gszpiniak
just joined
Topic Author
Posts: 16
Joined: Mon Oct 25, 2010 9:52 pm
Location: Barcelona

Linux Client fail to connect to OpenVPN server on AWS or GCP with TLS Error

Wed Feb 02, 2022 3:54 pm

Hi,

I'm configuring an AWS instance of MikroTik RouterOS for OpenVPN server purposes.
At this moment I'm using an RB1100 as the OpenVPN server and it works fantastically for our needs, but as this service is becoming critical I have decided to install it in the cloud.

Most of the VPN clients are other MikroTik routers, but we also have Linux servers, Windows workstations and Android smartphones.

After a simple configuration of the OpenVPN server, MikroTik router clients and Windows clients connect without problems to the cloud where RouterOS runs the OpenVPN server.
However, the clients on the Linux servers fail to connect, and they show a TLS error:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network>
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting

After many tests, I cloned the server and installed it locally, and I noticed that the Linux client connects without problems if it is on the same LAN as the OpenVPN server, but not when it is installed behind a NAT or in the cloud, such as Amazon or Google Cloud.

Any idea why it is not possible to connect Linux clients to an OpenVPN server with RouterOS in the cloud? The rest of the Windows clients or routers do not have connection problems.

If anyone has any suggestions to solve my problem I would greatly appreciate it!
 
MickeyT
Member Candidate
Posts: 141
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: Linux Client fail to connect to OpenVPN server on AWS or GCP with TLS Error

Sat Feb 05, 2022 10:21 am

Have you enabled TLS-Crypt or TLS-Auth for the VPN configuration on the Linux client? If you have, you will need to disable it as RoS 6 doesn't support it (I don't know if RoS 7 does).

Take a look at the screenshots if you don't know where to find the setting.

Linux-OpenVPN-Config.png
Linux-OpenVPN-Config-Advanced.png
 
gszpiniak
just joined
Topic Author
Posts: 16
Joined: Mon Oct 25, 2010 9:52 pm
Location: Barcelona

Re: Linux Client fail to connect to OpenVPN server on AWS or GCP with TLS Error

Thu Feb 10, 2022 11:46 am

Thank you for your response!

As I don't have a GUI on my Linux client, would you mind showing me the conf file so I can check how to disable TLS from the command line?
 
MickeyT
Member Candidate
Posts: 141
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: Linux Client fail to connect to OpenVPN server on AWS or GCP with TLS Error

Fri Feb 11, 2022 1:21 pm

There are several ways that TLS-Crypt and TLS-Auth can be set up in the configuration file.

Delete or disable (comment out) any lines that start with the following that appear in your OpenVPN configuration file:
  1. key-direction (e.g.: key-direction 1)
  2. tls-auth (e.g.: tls-auth ta.key 1)
  3. tls-crypt (e.g.: tls-crypt ta.key 1)

Also delete or comment out these sections (including their opening and closing tags) if they appear in your configuration file:
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
  ...
-----END OpenVPN Static key V1-----
</tls-crypt>
or
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
  ...
-----END OpenVPN Static key V1-----
</tls-auth>

It would also be worth checking that your proto and dev settings are correct.
  1. Dev should be: dev tun
  2. Proto should be: proto tcp for RouterOS < 7
  3. Proto could be: proto udp or proto tcp for RouterOS >= 7 (check your RouterOS setting for the correct value)

The following is an example of a working OpenVPN configuration file to connect to RouterOS < 7:
client
dev tun
proto tcp
remote vpn.server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3

I hope this helps.
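
The checklist from the post above, written as a script for a client without a GUI. This is an added example and not part of the original thread; the function name audit_ovpn and the sample config are constructed, and it assumes a RouterOS < 7 server (proto tcp).

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit an OpenVPN client config against
# the checklist above for a RouterOS < 7 server.

# Prints one finding per problem; returns 1 if anything was found, else 0.
audit_ovpn() {
  awk '
    { sub(/\r$/, "") }                          # tolerate CRLF line endings
    NF == 0 || $1 ~ /^[#;]/ { next }            # blank lines and comments
    $1 == "<tls-auth>" || $1 == "<tls-crypt>" { # inline static-key block
      printf "line %d: remove inline %s block\n", NR, $1; bad++; skip = 1; next
    }
    $1 == "</tls-auth>" || $1 == "</tls-crypt>" { skip = 0; next }
    skip { next }                               # key material inside the block
    $1 == "key-direction" || $1 == "tls-auth" || $1 == "tls-crypt" {
      printf "line %d: remove or comment out \"%s\"\n", NR, $0; bad++; next
    }
    $1 == "dev"   { dev = 1
                    if ($2 !~ /^tun/) { printf "line %d: dev should be tun\n", NR; bad++ } }
    $1 == "proto" { proto = 1
                    if ($2 !~ /^tcp/) { printf "line %d: proto should be tcp\n", NR; bad++ } }
    END {
      if (!dev)   { print "missing: dev tun"; bad++ }
      # OpenVPN defaults to UDP when no proto line is present
      if (!proto) { print "missing: proto tcp (default is udp)"; bad++ }
      exit (bad > 0)
    }
  ' "$1"
}

# Constructed sample config (hypothetical file, not taken from the thread)
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
dev tun
proto udp
remote vpn.server.example.com 1194
;tls-auth old.key 1
key-direction 1
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder, no real key)
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF

audit_ovpn "$sample" || echo "fix the findings above, then retry the connection"
```

Lines that are already commented out with # or ; are ignored, so the script can be re-run after editing to confirm nothing was missed.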