Error: sigusr1 soft tls error received process restarting

I’m configuring an OpenVPN (version 2.3.10) server on a Windows 2012 server but I cannot make it work.

The server is behind a router and I opened the 1194 port and created a rule to forward traffic on this port to the server.

Here is the log I see on the server when I try to connect from a client:

Mon Mar 21 11:11:47 2016 XX.XX.XX.XX:57804 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:57804, sid=fdf7a7ac 0264c7f3
Mon Mar 21 11:12:38 2016 XX.XX.XX.XX:55938 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:55938, sid=1f242a3f e454a525
Mon Mar 21 11:12:48 2016 XX.XX.XX.XX:57804 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 21 11:12:48 2016 XX.XX.XX.XX:57804 TLS Error: TLS handshake failed
Mon Mar 21 11:12:48 2016 XX.XX.XX.XX:57804 SIGUSR1[soft,tls-error] received, client-instance restarting

Where XX.XX.XX.XX is the IP of the client. So I understand from this that the client at least is able to arrive at the server, so there’s no routing or firewall issues.

I followed the description provided here: Easy Windows Guide. Any ideas?


asked Mar 23, 2016 at 7:04

vmasanas

What’s interesting is how the port number changes mid-stream:

Mon Mar 21 11:11:47 2016 XX.XX.XX.XX:57804 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:57804, sid=fdf7a7ac 0264c7f3

Mon Mar 21 11:12:38 2016 XX.XX.XX.XX:55938 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:55938, sid=1f242a3f e454a525

This makes me think that, somewhere between client and server, there is a misbehaving NAT device, a device with very short-lived state table entries, which is changing the source port number that it applies to the client’s established stream, causing the server to think that two short-lived communications are in progress, instead of one continuous one.

Such devices generally only do this with UDP, so I have advised you to confirm that you are using UDP, and try TCP instead. This you have done, and found that it fixes the problem. The next step is to identify the misbehaving NAT device, hit it with a club hammer, and replace it with one that doesn’t make the cardinal mistake of assuming that all UDP communications are ephemeral; but you have indicated that you’re happy with changing to TCP as a workaround, and so the matter is concluded.

answered Mar 23, 2016 at 10:39

MadHatter
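The port-change observation in the answer above can be checked mechanically over a server log. The following Python sketch is an added example, not code from the answer or from OpenVPN; the sample log is constructed in the format quoted in the question (documentation addresses), and the function and field names are assumptions.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample in the format of the server log quoted in the question.
# 203.0.113.7 and 198.51.100.9 are documentation addresses, not real clients.
SAMPLE_LOG = """\
Mon Mar 21 11:11:47 2016 203.0.113.7:57804 TLS: Initial packet from [AF_INET]203.0.113.7:57804, sid=fdf7a7ac 0264c7f3
Mon Mar 21 11:12:38 2016 203.0.113.7:55938 TLS: Initial packet from [AF_INET]203.0.113.7:55938, sid=1f242a3f e454a525
Mon Mar 21 11:12:48 2016 203.0.113.7:57804 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 21 11:12:48 2016 203.0.113.7:57804 TLS Error: TLS handshake failed
Mon Mar 21 11:12:48 2016 203.0.113.7:57804 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Mar 21 11:20:00 2016 198.51.100.9:40000 TLS: Initial packet from [AF_INET]198.51.100.9:40000, sid=aaaaaaaa bbbbbbbb
Mon Mar 21 11:21:00 2016 198.51.100.9:40000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# "<weekday> <month> <day> <time> <year> <ip>:<port> <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)$"
)
INITIAL = "TLS: Initial packet from"
TIMEOUT = "TLS Error: TLS key negotiation failed to occur"

Finding = namedtuple("Finding", "ip stalled_port new_ports started timed_out")


def parse(log_text):
    """Return (handshake starts per client IP, list of handshake timeouts)."""
    starts = defaultdict(list)   # ip -> [(time, source port)]
    timeouts = []                # [(time, ip, source port)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue             # lines without a peer prefix are ignored
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        port = int(m["port"])
        if m["msg"].startswith(INITIAL):
            starts[m["ip"]].append((ts, port))
        elif m["msg"].startswith(TIMEOUT):
            timeouts.append((ts, m["ip"], port))
    return starts, timeouts


def find_port_changes(log_text):
    """Flag handshakes that timed out while the same client IP started a new
    handshake from a different source port. That is the pattern the answer
    attributes to a NAT device expiring its UDP mapping. Two separate clients
    behind one NAT produce the same picture, so treat a hit as a lead."""
    starts, timeouts = parse(log_text)
    findings = []
    for t_out, ip, port in timeouts:
        own = [t for t, p in starts[ip] if p == port and t <= t_out]
        if not own:
            continue             # start of this handshake is not in the log
        t_start = max(own)
        others = sorted({p for t, p in starts[ip]
                         if p != port and t_start < t <= t_out})
        if others:
            findings.append(Finding(ip, port, others, t_start, t_out))
    return findings


if __name__ == "__main__":
    for f in find_port_changes(SAMPLE_LOG):
        print(f"{f.ip}: handshake from port {f.stalled_port} started "
              f"{f.started:%H:%M:%S}, timed out {f.timed_out:%H:%M:%S}; "
              f"same IP reappeared from port(s) {f.new_ports}")
```

A client that times out without ever changing its source port (the second address in the sample) is not reported, which separates this cause from a plain blocked or misrouted connection.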

This is one of the most common errors in setting up OpenVPN and there is a FAQ entry for this. I’m going to quote this here:

TLS Error: TLS key negotiation failed to occur within 60 seconds
(check your network connectivity)

One of the most common problems in setting up OpenVPN is that the two
OpenVPN daemons on either side of the connection are unable to
establish a TCP or UDP connection with each other.

This is almost always a result of:

  • A perimeter firewall on the server’s network is filtering out incoming OpenVPN packets (by default OpenVPN uses UDP or TCP port number 1194).
  • A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes will block incoming connections by default, unless configured otherwise.
  • A NAT gateway on the server’s network does not have a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server machine.
  • The OpenVPN client config does not have the correct server address in its config file. The remote directive in the client config file must point to either the server itself or the public IP address of the server network’s gateway.
  • Another possible cause is that the Windows firewall is blocking access for the openvpn.exe binary. You may need to whitelist (add it to the "Exceptions" list) it for OpenVPN to work.

It’s highly likely that any of these is causing the same problem in your case too. So just go through the list one by one to resolve it.

Ref: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)


answered Mar 23, 2016 at 8:23

Diamond

I was getting TLS key negotiation timeouts like this. But in my case I realised that the remote link was a local IP address.

The VPN on our pfSense firewall had mistakenly been put on the LAN interface instead of the WAN interface, and so the exported config was set to try and connect to the firewall’s LAN IP address — which was never going to work with the client naturally being on a different LAN.

I think the main takeaways from this are:

  • Getting a key negotiation timeout does not necessarily mean you’ve even managed to connect to anything.

    So at this stage it may still be worth checking you’re actually connecting to the right place, and there are no firewall rules blocking the connection, etc. Particularly if your configuration has been automatically generated.

    Note that getting a login prompt does not mean that you’re connected, since OpenVPN asks for your credentials before trying to connect.

  • Make sure your VPN server is listening on the right interface.

    (Of course, this is one of a number of server-side misconfigurations that could occur, such as firewall rules, putting the wrong port number, intermixing TCP and UDP, etc.)

answered Mar 21, 2017 at 12:18

mwfearnley

I had the same error and no advice helped, everything seemed to be fine: IPs, ports, firewall, everything. Gone insane for 2 hours.

Solution was to change the protocol from UDP to TCP in the client config (apparently I disabled UDP on purpose a long while ago).

Hope this helps someone :)

LE: this solved my problem but it’s not the best approach as per below comments. You should use UDP instead of TCP. It helped me because I had different settings between the client and the server configs.

answered Jun 1, 2017 at 20:11

bosch
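Two of the answers above trace the timeout to the client profile rather than the network: a remote that points at a LAN address, and a client proto that differs from the server's. The following linter is an added example, not part of any answer or of OpenVPN; both configs are constructed samples and the finding codes are made up for illustration. It assumes OpenVPN's defaults of proto udp and port 1194 when a directive is absent.

```python
import ipaddress
import shlex

SERVER_CONF = """\
# constructed sample server config
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
"""

CLIENT_CONF = """\
# constructed sample client profile
client
dev tun
proto tcp
remote 192.168.1.1 1194   # LAN address of the firewall, exported by mistake
"""


def directives(text):
    """Split an OpenVPN config into token lists, dropping comments and blanks."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)  # keeps quoted args, drops "# ..."
        if tokens:
            out.append(tokens)
    return out


def option(parsed, name, default):
    """Last value given for a single-argument directive, or the default."""
    value = default
    for tokens in parsed:
        if tokens[0] == name and len(tokens) > 1:
            value = tokens[1]
    return value


def family(proto):
    """Collapse udp/udp4/udp6 and tcp/tcp-client/tcp-server to 'udp' or 'tcp'."""
    return "tcp" if proto.lower().startswith("tcp") else "udp"


def lint(client_text, server_text):
    """Return [(code, message)] for each client 'remote' that cannot match
    the server as configured."""
    server = directives(server_text)
    client = directives(client_text)
    srv_proto = family(option(server, "proto", "udp"))
    srv_port = int(option(server, "port", "1194"))
    cli_proto = option(client, "proto", "udp")
    cli_port = option(client, "port", "1194")

    findings = []
    for tokens in client:
        if tokens[0] != "remote" or len(tokens) < 2:
            continue
        # Syntax: remote host [port] [proto]; per-remote values win.
        host = tokens[1]
        port = int(tokens[2] if len(tokens) > 2 else cli_port)
        proto = family(tokens[3] if len(tokens) > 3 else cli_proto)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None          # hostname: cannot be judged offline
        if addr is not None and (addr.is_private or addr.is_loopback
                                 or addr.is_link_local):
            findings.append(("remote-not-public",
                             f"{host} is only reachable from the server's own network"))
        if proto != srv_proto:
            findings.append(("proto-mismatch",
                             f"client uses {proto}, server listens on {srv_proto}"))
        if port != srv_port:
            findings.append(("port-differs",
                             f"client targets {port}, server listens on {srv_port}; "
                             "valid only if a port forward maps one to the other"))
    return findings


if __name__ == "__main__":
    for code, message in lint(CLIENT_CONF, SERVER_CONF):
        print(f"{code}: {message}")
```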

None of the solutions mentioned earlier worked. In my case, even though the client log showed same error TLS Error: TLS key negotiation failed to occur within 60 seconds, the server logs showed VERIFY ERROR: depth=0, error=CRL has expired.

On the server, following steps resolved the connection issue:

# cd <easyrsa folder>
# ./easyrsa gen-crl
The above command generates a new crl.pem file (in my case in the pki folder).
Using chown/chmod, make sure 'pki/crl.pem' is readable by the OpenVPN server (for example: chmod 640 pki/crl.pem).
# systemctl restart openvpn

answered Dec 5, 2018 at 3:49

mpprdev

Note that you can get a TLS key negotiation error, without successfully connecting to the OpenVPN server — or even successfully connecting to anything at all!

I modified a VPN config to connect to localhost, on a port that wasn’t listening on anything:

OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Windows version 6.2 (Windows 8 or greater) 64bit
library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:12345
UDP link local (bound): [AF_INET][undef]:0
UDP link remote: [AF_INET]127.0.0.1:12345
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
...

The error can lull you into a false sense that you’re talking to a VPN server.

You may even get prompted for credentials first, but nothing outside your computer has actually asked for them.

answered Aug 10, 2018 at 15:21

mwfearnley

I ran into this error in AWS, where OpenVPN was installed on a server with a public IP, but on an instance which was in a private subnet, i.e. a subnet which didn’t have a route to an internet gateway.

Once I deployed OpenVPN on a server within a public subnet, it all worked nicely :)


On public/private subnets in AWS: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html

answered Aug 29, 2018 at 15:15

Zoltán

I also came across the TLS key negotiation failed to occur within 60 seconds problem.

From the official suggestion, as Diamond posted, there must be something wrong in the network connection. However, neither the firewall nor the NAT causes the problem.

In my case, I first checked the connection by nc -uvz xxx.xxx.xxx.xxx 1194. The link is OK.

Besides, several other vpn clients within the same LAN work fine.

From somewhere I noticed that udp connection has some problems in response or port forward.

So I stop the running VPN clients from the largest IP to the hanging client, e.g. from "10.8.0.100" to "10.8.0.50".

Then start the stopped VPN clients in reverse.

Bang! All the VPN clients work properly.

In conclusion, there is a chance that multiple VPN clients within a LAN starting in the wrong sequence leads to the TLS key negotiation failed to occur within 60 seconds problem.

answered May 30, 2019 at 6:18

samson.wang

One possible reason is if the server requires a TLS version newer than the TLS supported by the client, i.e. 1.2 vs 1.0.

The obvious thing to try is to update the OpenVPN client, or modify the server side to accept TLS 1.0.


answered Mar 24, 2020 at 17:45

ozk

You should create a SSL/TLS certificate on OMV and then enable secure connection SSL/TLS and add the created certificate.
So simple!

answered May 28, 2020 at 3:50

user576785

Are there more than two NetCards on your OVPN-Server?

In UDP, the source IP is not checked when responding. OVPN-Server will use the default configuration to send UDP data, so we need to specify the NetCard in server.conf.

local the-IP-in-client.ovpn


answered Aug 21, 2020 at 4:03

eulermate

There seems to be a lot of different causes for the error — I was seeing this on the server for one client, but successfully connecting with another (the latter client being an android device using the OpenVPN Connect App).

What it turned out to be in my case is that I’d neglected to include a CommonName value when creating the server certificate — the app was ignoring this mistake but the other clients (OpenVPN plugin for Network Manager and pfSense) were validating this and refusing to continue the connection. This could be found within the client logs, but all that was visible on the server-side logs was:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

answered Apr 29, 2021 at 5:03

Adam Luchjenbroers

Describe the problem
For some unknown reason my Transmission OpenVPN setup stopped working. I am using FastestVPN with server Sweden, and I have never had any issues before. I can access the Transmission UI, but downloads are not working.

Logs
Fri Dec 13 15:03:28 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 13 15:03:28 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 13 15:03:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]128.127.104.201:4443
Fri Dec 13 15:03:28 2019 UDP link local (bound): [AF_INET][undef]:1194
Fri Dec 13 15:03:28 2019 UDP link remote: [AF_INET] hiddenipadress:4443
Fri Dec 13 15:03:53 2019 TLS Error: local/remote TLS keys are out of sync: [AF_INET]hiddenipadress:4443 [0]
Fri Dec 13 15:04:28 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Dec 13 15:04:28 2019 TLS Error: TLS handshake failed
Fri Dec 13 15:04:28 2019 SIGUSR1[soft,tls-error] received, process restarting

Host system:
Debian 9, Docker 19.03.5


Guest

OpenVPN won't start :(

Good day, EVERYONE
Can you tell me what is wrong?

The client's openvpn.log is complaining:

##########################################################
event_wait : Interrupted system call (code=4)
TCP/UDP: Closing socket
SIGTERM[hard,] received, process exiting
OpenVPN 2.0.6 i386-portbld-freebsd4.8 [SSL] [LZO] built on Sep 17 2008
Control Channel Authentication: using '/usr/local/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
LZO compression initialized
Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): '03fa487d'
Expected Remote Options hash (VER=V4): '1056bce3'
UDPv4 link local (bound): [undef]:2000
UDPv4 link remote: xxx.xxx.xxx.xxx:2000
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
TCP/UDP: Closing socket
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 2 second(s)
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): '03fa487d'
Expected Remote Options hash (VER=V4): '1056bce3'
UDPv4 link local (bound): [undef]:2000
UDPv4 link remote: xxx.xxx.xxx.xxx:2000

And the server logs show this complaint:
##########################################################

xx.xx.xx.xx:2000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
xx.xx.xx.xx:2000 SIGUSR1[soft,tls-error] received, client-instance restarting
MULTI: multi_create_instance called
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
xx.xx.xx.xx:2000 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
xx.xx.xx.xx:2000 Local Options hash (VER=V4): '1056bce3'
xx.xx.xx.xx:2000 Expected Remote Options hash (VER=V4): '03fa487d'
xx.xx.xx.xx:2000 TLS: Initial packet from 62.80.178.22:2000, sid=ede7e96a 84c81a85
xx.xx.xx.xx:2000 write UDPv4: Permission denied (code=13)
xx.xx.xx.xx:2000 write UDPv4: Permission denied (code=13)

Server ifconfig:

##########################################################
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
       inet 10.10.200.1 --> 10.10.200.2 netmask 0xffffffff
       Opened by PID 19690

##########################################################

The certificates were prepared on the server, OS FreeBSD6.2 and OpenVPN 2.0.6
The client lives on FreeBSD4.8 and OpenVPN 2.0.6

Please tell me what is wrong.
Thanks!


hizel » 2008-09-19 12:41:22


xx.xx.xx.xx:2000 write UDPv4: Permission denied (code=13)
xx.xx.xx.xx:2000 write UDPv4: Permission denied (code=13)

I don't like these lines
firewall?

He doesn't play silly games. He's just an awful, choo-choo, train, and his name is Blaine. Blaine is a Pain.



BI_J » 2008-09-19 12:52:58

Everything was done following the article by the esteemed mak_v_.
http://www.lissyara.su/?id=1685&comment … mment_4718

After the advice to check the firewall, the situation in the client logs changed a little:

The client's openvpn.log is complaining:
##########################################################
OpenVPN 2.0.6 i386-portbld-freebsd4.8 [SSL] [LZO] built on Sep 17 2008
Control Channel Authentication: using '/usr/local/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
LZO compression initialized
Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): '03fa487d'
Expected Remote Options hash (VER=V4): '1056bce3'
UDPv4 link local (bound): [undef]:2000
UDPv4 link remote: ip.ser.ve.ra:2000
TLS Error: Unroutable control packet received from ip.ser.ve.ra:2000 (si=3 op=P_ACK_V1)
TLS Error: Unroutable control packet received from ip.ser.ve.ra:2000 (si=3 op=P_ACK_V1)
.
.
.
VERIFY nsCertType ERROR: /C=UA/ST=Kiev/L=Kiev/O=server/OU=server/CN=server/emailAddress=admin@domen.com.ua, require nsCertType=SERVER
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

TCP/UDP: Closing socket
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 2 second(s)

The server's complaints have hardly changed:
##########################################################
ip.cli.en.ta:2000 TLS: new session incoming connection from 62.80.178.22:2000
ip.cli.en.ta:2000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ip.cli.en.ta:2000 TLS Error: TLS handshake failed
ip.cli.en.ta:2000 SIGUSR1[soft,tls-error] received, client-instance restarting
MULTI: multi_create_instance called

As I understand it, something is wrong with the certificates. I generated them as written :(



serge » 2008-09-19 14:52:30

Is OpenVPN by any chance running in a jail?
This is what bothers me…

Unroutable control packet received from ip.ser.ve.ra:2000



hizel » 2008-09-19 14:57:22

and still, try regenerating the certificates once more
your certificate type doesn't match ;)


serge » 2008-09-19 15:08:49

TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

literally, via Google

TLS key talks "will not happen within 60 seconds (check your network connections)

IMHO, the main part

check your network connections



BI_J » 2008-09-19 15:14:23

Thanks for the hints.
After yet another regeneration of the certificates the situation improved sharply :smile:
But the VPN still has not come up.
Now the problem seems to be in the routes on the client side.

In the client's openvpn.log:
##########################################################

[server] Peer Connection Initiated with  ip.ser.ve.ra:2000
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.10.200.1,ping 10,ping-restart 120,ifconfig 10.10.200.2 10.10.200.1'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
gw ip.pro.vay.da
TUN/TAP device /dev/tun1 opened
/sbin/ifconfig tun1 10.10.200.2 10.10.200.1 mtu 1500 netmask 255.255.255.255 up
/usr/local/etc/openvpn/openvpn_up.sh tun1 1500 1538 10.10.200.2 10.10.200.1 init
/usr/local/etc/openvpn/openvpn_up.sh: permission denied
script failed: shell command exited with error status: 126
Fri Sep 19 14:02:08 2008 Exiting

##########################################################

The remote client gets its Internet access through the provider's modem over this connection:

ifconfig:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet ip.cli.en.ta --> ip.pro.vay.da netmask 0xffffffff
        Opened by PID 88

this needs to be steered somehow



zingel » 2008-09-19 15:14:47

TLS key talks "will not happen within 60 seconds (check your network connections)

Did Google Translate produce this heresy? I'm in shock…

Z301171463546: you can donate money to me



BI_J » 2008-09-19 17:03:49

I'm sitting here staring at the error and just not seeing the obvious mistake (shame on me :oops: ):

usr/local/etc/openvpn/openvpn_up.sh tun1 1500 1538 10.10.200.2 10.10.200.1 init
/usr/local/etc/openvpn/openvpn_up.sh: permission denied
script failed: shell command exited with error status: 126

after running:
chmod 755 /usr/local/etc/openvpn/openvpn_up.sh
things improved

ping started working between 10.10.200.2 and 10.10.200.1

phew



makihtow » 2009-02-05 14:23:37

Hello guys. I have this problem. What should I do? Please advise.

Thu Feb 05 13:22:02 2009 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Feb 05 13:22:02 2009 Local Options hash (VER=V4): '03fa487d'
Thu Feb 05 13:22:02 2009 Expected Remote Options hash (VER=V4): '1056bce3'
Thu Feb 05 13:22:02 2009 UDPv4 link local (bound): [undef]:2000
Thu Feb 05 13:22:02 2009 UDPv4 link remote: 22.22.22.22:2000
Thu Feb 05 13:23:01 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Feb 05 13:23:01 2009 TLS Error: TLS handshake failed
Thu Feb 05 13:23:01 2009 TCP/UDP: Closing socket
Thu Feb 05 13:23:01 2009 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 05 13:23:01 2009 Restart pause, 2 second(s)
Thu Feb 05 13:23:03 2009 Re-using SSL/TLS context
Thu Feb 05 13:23:03 2009 LZO compression initialized
Thu Feb 05 13:23:03 2009 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Thu Feb 05 13:23:03 2009 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Feb 05 13:23:03 2009 Local Options hash (VER=V4): '03fa487d'
Thu Feb 05 13:23:03 2009 Expected Remote Options hash (VER=V4): '1056bce3'
Thu Feb 05 13:23:03 2009 UDPv4 link local (bound): [undef]:2000
Thu Feb 05 13:23:03 2009 UDPv4 link remote: 22.22.22.22:2000



hizel » 2009-02-05 14:36:05

check your network connectivity
need a translation? :)


hizel » 2009-02-05 14:42:50

check the firewall
have a look with tcpdump


makihtow » 2009-02-05 14:44:35

tcpdump -om
tcpdump version 3.9.4
libpcap version 0.9.4
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
[ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -Z user ]
[ expression ]



hizel » 2009-02-05 14:46:45

where <int> is the interface through which openvpn goes out to the internet
and you can also append port 2000


makihtow » 2009-02-05 15:10:00

#tcpdump -i fxp0 -np port 2000 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes



hizel » 2009-02-05 15:11:41

and then restart openvpn while tcpdump is running :)


makihtow » 2009-02-05 15:40:25

I started tcpdump and restarted openvpn. Here is the result.

#tcpdump -i fxp0 -np port 2000 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes


38 packets captured
4492 packets received by filter
0 packets dropped by kernel



hizel » 2009-02-05 15:47:18

is your openvpn definitely running on UDP port 2000?
if so, check the firewall


hz » 2009-03-24 10:27:16

Good day. Please advise where to dig. The trouble is as follows: everything was set up following mac_v's description (special thanks). The tunnel came up. But the problem is this: the internal network of the "branch" sees the internal space behind the VPN server. In the opposite direction, i.e. what is inside the "head office" does not see the "branch" network. ping returns the error ping: sendto: Invalid argument. All the routes are in place. I tried adding the route to the "branch" subnet by hand; the answer is that the route exists.



zingel » 2009-03-24 13:29:05

better as a separate topic


Sanya0413 » 2010-03-30 16:31:46

# !/bin/sh
/bin/sh: Event not found.
# /sbin/route add -net 192.168.1.0 10.10.200.1
route: writing to routing socket: Network is unreachable
add net 193.168.1.0: gateway 10.10.200.1: Network is unreachable

when creating the openvpn_up.sh file it prints this complaint.
I set everything up following the article, checked with sockstat that openvpn came up on the server and on the client, but pings don't go through((


Hello, I have installed the OpenVPN server and configured the client, but I am facing this issue: when it tries to connect I receive this error on the client machine

* Server *
Operating system:

LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.6.1810 (Core)
Release: 7.6.1810
Codename: Core

Network setup:

$ ifconfig
enp3s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet x.x.x.x netmask 255.255.255.248 broadcast x.x.x.x
inet6 fe80::8c1:42dd:2438:33b4 prefixlen 64 scopeid 0x20<link>
ether b4:99:ba:07:1b:84 txqueuelen 1000 (Ethernet)
RX packets 1161835498 bytes 1459231492304 (1.3 TiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 667329446 bytes 153826520663 (143.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

enp3s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.4.1 netmask 255.255.255.0 broadcast 192.168.4.255
inet6 fe80::d457:788:5e4e:fdc8 prefixlen 64 scopeid 0x20<link>
ether b4:99:ba:07:1b:86 txqueuelen 1000 (Ethernet)
RX packets 3498011573 bytes 2413765553200 (2.1 TiB)
RX errors 0 dropped 1007900 overruns 0 frame 0
TX packets 3699755715 bytes 3682487028580 (3.3 TiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

enp3s0f1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
ether b4:99:ba:07:1b:86 txqueuelen 1000 (Ethernet)

enp3s0f1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255
ether b4:99:ba:07:1b:86 txqueuelen 1000 (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8148153 bytes 993519222 (947.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8148153 bytes 993519222 (947.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
inet6 fe80::9768:215b:334:edbd prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 144 (144.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Server config file:
server.conf

server

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
remote-cert-eku "TLS Web Client Authentication"
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-crypt mybussines.tlsauth
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
explicit-exit-notify 1

Server log (at --verb 4 and client IP address removed)

Fri Jan 25 10:38:07 2019 us=162325 x.x.x.x:1194 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Fri Jan 25 10:38:07 2019 us=162351 x.x.x.x:1194 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Fri Jan 25 10:38:07 2019 us=162398 x.x.x.x:1194 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Jan 25 10:38:07 2019 us=162415 x.x.x.x:1194 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Jan 25 10:38:07 2019 us=162475 x.x.x.x:1194 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=f2b09be7 3399c056
Fri Jan 25 10:38:12 2019 us=289603 x.x.x.x:1194 TLS: new session incoming connection from [AF_INET]x.x.x.x:1194
Fri Jan 25 10:38:17 2019 us=435251 x.x.x.x:1194 TLS: new session incoming connection from [AF_INET]x.x.x.x:1194
Fri Jan 25 10:39:07 2019 us=419880 x.x.x.x:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jan 25 10:39:07 2019 us=419929 x.x.x.x:1194 TLS Error: TLS handshake failed
Fri Jan 25 10:39:07 2019 us=420064 x.x.x.x:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Jan 25 10:39:22 2019 us=204116 MULTI: multi_create_instance called
Fri Jan 25 10:39:22 2019 us=204218 x.x.x.x:1194 Re-using SSL/TLS context
Fri Jan 25 10:39:22 2019 us=204316 x.x.x.x:1194 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Fri Jan 25 10:39:22 2019 us=204346 x.x.x.x:1194 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Fri Jan 25 10:39:22 2019 us=204397 x.x.x.x:1194 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Jan 25 10:39:22 2019 us=204418 x.x.x.x:1194 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Jan 25 10:39:22 2019 us=204465 x.x.x.x:1194 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=22a744a4 fb0fcfbb
Fri Jan 25 10:39:27 2019 us=328519 x.x.x.x:1194 TLS: new session incoming connection from [AF_INET]x.x.x.x:1194
Fri Jan 25 10:39:37 2019 us=532014 x.x.x.x:1194 TLS: new session incoming connection from [AF_INET]x.x.x.x:1194

* Client *

Operating system:
C:\Users\Carlos>ver
Microsoft Windows [Versión 10.0.17134.523]

Network setup:
C:\Users\Carlos>ipconfig /all
Configuración IP de Windows

Nombre de host. . . . . . . . . : CarlosLap
Sufijo DNS principal . . . . . :
Tipo de nodo. . . . . . . . . . : híbrido
Enrutamiento IP habilitado. . . : no
Proxy WINS habilitado . . . . . : no
Lista de búsqueda de sufijos DNS: xxxxxxxxxx.net

Adaptador desconocido VPN - VPN Client:

Estado de los medios. . . . . . . . . . . : medios desconectados
Sufijo DNS específico para la conexión. . :
Descripción . . . . . . . . . . . . . . . : VPN Client Adapter - VPN
Dirección física. . . . . . . . . . . . . : 5E-15-A9-D6-68-CE
DHCP habilitado . . . . . . . . . . . . . : sí
Configuración automática habilitada . . . : sí

Adaptador de Ethernet Ethernet 4:

Sufijo DNS específico para la conexión. . : xxxxxxxxxxxxx.net
Descripción . . . . . . . . . . . . . . . : Intel(R) Ethernet Connection (3) I218-LM
Dirección física. . . . . . . . . . . . . : 70-5A-0F-CB-35-FE
DHCP habilitado . . . . . . . . . . . . . : sí
Configuración automática habilitada . . . : sí
Dirección IPv6 . . . . . . . . . . : fd8c:d1d1:70d1:0:1d1c:35cb:e97c:68bc(Preferido)
Dirección IPv6 temporal. . . . . . : fd8c:d1d1:70d1:0:5c3f:704b:e4e9:93d7(Preferido)
Vínculo: dirección IPv6 local. . . : fe80::1d1c:35cb:e97c:68bc%29(Preferido)
Dirección IPv4. . . . . . . . . . . . . . : 10.10.1.130(Preferido)
Máscara de subred . . . . . . . . . . . . : 255.255.255.0
Concesión obtenida. . . . . . . . . . . . : lunes, 21 de enero de 2019 07:45:23
La concesión expira . . . . . . . . . . . : sábado, 26 de enero de 2019 09:09:05
Puerta de enlace predeterminada . . . . . : 10.10.1.1
Servidor DHCP . . . . . . . . . . . . . . : 10.10.1.1
IAID DHCPv6 . . . . . . . . . . . . . . . : 376461839
DUID de cliente DHCPv6. . . . . . . . . . : 00-01-00-01-22-A7-EF-12-F0-92-1C-5A-FD-D0
Servidores DNS. . . . . . . . . . . . . . : 8.8.8.8
8.8.4.4
10.10.1.1
NetBIOS sobre TCP/IP. . . . . . . . . . . : habilitado

Adaptador de Ethernet Ethernet 7:

Estado de los medios. . . . . . . . . . . : medios desconectados
Sufijo DNS específico para la conexión. . :
Descripción . . . . . . . . . . . . . . . : TAP-Windows Adapter V9
Dirección física. . . . . . . . . . . . . : 00-FF-40-2F-78-ED
DHCP habilitado . . . . . . . . . . . . . : sí
Configuración automática habilitada . . . : sí

Client config file:
client.ovpn

client

client
tls-client
ca ca.crt
cert laguero.crt
key laguero.key
tls-crypt mybussines.tlsauth
remote-cert-eku "TLS Web Client Authentication"
proto udp
remote x.x.x.x 1194 udp
dev tun
topology subnet
pull
user nobody
group nobody

Client log (at --verb 4 and server name and IP address removed)

Fri Jan 25 10:38:09 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Fri Jan 25 10:38:09 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Jan 25 10:38:09 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Fri Jan 25 10:38:09 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:38:09 2019 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 25 10:38:09 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:38:09 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Jan 25 10:38:09 2019 TLS_ERROR: BIO read tls_read_plaintext error
Fri Jan 25 10:38:09 2019 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 25 10:38:09 2019 TLS Error: TLS handshake failed
Fri Jan 25 10:38:09 2019 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 25 10:38:14 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:38:14 2019 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 25 10:38:14 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:38:14 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Jan 25 10:38:14 2019 TLS_ERROR: BIO read tls_read_plaintext error
Fri Jan 25 10:38:14 2019 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 25 10:38:14 2019 TLS Error: TLS handshake failed
Fri Jan 25 10:38:14 2019 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 25 10:38:19 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:38:19 2019 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 25 10:38:19 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:38:19 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:20 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:22 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
Fri Jan 25 10:38:24 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:24 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:25 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:26 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
Fri Jan 25 10:38:28 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:31 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:34 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
Fri Jan 25 10:38:39 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:41 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:44 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:47 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:38:50 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
Fri Jan 25 10:39:19 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jan 25 10:39:19 2019 TLS Error: TLS handshake failed
Fri Jan 25 10:39:19 2019 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 25 10:39:24 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:39:24 2019 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 25 10:39:24 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:39:24 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Jan 25 10:39:24 2019 TLS_ERROR: BIO read tls_read_plaintext error
Fri Jan 25 10:39:24 2019 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 25 10:39:24 2019 TLS Error: TLS handshake failed
Fri Jan 25 10:39:24 2019 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 25 10:39:29 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:39:29 2019 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 25 10:39:29 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:39:29 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Jan 25 10:39:29 2019 TLS_ERROR: BIO read tls_read_plaintext error
Fri Jan 25 10:39:29 2019 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 25 10:39:29 2019 TLS Error: TLS handshake failed
Fri Jan 25 10:39:29 2019 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 25 10:39:39 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:39:39 2019 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 25 10:39:39 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:39:39 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
Fri Jan 25 10:39:41 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
Fri Jan 25 10:39:43 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:39:44 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:39:45 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
Fri Jan 25 10:39:46 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:39:53 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
Fri Jan 25 10:39:54 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:39:59 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:40:00 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:40:03 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:40:09 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
Fri Jan 25 10:40:40 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jan 25 10:40:40 2019 TLS Error: TLS handshake failed
Fri Jan 25 10:40:40 2019 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 25 10:41:00 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:41:00 2019 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 25 10:41:00 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:41:00 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Jan 25 10:41:00 2019 TLS_ERROR: BIO read tls_read_plaintext error
Fri Jan 25 10:41:00 2019 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 25 10:41:00 2019 TLS Error: TLS handshake failed
Fri Jan 25 10:41:00 2019 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 25 10:41:40 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:41:40 2019 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 25 10:41:40 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:41:40 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Jan 25 10:41:40 2019 TLS_ERROR: BIO read tls_read_plaintext error
Fri Jan 25 10:41:40 2019 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 25 10:41:40 2019 TLS Error: TLS handshake failed
Fri Jan 25 10:41:40 2019 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 25 10:42:15 2019 SIGTERM[hard,init_instance] received, process exiting

The goal is to connect two networks. There are two servers running ClearOS 6.3.

The main office has the subnet 192.168.0.0/24 and a gateway at 192.168.0.250 running OpenVPN as the server.
The second office has the subnet 192.168.0.2/24 and a gateway running OpenVPN as the client.

Sometimes the connection comes up, and the main office network can be pinged from the network behind the client. When there are connection problems, the client log looks like this:

Tue Mar 26 12:31:37 2013 OpenVPN 2.2.1 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Tue Mar 26 12:31:37 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:31:37 2013 WARNING: file '/etc/openvpn/new/client-st1g-key.pem' is group or others accessible
Tue Mar 26 12:31:37 2013 LZO compression initialized
Tue Mar 26 12:31:37 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:31:37 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:31:37 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:31:37 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:31:37 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:31:37 2013 UDPv4 link local: [undef]
Tue Mar 26 12:31:37 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:31:37 2013 TLS: Initial packet from XX.XX.XX.XX:1194, sid=89a598f9 f7366aa5
Tue Mar 26 12:31:37 2013 VERIFY OK: depth=1, /C=RU/L=Krasnodar/O=ClearOS/OU=grand/CN=ca.clearos.grand.com/emailAddress=security@clearos.grand.com/O=grand/ST=Krasnodar
Tue Mar 26 12:31:37 2013 VERIFY OK: nsCertType=SERVER
Tue Mar 26 12:31:37 2013 VERIFY OK: depth=0, /C=RU/ST=Krasnodar/L=Krasnodar/O=ClearOS/O=grand/OU=grand/CN=clearos.grand.com/emailAddress=security@clearos.grand.com
Tue Mar 26 12:31:37 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:31:37 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:31:37 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:31:37 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:31:37 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Mar 26 12:31:37 2013 [clearos.grand.com] Peer Connection Initiated with XX.XX.XX.XX:1194
Tue Mar 26 12:31:40 2013 SENT CONTROL [clearos.grand.com]: 'PUSH_REQUEST' (status=1)
Tue Mar 26 12:31:40 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.0.250,dhcp-option WINS ,dhcp-option DOMAIN grand.com,route 192.168.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Mar 26 12:31:40 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 26 12:31:40 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 26 12:31:40 2013 OPTIONS IMPORT: route options modified
Tue Mar 26 12:31:40 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar 26 12:31:40 2013 ROUTE default_gateway=192.168.1.1
Tue Mar 26 12:31:40 2013 TUN/TAP device tun0 opened
Tue Mar 26 12:31:40 2013 TUN/TAP TX queue length set to 100
Tue Mar 26 12:31:40 2013 /sbin/ip link set dev tun0 up mtu 1500
Tue Mar 26 12:31:40 2013 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Mar 26 12:31:40 2013 /sbin/ip route add 192.168.0.0/24 via 10.8.0.5
Tue Mar 26 12:31:40 2013 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Tue Mar 26 12:31:40 2013 Initialization Sequence Completed
Tue Mar 26 12:33:40 2013 [clearos.grand.com] Inactivity timeout (--ping-restart), restarting
Tue Mar 26 12:33:40 2013 TCP/UDP: Closing socket
Tue Mar 26 12:33:40 2013 SIGUSR1[soft,ping-restart] received, process restarting
Tue Mar 26 12:33:40 2013 Restart pause, 2 second(s)
Tue Mar 26 12:33:42 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:33:42 2013 Re-using SSL/TLS context
Tue Mar 26 12:33:42 2013 LZO compression initialized
Tue Mar 26 12:33:42 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:33:42 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:33:42 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:33:42 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:33:42 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:33:42 2013 UDPv4 link local: [undef]
Tue Mar 26 12:33:42 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:34:42 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:34:42 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:34:42 2013 TCP/UDP: Closing socket
Tue Mar 26 12:34:42 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 26 12:34:42 2013 Restart pause, 2 second(s)
Tue Mar 26 12:34:44 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:34:44 2013 Re-using SSL/TLS context
Tue Mar 26 12:34:44 2013 LZO compression initialized
Tue Mar 26 12:34:44 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:34:44 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:34:44 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:34:44 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:34:44 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:34:44 2013 UDPv4 link local: [undef]
Tue Mar 26 12:34:44 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:35:45 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:35:45 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:35:45 2013 TCP/UDP: Closing socket
Tue Mar 26 12:35:45 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 26 12:35:45 2013 Restart pause, 2 second(s)
Tue Mar 26 12:35:47 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:35:47 2013 Re-using SSL/TLS context
Tue Mar 26 12:35:47 2013 LZO compression initialized
Tue Mar 26 12:35:47 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:35:47 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:35:47 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:35:47 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:35:47 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:35:47 2013 UDPv4 link local: [undef]
Tue Mar 26 12:35:47 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:36:47 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:36:47 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:36:47 2013 TCP/UDP: Closing socket
Tue Mar 26 12:36:47 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 26 12:36:47 2013 Restart pause, 2 second(s)
Tue Mar 26 12:36:49 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:36:49 2013 Re-using SSL/TLS context
Tue Mar 26 12:36:49 2013 LZO compression initialized
Tue Mar 26 12:36:49 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:36:49 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:36:49 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:36:49 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:36:49 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:36:49 2013 UDPv4 link local: [undef]
Tue Mar 26 12:36:49 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:36:49 2013 TLS: Initial packet from XX.XX.XX.XX:1194, sid=7444d74a 473b1a1f
Tue Mar 26 12:36:49 2013 VERIFY OK: depth=1, /C=RU/L=Krasnodar/O=ClearOS/OU=grand/CN=ca.clearos.grand.com/emailAddress=security@clearos.grand.com/O=grand/ST=Krasnodar
Tue Mar 26 12:36:49 2013 VERIFY OK: nsCertType=SERVER
Tue Mar 26 12:36:49 2013 VERIFY OK: depth=0, /C=RU/ST=Krasnodar/L=Krasnodar/O=ClearOS/O=grand/OU=grand/CN=clearos.grand.com/emailAddress=security@clearos.grand.com
Tue Mar 26 12:36:49 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:36:49 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:36:49 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:36:49 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:36:49 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Mar 26 12:36:49 2013 [clearos.grand.com] Peer Connection Initiated with XX.XX.XX.XX:1194
Tue Mar 26 12:36:52 2013 SENT CONTROL [clearos.grand.com]: 'PUSH_REQUEST' (status=1)
Tue Mar 26 12:36:52 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.0.250,dhcp-option WINS ,dhcp-option DOMAIN grand.com,route 192.168.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Mar 26 12:36:52 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 26 12:36:52 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 26 12:36:52 2013 OPTIONS IMPORT: route options modified
Tue Mar 26 12:36:52 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar 26 12:36:52 2013 Preserving previous TUN/TAP instance: tun0
Tue Mar 26 12:36:52 2013 Initialization Sequence Completed
Tue Mar 26 12:38:47 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:38:47 2013 TLS Error: reading acknowledgement record from packet
Tue Mar 26 12:38:47 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:38:47 2013 VERIFY OK: depth=1, /C=RU/L=Krasnodar/O=ClearOS/OU=grand/CN=ca.clearos.grand.com/emailAddress=security@clearos.grand.com/O=grand/ST=Krasnodar
Tue Mar 26 12:38:47 2013 VERIFY OK: nsCertType=SERVER
Tue Mar 26 12:38:47 2013 VERIFY OK: depth=0, /C=RU/ST=Krasnodar/L=Krasnodar/O=ClearOS/O=grand/OU=grand/CN=clearos.grand.com/emailAddress=security@clearos.grand.com
Tue Mar 26 12:38:47 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:38:47 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:38:47 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:38:47 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:38:47 2013 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Tue Mar 26 12:38:47 2013 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Tue Mar 26 12:38:47 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Mar 26 12:38:49 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:38:49 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:38:54 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:39:03 2013 TLS Error: reading acknowledgement record from packet
Tue Mar 26 12:39:04 2013 TLS Error: Unroutable control packet received from XX.XX.XX.XX:1194 (si=3 op=P_ACK_V1)
Tue Mar 26 12:39:49 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:39:49 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:41:14 2013 [clearos.grand.com] Inactivity timeout (--ping-restart), restarting
Tue Mar 26 12:41:14 2013 TCP/UDP: Closing socket
Tue Mar 26 12:41:14 2013 SIGUSR1[soft,ping-restart] received, process restarting
Tue Mar 26 12:41:14 2013 Restart pause, 2 second(s)
Tue Mar 26 12:41:16 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:41:16 2013 Re-using SSL/TLS context
Tue Mar 26 12:41:16 2013 LZO compression initialized
Tue Mar 26 12:41:16 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:41:16 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:41:16 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:41:16 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:41:16 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:41:16 2013 UDPv4 link local: [undef]
Tue Mar 26 12:41:16 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:42:16 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:42:16 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:42:16 2013 TCP/UDP: Closing socket
Tue Mar 26 12:42:16 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 26 12:42:16 2013 Restart pause, 2 second(s)
Tue Mar 26 12:42:18 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:42:18 2013 Re-using SSL/TLS context
Tue Mar 26 12:42:18 2013 LZO compression initialized
Tue Mar 26 12:42:18 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:42:18 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:42:18 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:42:18 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:42:18 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:42:18 2013 UDPv4 link local: [undef]
Tue Mar 26 12:42:18 2013 UDPv4 link remote: XX.XX.XX.XX:1194

port 1194
proto udp
dev tun
ca /etc/pki/CA/ca-cert.pem
cert /etc/pki/CA/sys-0-cert.pem
key /etc/pki/CA/private/sys-0-key.pem
dh /etc/openvpn/ssl/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
status /var/lib/openvpn/openvpn-status.log
verb 3
push "dhcp-option DNS 192.168.0.250"
push "dhcp-option WINS "
push "dhcp-option DOMAIN grand.com"
push "route 192.168.0.0 255.255.255.0"

client
remote XX.XX.XX.XX 1194
dev tun
proto udp
nobind
keepalive 10 60
tls-timeout 15
persist-key
persist-tun
ca /etc/openvpn/new/ca-cert.pem
cert /etc/openvpn/new/client-st1g-cert.pem
key /etc/openvpn/new/client-st1g-key.pem
ns-cert-type server
comp-lzo
verb 3
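
The client logs in the two posts above all end in the same `SIGUSR1[soft,...]` restart line, but the lines before it differ. As an added example (not code from either post or from OpenVPN), this Python script splits a client log into restart cycles and labels each one by the decisive error in it; the sample input is excerpted from the logs above, and the function names and cause labels are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: lines excerpted from the two client logs quoted above and
# joined into one text for the demo (two different hosts and dates).
SAMPLE_LOG = """\
Fri Jan 25 10:38:09 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:38:09 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Jan 25 10:38:09 2019 TLS Error: TLS handshake failed
Fri Jan 25 10:38:09 2019 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 25 10:38:19 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Fri Jan 25 10:38:19 2019 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
Fri Jan 25 10:39:19 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jan 25 10:39:19 2019 TLS Error: TLS handshake failed
Fri Jan 25 10:39:19 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 26 12:31:40 2013 Initialization Sequence Completed
Tue Mar 26 12:33:40 2013 [clearos.grand.com] Inactivity timeout (--ping-restart), restarting
Tue Mar 26 12:33:40 2013 SIGUSR1[soft,ping-restart] received, process restarting
Tue Mar 26 12:33:42 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:34:42 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:34:42 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:34:42 2013 SIGUSR1[soft,tls-error] received, process restarting
"""

# "Fri Jan 25 10:38:09 2019 <message>", with the optional "us=NNN" field
TS = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?:us=\d+ )?(.*)$")
# e.g. "SIGUSR1[soft,tls-error] received, process restarting"
SIGNAL = re.compile(r"SIG(?:USR1|TERM)\[(?:soft|hard),([\w-]+)\] received")


def _new_cycle():
    return {"start": None, "tunnel_up": False, "cert_failed": False,
            "timed_out": False, "unroutable": 0}


def _cause(cycle, reason):
    """Pick a label (names are this example's own) from one cycle's evidence."""
    if reason == "ping-restart":
        return "ping-restart"          # tunnel was up, keepalive lapsed
    if cycle["cert_failed"]:
        return "cert-verify-failed"    # peer certificate rejected locally
    if cycle["timed_out"]:
        return "handshake-timeout"     # no usable reply within the TLS window
    return reason                      # fall back to OpenVPN's own reason


def split_cycles(log_text):
    """Split a client log into restart cycles, one per SIGUSR1/SIGTERM line."""
    cycles, cur = [], _new_cycle()
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m:
            continue                   # prompts such as "Enter Management Password:"
        stamp = " ".join(m.group(1).split())   # collapse ctime-style double spaces
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if cur["start"] is None:
            cur["start"] = when
        if "certificate verify failed" in msg:
            cur["cert_failed"] = True
        elif "TLS key negotiation failed" in msg:
            cur["timed_out"] = True
        elif "Unroutable control packet" in msg:
            cur["unroutable"] += 1
        elif "Initialization Sequence Completed" in msg:
            cur["tunnel_up"] = True
        sig = SIGNAL.search(msg)
        if sig:                        # the signal line closes the cycle
            cur["cause"] = _cause(cur, sig.group(1))
            cur["seconds"] = int((when - cur["start"]).total_seconds())
            cycles.append(cur)
            cur = _new_cycle()
    return cycles


def summarize(cycles):
    """Count how many restart cycles ended for each cause."""
    return Counter(c["cause"] for c in cycles)


if __name__ == "__main__":
    for c in split_cycles(SAMPLE_LOG):
        print(f'{c["start"]}  {c["cause"]:<20} {c["seconds"]:>4}s  '
              f'unroutable={c["unroutable"]} tunnel_up={c["tunnel_up"]}')
    print(dict(summarize(split_cycles(SAMPLE_LOG))))
```

A cycle labelled `cert-verify-failed` that ends in the same second it started was rejected by the client's own certificate checks (the `ca` and `remote-cert-eku` lines of its config are the place to look), while a 60-second `handshake-timeout` points at lost or mismatched packets.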
