My config (an OpenVPN server is also running here on tun0):
config openvpn 'xx'
option dev 'tun1'
option log '/tmp/openvpn.log'
option verb '3'
option pkcs12 '/etc/openvpn/xx/jacek.p12'
option client '1'
option remote_cert_tls 'server'
option proto 'tcp'
option remote 'ipclienta 1194'
option fast_io '1'
option persist_tun '1'
option persist_key '1'
option cipher 'AES-256-CBC'
option keepalive '5 20'
option enabled '1'
Connection log when the problem occurs:
Wed Mar 29 07:59:10 2017 OpenVPN 2.4.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Mar 29 07:59:10 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Wed Mar 29 07:59:10 2017 NOTE: --fast-io is disabled since we are not using UDP
Wed Mar 29 07:59:11 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]ipclient:1194
Wed Mar 29 07:59:11 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Mar 29 07:59:11 2017 Attempting to establish TCP connection with [AF_INET]xxx:1194 [nonblock]
Wed Mar 29 07:59:12 2017 TCP connection established with [AF_INET]xxxx:1194
Wed Mar 29 07:59:12 2017 TCP_CLIENT link local: (not bound)
Wed Mar 29 07:59:12 2017 TCP_CLIENT link remote: [AF_INET]xxxxx:1194
Wed Mar 29 07:59:12 2017 TLS: Initial packet from [AF_INET]xxxx:1194, sid=1e7d9f59 e4c42222
Wed Mar 29 07:59:13 2017 VERIFY OK: depth=1, C=PL, ST=xxxxxxxx
Wed Mar 29 08:05:03 2017 Validating certificate key usage
Wed Mar 29 08:05:03 2017 ++ Certificate has key usage 00a0, expects 00a0
Wed Mar 29 08:05:03 2017 VERIFY KU OK
Wed Mar 29 08:05:03 2017 Validating certificate extended key usage
Wed Mar 29 08:05:03 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Mar 29 08:05:03 2017 VERIFY EKU OK
Wed Mar 29 08:05:03 2017 VERIFY OK: depth=0, C=PL, ST=xxxxxxxxxxxxxx
Wed Mar 29 08:05:04 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar 29 08:05:04 2017 TLS Error: TLS handshake failed
Wed Mar 29 08:05:04 2017 Fatal TLS error (check_tls_errors_co), restarting
Wed Mar 29 08:05:04 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 29 08:05:04 2017 Restart pause, 5 second(s)
and a successful connection:
Wed Mar 29 08:21:02 2017 Restart pause, 5 second(s)
Wed Mar 29 08:21:07 2017 NOTE: --fast-io is disabled since we are not using UDP
Wed Mar 29 08:21:07 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]ipclient:1194
Wed Mar 29 08:21:07 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Mar 29 08:21:07 2017 Attempting to establish TCP connection with [AF_INET]xxxx:1194 [nonblock]
Wed Mar 29 08:21:08 2017 TCP connection established with [AF_INET]xxxxx:1194
Wed Mar 29 08:21:08 2017 TCP_CLIENT link local: (not bound)
Wed Mar 29 08:21:08 2017 TCP_CLIENT link remote: [AF_INET]xxxx:1194
Wed Mar 29 08:21:08 2017 TLS: Initial packet from [AF_INET]xxxx:1194, sid=fc725478 278e0e63
Wed Mar 29 08:21:08 2017 VERIFY OK: depth=1, C=PL, ST=xxxxxxxxxx
Wed Mar 29 08:21:08 2017 Validating certificate key usage
Wed Mar 29 08:21:08 2017 ++ Certificate has key usage 00a0, expects 00a0
Wed Mar 29 08:21:08 2017 VERIFY KU OK
Wed Mar 29 08:21:08 2017 Validating certificate extended key usage
Wed Mar 29 08:21:08 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Mar 29 08:21:08 2017 VERIFY EKU OK
Wed Mar 29 08:21:08 2017 VERIFY OK: depth=0, C=PL, ST=xxxxxxxx
Wed Mar 29 08:21:09 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Mar 29 08:21:09 2017 [server] Peer Connection Initiated with [AF_INET]xxxxxx:1194
Wed Mar 29 08:21:10 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Mar 29 08:21:10 2017 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 10.8.8.1,topology net30,ifconfig 10.8.8.6 10.8.8.5,peer-id 0,cipher AES-256-GCM'
Wed Mar 29 08:21:10 2017 OPTIONS IMPORT: --ifconfig/up options modified
Wed Mar 29 08:21:10 2017 OPTIONS IMPORT: route options modified
Wed Mar 29 08:21:10 2017 OPTIONS IMPORT: peer-id set
Wed Mar 29 08:21:10 2017 OPTIONS IMPORT: adjusting link_mtu to 1626
Wed Mar 29 08:21:10 2017 OPTIONS IMPORT: data channel crypto options modified
Wed Mar 29 08:21:10 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Mar 29 08:21:10 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Mar 29 08:21:10 2017 Preserving previous TUN/TAP instance: tun1
Wed Mar 29 08:21:10 2017 Initialization Sequence Completed
As you can see, this is where the problem lies:
TLS Error: TLS key negotiation failed to occur within
This goes on endlessly: the service restarts every 60 seconds and renegotiates the connection.
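
Added example, not part of the original post: a small Python log reader that splits an OpenVPN client log into connection attempts and reports, for each one, how it ended and after which log line the longest silent gap occurred. The sample lines are excerpted from the two logs above; the function names and result labels are this example's own.

```python
from datetime import datetime

STAMP = "%a %b %d %H:%M:%S %Y"  # OpenVPN's ctime-style prefix, 24 characters wide
# Lines excerpted from the two logs in the post (addresses already masked there).
SAMPLE_LOG = """\
Wed Mar 29 07:59:11 2017 Attempting to establish TCP connection with [AF_INET]xxx:1194 [nonblock]
Wed Mar 29 07:59:12 2017 TLS: Initial packet from [AF_INET]xxxx:1194, sid=1e7d9f59 e4c42222
Wed Mar 29 07:59:13 2017 VERIFY OK: depth=1, C=PL, ST=xxxxxxxx
Wed Mar 29 08:05:03 2017 Validating certificate key usage
Wed Mar 29 08:05:04 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar 29 08:05:04 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 29 08:21:07 2017 Attempting to establish TCP connection with [AF_INET]xxxx:1194 [nonblock]
Wed Mar 29 08:21:08 2017 VERIFY OK: depth=1, C=PL, ST=xxxxxxxxxx
Wed Mar 29 08:21:09 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Mar 29 08:21:10 2017 Initialization Sequence Completed
"""
ENDINGS = {"TLS Error: TLS key negotiation failed": "tls-timeout",
           "Initialization Sequence Completed": "connected"}  # prefix -> result label

def parse(log):
    """Yield (timestamp, message) for each line that starts with a valid stamp."""
    for line in log.splitlines():
        try:
            yield datetime.strptime(line[:24], STAMP), line[25:]
        except ValueError:
            continue  # wrapped or foreign line, skip it

def attempts(log):
    """Summarise each connection attempt: result and the longest silent gap."""
    done, cur, prev = [], None, None
    for ts, msg in parse(log):
        if msg.startswith("Attempting to establish"):
            cur = {"start": ts, "result": "incomplete", "stall": 0.0, "stall_after": None}
            done.append(cur)
        elif cur is not None:  # lines between attempts (restart chatter) are ignored
            gap = (ts - prev[0]).total_seconds()
            if gap > cur["stall"]:
                cur["stall"], cur["stall_after"] = gap, prev[1]
            for prefix, result in ENDINGS.items():
                if msg.startswith(prefix):
                    cur["result"] = result
                    cur = None  # attempt finished
                    break
        prev = (ts, msg)
    return done

if __name__ == "__main__":
    for a in attempts(SAMPLE_LOG):
        print(a["start"], a["result"], f'{a["stall"]:.0f}s after: {a["stall_after"]}')
```

On the failing attempt it reports a 350-second gap right after the depth=1 VERIFY OK line, while the successful attempt never pauses for more than a second.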