How to debug OpenVPN platform-specific connection issues

BreakfastBrett93

New Member
Jan 25, 2021
UK
My previous experience with VPN configuration has been configuring OpenVPN in a proprietary interface for a home router and I am now testing out a pfSense setup. I have things configured the way I want - with a VPN pushing through from WAN to LAN - port forwarding and everything. Server configuration was set up via the OpenVPN wizard and client configuration exported via the Client Export package.

However, that is only the case for one of three clients I have tried - all on the same network, same user credentials, same base .ovpn file. The only discernible difference is the OS and the client used to form the connection. All three machines are still able to connect via the same client to the aforementioned home router VPN - although that one is configured as TAP rather than the TUN configuration created by the wizard and exported here. Other TUN configurations (Proton VPN .ovpn files) do work on all clients. All three clients are fully up to date.

The fully working client is Tunnelblick running on macOS. The first non-working client is OpenVPN GUI running on Windows 10. The second non-working client is the OpenVPN network manager plugin on Ubuntu 20.04.

Both the Windows and Ubuntu setups fail in the same way: timing out on the TLS key negotiation. Snippet from the Windows machine:
Code:
Sun Jan 31 06:49:04 2021 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
- OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020
- Windows version 10.0 (Windows 10 or greater) 64bit
- library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
- TCP/UDP: Preserving recently used remote address: [AF_INET]----------:********
- UDP link local (bound): [AF_INET][undef]:0
- UDP link remote: [AF_INET]----------:********
- TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
- TLS Error: TLS handshake failed
- SIGUSR1[soft,tls-error] received, process restarting
- TCP/UDP: Preserving recently used remote address: [AF_INET]----------:********
- UDP link local (bound): [AF_INET][undef]:0
- UDP link remote: [AF_INET]----------:********
- TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
- TLS Error: TLS handshake failed
The .ovpn configuration file (excluding keys) reads:
Code:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote ---------- ********* udp
lport 0
verify-x509-name "XXXXXXXXXX" name
auth-user-pass
remote-cert-tls server
I have looked the configuration over for hours and tried various permutations with no difference in results. All machines are on the same network, but just as well I have verified that they can not only ping and trace to the host, but also that they are able to connect to the forwarded WAN port. Any and all advice on how to debug the difference between whatever the Tunnelblick client is doing to make things work and what the others are doing would be greatly appreciated.
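As an added example (not the poster's code), the small linter below applies to the client config the check that the OpenVPN 2.5 DEPRECATED OPTION line in the log above describes: a legacy `cipher` that is absent from `data-ciphers` (default AES-256-GCM:AES-128-GCM, as the warning states) should either be added to `data-ciphers` or set as `data-ciphers-fallback`. The sample config is the poster's .ovpn with constructed placeholder values for the remote host and certificate name.

```python
"""Check an OpenVPN 2.5 client config for the --cipher / --data-ciphers
mismatch reported in the log above (added example, not the poster's code)."""
import shlex

# Constructed sample: the poster's config with placeholder remote and name.
SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote vpn.example.invalid 1194 udp
lport 0
verify-x509-name "XXXXXXXXXX" name
auth-user-pass
remote-cert-tls server
"""

# Negotiable data ciphers OpenVPN 2.5 reports when --data-ciphers is unset
# (taken verbatim from the warning text in the log above).
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]


def parse_ovpn(text):
    """Map each directive to its argument list; comments (# or ;) are skipped
    and a repeated directive keeps its last occurrence, as OpenVPN does."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # honours the quoted verify-x509-name value
        opts[parts[0]] = parts[1:]
    return opts


def lint_cipher_negotiation(text):
    """Return a list of findings; empty means the config passes this check."""
    opts = parse_ovpn(text)
    findings = []
    cipher = opts.get("cipher", [None])[0]
    data_ciphers = (opts["data-ciphers"][0].split(":")
                    if "data-ciphers" in opts else DEFAULT_DATA_CIPHERS)
    fallback = opts.get("data-ciphers-fallback", [None])[0]
    if cipher and cipher not in data_ciphers and fallback != cipher:
        findings.append(
            f"cipher {cipher} is not in data-ciphers ({':'.join(data_ciphers)}); "
            f"add it to data-ciphers or set 'data-ciphers-fallback {cipher}'")
    if "remote-cert-tls" not in opts:
        findings.append("remote-cert-tls server missing: server certificate "
                        "role is not verified")
    return findings
```

The finding reproduces only the deprecation warning the log prints; the poster's actual symptom is the TLS key negotiation never completing, which this check does not diagnose.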