  1. #1
    Untangle Ninja proactivens's Avatar
    Join Date
    Sep 2008
    Location
    Greensburg, Pa
    Posts
    2,372

    Tunnel VPN with PIA failed state

    Tunnel VPN is not working today with PIA. I've tried US East and US West and seeing the same behavior on both.

    Tunnel VPN logs
    Thu Nov 19 09:52:25 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
    Thu Nov 19 09:52:25 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
    Thu Nov 19 09:52:25 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Thu Nov 19 09:52:25 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.170.242.135:1198
    Thu Nov 19 09:52:25 2020 UDP link local: (not bound)
    Thu Nov 19 09:52:25 2020 UDP link remote: [AF_INET]184.170.242.135:1198
    Thu Nov 19 09:53:25 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Thu Nov 19 09:53:25 2020 TLS Error: TLS handshake failed
    Thu Nov 19 09:53:25 2020 SIGUSR1[soft,tls-error] received, process restarting
    Thu Nov 19 09:53:30 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Thu Nov 19 09:53:30 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.170.241.194:1198
    Thu Nov 19 09:53:30 2020 UDP link local: (not bound)
    Thu Nov 19 09:53:30 2020 UDP link remote: [AF_INET]184.170.241.194:1198

    Here is the VPN config
    client
    dev tun
    remote us-west.privateinternetaccess.com 1198 udp
    remote us-west.privateinternetaccess.com 502 tcp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    setenv CLIENT_CERT 0

    <ca>
    -----BEGIN CERTIFICATE-----
    Removed cert because it's not relevant and makes the post too long
    -----END CERTIFICATE-----
    </ca>

    cipher aes-128-cbc
    auth sha1
    tls-client
    remote-cert-tls server
    auth-user-pass
    comp-lzo no
    verb 1
    reneg-sec 0
    www.nexgenappliances.com
    Toll Free: 866-794-8879
    UNTANGLE STAR PARTNER
    Follow us at spiceworks!

  2. #2
    Untangle Ninja proactivens's Avatar
    Join Date
    Sep 2008
    Location
    Greensburg, Pa
    Posts
    2,372

    To provide some more color: the PIA page shows a bunch of connections with the verbiage (Client update needed) and these connections do not work.
    https://www.privateinternetaccess.com/pages/openvpn-ios
    The ones that do not have the verbiage (client update needed) do work. I have connected to Houston and Washington, DC. So it seems as though an updated OVPN client may be needed to connect to a majority of PIA connections??
    www.nexgenappliances.com
    Toll Free: 866-794-8879
    UNTANGLE STAR PARTNER
    Follow us at spiceworks!

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,304

    One... you didn't call me?!? That's odd!

    Two, Untangle v16 runs OpenVPN 2.4.7-1, which is the most recent version of OpenVPN available via the Debian repos...

    Stay tuned folks while I smack my business partner with a fish...

    *edit* Dug through PIA's support docs and they support 2.3 onward, though they recommend 2.4.7. This isn't a version thing, this is a client or server configured incorrectly thing.
    Last edited by sky-knight; 11-19-2020 at 10:01 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Newbie
    Join Date
    Nov 2020
    Posts
    2

    Hi,

    I was having the same problem and I think it will be related to the new "NextGen VPN network" that PIA launched.
    Looking at the settings that proactivens put up there, I would say that you are using the old configuration file, just as I was.

    What I did to get it working was to use the new configuration files. I found them at the following link:
    h**ps://**w.privateinternetaccess.com/pages/download

    You will have an option that says "View OpenVPN Configurations".
    In the window that opens will be the new configuration files. I used the ones that say "NextGen".

    I see only 3 differences, no more "comp-lzo no" and new "compress" and "disable-occ".
    I have no experience with OpenVPN. I hope that one of you can confirm that this is correct and properly configured.

    PS: Sorry for the link only with one post.
    proactivens likes this.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,304

    Oh yes I think you're right!

    But the change I see that's most significant is the remote lines, there are completely different DNS names in the NextGen files relative to the others. I suspect the old servers are simply not online anymore, and the new ones are active. That would explain the above error, since TLS Error: TLS key negotiation failed to occur within 60 seconds basically means HELP SOMETHING WENT WRONG!

    It's usually a connection error, as in the server isn't responding.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
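
Added example, not part of any post in this thread: a small Python triage of the OpenVPN client log from post #1, pairing each "link remote" endpoint with what happened next, so a handshake that never got an answer is separated from one that connected. The function names and the "Initialization Sequence Completed" success marker are choices made for this sketch; the sample lines are copied from post #1.

```python
import re

# Log lines copied from post #1 of this thread.
SAMPLE_LOG = """\
Thu Nov 19 09:52:25 2020 UDP link local: (not bound)
Thu Nov 19 09:52:25 2020 UDP link remote: [AF_INET]184.170.242.135:1198
Thu Nov 19 09:53:25 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Nov 19 09:53:25 2020 TLS Error: TLS handshake failed
Thu Nov 19 09:53:25 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Nov 19 09:53:30 2020 UDP link local: (not bound)
Thu Nov 19 09:53:30 2020 UDP link remote: [AF_INET]184.170.241.194:1198
"""

# "UDP link remote: [AF_INET]ip:port"; TCP variants carry a suffix after "TCP".
LINK_RE = re.compile(r"(UDP|TCP)\S* link remote: \[AF_INET6?\](\S+)")
TIMEOUT = "TLS key negotiation failed to occur within"
CONNECTED = "Initialization Sequence Completed"


def triage(log_text):
    """Map (endpoint, proto) -> 'timeout', 'connected' or 'pending'."""
    status = {}
    current = None
    for line in log_text.splitlines():
        m = LINK_RE.search(line)
        if m:
            # A new attempt starts; its outcome is unknown until a later line.
            current = (m.group(2), m.group(1).lower())
            status[current] = "pending"
        elif current and TIMEOUT in line:
            status[current] = "timeout"
        elif current and CONNECTED in line:
            status[current] = "connected"
    return status


def verdict(status):
    """Summarise: did any endpoint complete, or did none of them answer?"""
    outcomes = set(status.values())
    if "connected" in outcomes:
        return "connected"
    if "timeout" in outcomes:
        # No server reply at all: check the remote lines and reachability first.
        return "no-response"
    return "inconclusive"


if __name__ == "__main__":
    for endpoint, outcome in triage(SAMPLE_LOG).items():
        print(endpoint, outcome)
    print(verdict(triage(SAMPLE_LOG)))
```

A "no-response" result points at the `remote` lines or the path to them rather than at cipher or compression options, which only matter once the server has replied.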

  6. #6
    Newbie
    Join Date
    Nov 2020
    Posts
    2

    Yes, it's true, I didn't even notice the domain changed even though I changed the subdomain to the server I normally use because it wasn't in the zip file.

    It's late for me, going to sleep.
