The problem is that ROS does not recognize the static.key generated by
openvpn --genkey --secret static.key
which is required on most OpenVPN clients (tls-auth static.key).
Below is the client log with “tls-auth static.key” enabled on the client side:
Aug 18 17:09:48 ? user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Aug 18 17:09:48 ? daemon.notice openvpn[1281]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Jan 31 2010
Aug 18 17:09:48 ? daemon.warn openvpn[1281]: WARNING: file '/tmp/up' is group or others accessible
Aug 18 17:09:48 ? daemon.warn openvpn[1281]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 18 17:09:48 ? daemon.warn openvpn[1281]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 18 17:09:48 ? daemon.notice openvpn[1281]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Aug 18 17:09:48 ? daemon.notice openvpn[1281]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 18 17:09:48 ? daemon.notice openvpn[1281]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 18 17:09:48 ? daemon.notice openvpn[1281]: Control Channel MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
Aug 18 17:09:48 ? daemon.notice openvpn[1281]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Aug 18 17:09:48 ? daemon.notice openvpn[1283]: Attempting to establish TCP connection with 222.69.93.135:45645 [nonblock]
Aug 18 17:09:49 ? daemon.notice openvpn[1283]: TCP connection established with 222.69.93.135:45645
Aug 18 17:09:49 ? daemon.notice openvpn[1283]: Socket Buffers: R=[87380->131070] S=[16384->131070]
Aug 18 17:09:49 ? daemon.notice openvpn[1283]: TCPv4_CLIENT link local: [undef]
Aug 18 17:09:49 ? daemon.notice openvpn[1283]: TCPv4_CLIENT link remote: 222.69.93.135:45645
Aug 18 17:09:49 ? daemon.notice openvpn[1283]: TLS: Initial packet from 222.69.93.135:45645, sid=9e2c3b38 03794df8
Aug 18 17:09:49 ? daemon.err openvpn[1283]: TLS Error: cannot locate HMAC in incoming packet from 222.69.93.135:45645
Aug 18 17:09:49 ? daemon.err openvpn[1283]: Fatal TLS error (check_tls_errors_co), restarting
Aug 18 17:09:49 ? daemon.notice openvpn[1283]: TCP/UDP: Closing socket
and the log on ROS:
ovpn info <ovpn-0>:termination ... -peer disconnected
Even with “tls-auth” disabled on the client side, the ROS server rejects the client with “TLS handshake failed”:
Aug 18 17:14:48 ? user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Aug 18 17:14:49 ? daemon.notice openvpn[1350]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Jan 31 2010
Aug 18 17:14:49 ? daemon.warn openvpn[1350]: WARNING: file '/tmp/up' is group or others accessible
Aug 18 17:14:49 ? daemon.warn openvpn[1350]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 18 17:14:49 ? daemon.warn openvpn[1350]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 18 17:14:49 ? daemon.notice openvpn[1350]: Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Aug 18 17:14:49 ? daemon.notice openvpn[1350]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Aug 18 17:14:49 ? daemon.notice openvpn[1354]: Attempting to establish TCP connection with 222.69.93.135:45645 [nonblock]
Aug 18 17:14:50 ? daemon.notice openvpn[1354]: TCP connection established with 222.69.93.135:45645
Aug 18 17:14:50 ? daemon.notice openvpn[1354]: Socket Buffers: R=[87380->131070] S=[16384->131070]
Aug 18 17:14:50 ? daemon.notice openvpn[1354]: TCPv4_CLIENT link local: [undef]
Aug 18 17:14:50 ? daemon.notice openvpn[1354]: TCPv4_CLIENT link remote: 222.69.93.135:45645
Aug 18 17:14:50 ? daemon.notice openvpn[1354]: TLS: Initial packet from 222.69.93.135:45645, sid=d4991844 b26033b8
Aug 18 17:14:50 ? daemon.warn openvpn[1354]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 18 17:14:52 ? daemon.notice openvpn[1354]: VERIFY OK: depth=1, /C=CN/ST=SH/L=Shanghai/O=ZGQC/CN=ZGQC-SY/Email=admin@zg-sh.com
Aug 18 17:14:52 ? daemon.notice openvpn[1354]: VERIFY OK: depth=0, /C=CN/ST=SH/O=ZGQC/CN=ZGQC-SY/Email=admin@zg-sh.com
Aug 18 17:14:59 ? daemon.err openvpn[1354]: Connection reset, restarting [0]
Aug 18 17:14:59 ? daemon.notice openvpn[1354]: TCP/UDP: Closing socket
and the log on ROS:
ovpn info <ovpn-0>:termination ... TLS handshake failed
Come on Mikrotik, please get me out of it.
Thank you from a new RB493 and RB493AH user.
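
A small triage script for client logs like the two above, added here as an example and not part of the original post: it tags the signals those logs contain. The tag names and the readings attached to them are this example's own assumptions; the sample lines are copied from the post.

```python
import re

# Sample input: a few lines copied from the post's two client logs.
LOG_TLS_AUTH = """\
Aug 18 17:09:48 ? daemon.warn openvpn[1281]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 18 17:09:48 ? daemon.notice openvpn[1281]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Aug 18 17:09:49 ? daemon.err openvpn[1283]: TLS Error: cannot locate HMAC in incoming packet from 222.69.93.135:45645
"""
LOG_NO_TLS_AUTH = """\
Aug 18 17:14:48 ? user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Aug 18 17:14:49 ? daemon.warn openvpn[1350]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 18 17:14:52 ? daemon.notice openvpn[1354]: VERIFY OK: depth=0, /C=CN/ST=SH/O=ZGQC/CN=ZGQC-SY/Email=admin@zg-sh.com
Aug 18 17:14:59 ? daemon.err openvpn[1354]: Connection reset, restarting [0]
"""

# "<date> <host> <facility>.<severity> openvpn[<pid>]: <message>"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ \w+\.\w+ openvpn\[\d+\]: (.*)$")

# Tags and readings are this example's interpretation, not OpenVPN terminology.
MEANING = {
    "hmac-missing-from-peer": "client has tls-auth on but the server's packets carry no HMAC (tls-auth on one side only)",
    "no-server-cert-verification": "client does not check that the peer presents a server certificate (e.g. remote-cert-tls server)",
    "reset-after-cert-verify": "certificate chain verified, then the peer closed the connection; the cause is in the server's log",
}

def triage(log_text):
    """Return the sorted finding tags for one client connection attempt."""
    findings, tls_auth, cert_ok = set(), False, False
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # kernel and other non-openvpn lines
        msg = m.group(1)
        if "Control Channel Authentication: using" in msg:
            tls_auth = True  # client loaded a tls-auth key file
        elif "No server certificate verification method" in msg:
            findings.add("no-server-cert-verification")
        elif "cannot locate HMAC in incoming packet" in msg and tls_auth:
            findings.add("hmac-missing-from-peer")
        elif msg.startswith("VERIFY OK: depth=0"):
            cert_ok = True  # leaf certificate accepted
        elif msg.startswith("Connection reset") and cert_ok:
            findings.add("reset-after-cert-verify")
    return sorted(findings)

if __name__ == "__main__":
    for name, log in (("tls-auth on", LOG_TLS_AUTH), ("tls-auth off", LOG_NO_TLS_AUTH)):
        for tag in triage(log):
            print(f"{name}: {tag}: {MEANING[tag]}")
```

Both logs carry the certificate-verification warning, so that finding is independent of the tls-auth problem.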