OpenVPN dies after a short period of time

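I have an Ubuntu OpenVPN client that connects to a Debian OpenVPN server.

For a while I had it set up using udp on the default port 1194, and I was connecting from a network that did not filter connections. Everything worked fine.

Then I needed to connect to it from a network that only allowed ports 80 and 443, so I switched the configuration to use tcp on port 443. Again, it worked fine.

Now I am on another network that is not directly connected to the internet; I can get access through an http proxy. So I switched the client's configuration to use the http proxy. Since then the connection has become unstable. It connects to the server, and for a short period of time the connection seems to work fine (I can reach all ports on the internet, ping works...) and then it suddenly disconnects. If I don't do anything, the connection does not drop! It drops after some packets have been transferred, so if I use ssh it takes a while before it drops, but if I try to load a web page it drops very quickly. I use the Ubuntu network manager for the configuration. Routing is fine, and everything works as expected.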

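Edit 1: I also have a www server on the same machine. It could be that OpenVPN is receiving some unexpected packets, but I use the "port-share" option, which should redirect all of those packets to the www server.

As I understand it, TCP packets may be corrupted in transit (most likely by the http proxy), which breaks the HMAC.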

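Edit 2: Running Zenmap I can see that the proxy is squid and the OS is MikroTik.

Edit 3: Just for fun, I tried running another OpenVPN on top of the first one, with the second one configured to use UDP. But after reconfiguring the routes and trying to load a web page, the first one still crashed in the same way.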

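Edit 4: I have installed sslh on the server as a multiplexer on port 443, so when it receives ssh, openvpn or https traffic it redirects it to the corresponding service. Now I am trying to connect over ssh through corkscrew, but that also fails (the remote host closes the connection; the server actually receives the connection but drops it).

Edit 5: I was able to configure the server over ssh, thanks to a tunnel I set up with iodine through the DNS server. It sounds silly, but it actually works well and is very stable; the only problem is that it is very slow, just about acceptable for ssh only.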

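Edit 6: I am able to use another http proxy, which worked right away and is very stable, so I will stick with that one for now. I still don't know what was wrong with the first one.

The log on the client shows: (all of this happened in less than 2 minutes of enabling the vpn and loading half a web page)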

NetworkManager[1249]: <info> Starting VPN service 'openvpn'...
NetworkManager[1249]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 12305
NetworkManager[1249]: <info> VPN service 'openvpn' appeared; activating connections
NetworkManager[1249]: <info> VPN plugin state changed: starting (3)
NetworkManager[1249]: <info> VPN connection 'domain.com' (Connect) reply received.
nm-openvpn[12311]: OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Feb 13 2013
nm-openvpn[12311]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
nm-openvpn[12311]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn[12311]: WARNING: file '/home/user/openvpn-client-conf/ta.key' is group or others accessible
nm-openvpn[12311]: Control Channel Authentication: using '/home/user/openvpn-client-conf/ta.key' as a OpenVPN static key file
nm-openvpn[12311]: LZO compression initialized
nm-openvpn[12311]: Attempting to establish TCP connection with [AF_INET]x.x.x.x:xxxx(http proxy) [nonblock]
nm-openvpn[12311]: TCP connection established with [AF_INET]x.x.x.x:xxxx(http proxy)
nm-openvpn[12311]: TCPv4_CLIENT link local: [undef]
nm-openvpn[12311]: TCPv4_CLIENT link remote: [AF_INET]x.x.x.x:xxxx(http proxy)
nm-openvpn[12311]: [domain.com] Peer Connection Initiated with [AF_INET]x.x.x.x:xxxx(http proxy)
nm-openvpn[12311]: TUN/TAP device tun0 opened
nm-openvpn[12311]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper tun0 1500 1544 10.8.0.2 255.255.255.0 init
NetworkManager[1249]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
NetworkManager[1249]:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
NetworkManager[1249]: <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
NetworkManager[1249]: <info> VPN connection 'domain.com' (IP4 Config Get) reply received from old-style plugin.
NetworkManager[1249]: <info> VPN Gateway: x.x.x.x(http proxy)
NetworkManager[1249]: <info> Tunnel Device: tun0
NetworkManager[1249]: <info> IPv4 configuration:
NetworkManager[1249]: <info>   Internal Gateway: 10.8.0.1
NetworkManager[1249]: <info>   Internal Address: 10.8.0.2
NetworkManager[1249]: <info>   Internal Prefix: 24
NetworkManager[1249]: <info>   Internal Point-to-Point Address: 0.0.0.0
NetworkManager[1249]: <info>   Maximum Segment Size (MSS): 0
NetworkManager[1249]: <info>   Forbid Default Route: no
NetworkManager[1249]: <info>   Internal DNS: x.x.x.x(dns server)
NetworkManager[1249]: <info>   DNS Domain: '(none)'
NetworkManager[1249]: <info> No IPv6 configuration
nm-openvpn[12311]: Initialization Sequence Completed
NetworkManager[1249]: <info> VPN connection 'domain.com' (IP Config Get) complete.
NetworkManager[1249]: <info> Policy set 'domain.com' (tun0) as default for IPv4 routing and DNS.
NetworkManager[1249]: <info> Writing DNS information to /sbin/resolvconf
dbus[975]: [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
NetworkManager[1249]: <info> VPN plugin state changed: started (4)
dbus[975]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
ntpdate[12428]: step time server 84.104.189.253 offset 1.749623 sec
nm-openvpn[12311]: Authenticate/Decrypt packet error: packet HMAC authentication failed
nm-openvpn[12311]: Fatal decryption error (process_incoming_link), restarting
nm-openvpn[12311]: SIGUSR1[soft,decryption-error] received, process restarting
nm-openvpn[12311]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
nm-openvpn[12311]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn[12311]: Re-using SSL/TLS context
nm-openvpn[12311]: LZO compression initialized
nm-openvpn[12311]: Attempting to establish TCP connection with [AF_INET]x.x.x.x:xxxx(http proxy) [nonblock]
nm-openvpn[12311]: TCP connection established with [AF_INET]x.x.x.x:xxxx(http proxy)
nm-openvpn[12311]: TCPv4_CLIENT link local: [undef]
nm-openvpn[12311]: TCPv4_CLIENT link remote: [AF_INET]x.x.x.x:xxxx(http proxy)
nm-openvpn[12311]: [domain.com] Peer Connection Initiated with [AF_INET]x.x.x.x:xxxx(http proxy)
nm-openvpn[12311]: Preserving previous TUN/TAP instance: tun0
nm-openvpn[12311]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper tun0 1500 1544 10.8.0.2 255.255.255.0 restart
NetworkManager[1249]: <warn> VPN plugin failed: 2
nm-openvpn[12311]: WARNING: Failed running command (--up/--down): external program exited with error status: 1
nm-openvpn[12311]: Exiting
avahi-daemon[1176]: Withdrawing workstation service for tun0.
NetworkManager[1249]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
NetworkManager[1249]: <warn> VPN plugin failed: 1
NetworkManager[1249]: <info> VPN plugin state changed: stopped (6)
NetworkManager[1249]: <info> VPN plugin state change reason: 0
avahi-daemon[1176]: Withdrawing address record for x.x.x.x(local ip) on eth0.
avahi-daemon[1176]: Leaving mDNS multicast group on interface eth0.IPv4 with address x.x.x.x(local ip).
avahi-daemon[1176]: Joining mDNS multicast group on interface eth0.IPv4 with address x.x.x.x(second local ip).
avahi-daemon[1176]: Withdrawing address record for x.x.x.x(second local ip) on eth0.
avahi-daemon[1176]: Leaving mDNS multicast group on interface eth0.IPv4 with address x.x.x.x(second local ip).
avahi-daemon[1176]: Interface eth0.IPv4 no longer relevant for mDNS.
avahi-daemon[1176]: Joining mDNS multicast group on interface eth0.IPv4 with address x.x.x.x(local ip).
avahi-daemon[1176]: New relevant interface eth0.IPv4 for mDNS.
avahi-daemon[1176]: Registering new address record for x.x.x.x(local ip) on eth0.IPv4.
avahi-daemon[1176]: Registering new address record for x.x.x.x(second local ip) on eth0.IPv4.
NetworkManager[1249]: <info> Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.
NetworkManager[1249]: <info> Writing DNS information to /sbin/resolvconf
dbus[975]: [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
NetworkManager[1249]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
NetworkManager[1249]: <warn> (7) failed to find interface name for index
NetworkManager[1249]: nm_system_iface_flush_routes: assertion `iface != NULL' failed
NetworkManager[1249]: <warn> (7) failed to find interface name for index
dbus[975]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
NetworkManager[1249]: <info> VPN service 'openvpn' disappeared
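
A triage of the nm-openvpn lines in the log above, as an added example that is not part of the original post: it separates the hardening warnings from the session timeline and reports which event immediately preceded the exit. The rule labels, the `triage` and `exit_cause` names, and the shortened sample log are constructed for illustration.

```python
import re

# Constructed sample: a shortened subset of the client log quoted above.
SAMPLE_LOG = """\
nm-openvpn[12311]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
nm-openvpn[12311]: WARNING: file '/home/user/openvpn-client-conf/ta.key' is group or others accessible
nm-openvpn[12311]: Initialization Sequence Completed
nm-openvpn[12311]: Authenticate/Decrypt packet error: packet HMAC authentication failed
nm-openvpn[12311]: SIGUSR1[soft,decryption-error] received, process restarting
nm-openvpn[12311]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
nm-openvpn[12311]: WARNING: Failed running command (--up/--down): external program exited with error status: 1
nm-openvpn[12311]: Exiting
"""

# (label, pattern, kind): "hardening" = config weakness, "event" = session timeline
RULES = [
    ("no-server-cert-verification", r"No server certificate verification method", "hardening"),
    ("key-file-permissions", r"file '([^']+)' is group or others accessible", "hardening"),
    ("script-security", r"--script-security setting may allow", "hardening"),
    ("connected", r"Initialization Sequence Completed", "event"),
    ("hmac-failure", r"packet HMAC authentication failed", "event"),
    ("soft-restart", r"SIGUSR1\[soft,([^\]]+)\]", "event"),
    ("up-down-script-failed", r"Failed running command \(--up/--down\)", "event"),
    ("exit", r"\]: Exiting\s*$", "event"),
]

def triage(log_text):
    """Return (hardening findings, ordered event timeline) for the nm-openvpn lines."""
    hardening, timeline = {}, []
    for line in log_text.splitlines():
        if not line.startswith("nm-openvpn["):
            continue  # skip NetworkManager, dbus and avahi lines
        for label, pattern, kind in RULES:
            m = re.search(pattern, line)
            if not m:
                continue
            detail = m.group(1) if m.groups() else ""
            if kind == "hardening":
                hardening.setdefault(label, detail)  # warnings repeat after each restart
            else:
                timeline.append((label, detail))
    return hardening, timeline

def exit_cause(timeline):
    """Label of the last event before 'exit', or None if there is no such event."""
    labels = [label for label, _ in timeline]
    i = labels.index("exit") if "exit" in labels else 0
    return labels[i - 1] if i > 0 else None
```

On the sample, the timeline shows the HMAC failure triggering only a soft restart, and the event directly before the exit is the failed `--up/--down` helper.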
