server config:

```
port 1194
proto udp6
dev tun
user root
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.8.0.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
duplicate-cn
max-clients 3000
crl-verify crl.pem
ca ca.crt
cert server_YUi76qUq8Yad4OM7.crt
key server_YUi76qUq8Yad4OM7.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log-append /var/log/openvpn/vpn.log
management localhost xxxx
verb 4
script-security 3
down-pre
up /etc/openvpn/tc.sh
down /etc/openvpn/tc.sh
client-connect /etc/openvpn/tc.sh
client-disconnect /etc/openvpn/tc.sh
```

and this is the client's:

```
client
proto udp
explicit-exit-notify
remote xxx.xxx.xxx.xxx 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_YUi76qUq8Yad4OM7 name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
```

van nguyen
  • To troubleshoot, the following is required: change protocol to TCP, client's config to `verb 5`, and both the client and server log. **`root` should _never_ be the user or group**, it should always be `user nobody`, `group nogroup`, else if the OpenVPN server is ever compromised _(server itself, not the physical machine)_, the attacker has immediate `root` privileges _(it's also why it's recommended to configure a chroot for an OpenVPN server, however this isn't usually feasible on routers unless they have >60MB+ for the firmware partition since it requires ~10MB of storage for the chroot)_. – JW0914 Jun 17 '22 at 13:49
  • _(Cont'd...)_ It's also insecure to use `duplicate-cn` - is there a specific reason for using this over individualized [SAN](https://superuser.com/a/1618151/529800)s? – JW0914 Jun 17 '22 at 13:59
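To see how the failures in the question are distributed by source before changing the server config, here is an added example (not from the question, the commenter, or OpenVPN itself) that parses the verb 4 server log format quoted above and tallies failed TLS negotiations and successful sessions per peer address. The sample lines and the RFC 5737 documentation addresses standing in for the masked `xxx.xxx.xxx.xxx` are constructed.

```python
import re
from collections import defaultdict

# Matches the verb-4 server log format quoted in the question:
# "<weekday> <mon> <day> <HH:MM:SS> <year> us=<usec> <peer>:<port> <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) us=\d+ "
    r"(?P<peer>\S+):(?P<port>\d+) (?P<msg>.*)$"
)

def parse_line(line):
    """Return ts/peer/port/msg for one server log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarize_tls(lines):
    """Per peer IP: failed handshakes, how many of those were the 60 s timeout, and
    successful sessions. One failure is counted per 'SIGUSR1[soft,tls-error]' restart;
    the 'TLS handshake failed' line is the same event reported again, so it is skipped."""
    stats = defaultdict(lambda: {"failed": 0, "timeout": 0, "ok": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg, peer = rec["msg"], rec["peer"]
        if "SIGUSR1[soft,tls-error]" in msg:
            stats[peer]["failed"] += 1
        elif "TLS key negotiation failed to occur" in msg:
            stats[peer]["timeout"] += 1
        elif "Peer Connection Initiated" in msg:
            stats[peer]["ok"] += 1
    return dict(stats)

def failure_rate(entry):
    """Share of handshake attempts by this peer that failed (0.0 if none attempted)."""
    attempts = entry["failed"] + entry["ok"]
    return entry["failed"] / attempts if attempts else 0.0

# Constructed sample: the question's excerpt with RFC 5737 documentation addresses
# standing in for the masked xxx.xxx.xxx.xxx, plus one successful session.
SAMPLE_LOG = """\
Tue Jun 14 08:35:05 2022 us=6947 203.0.113.10:8891 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jun 14 08:35:05 2022 us=7024 203.0.113.10:8891 TLS Error: TLS handshake failed
Tue Jun 14 08:35:05 2022 us=7134 203.0.113.10:8891 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Jun 14 08:36:12 2022 us=1201 198.51.100.7:41002 [client7] Peer Connection Initiated with [AF_INET]198.51.100.7:41002
Tue Jun 14 08:37:40 2022 us=8810 198.51.100.7:41003 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jun 14 08:37:40 2022 us=8901 198.51.100.7:41003 TLS Error: TLS handshake failed
Tue Jun 14 08:37:40 2022 us=8990 198.51.100.7:41003 SIGUSR1[soft,tls-error] received, client-instance restarting
"""
```

Run `summarize_tls(open("/var/log/openvpn/vpn.log").readlines())` against the real log and sort by `failure_rate` to see whether the timeouts cluster on particular peers or networks rather than being spread evenly.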
