This problem occurs because when you restart the server, there is nothing to
trigger a new TLS key exchange. The server can't trigger it because it
doesn't have a --remote option giving it the address of its peer, so it wants
to sit and wait for a client to connect. The client doesn't trigger it
because it doesn't know the server was restarted (remember that UDP is
There are several ways to fix this problem, listed in the order of preference:
(1) Add a --remote option to the server which points to the client, making the
connection peer-to-peer rather than client/server. When one peer restarts, it
will force a new key exchange with the other peer.
(2) Use the --ping and --ping-restart options to force a key negotiation any
time that packets are not getting through the tunnel. Restarts always trigger
a new key exchange.
(3) Use static keys which allow OpenVPN to run in an essentially stateless manner.
(4) Use TCP rather than UDP as your tunnel transport (available currently in
the 1.5 beta series with the --proto option). TCP is a connection-oriented
protocol, and as such, either side of the connection knows immediately when
the other side has disconnected.
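The configuration pair below is an added example (not part of the original reply or of the OpenVPN project): it keeps the addresses, port and file paths from the quoted configs and applies fix (2), adding --ping-restart on both ends so that whichever side stops hearing from its peer tears the tunnel down and forces a fresh TLS key exchange. The 30-second timeout, the file names and the CLIENT_PUBLIC_IP placeholder for the optional --remote line (fix 1) are assumptions; the post does not give them.

```conf
# --- server side: the file named by the --config option on the command line
# (file name assumed; the quoted command line is cut off after --config)
dev  tun
dh   /etc/network/openvpn/ssl/server/dh1024.pem
ca   /etc/network/openvpn/ssl/server/psmi-vpn-cacrt.pem
cert /etc/network/openvpn/ssl/server/varsovia.crt
key  /etc/network/openvpn/ssl/server/varsovia.key
up   /etc/network/openvpn/psmi-vpn.up
# fix (2): keep sending a ping every 5 s; if nothing arrives for 30 s,
# restart the tunnel and renegotiate keys (30 s is an assumed value)
ping 5
ping-restart 30
# fix (1), optional: give the server its peer's address so that it can start
# the key exchange itself after a restart; CLIENT_PUBLIC_IP is a placeholder
# remote CLIENT_PUBLIC_IP
verb 4

# --- client side
remote 184.108.40.206
dev  tun
ifconfig 10.2.3.1 10.2.0.3
up   /etc/network/openvpn/everest-psmi.up
ca   /etc/network/openvpn/ssl/psmi-vpn-cacrt.pem
cert /etc/network/openvpn/ssl/everest-psmi.crt
key  /etc/network/openvpn/ssl/everest-psmi.key
port 10203
tls-auth /etc/network/openvpn/tls_pass
# the same pair on the client: this is what turns a silent server restart
# into a client-side restart instead of a stream of "Unknown data channel
# key ID" errors
ping 5
ping-restart 30
verb 4
```

To check it, restart the server while the client is connected: within the ping-restart window the client should log an inactivity timeout (--ping-restart), restart itself and complete a new TLS handshake without anyone touching it. Keep ping-restart several times larger than ping, otherwise a few lost UDP packets on a lossy link will trigger spurious renegotiations. Fix (4) is applied instead by adding `proto tcp-server` on the server and `proto tcp-client` on the client, and fix (3) by replacing the certificate and key lines with a shared `secret` file.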
Tacio Santos <tacio_santos@...> said:
> I'm trying to migrate to openvpn, but I got the following problem. I'm using
> TLS mode. When I start the server then the client it works ok. I can restart
> the client with no problem, but if I restart the server and the client is
> connected I get the following problem:
> TLS Error: Unknown data channel key ID or IP address received from the
> In this case I need to restart the client again to make it work.
> Do you know what the problem is?
> Thanks for your attention,
> PS: My config files
> /usr/local/sbin/openvpn --tls-auth tls_pass --replay-persist replay_file
> --lport 10203 --ifconfig 10.2.0.3 10.2.3.1 --config
> dev tun
> dh /etc/network/openvpn/ssl/server/dh1024.pem
> ca /etc/network/openvpn/ssl/server/psmi-vpn-cacrt.pem
> cert /etc/network/openvpn/ssl/server/varsovia.crt
> key /etc/network/openvpn/ssl/server/varsovia.key
> up /etc/network/openvpn/psmi-vpn.up
> ping 15
> verb 4
> CLIENT Configuration
> remote 184.108.40.206
> dev tun
> ifconfig 10.2.3.1 10.2.0.3
> up /etc/network/openvpn/everest-psmi.up
> ca /etc/network/openvpn/ssl/psmi-vpn-cacrt.pem
> cert /etc/network/openvpn/ssl/everest-psmi.crt
> key /etc/network/openvpn/ssl/everest-psmi.key
> port 10203
> tls-auth /etc/network/openvpn/tls_pass
> ping 5
> verb 4
> Openvpn-users mailing list