.png)
我在使用 pfsense 连接到 openvpn 服务器时遇到一些问题。
对于我的测试,我的 pfsense openvpn 服务器和 Windows 10 openvpn 客户端上都有 2 个网络接口。
在我的 pfsense 上,我在 WAN 上有 1 个网络接口,配置为 DHCP:-WAN 192.168.0.28/24 -LAN 接口静态 192.168.10.10/24
在我的 Windows 10 客户端上: -WAN DHCP 192.168.0.30/24 -LAN 接口静态 192.168.10.15/24
我第一次尝试使用 udp 但出现“tls 密钥协商未能在 60 秒内发生 tls 握手失败”,因此我尝试使用 tcp 连接,但收到此错误:
我的 OpenVPN 配置是:
Server mode Remote Access (SSL/TLS + User Auth)
Backend for authentication Local Database
Protocol TCP
Device mode tun
Interface WAN
Local port 1194
Description VPN
TLS authentication Enable authentication of TLS packets
Key ...
Peer Certificate Authority OpenVPN CA
Server certificate ServerCertificate (Server: Yes, CA: OpenVPN CA, In Use)
DH Parameter length 2048
Encryption Algorithm AES-256-CBC(256 bit key, 128 bit block)
Auth digest algorithm SHA1(160-bit)
Hardware Crypto No Hardware Crypto Acceleration
Certificate Depth One(Client+Server)
IPv4 Tunnel Network 192.168.15.0/24
IPv4 Local network 192.168.10.0/24
Concurrent connections 5
Compression No Preference
Dynamic IP Allow connected client to retain their connections if their IP address changes
Address Pool Provide a virtual adapter IP address to clients
DNS Server enable Provide a DNS server list to clients
DNS Server 1 8.8.8.8
Force DNS cache update Run "net stop dnscache" ...
我的客户端配置是:
client
dev tun
proto tcp
remote 192.168.0.28 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca OpenVPN+CA.crt
cert UserCertificate.crt
key UserCertificate.key
cipher AES-256-CBC
verb 5
我创建了证书颁发机构和服务器/用户证书:
然后我有一些防火墙和 NAT 规则:
我检查了 pfsense 上的防火墙,端口 1194 似乎已打开:
我的 Windows 客户端上的防火墙也已关闭。
提前致谢 !
编辑 20:42 :
我搜索了服务器和客户端上的日志,我觉得登录失败后我在服务器上没有收到任何日志,我只是在启动/重新启动服务时收到日志
这是我在服务器上的日志:
Apr 7 18:34:54 openvpn 13595 OpenVPN 2.3.14 i386-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
Apr 7 18:34:54 openvpn 13595 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Apr 7 18:34:54 openvpn 13883 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 7 18:34:54 openvpn 13883 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Apr 7 18:34:54 openvpn 13883 TUN/TAP device ovpns1 exists previously, keep at program end
Apr 7 18:34:54 openvpn 13883 TUN/TAP device /dev/tun1 opened
Apr 7 18:34:54 openvpn 13883 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Apr 7 18:34:54 openvpn 13883 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Apr 7 18:34:54 openvpn 13883 /sbin/ifconfig ovpns1 192.168.15.1 192.168.15.2 mtu 1500 netmask 255.255.255.0 up
Apr 7 18:34:54 openvpn 13883 /usr/local/sbin/ovpn-linkup ovpns1 1500 1559 192.168.15.1 255.255.255.0 init
Apr 7 18:34:54 openvpn 13883 Listening for incoming TCP connection on [AF_INET]192.168.0.25:1194
Apr 7 18:34:54 openvpn 13883 TCPv4_SERVER link local (bound): [AF_INET]192.168.0.25:1194
Apr 7 18:34:54 openvpn 13883 TCPv4_SERVER link remote: [undef]
Apr 7 18:34:54 openvpn 13883 Initialization Sequence Completed
登录客户端:
Sat Apr 07 20:31:33 2018 OpenVPN 2.4.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 1 2018
Sat Apr 07 20:31:33 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Apr 07 20:31:33 2018 library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10
Enter Management Password:
Sat Apr 07 20:31:33 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Apr 07 20:31:33 2018 Need hold release from management interface, waiting...
Sat Apr 07 20:31:33 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'state on'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'log all on'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'echo all on'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'bytecount 5'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'hold off'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'hold release'
Sat Apr 07 20:31:33 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Apr 07 20:31:33 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.28:1194
Sat Apr 07 20:31:33 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Apr 07 20:31:33 2018 Attempting to establish TCP connection with [AF_INET]192.168.0.28:1194 [nonblock]
Sat Apr 07 20:31:33 2018 MANAGEMENT: >STATE:1523125893,TCP_CONNECT,,,,,,
Sat Apr 07 20:33:34 2018 TCP: connect to [AF_INET]192.168.0.28:1194 failed: Unknown error
Sat Apr 07 20:33:34 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sat Apr 07 20:33:34 2018 MANAGEMENT: >STATE:1523126014,RECONNECTING,init_instance,,,,,
Sat Apr 07 20:33:34 2018 Restart pause, 5 second(s)
Sat Apr 07 20:33:39 2018 SIGTERM[hard,init_instance] received, process exiting
Sat Apr 07 20:33:39 2018 MANAGEMENT: >STATE:1523126019,EXITING,init_instance,,,,,
答案1
创建 VPN 隧道后,PFsense 有一个名为 OpenVPN 导出工具的选项,您可以通过电子邮件将文件发送到要连接的 PC。它将下载连接到 VPN 所需的证书和客户端。你试过这个吗?
使用导出工具应该可以更轻松地将您的 PC 连接到 VPN。