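I have tried several times to connect to my office through a VPN, without success. I received this from the company:
client.ovpn
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote server.net 1194
pkcs12 client.p12
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
A PKCS 12 key. I used openssl to extract:
CA certificate
User certificate
User key
The company runs openvpn on IPCop.
On Ubuntu 16.04, I created a file named "Clesopenvpn" in my home directory; the connection was 100% OK with no interruption.
Actually, I am using Ubuntu 18.04, and I have installed OpenVPN and network manager gnome. I followed the same steps but cannot connect to the VPN. When I try to start openvpn, I get this message:
"Connection failed
Activation of network connection failed"
Please help me solve this problem.
Here is the syslog error: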
Jun 5 22:05:53 dusty-Lenovo-B50-30 systemd-resolved[819]: Grace period over, resuming full feature set (UDP+EDNS0) for DNS server 192.168.3.1.
Jun 5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info> [1528229406.2474] audit: op="connection-activate" uuid="e1671165-1347-48cc-ab1e-0f5dd841f1fb" name="MUSTAPHA-TO-IPCop" pid=2093 uid=1000 result="success"
Jun 5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info> [1528229406.2573] vpn-connection[0x55ca9c864560,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: Started the VPN service, PID 4605
Jun 5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info> [1528229406.2597] vpn-connection[0x55ca9c864560,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: Saw the service appear; activating connection
Jun 5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: WARNING: file '/home/dusty/Clesopenvpn/MUSTAPHA.key' is group or others accessible
Jun 5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Jun 5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Jun 5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Jun 5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Jun 5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: Cannot load certificate file /home/dusty/Clesopenvpn/MUSTAPHA.crt
Jun 5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: Exiting due to fatal error
Jun 5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info> [1528229406.3673] vpn-connection[0x55ca9c864560,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN plugin: state changed: starting (3)
Jun 5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info> [1528229406.3675] vpn-connection[0x55ca9c864560,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN connection: (ConnectInteractive) reply received
Jun 5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info> [1528229406.3699] vpn-connection[0x55ca9c864560,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN service disappeared
Here is the message from syslog:
Jun 5 21:26:24 dusty-Lenovo-B50-30 NetworkManager[1007]: <info> [1528226784.5443] vpn-connection[0x55ca9c864360,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN connection: (ConnectInteractive) reply received
Jun 5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Jun 5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Jun 5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Jun 5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: Cannot load certificate file /home/dusty/Clesopenvpn/MUSTAPHA.crt
Jun 5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: Exiting due to fatal error
Jun 5 21:26:24 dusty-Lenovo-B50-30 NetworkManager[1007]: <warn> [1528226784.5458] vpn-connection[0x55ca9c864360,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN plugin: failed: connect-failed (1)
Jun 5 21:26:24 dusty-Lenovo-B50-30 NetworkManager[1007]: <warn> [1528226784.5459] vpn-connection[0x55ca9c864360,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN plugin: failed: connect-failed (1)
Jun 5 21:26:24 dusty-Lenovo-B50-30 NetworkManager[1007]: <info> [1528226784.5468] vpn-connection[0x55ca9c864360,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN service disappeared
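Answer 1
I set up my own OpenVPN on a remote server by following these instructions: https://openvpn.net/index.php/open-source/documentation/howto.html and was able to connect a machine running Ubuntu 18.04 to the remote server.
The .ovpn configuration I built consists of the client configuration followed by ca, cert, key and tls-auth sections. The VPN settings let me import the file, and everything is set up automatically.
Can you check your client.ovpn to see which sections it contains? If it only has the configuration, I suggest you append the following to the end of the file and then try importing the whole file in the VPN settings.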
(client.ovpn settings)
<ca>
(ca file content)
</ca>
<cert>
(certificate file content)
</cert>
<key>
(key file content)
</key>
Name it Combine.ovpn or something else, then try importing it into the VPN settings.
(Edited) Also make sure you have the openvpn packages installed.
dpkg -l |grep openvpn
ii network-manager-openvpn 1.8.2-1 amd64 network management framework (OpenVPN plugin core)
ii network-manager-openvpn-gnome 1.8.2-1 amd64 network management framework (OpenVPN plugin GNOME GUI)
ii openvpn 2.4.4-2ubuntu1 amd64 virtual private network daemon
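Since the log shows that the certificate uses the old md5 and openssl refuses to use it, this thread offers a way to get around the problem: https://forums.openvpn.net/viewtopic.php?t=23979. The solution discussed there, from mavron, should work for you. I quote him here:
- Locate your network manager vpn config file (mine is in /etc/NetworkManager/system-connections; if you have many such files and the file names do not help much in finding the right one, use grep -i "id=yourmnemonicname" *)
- Under the [vpn] section, add the following line: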
tls-cipher=DEFAULT:@SECLEVEL=0
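- Reload the configuration with the command: nmcli connection reload
I have not tried it myself, but it should disable openssl's check for outdated hashes in certificates, thereby allowing the old certificate to be used.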
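The `ca md too weak` error in the log depends on the digest used to sign the certificate. The script below is an added example, not part of the original answer or of OpenVPN: it reports that digest for each certificate file so MD5-signed ones can be identified for reissue. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which certificate files carry an MD5-based signature.
# Function names and SAMPLE_TEXT are constructed for illustration.

# Constructed excerpt in the layout printed by `openssl x509 -noout -text`.
SAMPLE_TEXT='Certificate:
    Data:
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN = Example CA
    Signature Algorithm: md5WithRSAEncryption'

# Read `openssl x509 -text` output on stdin, print the first signature algorithm.
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Map an algorithm name to a verdict: weak (MD2/MD4/MD5), legacy (SHA-1) or ok.
classify_sig_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *md2*|*md4*|*md5*) echo weak ;;
        *sha1*)            echo legacy ;;
        *)                 echo ok ;;
    esac
}

# Print "<file>: <algorithm> (<verdict>)"; return 1 if weak, 2 if unreadable.
audit_cert() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null | sig_alg_from_text)
    if [ -z "$alg" ]; then
        echo "$1: not a readable PEM certificate"
        return 2
    fi
    verdict=$(classify_sig_alg "$alg")
    echo "$1: $alg ($verdict)"
    [ "$verdict" != weak ]
}

# Usage: sh check_digest.sh ~/Clesopenvpn/*.crt
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        audit_cert "$f" || rc=1
    done
    exit "$rc"
fi
```

Certificates reported as weak need to be reissued by the CA with a SHA-256 signature to load at OpenSSL's default security level without the `tls-cipher` override.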