Don't retry the VPN connection after a tls-error

I have several cellular devices that keep an always-on OpenVPN tunnel to a server that is always listening for incoming OpenVPN connection requests. Sometimes a cellular device is delivered to my customer with the date/time set incorrectly (e.g. 1 January 1970), so TLS verification fails because OpenVPN on the cellular device believes the CA certificate is not yet valid. That is all fine with me, except that OpenVPN keeps retrying the connection every 2 seconds, and cellular bandwidth is expensive. With tcpdump I see more than 2 KB/s of network traffic between the server and the cellular device. If OpenVPN rejects the server's CA certificate, I would like it to exit (rather than restart) on the cellular client. Is this possible?

Server configuration:

dev tun1
topology subnet
mode server
tls-server
push "topology subnet"
ifconfig 10.0.1.1 255.255.255.0
ifconfig-pool 10.0.1.200 10.0.1.254 255.255.255.0
push "route-gateway 10.0.1.1"
route 10.0.2.0 255.255.255.0 10.0.1.12
push "route 10.0.2.0 255.255.255.0"
port 1194
proto udp
persist-key
persist-tun
comp-lzo
ca /etc/openvpn/ssl/tmvca-cacert.pem
cert /etc/openvpn/ssl/principal-cert.pem
key /etc/openvpn/ssl/principal-key.pem
dh /etc/openvpn/ssl/dh1024.pem
client-config-dir /etc/openvpn/ccd
#client-connect /usr/local/bin/cc.py
client-to-client
user nobody
group nogroup
keepalive 10 120
status /var/log/openvpn/vpn1.log
verb 3
tls-verify /usr/local/bin/tls-verify.py
script-security 2

Cellular client configuration:

client
remote 198.74.60.142 1194
nobind
keepalive 10 120
resolv-retry infinite
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ns-cert-type server
ca /etc/config/openvpn/gw1-ca.crt
cert /etc/config/openvpn/gw1-public.crt
key /etc/config/openvpn/gw1-private.key
dh /etc/config/openvpn/gw1-dh.pem
comp-lzo
verb 3
syslog openvpn-gw
script-security 2
up "echo $script_type $signal"
writepid "/var/run/openvpn-gw.pid"
tls-remote principal

Cellular client output:

<28>Jan  1 18:14:23 openvpn-gw[3202]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
<28>Jan  1 18:14:23 openvpn-gw[3202]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<29>Jan  1 18:14:23 openvpn-gw[3202]: LZO compression initialized
<29>Jan  1 18:14:23 openvpn-gw[3202]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
<29>Jan  1 18:14:23 openvpn-gw[3202]: Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
<29>Jan  1 18:14:23 openvpn-gw[3202]: Local Options hash (VER=V4): '41690919'
<29>Jan  1 18:14:23 openvpn-gw[3202]: Expected Remote Options hash (VER=V4): '530fdded'
<29>Jan  1 18:14:23 openvpn-gw[3202]: Socket Buffers: R=[163840->131072] S=[163840->131072]
<29>Jan  1 18:14:23 openvpn-gw[3202]: UDPv4 link local: [undef]
<29>Jan  1 18:14:23 openvpn-gw[3202]: UDPv4 link remote: 198.74.60.142:1194
<27>Jan  1 18:14:24 openvpn-gw[3202]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
<29>Jan  1 18:14:54 openvpn-gw[3202]: TLS: Initial packet from 198.74.60.142:1194, sid=38c1dcd3 f194273b
<27>Jan  1 18:14:55 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan  1 18:14:55 openvpn-gw[3202]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
<27>Jan  1 18:14:55 openvpn-gw[3202]: TLS Error: TLS object -> incoming plaintext read error
<27>Jan  1 18:14:55 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan  1 18:14:55 openvpn-gw[3202]: TCP/UDP: Closing socket
<29>Jan  1 18:14:55 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan  1 18:14:55 openvpn-gw[3202]: Restart pause, 2 second(s)
<28>Jan  1 18:14:57 openvpn-gw[3202]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
<28>Jan  1 18:14:57 openvpn-gw[3202]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<29>Jan  1 18:14:57 openvpn-gw[3202]: Re-using SSL/TLS context
<29>Jan  1 18:14:57 openvpn-gw[3202]: LZO compression initialized
<29>Jan  1 18:14:57 openvpn-gw[3202]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
<29>Jan  1 18:14:57 openvpn-gw[3202]: Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
<29>Jan  1 18:14:57 openvpn-gw[3202]: Local Options hash (VER=V4): '41690919'
<29>Jan  1 18:14:57 openvpn-gw[3202]: Expected Remote Options hash (VER=V4): '530fdded'
<29>Jan  1 18:14:57 openvpn-gw[3202]: Socket Buffers: R=[163840->131072] S=[163840->131072]
<29>Jan  1 18:14:57 openvpn-gw[3202]: UDPv4 link local: [undef]
<29>Jan  1 18:14:57 openvpn-gw[3202]: UDPv4 link remote: 198.74.60.142:1194
<29>Jan  1 18:14:57 openvpn-gw[3202]: TLS: Initial packet from 198.74.60.142:1194, sid=944e1fb2 c074a030
<27>Jan  1 18:14:58 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan  1 18:14:58 openvpn-gw[3202]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
<27>Jan  1 18:14:58 openvpn-gw[3202]: TLS Error: TLS object -> incoming plaintext read error
<27>Jan  1 18:14:58 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan  1 18:14:58 openvpn-gw[3202]: TCP/UDP: Closing socket
<29>Jan  1 18:14:58 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan  1 18:14:58 openvpn-gw[3202]: Restart pause, 2 second(s)
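The client output above is the kind of log a field engineer has to read quickly on a device with a dead RTC. The following is an added example (not code from the question or from the OpenVPN project) that parses that syslog framing, counts the tls-error restarts, measures the real retry cadence from the SIGUSR1 timestamps, and separates clock-related verification failures ("certificate is not yet valid" / "certificate has expired") from a genuinely wrong CA. The sample log is a constructed, abbreviated copy of the output shown above; the regular expressions and the recommendation wording are my own.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample: an abbreviated copy of the client's syslog output above,
# two handshake attempts, each ending in a tls-error restart.
SAMPLE_LOG = """\
<29>Jan  1 18:14:54 openvpn-gw[3202]: TLS: Initial packet from 198.74.60.142:1194, sid=38c1dcd3 f194273b
<27>Jan  1 18:14:55 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan  1 18:14:55 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan  1 18:14:55 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan  1 18:14:55 openvpn-gw[3202]: Restart pause, 2 second(s)
<29>Jan  1 18:14:57 openvpn-gw[3202]: TLS: Initial packet from 198.74.60.142:1194, sid=944e1fb2 c074a030
<27>Jan  1 18:14:58 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan  1 18:14:58 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan  1 18:14:58 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan  1 18:14:58 openvpn-gw[3202]: Restart pause, 2 second(s)
"""

# <PRI>MMM DD HH:MM:SS prog[pid]: message   (BSD syslog framing as seen above)
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
VERIFY_RE = re.compile(r"^VERIFY ERROR: depth=(\d+), error=(.+?): (/.*)$")
PAUSE_RE = re.compile(r"^Restart pause, (\d+) second")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Verification failures that point at the device clock rather than at a bad CA.
CLOCK_REASONS = ("certificate is not yet valid", "certificate has expired")


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = " ".join(m["ts"].split())  # collapse the double space in "Jan  1"
    return {
        "severity": SEVERITY[int(m["pri"]) & 7],  # low 3 bits of PRI
        "time": datetime.strptime(ts, "%b %d %H:%M:%S"),  # no year; used for deltas only
        "pid": int(m["pid"]),
        "msg": m["msg"],
    }


def analyze(log_text):
    """Summarise TLS failures and restart cadence in an OpenVPN client log."""
    restarts, verify_errors, pauses = [], [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        vm = VERIFY_RE.match(msg)
        pm = PAUSE_RE.match(msg)
        if vm:
            verify_errors.append((int(vm.group(1)), vm.group(2), vm.group(3)))
        elif "SIGUSR1[soft,tls-error]" in msg:
            restarts.append(rec["time"])
        elif pm:
            pauses.append(int(pm.group(1)))
    # Real retry period: time between consecutive tls-error restarts
    # (the configured pause plus the time the failed handshake took).
    gaps = [(b - a).total_seconds() for a, b in zip(restarts, restarts[1:])]
    return {
        "tls_error_restarts": len(restarts),
        "restart_interval_s": median(gaps) if gaps else None,
        "configured_pause_s": max(pauses) if pauses else None,
        "verify_errors": verify_errors,
        "clock_skew_suspected": any(r in CLOCK_REASONS for _, r, _ in verify_errors),
    }


def recommendation(summary):
    """Turn the summary into the action a field engineer should take."""
    if summary["clock_skew_suspected"]:
        return "fix the device clock (NTP/RTC) before the CA chain can validate"
    if summary["verify_errors"]:
        return "verification failed for a non-clock reason; check the CA file and cert chain"
    if summary["tls_error_restarts"]:
        return "TLS failing without a VERIFY ERROR; inspect the handshake"
    return "no TLS failure seen"


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    print(s)
    print(recommendation(s))
```

On the sample the restart interval comes out at 3 seconds (the 2 second pause plus roughly one second of failed handshake), which matches the cadence the question describes; the same script run over a day of syslog gives the restart count that the bandwidth bill will reflect.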

Answer 1

I think what you are looking for is the --tls-exit option. From the openvpn man page:

   --tls-exit
          Exit on TLS negotiation failure.
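As an added example (not part of the answer, and not OpenVPN project code), here is a small checker that applies the answer to the client configuration from the question: it reports when a client config lacks tls-exit, inserts the directive idempotently, and flags the two directives in that config that newer OpenVPN releases have dropped. The trimmed config text is constructed from the question; the deprecation notes for tls-remote (removed in OpenVPN 2.4, replaced by verify-x509-name) and ns-cert-type (superseded by remote-cert-tls) come from the OpenVPN release notes rather than from this page.

```python
import shlex

# Directives from the client config above that newer OpenVPN releases no longer
# accept; replacements are from the OpenVPN release notes, not from the page.
DEPRECATED = {
    "tls-remote": "removed in OpenVPN 2.4; use 'verify-x509-name <name> name' instead",
    "ns-cert-type": "superseded by 'remote-cert-tls server'",
}

# Constructed: the cellular client config from the question, trimmed.
CLIENT_CONF = """\
client
remote 198.74.60.142 1194
nobind
keepalive 10 120
proto udp
persist-key
persist-tun
dev tun
ns-cert-type server
ca /etc/config/openvpn/gw1-ca.crt
cert /etc/config/openvpn/gw1-public.crt
key /etc/config/openvpn/gw1-private.key
verb 3
up "echo $script_type $signal"
tls-remote principal
"""


def directives(text):
    """Yield (name, args) for each directive, skipping blank lines and # / ; comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # honours the quoting used by e.g. 'up "..."'
        yield parts[0], parts[1:]


def lint_client_config(text):
    """Return findings about retry behaviour and obsolete directives."""
    names = {name for name, _ in directives(text)}
    findings = []
    if ("client" in names or "tls-client" in names) and "tls-exit" not in names:
        findings.append(
            "tls-exit missing: a TLS failure restarts the process every few seconds instead of exiting"
        )
    for name, note in DEPRECATED.items():
        if name in names:
            findings.append(f"{name}: {note}")
    return findings


def add_tls_exit(text):
    """Insert 'tls-exit' right after the 'client' / 'tls-client' line (idempotent)."""
    if "tls-exit" in {name for name, _ in directives(text)}:
        return text
    out, inserted = [], False
    for line in text.splitlines():
        out.append(line)
        if not inserted and line.strip() in ("client", "tls-client"):
            out.append("tls-exit")
            inserted = True
    if not inserted:  # no mode line found; append so the directive still applies
        out.append("tls-exit")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_client_config(CLIENT_CONF):
        print("-", finding)
    print(add_tls_exit(CLIENT_CONF))
```

Two things to keep in mind when deploying the fix. tls-exit makes OpenVPN exit on any TLS negotiation failure, including a transient one, so whatever supervises the process (an init script, procd, systemd) now owns the retry policy; give it a backoff, otherwise the 2 second loop just moves up one layer. And each attempt still costs a handshake's worth of traffic, so the root cause on these devices is the clock: syncing time (NTP, or a sanity check on the date before the tunnel is started) is what lets the CA chain validate at all.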