VPN-client: TLS Error: handshake failed (Slate)

Hello,

I’m using the 750S (Slate, 3.009) and trying to establish a VPN connection to my Raspberry Pi running an OpenVPN server. The Raspberry works well with other VPN clients.

The first problem I had to solve was askpass, which I had to add to the ovpn file I got from my Raspberry Pi because on the Slate I had no way to enter the password I had chosen. Solved.

Now I get the following error messages:

Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET6]2003:d7:b7ff:22df:3631:c4ff:fe49:ef07:11941
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDP link local: (not bound)
UDP link remote: [AF_INET6]2003:d7:b7ff:22df:3631:c4ff:fe49:ef07:11941

and

TLS Error: TLS handshake failed
SIGHUP[soft,tls-error] received, process restarting
OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
Restart pause, 5 second(s)

Do you have any idea what I have to do now, please?

Thanks
Michael

Did you try the configuration file on your PC directly? You can use the OpenVPN client to do that. We just need to confirm first that the configuration file is available.

I used the OpenVPN client on my smartphone. It works well using the ovpn file that the Slate imported. I can use it over the mobile network, over the WLAN of my home router and over the WLAN of the Slate (when the Slate is connected without its own VPN).

Could you please check your OpenVPN key or certificate to see whether any line begins with the letter “u”? There is a bug with that in old firmware, which we have fixed.

There seems to be no line beginning like that in the ovpn file. I cut off the key lines.

client
askpass
dev tun
proto udp
remote xxxxxxxxxxxxxxxz.net 11941
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_IizLxxxxxcccylCRZ name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB3TCCAWKgAw
CENoYW5nZU
A1UEAw
IQBH6
bz27U
HQ4EFgQU6B
cTLy2
DAY
lF96xue7ps
AKq0LzGIO2
Rg==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB9DCCAXugAwIB
MA8GA1UEAww
WjARMQ8
w7XCTBqHhV5+R
7cvrPOyxiW
gZEwCQY
VR0jBDwwOo
YW5nZU1l
AgeAMAoG
IgxWUWizjSqIqtrbonTQiY
VuAwh+a3RR/KRzq35
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBEzBOBgkq
MAwGCCqGSIb3
eX/gOZLKZLdBJjyr
nXFgoCMsoiAS
d59o/RSW4rPTnB
ar2CqdlnuF6GfmY7
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
763eee8
b275a7
72062
f6bef
b90af5
5e8b1
09d1
8f5f
7476
8ac
0891
908
96196
1bb
a83fb0
fd164
-----END OpenVPN Static key V1-----
</tls-crypt>
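The check the support reply above asks for (any key or certificate line beginning with “u”) can be run locally without printing or sharing any key material. The script below is an added example, not part of the original posts or the vendor's tooling; the function names `scan_ovpn` and `write_sample` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the vendor's or the poster's code).
# scan_ovpn FILE: for each inline block print its line count and the file line
# numbers of lines that begin with "u". Key material itself is never printed.
scan_ovpn() {
    awk '
        blk != "" && /^<\/(ca|cert|key|tls-crypt|tls-auth)>/ {   # closing tag
            printf "%s lines=%d u_lines=%s\n", blk, n, (hits == "" ? "none" : hits)
            blk = ""; next
        }
        blk == "" && /^<(ca|cert|key|tls-crypt|tls-auth)>/ {     # opening tag
            blk = substr($0, 2, index($0, ">") - 2); n = 0; hits = ""; next
        }
        blk != "" {                                              # inside a block
            n++
            if (substr($0, 1, 1) == "u") hits = hits (hits == "" ? "" : ",") NR
            next
        }
        $1 == "askpass" { askpass = 1 }
        END {
            # A block with no closing tag swallows the rest of the file.
            if (blk != "") printf "%s UNTERMINATED\n", blk
            print "askpass=" (askpass ? "yes" : "no")
        }
    ' "$1"
}

# Constructed sample: placeholder text stands in for the base64/hex lines.
write_sample() {
    cat > "$1" <<'EOF'
client
askpass
dev tun
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTEDca0001
uCONSTRUCTEDca0002
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0123abcd
EOF
}

sample=$(mktemp)
write_sample "$sample"
scan_ovpn "$sample"
rm -f "$sample"
```

Run against a real file as `scan_ovpn client.ovpn`; the output contains only block names, counts and line numbers, so it can be pasted into a support thread.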

If possible, could you please PM me your configuration file and password so that we can debug it?

We have tried connecting to a 3rd-party VPN server and setting up an OpenVPN server on Ubuntu without any problem.

Is there maybe another way to debug the device? I’m sceptical about giving out the configuration file and the password. The device is new and not changed. The Raspberry Pi with the OpenVPN server was installed with piVPN.

Some users have used piVPN before; it works when they add askpass in the OpenVPN configuration file.

askpass was already inserted, 2nd line.

If everything is fine, it should work, but it says TLS handshake failed, not sure what’s wrong.

If you don’t want to send the configuration file to someone, you can debug it yourself. You can upload the VPN configuration file to the router via WinSCP and start OpenVPN manually to see if it works.

The addressed server was redirected by xxx.myfritz.net. I changed that to no-ip.com. Now it works. Strange, because a different device that uses the same ovpn-config works.

Maybe the router cannot resolve the domain, or something is wrong with it.

I don’t think so. When logged in to the Slate, the smartphone connects to myfritz.net without problems and is forwarded to my Raspberry Pi. An OpenVPN server runs on the Raspberry Pi.