VPN connection issues with GL-A1300

Hi people, I bought a GL-A1300 some months ago to increase the performance of my home LAN. I added this router between the provider router (the first, most external router) and the switch of my LAN. I set up the GL-A1300 with a static IP address. I need to connect to my home LAN from outside across a VPN connection. Even if this router gives me the chance to connect to my home LAN with its VPN, I need to connect to the OpenVPN server application that is running on a PC in my LAN.
So, I opened a new port on my first router and configured a DDNS service on it, then I opened the same port on the second router (GL-A1300) and I set up all configuration files on all systems (the PC with the OpenVPN server and clients like mobile phones and other PCs). When I try to start the VPN connection from outside, the OpenVPN client remains in the “authentication phase” and after several seconds I get “TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)”, after which it retries to start the VPN connection without success!
I think the problem is on my PC; in fact, if I try to start the VPN connection from my phone from outside while the OpenVPN server application is closed, the OpenVPN client remains in the “Waiting for server reply” phase, but if I open the OpenVPN server and then try to reconnect, the application shows me the usual TLS Error message.
I tried to start the VPN connection to the OpenVPN server on my PC while disabling the OpenVPN service of the GL-A1300 router, but nothing changed… Does anyone know how I can solve this problem? Thank you in advance!

When the OpenVPN server on your PC is behind the A1300, which is behind the provider router, you need to set up port forwarding on both the provider router and the A1300 if you access it by DDNS, which only resolves to the public IP address.

I already set up port forwarding on both routers on the same port but the VPN still doesn’t work! DDNS is only configured on the first router (provider router).

What ISP do you have?

My Internet Service Provider is TIM, why?

Do you know if you are allowed to open ports or is CG-NAT in use?

I don’t know. Before I bought the GL-A1300 I used the VPN with the OpenVPN server on my PC without issues… The problem only occurs when adding the GL-A1300 between the router and the switch.

So, after many attempts I can see the following message in the OpenVPN server log:

Sun Dec 24 22:44:52 2023 XX.XX.XX.XX:YYYYY TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec 24 22:44:52 2023 XX.XX.XX.XX:YYYYY TLS Error: TLS handshake failed

In XX.XX.XX.XX I see the IP address of my client device that is trying to connect… This makes me understand that the client reaches the server but for some reason the TLS key negotiation fails.

Now I tried to connect my phone (using the home WLAN) to the OpenVPN server and it works fine. But this does not resolve my problem, because I need to use the VPN from outside.

Do you enable both port forward and DMZ on the A1300?

I enabled port forwarding on the provider router and DMZ on the GL-A1300, but nothing changed…

I tried to install a virtual machine with the OpenVPN server but nothing changes… Any suggestions to solve this problem?

Could you please follow these steps to make it clearer for us what your setup looks like?

Ok, I’ll try to answer the questions to make the situation clearer:

Router model: GL.iNet GL-A1300;
Firmware version: v4.4.6.

This router reaches the Internet across an Ethernet cable connected to the provider router (see the graphic example below).

Provider router model: Technicolor AGHP;
ISP: TIM.

I use the GL-A1300 as a DNS server with AdGuard Home enabled and a static IP address on the OpenVPN server machine.

Thanks for the detailed description.
I suggest you install the RC firmware.
https://dl.gl-inet.com/?model=a1300&type=rc
If there’s still an issue, please export the log, which includes your firewall rule, so that I can look into it.

Hi, I’ve some updates… I tried to replace the machine with the OpenVPN server role, using a virtual machine with a new version of the OpenVPN application, and I changed the client too, but the problem is still present! So, I think it’s neither a server nor a client problem. I thought maybe it might be:

  1. a missing string in some configuration files of OpenVPN server or client;
  2. a missing rule in GL.iNet router;
  3. a missing route from provider router to GL-A1300 router.

In all attempts I added this firewall rule on the OpenVPN server machine:

New-NetFirewallRule -DisplayName "OpenVPN" -Direction inbound -Profile Any -Action Allow -LocalPort 1199 -Protocol UDP

What do you think about it?

This is an example of the client log when I try to connect to the server:

Sun Dec 31 17:46:38 2023   pkcs11_private_mode = 00000000
Sun Dec 31 17:46:38 2023   pkcs11_private_mode = 00000000
Sun Dec 31 17:46:38 2023   pkcs11_private_mode = 00000000
Sun Dec 31 17:46:38 2023   pkcs11_private_mode = 00000000
Sun Dec 31 17:46:38 2023   pkcs11_private_mode = 00000000
Sun Dec 31 17:46:38 2023   pkcs11_private_mode = 00000000
Sun Dec 31 17:46:38 2023   pkcs11_private_mode = 00000000
Sun Dec 31 17:46:38 2023   pkcs11_private_mode = 00000000
Sun Dec 31 17:46:38 2023   pkcs11_private_mode = 00000000
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_cert_private = DISABLED
Sun Dec 31 17:46:38 2023   pkcs11_pin_cache_period = -1
Sun Dec 31 17:46:38 2023   pkcs11_id = '[UNDEF]'
Sun Dec 31 17:46:38 2023   pkcs11_id_management = DISABLED
Sun Dec 31 17:46:38 2023   server_network = 0.0.0.0
Sun Dec 31 17:46:38 2023   server_netmask = 0.0.0.0
Sun Dec 31 17:46:38 2023   server_network_ipv6 = ::
Sun Dec 31 17:46:38 2023   server_netbits_ipv6 = 0
Sun Dec 31 17:46:38 2023   server_bridge_ip = 0.0.0.0
Sun Dec 31 17:46:38 2023   server_bridge_netmask = 0.0.0.0
Sun Dec 31 17:46:38 2023   server_bridge_pool_start = 0.0.0.0
Sun Dec 31 17:46:38 2023   server_bridge_pool_end = 0.0.0.0
Sun Dec 31 17:46:38 2023   ifconfig_pool_defined = DISABLED
Sun Dec 31 17:46:38 2023   ifconfig_pool_start = 0.0.0.0
Sun Dec 31 17:46:38 2023   ifconfig_pool_end = 0.0.0.0
Sun Dec 31 17:46:38 2023   ifconfig_pool_netmask = 0.0.0.0
Sun Dec 31 17:46:38 2023   ifconfig_pool_persist_filename = '[UNDEF]'
Sun Dec 31 17:46:38 2023   ifconfig_pool_persist_refresh_freq = 600
Sun Dec 31 17:46:38 2023   ifconfig_ipv6_pool_defined = DISABLED
Sun Dec 31 17:46:38 2023   ifconfig_ipv6_pool_base = ::
Sun Dec 31 17:46:38 2023   ifconfig_ipv6_pool_netbits = 0
Sun Dec 31 17:46:38 2023   n_bcast_buf = 256
Sun Dec 31 17:46:38 2023   tcp_queue_limit = 64
Sun Dec 31 17:46:38 2023   real_hash_size = 256
Sun Dec 31 17:46:38 2023   virtual_hash_size = 256
Sun Dec 31 17:46:38 2023   client_connect_script = '[UNDEF]'
Sun Dec 31 17:46:38 2023   learn_address_script = '[UNDEF]'
Sun Dec 31 17:46:38 2023   client_disconnect_script = '[UNDEF]'
Sun Dec 31 17:46:38 2023   client_crresponse_script = '[UNDEF]'
Sun Dec 31 17:46:38 2023   client_config_dir = '[UNDEF]'
Sun Dec 31 17:46:38 2023   ccd_exclusive = DISABLED
Sun Dec 31 17:46:38 2023   tmp_dir = 'C:\Users\WTNAME~1\AppData\Local\Temp\'
Sun Dec 31 17:46:38 2023   push_ifconfig_defined = DISABLED
Sun Dec 31 17:46:38 2023   push_ifconfig_local = 0.0.0.0
Sun Dec 31 17:46:38 2023   push_ifconfig_remote_netmask = 0.0.0.0
Sun Dec 31 17:46:38 2023   push_ifconfig_ipv6_defined = DISABLED
Sun Dec 31 17:46:38 2023   push_ifconfig_ipv6_local = ::/0
Sun Dec 31 17:46:38 2023   push_ifconfig_ipv6_remote = ::
Sun Dec 31 17:46:38 2023   enable_c2c = DISABLED
Sun Dec 31 17:46:38 2023   duplicate_cn = DISABLED
Sun Dec 31 17:46:38 2023   cf_max = 0
Sun Dec 31 17:46:38 2023   cf_per = 0
Sun Dec 31 17:46:38 2023   cf_initial_max = 100
Sun Dec 31 17:46:38 2023   cf_initial_per = 10
Sun Dec 31 17:46:38 2023   max_clients = 1024
Sun Dec 31 17:46:38 2023   max_routes_per_client = 256
Sun Dec 31 17:46:38 2023   auth_user_pass_verify_script = '[UNDEF]'
Sun Dec 31 17:46:38 2023   auth_user_pass_verify_script_via_file = DISABLED
Sun Dec 31 17:46:38 2023   auth_token_generate = DISABLED
Sun Dec 31 17:46:38 2023   auth_token_lifetime = 0
Sun Dec 31 17:46:38 2023   auth_token_secret_file = '[UNDEF]'
Sun Dec 31 17:46:38 2023   vlan_tagging = DISABLED
Sun Dec 31 17:46:38 2023   vlan_accept = all
Sun Dec 31 17:46:38 2023   vlan_pvid = 1
Sun Dec 31 17:46:38 2023   client = ENABLED
Sun Dec 31 17:46:38 2023   pull = ENABLED
Sun Dec 31 17:46:38 2023   auth_user_pass_file = '[UNDEF]'
Sun Dec 31 17:46:38 2023   show_net_up = DISABLED
Sun Dec 31 17:46:38 2023   route_method = 3
Sun Dec 31 17:46:38 2023   block_outside_dns = DISABLED
Sun Dec 31 17:46:38 2023   ip_win32_defined = DISABLED
Sun Dec 31 17:46:38 2023   ip_win32_type = 1
Sun Dec 31 17:46:38 2023   dhcp_masq_offset = 0
Sun Dec 31 17:46:38 2023   dhcp_lease_time = 31536000
Sun Dec 31 17:46:38 2023   tap_sleep = 0
Sun Dec 31 17:46:38 2023   dhcp_options = 0x00000000
Sun Dec 31 17:46:38 2023   dhcp_renew = DISABLED
Sun Dec 31 17:46:38 2023   dhcp_pre_release = DISABLED
Sun Dec 31 17:46:38 2023   domain = '[UNDEF]'
Sun Dec 31 17:46:38 2023   netbios_scope = '[UNDEF]'
Sun Dec 31 17:46:38 2023   netbios_node_type = 0
Sun Dec 31 17:46:38 2023   disable_nbt = DISABLED
Sun Dec 31 17:46:38 2023 OpenVPN 2.6.8 [git:v2.6.8/3f1d8576cc178fe3] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Nov 17 2023
Sun Dec 31 17:46:38 2023 Windows version 10.0 (Windows 10 or greater), x86 executable running on (unknown) host
Sun Dec 31 17:46:38 2023 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Sun Dec 31 17:46:38 2023 DCO version: 1.0.0
Sun Dec 31 17:46:38 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:24622
Sun Dec 31 17:46:38 2023 Need hold release from management interface, waiting...
Sun Dec 31 17:46:39 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:57279
Sun Dec 31 17:46:39 2023 MANAGEMENT: CMD 'state on'
Sun Dec 31 17:46:39 2023 MANAGEMENT: CMD 'log on all'
Sun Dec 31 17:46:39 2023 MANAGEMENT: CMD 'echo on all'
Sun Dec 31 17:46:39 2023 MANAGEMENT: CMD 'bytecount 5'
Sun Dec 31 17:46:39 2023 MANAGEMENT: CMD 'state'
Sun Dec 31 17:46:39 2023 MANAGEMENT: CMD 'hold off'
Sun Dec 31 17:46:39 2023 MANAGEMENT: CMD 'hold release'
Sun Dec 31 17:46:39 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 31 17:46:39 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 31 17:46:39 2023 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Sun Dec 31 17:46:39 2023 MANAGEMENT: >STATE:1576127504,RESOLVE,,,,,,
Sun Dec 31 17:46:39 2023 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Sun Dec 31 17:46:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1199
Sun Dec 31 17:46:39 2023 ovpn-dco device [OpenVPN Data Channel Offload] opened
Sun Dec 31 17:46:39 2023 UDPv4 link local: (not bound)
Sun Dec 31 17:46:39 2023 UDPv4 link remote: [AF_INET]11.22.33.44:1199
Sun Dec 31 17:46:39 2023 MANAGEMENT: >STATE:1576127504,WAIT,,,,,,
Sun Dec 31 17:46:40 2023 MANAGEMENT: >STATE:1576127505,AUTH,,,,,,
Sun Dec 31 17:46:40 2023 TLS: Initial packet from [AF_INET]11.22.33.44:1199, sid=c9f7ccd5 9fe2a567
Sun Dec 31 17:47:40 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec 31 17:47:40 2023 TLS Error: TLS handshake failed
Sun Dec 31 17:47:40 2023 Closing DCO interface
Sun Dec 31 17:47:40 2023 SIGUSR1[soft,tls-error] received, process restarting
Sun Dec 31 17:47:40 2023 MANAGEMENT: >STATE:1576127565,RECONNECTING,tls-error,,,,,
Sun Dec 31 17:47:40 2023 Restart pause, 1 second(s)
Sun Dec 31 17:47:41 2023 Re-using SSL/TLS context
Sun Dec 31 17:47:41 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 31 17:47:41 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 31 17:47:41 2023 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Sun Dec 31 17:47:41 2023 MANAGEMENT: >STATE:1576127566,RESOLVE,,,,,,
Sun Dec 31 17:47:41 2023 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Sun Dec 31 17:47:41 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1199
Sun Dec 31 17:47:41 2023 ovpn-dco device [OpenVPN Data Channel Offload] opened
Sun Dec 31 17:47:41 2023 UDPv4 link local: (not bound)
Sun Dec 31 17:47:41 2023 UDPv4 link remote: [AF_INET]11.22.33.44:1199
Sun Dec 31 17:47:41 2023 MANAGEMENT: >STATE:1576127566,WAIT,,,,,,
Sun Dec 31 17:47:41 2023 MANAGEMENT: >STATE:1576127566,AUTH,,,,,,
Sun Dec 31 17:47:41 2023 TLS: Initial packet from [AF_INET]11.22.33.44:1199, sid=e0156c02 4725b724
Sun Dec 31 17:48:41 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec 31 17:48:41 2023 TLS Error: TLS handshake failed
Sun Dec 31 17:48:41 2023 Closing DCO interface
Sun Dec 31 17:48:41 2023 SIGUSR1[soft,tls-error] received, process restarting
Sun Dec 31 17:48:41 2023 MANAGEMENT: >STATE:1576127626,RECONNECTING,tls-error,,,,,
Sun Dec 31 17:48:41 2023 Restart pause, 1 second(s)
Sun Dec 31 17:48:42 2023 Re-using SSL/TLS context
Sun Dec 31 17:48:42 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 31 17:48:42 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 31 17:48:42 2023 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Sun Dec 31 17:48:42 2023 MANAGEMENT: >STATE:1576127627,RESOLVE,,,,,,
Sun Dec 31 17:48:42 2023 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Sun Dec 31 17:48:42 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1199
Sun Dec 31 17:48:42 2023 ovpn-dco device [OpenVPN Data Channel Offload] opened
Sun Dec 31 17:48:42 2023 UDPv4 link local: (not bound)
Sun Dec 31 17:48:42 2023 UDPv4 link remote: [AF_INET]11.22.33.44:1199
Sun Dec 31 17:48:42 2023 MANAGEMENT: >STATE:1704041322,WAIT,,,,,,
Sun Dec 31 17:48:42 2023 MANAGEMENT: >STATE:1704041322,AUTH,,,,,,
Sun Dec 31 17:48:42 2023 TLS: Initial packet from [AF_INET]11.22.33.44:1199, sid=7c8f6057 11b79541

I take this opportunity to wish everyone a happy new year!

Happy new year!

Caused by this most likely.
You can verify if the connection is established by running this command on the A1300:

cat /proc/net/nf_conntrack|grep 1199

If it prints nothing, then the traffic does not even reach the A1300.
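An added example, not from the thread, that extends the conntrack check above: besides "nothing printed" (traffic never reaches the router), a flow for the OpenVPN port can show up as [UNREPLIED], which means the client's packets did arrive at the A1300 but no server reply ever went back through it. The function reads /proc/net/nf_conntrack format from stdin; the sample entries are constructed, and the 192.168.8.x addresses and port 1199 are assumptions.

```shell
#!/bin/sh
# Classify conntrack entries for a UDP port: none | unreplied | established.
# On the router:  conntrack_state 1199 < /proc/net/nf_conntrack
conntrack_state() {
    port="$1"
    hits=0
    replied=0
    while IFS= read -r line; do
        # Keep only UDP flows whose original direction targets our port.
        # The trailing space stops "dport=1199" from matching "dport=11990".
        case "$line" in
            *"udp"*" dport=$port "*) ;;
            *) continue ;;
        esac
        hits=$((hits + 1))
        # [UNREPLIED] marks a flow where the reply direction was never seen.
        case "$line" in
            *"[UNREPLIED]"*) ;;
            *) replied=$((replied + 1)) ;;
        esac
    done
    if [ "$hits" -eq 0 ]; then
        echo none          # no packet for this port reached the router
    elif [ "$replied" -eq 0 ]; then
        echo unreplied     # client packets arrived, server answer never returned
    else
        echo established   # at least one two-way flow exists
    fi
}

# Constructed sample entries (not real captures) in /proc/net/nf_conntrack format.
SAMPLE_ONE_WAY='ipv4     2 udp      17 28 src=198.51.100.7 dst=192.168.8.10 sport=51234 dport=1199 [UNREPLIED] src=192.168.8.10 dst=198.51.100.7 sport=1199 dport=51234 mark=0 use=1'
SAMPLE_TWO_WAY='ipv4     2 udp      17 179 src=198.51.100.7 dst=192.168.8.10 sport=51234 dport=1199 src=192.168.8.10 dst=198.51.100.7 sport=1199 dport=51234 [ASSURED] mark=0 use=1'
SAMPLE_OTHER='ipv4     2 udp      17 29 src=192.168.8.100 dst=192.168.8.1 sport=41000 dport=53 src=192.168.8.1 dst=192.168.8.100 sport=53 dport=41000 mark=0 use=1'

# Offline demo run over the constructed samples instead of the live table.
demo() {
    printf '%s\n' "$SAMPLE_OTHER" "$SAMPLE_ONE_WAY" | conntrack_state 1199
}
```

An "unreplied" result points at the return path (server firewall, server default gateway, or the A1300 NAT) rather than at the provider router's forwarding.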

Hi, thank you for your suggestion. The command prints nothing! Maybe we are getting to the solution of the problem… If the traffic doesn’t reach the GL-A1300, how can I resolve this issue? I think it’s impossible to add any routes on the provider router…

This is an example of my network with IP addresses:

Can you screenshot the port forward rules of the A1300 and the provider router?
Please also turn off DMZ on the A1300, which will override its port forward rules.

This is not needed.