Windows 11 OpenVPN

suschi · 21 June 2024 20:17

Hi guys,

I have my OpenVPN server running on the IpFire machine and can connect to some Windows 10 clients via OpenVPN. It works well.

I got it working with you here back then:

Now I have a Windows 11 machine and use the same Client.zip from the Ipfire machine and the same OpenVPN client for Windows, so everything is the same.

The Windows 11 machine does not connect, however, and aborts after a while with the following error message:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

I have no idea what could be causing this.

suschi · 23 June 2024 20:18

no one has an idea ?

jon · 24 June 2024 02:06

must not be many Windows 11 users…

jon · 24 June 2024 02:11

Maybe this might help?

dark0ipfire · 24 June 2024 06:01

Did you use the current client version 2.6.11, download at https://swupdate.openvpn.org/community/releases/OpenVPN-2.6.11-I001-amd64.msi ?

Then you must set providers option to deal with OpenSSL 1.1 on server side as stated in New OpenVPN 2.6.0 Client (Windows 10 64bit) fails to connect - #3 by dark0ipfire

dark0ipfire · 24 June 2024 06:22

Did you check all hints in https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/ ?

raffe · 24 June 2024 08:27

I run several Win 11 with OpenVPN 2.6.10 and newer to a IPFire 2.29 (x86_64) - Core-Update 186 without any problems. Do you use the latest OpenVPN? I use Community Downloads - Open Source VPN | OpenVPN

suschi · 28 June 2024 20:26

Hi guys,
sorry couldn’t answer earlier.
So I’m using OpenVPN version 2.6.11 and have set everything up in the links above and it doesn’t work.
I don’t understand it…
Why doesn’t it work under Windows 11 but under Windows 10?

alain · 29 June 2024 17:37

I run Win11 and use OpenVPN 2.5.9 to connect roadwarrions to OpenVPN server on IPFire. Runs great and I have an absolute steady connection.

suschi · 30 June 2024 15:15

Then I don’t know what I’m doing wrong.
It works on all Windows 10 computers with the configuration shown in the screenshot

The green connection status is because I had to access it with a Windows 10 machine for the screenshots

tphz · 1 July 2024 09:56

I hope the following links will be helpful

Regards

alain · 1 July 2024 18:03

I have the almost the same settings. The only differences:

TLS-Kanalabsicherung is checked
Clients run 2.5.9 or 2.5.10 (not version 2.6.x)

suschi · 2 July 2024 04:57

So thank you first of all for your time and help,

I have installed version 2.5.9 (also on the Windows 10 machine) and have activated:

TLS channel security is checked.

Now the Windows 10 machine won’t connect, and the Windows 11 machine won’t connect either.

I’ll try the other help above this evening

suschi · 2 July 2024 05:01

I just saw that a new error has occurred:
OpenSSL provider functionality is not available
OpenSSL provider functionality is not available

suschi · 7 July 2024 17:45

I found a new error.
A user also has the same problem after a backup on a new machine.

I also used new hardware and installed a backup, but it still worked afterwards.
But here’s the error:
in /var/log/messages the following:
192.168.0.201:60758 VERIFY ERROR: depth=0, error=CRL has expired: C=DE, O=Zentrale, CN=SurfaceaufPTPraxis, serial=6

How can I fix this?

bonnietwin · 7 July 2024 18:04

The message that you have is that the CRL has expired.

Presuming that you are running with CU186, there is a bug in that version.

Follow the instructions in this post and the CRL updater will work again.

https://community.ipfire.org/t/log-summary-openvpn-no-crl-update/11816/7

Make the green change shown in the link at the end of that post on the file /etc/fcron.daily/openvpn-crl-updater and then run that script with the command

/etc/fcron.daily/openvpn-crl-updater

and it will run that script and update your crl and the connection will work again.

suschi · 7 July 2024 18:56

Thank you for your time.

I think I’m being too stupid

The error still exists:
192.168.0.201:60758 VERIFY ERROR: depth=0, error=CRL has expired: C=DE, O=Zentrale, CN=SurfaceaufPTPraxis, serial=6

bonnietwin · 7 July 2024 19:15

That error message still occurs after you ran the command

/etc/fcron.daily/openvpn-crl-updater

from the console or ssh terminal?

suschi · 7 July 2024 19:28

Sorry but Yes,

After entering:

/etc/fcron.daily/openvpn-crl-updater

nothing happens and the error remains after

grep “SurfaceaufPTPraxis” /var/log/messages

Do you have another idea ?

bonnietwin · 7 July 2024 20:25

No but maybe @ummeegge has some ideas.