Prevent SSL Handshake Timeouts In OpenVPN

From Amahi Wiki
Jump to: navigation, search

Some users may experience "SSL\TLS handshake" timeouts, this may happen when somehow these packets get corrupt, regardless of their protocol (TCP/UDP) or port.
Now we're going to add "HMAC signature" to packets, so that every packet not bearing the signature can be dropped, after adding this your connection will be more secure & those timeouts will dissapear!
Here is how:

Things to do on server :
Open "Terminal" or use SSH to login into server as root, run these commands:

cd /etc/openvpn/amahi
openvpn -–genkey -–secret ta.key
  • If using Terminal:
gedit /etc/openvpn/amahi.conf
  • If using SSH:
nano /etc/openvpn/amahi.conf

Now add these lines to the end of file:

tls-auth /etc/openvpn/amahi/ta.key 0
cipher AES-256-CBC

Save the config file:

  • If using Terminal : Save the file (Ctrl+s)
  • If using SSH: press Ctrl+x , then y ,then press Enter

Let's restart openvpn service:

service openvpn restart

You'll get something like this after this command :

Shutting down openvpn.... [OK]
Starting openvpn... [OK]


OK, there is one more thing left to do on server, you need to copy "ta.key" to a shared folder, because you have to use it on VPN client. a simple way to do this is to enter the following command, it will copy "ta.key" to "Docs" share folder which is accessible via Windows Share:

cp /etc/openvpn/amahi/ta.key /var/hda/files/docs


Things to do on Client:

  • If using windows: Run HDAConnect GUI, right-click on the red "A" icon in tray & choose "Edit Config".
  • If using other OS, you need to edit OpenVpn client config file via a text editor.

Now add these lines to end of the file:

tls-auth ta.key 1
cipher AES-256-CBC

Then save it, now we need to copy "ta.key" to the folder where the config file exists.

  • On 32-bit Windows it should be copied to "C:\Program files\HDAConnect\config".
  • On 64-bit Windows copy it to "C:\Program Files (x86)\HDAConnect\config".
  • On other OS, it should be placed where the config file exists.

Done!

Everything is set, fire up Openvpn client and use your username/password to connect.
(As you know you cannot make a vpn tunnel from yourself to yourself! so you have to test it from another network.)