Gentoo Archives: gentoo-user

From: Michael <confabulate@××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Setting a fixed nameserver for openvpn
Date: Wed, 08 Mar 2023 20:33:39
Message-Id: 2275878.ElGaqSPkdT@lenovo.localdomain
In Reply to: Re: [gentoo-user] Setting a fixed nameserver for openvpn by Dale
On Wednesday, 8 March 2023 18:30:55 GMT Dale wrote:

> It starts at about 13:54. It seems to try to reconnect but can't. I got this
> by using tail -n and then grep openvpn on the end.
>
>
> Mar 1 13:53:32 fireball openvpn[27908]:
> [us-hou-v029.prod.surfshark.com] Inactivity timeout (--ping-restart),
> restarting
> Mar 1 13:53:32 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500
> 1584 10.8.8.9 255.255.255.0 restart
> Mar 1 13:53:32 fireball openvpn[27908]: SIGUSR1[soft,ping-restart]
> received, process restarting
> Mar 1 13:53:32 fireball openvpn[27908]: Restart pause, 5 second(s)
> Mar 1 13:53:37 fireball openvpn[27908]: NOTE: the current
> --script-security setting may allow this configuration to call
> user-defined scripts
> Mar 1 13:53:37 fireball openvpn[27908]: Outgoing Control Channel
> Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> Mar 1 13:53:37 fireball openvpn[27908]: Incoming Control Channel
> Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> Mar 1 13:53:37 fireball openvpn[27908]: TCP/UDP: Preserving recently
> used remote address: [AF_INET]37.19.221.71:1194
> Mar 1 13:53:37 fireball openvpn[27908]: Socket Buffers:
> R=[212992->425984] S=[212992->425984]
> Mar 1 13:53:37 fireball openvpn[27908]: UDP link local: (not bound)
> Mar 1 13:53:37 fireball openvpn[27908]: UDP link remote:
> [AF_INET]37.19.221.71:1194
> Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS key negotiation
> failed to occur within 60 seconds (check your network connectivity)

Here's your problem ^^^

> Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS handshake failed

This is your error.


> Mar 1 13:54:37 fireball openvpn[27908]: /etc/openvpn/down.sh tun0 1500
> 1653 10.8.8.9 255.255.255.0 restart
> Mar 1 13:54:37 fireball openvpn[27908]: SIGUSR1[soft,tls-error]
> received, process restarting
> Mar 1 13:54:37 fireball openvpn[27908]: Restart pause, 5 second(s)
> Mar 1 13:54:42 fireball openvpn[27908]: NOTE: the current
> --script-security setting may allow this configuration to call
> user-defined scripts
> Mar 1 13:54:42 fireball openvpn[27908]: Outgoing Control Channel
> Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> Mar 1 13:54:42 fireball openvpn[27908]: Incoming Control Channel
> Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> Mar 1 13:54:42 fireball openvpn[27908]: TCP/UDP: Preserving recently
> used remote address: [AF_INET]107.179.20.179:1194
> Mar 1 13:54:42 fireball openvpn[27908]: Socket Buffers:
> R=[212992->425984] S=[212992->425984]
> Mar 1 13:54:42 fireball openvpn[27908]: UDP link local: (not bound)
> Mar 1 13:54:42 fireball openvpn[27908]: UDP link remote:
> [AF_INET]107.179.20.179:1194
> Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS key negotiation
> failed to occur within 60 seconds (check your network connectivity)
> Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS handshake failed

Have a look here for suggestions:

https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/


> The weird thing, I can stop openvpn, then start it again just seconds later
> and it works fine for a good long while.

Right, the problem is with renegotiating a connection, after it times out and
it fails to agree TLS keys. I seem to recall a bug with this, but I think it
would/should have been fixed by now.


> I got this config file from Surfshark. I think it's public so I guess
> there's no harm posting as is.
>
>
> client
> dev tun
> proto udp
> remote us-hou.prod.surfshark.com 1194
> resolv-retry infinite
> remote-random
> nobind
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1450
> persist-key
> persist-tun
> ping 15
> ping-restart 0
> ping-timer-rem
> reneg-sec 0
>
> remote-cert-tls server
>
> auth-user-pass /etc/openvpn/login.conf
> mute-replay-warnings
>
> #comp-lzo
> verb 3
> pull
> fast-io
> cipher AES-256-CBC
>
> auth SHA512
>
>
> I don't see anything about DNS/nameserver/resolv.conf there but I may be
> missing it. When I tried to add that detail, it refused to start at all
> and puked on my keyboard. It was very unhappy with me telling it what DNS
> IP to use. That up script it runs is pretty complicated looking. I'm kinda
> nervous about messing with it.

There is no DNS problem at all. The problem is related to your client
renegotiating keys to encrypt the tunnel with and failing to do so. Have a
look at the above URL and see if any of the solutions suggested there points
you in the right direction.
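As an added example (not part of this thread, and not OpenVPN's own code): a small Python checker that groups OpenVPN syslog lines like the ones quoted above into restart attempts and records whether each one completed a TLS handshake, so a repeating ping-restart -> tls-error loop stands out instead of being buried in the noise. The sample log is a constructed, trimmed copy of the excerpt; the "Initialization Sequence Completed" check relies on OpenVPN's standard success message.

```python
import re
from dataclasses import dataclass
# Constructed sample: a trimmed copy of the syslog excerpt quoted in the thread.
SAMPLE_LOG = """\
Mar 1 13:53:32 fireball openvpn[27908]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 1 13:53:37 fireball openvpn[27908]: UDP link remote: [AF_INET]37.19.221.71:1194
Mar 1 13:54:37 fireball openvpn[27908]: TLS Error: TLS handshake failed
Mar 1 13:54:37 fireball openvpn[27908]: SIGUSR1[soft,tls-error] received, process restarting
Mar 1 13:54:42 fireball openvpn[27908]: UDP link remote: [AF_INET]107.179.20.179:1194
Mar 1 13:55:42 fireball openvpn[27908]: TLS Error: TLS handshake failed
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ openvpn\[\d+\]: (.*)$")
RESTART_RE = re.compile(r"SIGUSR1\[soft,([\w-]+)\] received")
REMOTE_RE = re.compile(r"UDP link remote: \[AF_INET\]([\d.]+:\d+)")

@dataclass
class Attempt:
    started: str              # syslog timestamp of the restart
    reason: str               # why OpenVPN restarted: ping-restart, tls-error, ...
    remote: str = "?"         # server picked for this attempt (remote-random)
    outcome: str = "pending"  # pending | tls-failed | connected

def parse_attempts(text):
    """Group OpenVPN syslog lines into restart attempts and record each outcome."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an openvpn line
        ts, msg = m.groups()
        if (r := RESTART_RE.search(msg)):
            attempts.append(Attempt(ts, r.group(1)))  # a new attempt begins
        elif attempts and (r := REMOTE_RE.search(msg)):
            attempts[-1].remote = r.group(1)
        elif attempts and "TLS handshake failed" in msg:
            attempts[-1].outcome = "tls-failed"
        elif attempts and "Initialization Sequence Completed" in msg:
            attempts[-1].outcome = "connected"  # OpenVPN's standard success line
    return attempts

def failed_streak(attempts):
    """Trailing run of restarts that never completed a TLS handshake."""
    n = 0
    for a in reversed(attempts):
        if a.outcome == "connected":
            break
        if a.outcome == "tls-failed":
            n += 1
    return n
```

Run it over `grep openvpn` output from the syslog; a streak greater than zero with a changing `remote` shows the client is cycling servers without ever finishing key negotiation, which is exactly the pattern in the quoted log.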
