TLS key negotiation failed to occur within 60 seconds


Ron

Dec 3, 2021, 10:14:32 AM
to tunnelblick-discuss
Environment:

macOS Catalina 10.15.4
Tunnelblick 3.8.7a
pfSense Community Edition 2.5.2

I've been using Tunnelblick for some time. Recently I've been unable to connect. The problem appears to be related to this error:

2021-12-03 10:05:36.666832 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-12-03 10:05:36.667007 TLS Error: TLS handshake failed

I thought the trouble may have coincided with updating to Tunnelblick 3.8.7a from 3.8.6a, which I recently did. Downgrading to 3.8.6a made no difference. I also deleted my configuration and downloaded/re-added my configuration from pfSense. This also made no difference. I'm not sure what to try next and would appreciate your suggestions!

A somewhat sanitized for anonymity (public IP addresses changed, etc.) diagnostics info file is attached.

Thank you in advance,

-- 
Ron

TunnelblickDiag.txt

Tunnelblick developer

Dec 3, 2021, 11:04:29 AM
to tunnelblick-discuss
Please post the diagnostic info obtained by following the instructions at Read Before You Post.

But note that this sort of problem is usually caused by something outside of your computer, often a problem with the VPN server. It could be a problem with the security certificate in your configuration but without the diagnostic info there's no way to determine that.


Ron

Dec 3, 2021, 12:13:23 PM
to tunnelblick-discuss
On Friday, December 3, 2021 at 11:04:29 AM UTC-5 Tunnelblick developer wrote:
...this sort of problem is usually caused by something outside of your computer, often a problem with the VPN server. It could be a problem with the security certificate...

That directed me to look in the right direction, thank you! 😊

When I first tried signing on pfSense this morning to see about the trouble and re-download my OpenVPN config, I noticed an HSTS error in Chrome and Chrome wouldn't allow me to access the web configurator login page. Interestingly, Firefox (94.0.2) still allowed me to access the login page, even though it showed a certificate warning/error. It turned out the Let's Encrypt certificate in pfSense, though it wouldn't expire until January 2022, had been signed by an intermediate (Let's Encrypt) CA, which had expired in October. To resolve, I deleted my Let's Encrypt certificate and used the ACME package to request a new one. After a new certificate was issued and web configurator restarted, the certificate validated in Chrome. I hadn't considered that either the initial trouble (expired intermediate CA) or resolution would affect the OpenVPN service.

Seeing your response prompted me to check the status of the OpenVPN service. I thought I may need to restart it so it would use the new certificate. But it had stopped. All I needed to do was start it.

OpenVPN_Service_Status.png
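
The condition described in the post above (a certificate still in date while a CA certificate in its chain has expired) can be checked per certificate with `openssl x509 -checkend`. This is an added example, not part of the thread; the helper names `chain_expiring` and `make_demo_bundle` are hypothetical, and the demo certificates are constructed self-signed stand-ins, so only validity dates are compared, not signatures.

```shell
#!/usr/bin/env bash
# Report certificates in a PEM bundle that expire within a time window.
# Only validity dates are checked; signatures and chain order are not.

# chain_expiring BUNDLE [SECONDS]   (hypothetical helper name)
# Prints subject and notAfter of each certificate that is expired now
# (SECONDS=0, the default) or will expire within SECONDS.
# Returns 0 if none are flagged, 1 if any are, 2 if no certificate is found.
chain_expiring() {
  local bundle=$1 window=${2:-0} tmp f rc=0
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate.
  awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", d, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
  ' "$bundle"
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || { rm -rf "$tmp"; return 2; }
    # -checkend exits non-zero when notAfter falls inside the window.
    if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
      openssl x509 -in "$f" -noout -subject -enddate | paste -sd' ' -
      rc=1
    fi
  done
  rm -rf "$tmp"
  return "$rc"
}

# make_demo_bundle DIR   (hypothetical; constructed sample input)
# Writes DIR/bundle.pem holding a long-lived "leaf" and a short-lived
# "intermediate", standing in for the situation in the post above.
make_demo_bundle() {
  local dir=$1 spec cn days
  : > "$dir/bundle.pem"
  for spec in demo-leaf:365 demo-intermediate:1; do
    cn=${spec%%:*}; days=${spec##*:}
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$cn" \
      -keyout "$dir/$cn.key" -out "$dir/$cn.pem" 2>/dev/null
    cat "$dir/$cn.pem" >> "$dir/bundle.pem"
  done
}

# Run against a real bundle when arguments are given: script.sh chain.pem 2592000
if [ $# -gt 0 ]; then chain_expiring "$@"; fi
```

With a 30-day window (2592000 seconds) the demo bundle flags only the short-lived certificate, even though the long-lived one is still comfortably in date.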

Tunnelblick developer

Dec 3, 2021, 12:18:15 PM
to tunnelblick-discuss
Thanks for your response. The same thing will probably happen to others with pfSense, so the details you provided are very helpful.