Never completes connecting


JonathansCorner.com

Posts: 1
Joined: Sat Dec 20, 2008 2:20 am

Post by JonathansCorner.com » Sat Dec 20, 2008 3:07 am
I am trying to connect with my company's VPN and can never quite finish getting connected. Viscosity says that it is "Connecting" but never gets any further. I cannot ping my company's DNS (or telnet to port 53), or otherwise get responses from their network from tools outside of Viscosity. Viscosity does ask me for username/password credentials to connect, which may indicate some connectivity as the network is set up to request credentials on attempts to connect.

The instructions which I am able to use to connect from an Ubuntu VM are:
Installing the client under Ubuntu
--------------------------------------------
1) Ensure that you have tun/tap support built into your kernel. (Device
Drivers->Network device support->Universal TUN/TAP device driver support)
2) apt-get install openvpn
3) unzip openvpn.zip.
4) Copy everything from the config folder in the zip file to /etc/openvpn
5) Rename Chicago.ovpn to server.conf
6) /etc/init.d/openvpn.chicago start
The structure of the ZIP file is:
$ ls -LR
README.txt config install_configs.vbs
_vpnv211.exe install.vbs

./config:
Chicago.ovpn ca-chicago.crt client.crt client.key ta-chicago.key
To try and adapt this to Viscosity, I have set the server to be the one specified in the .ovpn file, port 1194, protocol udp, device tun, checked "Connect when Viscosity opens", set a type of "SSL/TLS Client", uploaded certificates from the zipfile (CA of ca-chicago.crt, cert of client.crt, key of client.key, tls-auth of ta-chicago.key), direction of "Default", left the options/networking/proxy tabs alone, and initially left the "Advanced" alone, then tried pasting in the contents of Chicago.ovpn, and on the next attempt stripped out the lines that contained a filename:
persist-key
remote [deleted] 1194
ns-cert-type server
resolv-retry infinite
proto udp
nobind
persist-tun
verb 4
dev tun
Whether I had nothing in the Advanced tab, or the whole contents of the ovpn file, or stripped out the parts giving a filename for the certificates, the behavior is the same: it prompts me for a username and password, and then hangs indefinitely on "Connecting", and I haven't been able to confirm traffic from within the VPN.

The diagnostics under Viscosity's "Details" repeat (?once every 60 seconds?):
Fri Dec 19 10:01:27 2008: IMPORTANT: OpenVPN's default port number is now 1194
Fri Dec 19 10:01:27 2008: Re-using SSL/TLS context
Fri Dec 19 10:01:27 2008: LZO compression initialized
Fri Dec 19 10:01:27 2008: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 19 10:01:27 2008: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 19 10:01:27 2008: Local Options String: 'V4
Fri Dec 19 10:01:27 2008: Expected Remote Options String: 'V4
Fri Dec 19 10:01:27 2008: Local Options hash (VER=V4): '02af3434'
Fri Dec 19 10:01:27 2008: Expected Remote Options hash (VER=V4): '3f08d474'
Fri Dec 19 10:01:27 2008: Socket Buffers: R=[42080->65536] S=[9216->65536]
Fri Dec 19 10:01:27 2008: UDPv4 link local: [undef]
Fri Dec 19 10:01:27 2008: UDPv4 link remote: [deleted]:1194
Fri Dec 19 10:02:27 2008: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Dec 19 10:02:27 2008: TLS Error: TLS handshake failed
Fri Dec 19 10:02:27 2008: TCP/UDP: Closing socket
Fri Dec 19 10:02:27 2008: SIGUSR1[soft
Any suggestions on what I might do to fix the TLS handshake? So far as I know, the materials I was provided allow TLS connections from Ubuntu and possibly other OS'es.

TIA,

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Jan 02, 2009 8:01 pm
> Any suggestions on what I might do to fix the TLS handshake? So far as I know, the materials I was provided allow TLS connections from Ubuntu and possibly other OS'es.
This error is common when the wrong certificate/key files are used, or direction/verify commands are missing. Your best bet is to get Viscosity to import the connection, rather than creating it from scratch. To do this, open the Preferences window, click the "+" button, and select Import Connection. Select the .ovpn file, and Viscosity should automatically set up the connection for it. It should work immediately.

If you still run into trouble you may like to compare the config file Viscosity is using to the config file you have been given for Ubuntu. You can find the config file Viscosity uses at (open it using a text editor such as TextEdit):
Your Home Directory->Library->Application Support->Viscosity->OpenVPN->#->config.conf

Check to make sure there are no major differences. If the config file Viscosity is using is missing commands, you can copy-paste them in if you need to.

Cheers
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
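
An added example, not part of the original thread and not Viscosity's or OpenVPN's own code: one way to do the config comparison suggested above in Python. It reports directives the known-working config has that the other lacks or changes, ignoring file paths but not the extra arguments after them (such as the tls-auth direction). The function names and both sample configs are assumptions made for illustration.

```python
import re

# First argument is a file path (differs per machine); only the rest is compared.
FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth", "pkcs12", "dh"}

def parse_ovpn(text):
    """Map directive -> list of argument lists; skip comments and inline blocks."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = re.split(r"\s[#;]", raw.strip())[0].strip()
        if inline:  # inside an inline <ca>...</ca> style block
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            directives.setdefault(inline, []).append(["[inline]"])
            continue
        name, *args = line.split()
        directives.setdefault(name.lstrip("-"), []).append(args)
    return directives

def compare(working, other):
    """List what the known-working config has that the other lacks or changes."""
    ref, cand = parse_ovpn(working), parse_ovpn(other)
    findings = []
    for name, ref_args in ref.items():
        if name not in cand:
            findings.append(f"missing: {name} {' '.join(ref_args[0])}".rstrip())
        elif name in FILE_DIRECTIVES:
            if ref_args[0][1:] != cand[name][0][1:]:
                findings.append(f"differs: {name} extra args {ref_args[0][1:]} vs {cand[name][0][1:]}")
        elif sorted(ref_args) != sorted(cand[name]):
            findings.append(f"differs: {name} {ref_args} vs {cand[name]}")
    return findings + [f"extra: {name}" for name in cand if name not in ref]

# Constructed samples: host name, renamed paths and the tls-auth direction are made up.
WORKING = """remote vpn.example.com 1194
ns-cert-type server
ca ca-chicago.crt
tls-auth ta-chicago.key 1
"""
OTHER = """remote vpn.example.com 1194
ca ca.crt   # path renamed on import
tls-auth ta.key
"""
if __name__ == "__main__":
    print("\n".join(compare(WORKING, OTHER)))
```

Pass the text of the .ovpn file that works on Ubuntu as the first argument and the text of the config.conf Viscosity generated as the second.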

ericsondr

Posts: 2
Joined: Tue Mar 17, 2009 12:32 pm

Post by ericsondr » Tue Mar 17, 2009 12:53 pm
OK, let me first off qualify this with the fact that I'm entirely new to OpenVPN and have been reading some guides to help me set it up. On that note, I've got the correct port on my router opened, the host machine is a PC, and the server configuration appears to be running properly.
Mon Mar 16 18:50:09 2009: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 16 18:50:09 2009: LZO compression initialized
Mon Mar 16 18:50:09 2009: UDPv4 link local: [undef]
Mon Mar 16 18:50:09 2009: UDPv4 link remote: [edited]:1194
Mon Mar 16 18:51:09 2009: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 16 18:51:09 2009: TLS Error: TLS handshake failed
Mon Mar 16 18:51:09 2009: SIGUSR1[soft
I am getting the above message. My connection seems to be fine and I went through all the basic help steps you provide before entering the forums. I've imported my connection and connected to the keys as well as trying to set it up manually and have read through countless OpenVPN helps as well as as much help as I could find on your forums and I'm stuck. Any suggestions for me? I plan on purchasing this once I get it up and going.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Mar 17, 2009 7:02 pm
Hi ericsondr,

Well, first off, you'll probably want to run through the suggestions on the OpenVPN website. I've included them below:
You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.

Solutions:
• Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
• If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
• Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).
If it still doesn't work you may want to look and see if you could have an MTU issue on your hands. See this post for information on how to troubleshoot this.

Basically you appear to be getting an initial connection; however, traffic is unable to flow correctly between the client and the server. In home environments this is typically due to a port-forwarding or firewall misconfiguration. Depending on your Internet connection you could also have an MTU/fragmentation issue on your hands, which the above should address. If you are in control of the OpenVPN server you could also try changing to TCP (instead of UDP) and see if you have the same issue.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
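
One way to triage logs like the two quoted in this thread, as an added example that is not part of the original posts: the Python below groups a log into connection attempts and reports whether OpenVPN logged any packet from the server before the handshake timeout. It assumes the log verbosity is high enough for OpenVPN to write its "TLS: Initial packet from" line; the function names are made up, and the second attempt in the sample is constructed.

```python
import re
from datetime import datetime

STAMPED = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}): (.*)$")

def attempts(log_text):
    """Group log lines into connection attempts, one per 'link remote' line."""
    found = []
    for raw in log_text.splitlines():
        m = STAMPED.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if "link remote:" in msg:
            found.append({"start": when, "replied": False, "waited": None})
        elif found and msg.startswith("TLS: Initial packet from"):
            found[-1]["replied"] = True
        elif found and "TLS key negotiation failed" in msg:
            found[-1]["waited"] = int((when - found[-1]["start"]).total_seconds())
    return found

def diagnose(attempt):
    """Separate 'nothing came back' from 'handshake started, then stalled'."""
    if attempt["waited"] is None:
        return "no handshake timeout logged"
    if attempt["replied"]:
        return f"server answered, then the handshake stalled for {attempt['waited']}s"
    return f"no server packet logged in {attempt['waited']}s"

# First attempt: lines copied from the first post's log. Second attempt:
# constructed, with a documentation address, to show the other outcome.
SAMPLE = """\
Fri Dec 19 10:01:27 2008: UDPv4 link local: [undef]
Fri Dec 19 10:01:27 2008: UDPv4 link remote: [deleted]:1194
Fri Dec 19 10:02:27 2008: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Dec 19 10:02:27 2008: TLS Error: TLS handshake failed
Fri Dec 19 10:02:29 2008: UDPv4 link remote: 192.0.2.10:1194
Fri Dec 19 10:02:29 2008: TLS: Initial packet from 192.0.2.10:1194, sid=0f1e2d3c 4b5a6978
Fri Dec 19 10:03:29 2008: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

if __name__ == "__main__":
    for a in attempts(SAMPLE):
        print(a["start"], "->", diagnose(a))
```

An attempt with no server packet logged points at the address, port, port-forward and firewall checks listed above; one where the server answered first points past them, toward the later handshake stages.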

ericsondr

Posts: 2
Joined: Tue Mar 17, 2009 12:32 pm

Post by ericsondr » Wed Mar 18, 2009 10:33 am
Hmmm, it appears you may be correct. I have an Xcelerator IP (VoIP business phone system). It seems that it doesn't want to work even though I have it set properly. It also seems to pull up little information that is relevant on Google... lovely.

Anyhow, I appreciate your response and will look into the issue and post again if I have further questions.