After updating to Ubuntu 22.10, openvpn can't connect to the server as a client using the same old, working ovpn config file from Ubuntu 22.04 LTS.
I constantly get an error:
2022-10-20 20:10:04 TCPv4_CLIENT link remote: [AF_INET]xx.xxx.xxx.xxx:1194
2022-10-20 20:10:04 Connection reset, restarting [0]
2022-10-20 20:10:04 SIGUSR1[soft,connection-reset] received, process restarting
I tried to reinstall openvpn, but it didn't help.
My config:
client
dev tun
proto tcp
remote xx.xxx.xxx.x 1194
user nobody
group nogroup
persist-key
persist-tun
pkcs12 /home/dyedfox/openvpn/opvn-client1.p12
auth-user-pass /home/dyedfox/openvpn/auth.cfg
askpass /home/dyedfox/openvpn/keypass.cfg
remote-cert-tls server
route 10.0.0.0 255.255.0.0 10.8.8.1
route 10.176.64.16 255.255.255.248 10.8.8.1
route 10.210.4.200 255.255.255.248 10.8.8.1
cipher AES-256-CBC
Could you help me resolve this issue?
PS Full output:
2022-10-20 21:36:40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/opvn-client1.p12' is group or others accessible
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/keypass.cfg' is group or others accessible
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/auth.cfg' is group or others accessible
2022-10-20 21:36:40 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2022-10-20 21:36:40 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2022-10-20 21:36:40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-10-20 21:36:40 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:40 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2022-10-20 21:36:41 Connection reset, restarting [0]
2022-10-20 21:36:41 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:46 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:46 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:47 Connection reset, restarting [0]
2022-10-20 21:36:47 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:52 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:52 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:53 Connection reset, restarting [0]
2022-10-20 21:36:53 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:58 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:58 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 Connection reset, restarting [0]
2022-10-20 21:36:58 SIGUSR1[soft,connection-reset] received, process restarting
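Answer 1
This is caused by a bug in network-manager-openvpn.
Ubuntu 22.10 has been updated to a newer version of OpenVPN (2.6), which doesn't support the cipher option, will ignore it, and expects the newer data-ciphers option, as shown in the output here: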
2022-10-20 21:36:40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
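The problem is that the old option is hardcoded in network-manager-openvpn, so overriding it with the new option will not work unless you pass it on the command line.
For now, you should downgrade to OpenVPN 2.5.5. Here are the steps, based on this answer, which helped me a lot: https://askubuntu.com/a/1406472/1589545
Uninstall the current OpenVPN version, if installed: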
sudo apt remove openvpn
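Install OpenVPN 2.5.5:
- Go to https://launchpad.net/ubuntu/jammy/amd64/openvpn/2.5.5-1ubuntu3
- Download the file openvpn_2.5.5-1ubuntu3_amd64.deb under the "Downloadable files" section
- Double-click the file and open it with Software Install (GUI)
Optional: mark OpenVPN so that it is not updated: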
sudo apt-mark hold openvpn
Reinstall the NetworkManager OpenVPN GUI:
sudo apt install network-manager-openvpn-gnome
Answer 2
I just added
data-ciphers=AES-128-CBC
below the original cipher entry in
/etc/NetworkManager/system-connections/MYVPN.nmconnection
and it is working.
cipher=AES-128-CBC
data-ciphers=AES-128-CBC
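Answer 3
I found a way to make it work with OpenVPN 2.6, without downgrading the OpenVPN version.
It looks like NetworkManager does not read all options (such as the data-ciphers option) from the ovpn file. The idea is to put the required option manually, directly into the NetworkManager configuration file.
Here are the instructions:
- Your OpenVPN connection should already be shown in the list of VPN connections in Network Manager. If your OpenVPN connection is not shown in Network Manager, you can create it using the "Import from file..." menu item (Settings -> Network -> VPN -> VPN+ -> Import from file...)
- Run gnome-terminal: press Alt-F2 on your keyboard, type gnome-terminal, and press Enter
- In the terminal application, run the following command to edit the NetworkManager connection file: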
sudo nano /etc/NetworkManager/system-connections/*your_connection_name*.nmconnection
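- When asked for a password, type your Ubuntu user password and press Enter (the password or asterisks will not be shown in the terminal).
- Add the following line to the [vpn] section:
data-ciphers=AES-256-CBC
Please replace AES-256-CBC with the data cipher value supported by your OpenVPN server or OpenVPN service provider. You should be able to find this value in the ovpn file provided by your VPN service provider.
- Press F2 on your keyboard, then press y and Enter to save the file.
- Restart the NetworkManager service by running the following command: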
sudo systemctl restart NetworkManager
- Try to connect your OpenVPN connection from Network Manager.
Answer 4
In my case, I had cipher=AES-256-CBC set in the new VPN profile in /etc/NetworkManager/system-connections/xxxx.nmconnection
I added data-ciphers=AES-256-CBC below cipher=AES-256-CBC, like this:
cipher=AES-256-CBC
data-ciphers=AES-256-CBC
Restarted with sudo service NetworkManager restart, and the VPN connection works as expected. Tested on Ubuntu 22.10 with openvpn 2.6
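
Answers 2, 3 and 4 all add a data-ciphers line below cipher= in the [vpn] section of the connection file. The Python sketch below is an added example, not code from the thread or from NetworkManager: it audits a keyfile for that gap and suggests a value that keeps the AEAD defaults shown in the log and appends the legacy cipher after them, which goes a step beyond the single-cipher value used in the answers. The function names and the sample profile are constructed for illustration, and it assumes the plugin passes a colon-separated list through to --data-ciphers.

```python
import configparser

# Default negotiation list, copied from the DEPRECATED OPTION log line above.
# Assumption: the plugin hands a colon-separated list through to --data-ciphers.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]

# Constructed sample keyfile (not a real profile).
SAMPLE = """[connection]
id=MYVPN

[vpn]
cipher=AES-256-CBC
remote=vpn.example.test
"""


def audit_vpn_profile(text):
    """Return (finding, suggested data-ciphers value) for a keyfile's [vpn] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key names as written
    cp.read_string(text)
    if not cp.has_section("vpn"):
        return ("no [vpn] section", None)
    legacy = cp["vpn"].get("cipher", "").strip().upper()
    current = cp["vpn"].get("data-ciphers")
    if current is not None:
        offered = [c.strip().upper() for c in current.split(":") if c.strip()]
        if legacy and legacy not in offered:
            return ("cipher missing from data-ciphers", ":".join(offered + [legacy]))
        return ("ok", None)
    if not legacy or legacy in DEFAULT_DATA_CIPHERS:
        return ("ok", None)
    return ("cipher ignored in negotiation", ":".join(DEFAULT_DATA_CIPHERS + [legacy]))

def patch_vpn_profile(text):
    """Place the suggested data-ciphers line directly below cipher= in [vpn]."""
    suggestion = audit_vpn_profile(text)[1]
    if suggestion is None:
        return text
    out, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        key = stripped.split("=", 1)[0].strip()
        if section == "vpn" and key == "data-ciphers":
            continue  # superseded by the line inserted below
        out.append(line)
        if section == "vpn" and key == "cipher":
            out.append("data-ciphers=" + suggestion)
    return "\n".join(out) + "\n"
```

Run it on a copy of the .nmconnection file and compare the result before replacing the original; the legacy cipher is listed last so that a server supporting GCM or ChaCha20-Poly1305 still negotiates one of those.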