VPN issues

 

TLS handshake failed

Operating System: Windows, Network: University/Institute

The most common cause is a firewall with blocked ports or network problems on the client.

Try or recheck the following:

  • The Windows firewall is blocking access for the openvpn.exe binary. You need to whitelist it for OpenVPN to work.

  • Your university's firewall blocks incoming UDP ports

    • To solve that problem, you may want to ask the administrators to open the following UDP ports:

        permit udp 131.234.195.0/24 range 1194 1300 any
        permit udp 2001:638:502:195::/64 range 1194 1300 any

(any can also stand for your computer or institute network)

Operating System: Linux, Network: University/Institute

The most common cause is a firewall with blocked ports or network problems on the client.

Try or recheck the following:

  • Your university's firewall blocks incoming UDP ports

    • To solve that problem, you may want to ask your administrators to open the following UDP ports:

        permit udp 131.234.195.0/24 range 1194 1300 any
        permit udp 2001:638:502:195::/64 range 1194 1300 any

(any can also stand for your computer or institute network)

  • A local firewall (iptables, firewalld (RedHat/Fedora), ufw (Ubuntu), ...) blocks incoming UDP ports

    • Allow the following UDP ports/IP ranges:

        IPv4: 131.234.195.0/24 - port range 1194-1300
        IPv6: 2001:638:502:195::/64 - port range 1194-1300

mac verify failure

Operating System: Windows/Linux/macOS

This error message can have the following causes:

  • Incorrect password entered for the user certificate

    • Please use the “Import password” that was created directly after creating the user certificate

  • Certificate file is corrupt

    • Try creating a new certificate

This error message appears when an incorrect password is entered for the user certificate.

Operating System: Linux

The error message may also occur with OpenSSL versions newer than version 3 as used by recent Linux distributions.

Example message:

The reason is the format of the user certificate. Most recent OpenSSL versions don’t accept the old format, but old OpenSSL versions do not accept the new format. Therefore, there is no format that works for everyone.

There are two solutions:

  • Extract the certificate and key portions from the pkcs12 file, as explained in this IMT article, and specify them separately in the OpenVPN configuration file using the key and cert options instead of the pkcs12 option.

  • An alternative is to export the key and certificate portions from the pkcs12 file and repackage them as a new pkcs12 file with a new password using the following command (it will ask for the original password and afterwards twice for the new password). Finally, change the OpenVPN configuration file to use the new pkcs12 file.