OpenVPN connection delay, server log shows PUSH: Received control message: 'PUSH_REQUEST' multiple times

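I am troubleshooting a connection delay with an OpenVPN server that occurs when my client connects and disconnects a few times (2-3 times usually triggers the described behavior). Server/client names and IP addresses have been altered for this post.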

The client simply hangs after connecting; its log looks as follows:

Fri Mar  3 14:39:34 2017 OpenVPN 2.4.0 [git:master/f5bf296bacce76a8+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 29 2016                                                                                             
Fri Mar  3 14:39:34 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
Fri Mar  3 14:39:34 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.2:443                                      
Fri Mar  3 14:39:34 2017 UDP link local (bound): [AF_INET][undef]:443                                                                 
Fri Mar  3 14:39:34 2017 UDP link remote: [AF_INET]127.0.0.2:443                                                                       
Fri Mar  3 14:39:34 2017 [SERVERNAME] Peer Connection Initiated with [AF_INET]127.0.0.2:443

During this delay, the server log shows the following:

Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 TLS: new session incoming connection from [AF_INET]127.0.0.2:443
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 VERIFY OK: ~redacted
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 VERIFY OK: ~redacted
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_VER=2.4.0       
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_PLAT=linux      
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_PROTO=2  
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_NCP=2
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_LZ4=1
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_LZ4v2=1  
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_LZO=1
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_COMP_STUB=1                                  
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_COMP_STUBv2=1                                                           
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_TCPNL=1
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1                      
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Fri Mar  3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4069 bit RSA
Fri Mar  3 15:05:03 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar  3 15:05:08 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar  3 15:05:13 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar  3 15:05:18 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar  3 15:05:23 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar  3 15:05:28 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'

The server configuration file looks as follows:

port 443
proto udp
dev tun
server 172.16.0.0 255.255.255.0
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh4096.pem
tls-crypt /etc/openvpn/server/tls-crypt.key
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth SHA512
verb 3
comp-lzo
duplicate-cn

Both sides use OpenVPN 2.4.0 and OpenSSL 1.0.2k on Debian.

What is causing this delay, and how can it be avoided or reduced?
