{"id":2486,"date":"2015-04-30T07:22:39","date_gmt":"2015-04-30T06:22:39","guid":{"rendered":"http:\/\/kudzia.eu\/b\/?p=2486"},"modified":"2015-05-03T11:44:57","modified_gmt":"2015-05-03T10:44:57","slug":"openvpn-tls-error-localremote-tls-keys-are-out-of-sync-and-vpn-restarts","status":"publish","type":"post","link":"https:\/\/kudzia.eu\/b\/2015\/04\/openvpn-tls-error-localremote-tls-keys-are-out-of-sync-and-vpn-restarts\/","title":{"rendered":"openvpn – TLS Error: local\/remote TLS keys are out of sync and VPN restarts"},"content":{"rendered":"

one day an openvpn that used to carry traffic for the last 7 years started to misbehave. openvpn’s own built in watchdog was restarting it every few minutes. one of the tunnels endpoints – a- is behind NAT that we don’t control, another – b – is a host with public ip address.
\n<\/p>\n

server b was claiming that keys are out of sync:
\n
\nApr 29 08:25:16 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:17 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:18 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:19 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:20 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:21 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:22 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:23 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:24 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:25 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:26 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:27 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:27 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:41408 [0]
\nApr 29 08:25:30 brtr0 openvpn-a-B[27745]: [a-c] Peer Connection Initiated with [AF_INET]93.1.2.158:41408
\nApr 29 08:26:31 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:49193 [0]
\nApr 29 08:26:36 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:49193 [0]
\nApr 29 08:26:41 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:49193 [0]
\nApr 29 08:26:42 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:49193 [0]
\nApr 29 08:26:42 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:49193 [0]
\nApr 29 08:26:43 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:49193 [0]
\nApr 29 08:26:45 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:49193 [0]
\nApr 29 08:26:47 brtr0 openvpn-a-B[27745]: [a-c] Inactivity timeout (--ping-restart), restarting
\nApr 29 08:26:47 brtr0 openvpn-a-B[27745]: SIGUSR1[soft,ping-restart] received, process restarting
\nApr 29 08:26:49 brtr0 openvpn-a-B[27745]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
\nApr 29 08:26:49 brtr0 openvpn-a-B[27745]: Re-using SSL\/TLS context
\nApr 29 08:26:49 brtr0 openvpn-a-B[27745]: LZO compression initialized
\nApr 29 08:26:49 brtr0 openvpn-a-B[27745]: Preserving previous TUN\/TAP instance: tun2
\nApr 29 08:26:49 brtr0 openvpn-a-B[27745]: UDPv4 link local (bound): [AF_INET]213.1.2.10:1779
\nApr 29 08:26:49 brtr0 openvpn-a-B[27745]: UDPv4 link remote: [undef]
\nApr 29 08:26:51 brtr0 openvpn-a-B[27745]: [a-c] Peer Connection Initiated with [AF_INET]93.1.2.158:49193
\nApr 29 08:26:52 brtr0 openvpn-a-B[27745]: Initialization Sequence Completed
\nApr 29 08:28:04 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:15472 [0]
\nApr 29 08:28:06 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:15472 [0]
\nApr 29 08:28:12 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:15472 [0]
\nApr 29 08:28:13 brtr0 openvpn-a-B[27745]: TLS Error: local\/remote TLS keys are out of sync: [AF_INET]93.1.2.158:15472 [0]
\nApr 29 08:28:19 brtr0 openvpn-a-B[27745]: [a-c] Inactivity timeout (--ping-restart), restarting
\nApr 29 08:28:19 brtr0 openvpn-a-B[27745]: SIGUSR1[soft,ping-restart] received, process restarting
\nApr 29 08:28:21 brtr0 openvpn-a-B[27745]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
\nApr 29 08:28:21 brtr0 openvpn-a-B[27745]: Re-using SSL\/TLS context
\nApr 29 08:28:21 brtr0 openvpn-a-B[27745]: LZO compression initialized
\nApr 29 08:28:21 brtr0 openvpn-a-B[27745]: Preserving previous TUN\/TAP instance: tun2
\nApr 29 08:28:21 brtr0 openvpn-a-B[27745]: UDPv4 link local (bound): [AF_INET]213.1.2.10:1779
\nApr 29 08:28:21 brtr0 openvpn-a-B[27745]: UDPv4 link remote: [undef]
\nApr 29 08:28:22 brtr0 openvpn-a-B[27745]: [a-c] Peer Connection Initiated with [AF_INET]93.1.2.158:15472
\nApr 29 08:28:23 brtr0 openvpn-a-B[27745]: Initialization Sequence Completed
\n<\/code><\/p>\n

which led to restarts of the vpn on the server a:
\n
\nApr 29 08:25:28 artr0 openvpn-A-b[5011]: [b-s] Inactivity timeout (--ping-restart), restarting
\nApr 29 08:25:28 artr0 openvpn-A-b[5011]: SIGUSR1[soft,ping-restart] received, process restarting
\nApr 29 08:25:30 artr0 openvpn-A-b[5011]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
\nApr 29 08:25:30 artr0 openvpn-A-b[5011]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
\nApr 29 08:25:30 artr0 openvpn-A-b[5011]: Re-using SSL\/TLS context
\nApr 29 08:25:30 artr0 openvpn-A-b[5011]: LZO compression initialized
\nApr 29 08:25:30 artr0 openvpn-A-b[5011]: Preserving previous TUN\/TAP instance: tun1
\nApr 29 08:25:30 artr0 openvpn-A-b[5011]: UDPv4 link local (bound): [undef]
\nApr 29 08:25:30 artr0 openvpn-A-b[5011]: UDPv4 link remote: [AF_INET]213.1.2.10:1779
\nApr 29 08:25:30 artr0 openvpn-A-b[5011]: [b-s] Peer Connection Initiated with [AF_INET]213.1.2.10:1779
\nApr 29 08:25:31 artr0 openvpn-A-b[5011]: Initialization Sequence Completed
\nApr 29 08:26:49 artr0 openvpn-A-b[5011]: [b-s] Inactivity timeout (--ping-restart), restarting
\nApr 29 08:26:49 artr0 openvpn-A-b[5011]: SIGUSR1[soft,ping-restart] received, process restarting
\nApr 29 08:26:51 artr0 openvpn-A-b[5011]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
\nApr 29 08:26:51 artr0 openvpn-A-b[5011]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
\nApr 29 08:26:51 artr0 openvpn-A-b[5011]: Re-using SSL\/TLS context
\nApr 29 08:26:51 artr0 openvpn-A-b[5011]: LZO compression initialized
\nApr 29 08:26:51 artr0 openvpn-A-b[5011]: Preserving previous TUN\/TAP instance: tun1
\nApr 29 08:26:51 artr0 openvpn-A-b[5011]: UDPv4 link local (bound): [undef]
\nApr 29 08:26:51 artr0 openvpn-A-b[5011]: UDPv4 link remote: [AF_INET]213.1.2.10:1779
\nApr 29 08:26:51 artr0 openvpn-A-b[5011]: [b-s] Peer Connection Initiated with [AF_INET]213.1.2.10:1779
\nApr 29 08:26:52 artr0 openvpn-A-b[5011]: Initialization Sequence Completed
\nApr 29 08:28:17 artr0 openvpn-A-b[5011]: [b-s] Inactivity timeout (--ping-restart), restarting
\nApr 29 08:28:17 artr0 openvpn-A-b[5011]: SIGUSR1[soft,ping-restart] received, process restarting
\nApr 29 08:28:19 artr0 openvpn-A-b[5011]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
\nApr 29 08:28:19 artr0 openvpn-A-b[5011]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
\nApr 29 08:28:19 artr0 openvpn-A-b[5011]: Re-using SSL\/TLS context
\nApr 29 08:28:19 artr0 openvpn-A-b[5011]: LZO compression initialized
\nApr 29 08:28:19 artr0 openvpn-A-b[5011]: Preserving previous TUN\/TAP instance: tun1
\nApr 29 08:28:19 artr0 openvpn-A-b[5011]: UDPv4 link local (bound): [undef]
\nApr 29 08:28:19 artr0 openvpn-A-b[5011]: UDPv4 link remote: [AF_INET]213.1.2.10:1779
\nApr 29 08:28:19 artr0 openvpn-A-b[5011]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
\nApr 29 08:28:22 artr0 openvpn-A-b[5011]: [b-s] Peer Connection Initiated with [AF_INET]213.1.2.10:1779
\nApr 29 08:28:23 artr0 openvpn-A-b[5011]: Initialization Sequence Completed
\n<\/code><\/p>\n

both a and b had in their configs:
\n
\nping 5
\nping-restart 20
\n<\/code>
\nwhich lead to the restarts on the server a after communication breakdowns.<\/p>\n

i still don’t understand real culprit of the problems. i suspect it might have something to do with the NAT behind which machine a is connected. but increasing the ping frequency from every 5s to every 1s has resolved the issue. for now at least:
\n
\nping 1
\nping-restart 20
\n<\/code><\/p>\n

i had 409 vpn restarts 2 days ago, after applying this change.<\/p>\n","protected":false},"excerpt":{"rendered":"

one day an openvpn that used to carry traffic for the last 7 years started to misbehave. openvpn’s own built in watchdog was restarting it every few minutes. one of the tunnels endpoints – a- is behind NAT that we don’t control, another – b – is a host with public ip address.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,51],"tags":[47,89],"class_list":["post-2486","post","type-post","status-publish","format-standard","hentry","category-tech","category-unimportant","tag-linux-networking","tag-openvpn"],"_links":{"self":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/comments?post=2486"}],"version-history":[{"count":3,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2486\/revisions"}],"predecessor-version":[{"id":2500,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2486\/revisions\/2500"}],"wp:attachment":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/media?parent=2486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/categories?post=2486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/tags?post=2486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}