On Wednesday, 8 March 2023 18:30:55 GMT Dale wrote:

> It starts at about 13:54. It seems to try to reconnect but can't. I got this
> by using tail -n and then grep openvpn on the end.
>
>
> Mar 1 13:53:32 fireball openvpn[27908]: [us-hou-v029.prod.surfshark.com] Inactivity timeout (--ping-restart), restarting
> Mar 1 13:53:32 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500 1584 10.8.8.9 255.255.255.0 restart
> Mar 1 13:53:32 fireball openvpn[27908]: SIGUSR1[soft,ping-restart] received, process restarting
> Mar 1 13:53:32 fireball openvpn[27908]: Restart pause, 5 second(s)
> Mar 1 13:53:37 fireball openvpn[27908]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
> Mar 1 13:53:37 fireball openvpn[27908]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> Mar 1 13:53:37 fireball openvpn[27908]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> Mar 1 13:53:37 fireball openvpn[27908]: TCP/UDP: Preserving recently used remote address: [AF_INET]37.19.221.71:1194
> Mar 1 13:53:37 fireball openvpn[27908]: Socket Buffers: R=[212992->425984] S=[212992->425984]
> Mar 1 13:53:37 fireball openvpn[27908]: UDP link local: (not bound)
> Mar 1 13:53:37 fireball openvpn[27908]: UDP link remote: [AF_INET]37.19.221.71:1194
> Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Here's your problem ^^^

> Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS handshake failed

This is your error.

> Mar 1 13:54:37 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500 1653 10.8.8.9 255.255.255.0 restart
> Mar 1 13:54:37 fireball openvpn[27908]: SIGUSR1[soft,tls-error] received, process restarting
> Mar 1 13:54:37 fireball openvpn[27908]: Restart pause, 5 second(s)
> Mar 1 13:54:42 fireball openvpn[27908]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
> Mar 1 13:54:42 fireball openvpn[27908]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> Mar 1 13:54:42 fireball openvpn[27908]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> Mar 1 13:54:42 fireball openvpn[27908]: TCP/UDP: Preserving recently used remote address: [AF_INET]107.179.20.179:1194
> Mar 1 13:54:42 fireball openvpn[27908]: Socket Buffers: R=[212992->425984] S=[212992->425984]
> Mar 1 13:54:42 fireball openvpn[27908]: UDP link local: (not bound)
> Mar 1 13:54:42 fireball openvpn[27908]: UDP link remote: [AF_INET]107.179.20.179:1194
> Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS handshake failed

Have a look here for suggestions:

https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/


> The weird thing, I can stop openvpn, then start it again just seconds later
> and it works fine for a good long while.

Right, the problem is with renegotiating a connection, after it times out and
it fails to agree TLS keys. I seem to recall a bug with this, but I think it
would/should have been fixed by now.


> I got this config file from Surfshark. I think it's public so I guess
> there's no harm posting as is.
>
>
> client
> dev tun
> proto udp
> remote us-hou.prod.surfshark.com 1194
> resolv-retry infinite
> remote-random
> nobind
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1450
> persist-key
> persist-tun
> ping 15
> ping-restart 0
> ping-timer-rem
> reneg-sec 0
>
> remote-cert-tls server
>
> auth-user-pass /etc/openvpn/login.conf
> mute-replay-warnings
>
> #comp-lzo
> verb 3
> pull
> fast-io
> cipher AES-256-CBC
>
> auth SHA512
>
>
> I don't see anything about DNS/nameserver/resolv.conf there but I may be
> missing it. When I tried to add that detail, it refused to start at all
> and puked on my keyboard. It was very unhappy with me telling it what DNS
> IP to use. That up script it runs is pretty complicated looking. I'm kinda
> nervous about messing with it.

There is no DNS problem at all. The problem is related to your client
renegotiating keys to encrypt the tunnel with and failing to do so. Have a
look at the above URL and see if any of the solutions suggested there points
you in the right direction.
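Detection logic for the pattern the reply points at (a restart whose reconnect never completes the TLS handshake, repeated against different remotes), as an added Python example that is not part of the thread. The sample log is constructed from the lines quoted above, and the year 2023 is an assumption supplied because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the openvpn syslog lines quoted in the thread, unwrapped
# and trimmed to the events that matter for the diagnosis.
SAMPLE_LOG = """\
Mar  1 13:53:32 fireball openvpn[27908]: SIGUSR1[soft,ping-restart] received, process restarting
Mar  1 13:53:37 fireball openvpn[27908]: UDP link remote: [AF_INET]37.19.221.71:1194
Mar  1 13:54:37 fireball openvpn[27908]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar  1 13:54:37 fireball openvpn[27908]: TLS Error: TLS handshake failed
Mar  1 13:54:37 fireball openvpn[27908]: SIGUSR1[soft,tls-error] received, process restarting
Mar  1 13:54:42 fireball openvpn[27908]: UDP link remote: [AF_INET]107.179.20.179:1194
Mar  1 13:55:42 fireball openvpn[27908]: TLS Error: TLS handshake failed
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ openvpn\[\d+\]: (?P<msg>.*)$")
RESTART_RE = re.compile(r"SIGUSR1\[soft,(?P<reason>[^\]]+)\] received")
REMOTE_RE = re.compile(r"UDP link remote: \[AF_INET\](?P<addr>[\d.]+:\d+)")

def parse_restart_cycles(text, year=2023):
    """Split the log into restart cycles: each opens on a SIGUSR1 restart and records
    why, which remote it reconnected to and when (if) the TLS handshake then failed."""
    cycles = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an openvpn line
        # syslog timestamps carry no year, so the caller supplies one (assumed 2023 here)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        msg = m.group("msg")
        if r := RESTART_RE.search(msg):
            cycles.append({"start": ts, "reason": r.group("reason"), "remote": None, "failed_at": None})
        elif not cycles:
            continue  # events before the first restart belong to no cycle
        elif a := REMOTE_RE.search(msg):
            cycles[-1]["remote"] = a.group("addr")
        elif "TLS handshake failed" in msg:
            cycles[-1]["failed_at"] = ts
    return cycles

def diagnose(cycles):
    """Flag the pattern from the thread: reconnects after a restart that never finish
    the TLS handshake, even though each attempt lands on a different remote."""
    failed = [c for c in cycles if c["failed_at"]]
    return {
        "tls_failures": len(failed),
        "distinct_remotes_failed": len({c["remote"] for c in failed if c["remote"]}),
        "handshake_wait_s": [int((c["failed_at"] - c["start"]).total_seconds()) for c in failed],
        "verdict": "tls-renegotiation-loop" if len(failed) >= 2 else "ok",
    }
```

On the sample, `handshake_wait_s` comes out as 65 seconds per cycle, which is the 5 second restart pause plus the 60 second TLS key negotiation window visible in the log.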