We are attempting to create a VPN Endpoint to enable client connections to our VPC using the AWS VPN client.
When attempting to connect, I receive a TLS Handshake error.
I suspect I either created the certificate or endpoint incorrectly.
I am using a self-signed certificate created using easyRSA. I have tried several sets of instructions from the re:Post site. The certificate appears to create fine. Do I need to provide a 'specific' host name when creating it? I have provided a value; however, the value has nothing to do with our configuration. The instructions do not appear to provide any guidance or restriction on the host name for the certificate. I attempted to use the VPC VPN Endpoint ID; however, the value is too long.
I added the certificate to Certificate Manager. I uploaded the server.crt and server.key information. I did not fill in the chain information; I'm uncertain if I should.
Should I have used the CA information or added that?
I downloaded the client connection file from the VPN. I modified the OVPN file. I tried inserting the information from both the server and client keys. The AWS article appears to indicate to use the server information if the VPN was configured to use the same certificate. I did that. Neither setup appears to work.
My client log shows the following:
2024-05-11 11:13:29.945 -04:00 [DBG] CM processsing: >LOG:1715440409,N,TLS Error: TLS object -> incoming plaintext read error
2024-05-11 11:13:29.945 -04:00 [DBG] CM processsing: >LOG:1715440409,N,TLS Error: TLS handshake failed
2024-05-11 11:13:29.945 -04:00 [DBG] Connection state changed for CVPN endpoint id: cvpn-endpoint-07c8c7ee5dc919694
2024-05-11 11:13:29.984 -04:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 0 to MetricsTable
2024-05-11 11:13:30.005 -04:00 [DBG] Inserted event LOCAL_NETWORK_CIDR_EMPTY_ERROR 0 to MetricsTable
2024-05-11 11:13:30.023 -04:00 [DBG] Inserted event WCF_COMM_EXCEPTION 0 to MetricsTable
2024-05-11 11:13:30.023 -04:00 [DBG] Set connection state for CVPN endpoint id: cvpn-endpoint-07c8c7ee5dc919694
2024-05-11 11:13:30.023 -04:00 [INF] Terminating connection
2024-05-11 11:13:30.023 -04:00 [DBG] 🏞 Ending connection details reporting.
2024-05-11 11:13:30.023 -04:00 [WRN] We are calling GracefulKill in a method that is not supposed to change Connection state.
2024-05-11 11:13:30.023 -04:00 [DBG] GracefulKill
2024-05-11 11:13:30.023 -04:00 [DBG] Stopping openvpn process
2024-05-11 11:13:30.023 -04:00 [DBG] Sending SIGTERM to gracefully shut down the OpenVPN process
2024-05-11 11:13:30.449 -04:00 [DBG] IsAlive thread is exiting. Closing wcfOvpnStatusCheckingChannel
2024-05-11 11:13:31.069 -04:00 [DBG] Cancelling socket listen token
2024-05-11 11:13:31.069 -04:00 [DBG] Dispose socket
2024-05-11 11:13:31.069 -04:00 [DBG] Checking wcfOvpnStopChannel status
2024-05-11 11:13:31.069 -04:00 [DBG] No existing WCF channel
2024-05-11 11:13:31.069 -04:00 [DBG] Creating a WCF channel
2024-05-11 11:13:31.072 -04:00 [DBG] WCF channel opened successfully. Ready for communication
2024-05-11 11:13:31.072 -04:00 [DBG] CM processsing:
2024-05-11 11:13:31.072 -04:00 [DBG] 🥶 APPEND line
2024-05-11 11:13:31.390 -04:00 [DBG] Release process manager lock
2024-05-11 11:13:31.390 -04:00 [DBG] Stop OpenVPN WCF call finished. Closing wcfOvpnStopChannel
2024-05-11 11:13:31.390 -04:00 [DBG] Disconnected
2024-05-11 11:13:31.391 -04:00 [DBG] Connection state changed for CVPN endpoint id: cvpn-endpoint-07c8c7ee5dc919694
2024-05-11 11:13:31.391 -04:00 [DBG] Received exception for connection state Disconnected. Show error message to user
2024-05-11 11:13:31.391 -04:00 [ERR] Exception recieved by connect window view model
ACVC.Core.OpenVpn.OvpnTlsHandshakeException: Terminating connection because of a TLS error.
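An added example, not from the poster, the reply or AWS, that rebuilds the kind of PKI described above with plain openssl in place of easy-rsa and checks offline the two relationships a Client VPN mutual-TLS handshake depends on: that server.crt and server.key belong together and chain to the CA certificate that goes in the ACM "chain" field, and that the client certificate pasted into the .ovpn was issued by the same CA as the <ca> block already present in the downloaded file. It assumes openssl is installed; the aws CLI is only needed for the import function, which is defined but not run. All CNs, the endpoint hostname in the constructed template and the file names are invented, and the template itself is a constructed stand-in for the file the console downloads, not a real one.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or from AWS. Names, CNs, the endpoint
# hostname in the constructed template and all file names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Minimal config so `openssl req -subj` works even without a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Make a key pair and CSR for CN=$1.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Self-sign $1's CSR as a CA (the easyrsa build-ca step).
make_ca() {
  csr "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a leaf cert for $2 under CA $1 with EKU $3 (serverAuth or clientAuth),
# the easyrsa build-server-full / build-client-full step. The client config's
# "remote-cert-tls server" line requires serverAuth on the server cert.
issue() {
  csr "$2"
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 825 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# 0 if cert $1 was issued by the CA in $2.
chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# 0 if private key $2 is the key pair of cert $1 (RSA modulus comparison).
key_matches_cert() {
  [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# The ACM import with the issuing CA supplied as the chain. Defined only; it
# needs AWS credentials and is not run by main.
import_server_cert_to_acm() {
  aws acm import-certificate --certificate "fileb://$WORK/server.crt" \
    --private-key "fileb://$WORK/server.key" --certificate-chain "fileb://$WORK/vpn-ca.crt"
}

# Constructed stand-in for the .ovpn downloaded from the console; its <ca>
# block is the CA the endpoint was created with ($2). Hostname is invented.
write_sample_template() {
  {
    printf 'client\ndev tun\nproto udp\n'
    printf 'remote cvpn-endpoint-0123456789abcdef0.prod.clientvpn.us-east-1.amazonaws.com 443\n'
    printf 'remote-cert-tls server\nverb 3\n<ca>\n'
    cat "$WORK/$2.crt"
    printf '</ca>\n'
  } > "$1"
}

# Append inline <cert>/<key> blocks for client identity $3 to template $1, writing $2.
build_client_ovpn() {
  {
    cat "$1"
    printf '<cert>\n'; cat "$WORK/$3.crt"; printf '</cert>\n'
    printf '<key>\n';  cat "$WORK/$3.key"; printf '</key>\n'
  } > "$2"
}

# Extract one inline block ($2 = ca, cert or key) from .ovpn $1.
ovpn_block() { sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d'; }

# 0 if the <cert> in .ovpn $1 was issued by the <ca> in the same file, which is
# the relationship the endpoint checks during the mutual-TLS handshake.
ovpn_is_consistent() {
  ovpn_block "$1" ca   > "$WORK/ovpn-ca.pem"
  ovpn_block "$1" cert > "$WORK/ovpn-cert.pem"
  chains_to_ca "$WORK/ovpn-cert.pem" "$WORK/ovpn-ca.pem"
}

main() {
  make_ca vpn-ca; make_ca other-ca            # other-ca exists only to show a mismatch
  issue vpn-ca server  serverAuth
  issue vpn-ca client1 clientAuth
  chains_to_ca "$WORK/server.crt" "$WORK/vpn-ca.crt" && echo "server.crt chains to vpn-ca.crt"
  key_matches_cert "$WORK/server.crt" "$WORK/server.key" && echo "server.key matches server.crt"
  write_sample_template "$WORK/endpoint.ovpn" vpn-ca
  build_client_ovpn "$WORK/endpoint.ovpn" "$WORK/client1.ovpn" client1
  ovpn_is_consistent "$WORK/client1.ovpn" && echo "client1.ovpn: cert issued by the <ca> in the file"
  write_sample_template "$WORK/wrong.ovpn" other-ca   # endpoint created with a different CA
  build_client_ovpn "$WORK/wrong.ovpn" "$WORK/wrong-client.ovpn" client1
  ovpn_is_consistent "$WORK/wrong-client.ovpn" || echo "wrong-client.ovpn: cert not from the <ca> in the file, handshake would fail"
}
main "$@"
```

Run it as-is to see both the consistent and the mismatched case; point WORK at your real easy-rsa pki/ directory and call chains_to_ca, key_matches_cert and ovpn_is_consistent on the actual server.crt, server.key and edited .ovpn to check them before re-importing. A server.crt that does not verify against the CA you believe it came from, or an .ovpn whose <cert> does not verify against its own <ca>, cannot complete the handshake regardless of what the console accepts.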
I have the same problem. Did you find out why it suddenly started working? I've added the ca.crt to the chain section of the ACM import...