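I have a VPN that is giving an odd result. I set it up in NetworkManager on Fedora 29 (KDE spin, if that matters). When I try to connect, the log shows a "Connection refused" error when it tries to establish the TCP connection. However, I have also set up a credentials file containing my username/password, and if I run openvpn from the command line like this: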
sudo nohup openvpn --config ${ovpnfile} --auth-user-pass ${credentials}
this works fine. Testing the connection with telnet, I found that I get the same "Connection refused" error when doing the following:
telnet ${vpn_server_ip_address} 1194
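However, if I put "sudo" in front of telnet, my connection succeeds. On the other hand, if I log in as root with "su -", the same telnet command also shows "Connection refused".
What could explain this behavior? Do I need to configure something in NetworkManager for it to work properly?
Edit:
I spent some time trying again. It appears the initial TLS negotiation is not succeeding. Here are the log file excerpts.
Command line (works):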
Thu Sep 19 11:37:20 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Thu Sep 19 11:37:20 2019 library versions: OpenSSL 1.1.1c FIPS 28 May 2019, LZO 2.08
Thu Sep 19 11:37:20 2019 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Sep 19 11:37:20 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 19 11:37:20 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 19 11:37:20 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]54.173.95.252:1194
Thu Sep 19 11:37:20 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Sep 19 11:37:20 2019 UDP link local: (not bound)
Thu Sep 19 11:37:20 2019 UDP link remote: [AF_INET]54.173.95.252:1194
Thu Sep 19 11:37:20 2019 TLS: Initial packet from [AF_INET]54.173.95.252:1194, sid=68d69c50 0283b14b
Thu Sep 19 11:37:20 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Sep 19 11:37:20 2019 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Sep 19 11:37:20 2019 VERIFY OK: nsCertType=SERVER
Thu Sep 19 11:37:20 2019 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Sep 19 11:37:20 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Sep 19 11:37:20 2019 [OpenVPN Server] Peer Connection Initiated with [AF_INET]54.173.95.252:1194
Thu Sep 19 11:37:22 2019 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Sep 19 11:37:27 2019 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Sep 19 11:37:27 2019 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,route-gateway 172.27.236.1,route 172.27.224.0 255.255.240.0,route 10.32.0.0 255.255.128.0,dhcp-option DNS 10.32.0.2,register-dns,block-ipv6,ifconfig 172.27.239.182 255.255.252.0,peer-id 2,auth-tokenSESS_ID,cipher AES-256-GCM'
Thu Sep 19 11:37:27 2019 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.7)
Thu Sep 19 11:37:27 2019 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.7)
Thu Sep 19 11:37:27 2019 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.7)
Thu Sep 19 11:37:27 2019 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.4.7)
Thu Sep 19 11:37:27 2019 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:19: block-ipv6 (2.4.7)
Thu Sep 19 11:37:27 2019 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 19 11:37:27 2019 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Sep 19 11:37:27 2019 OPTIONS IMPORT: compression parms modified
Thu Sep 19 11:37:27 2019 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 19 11:37:27 2019 OPTIONS IMPORT: route options modified
Thu Sep 19 11:37:27 2019 OPTIONS IMPORT: route-related options modified
Thu Sep 19 11:37:27 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Sep 19 11:37:27 2019 OPTIONS IMPORT: peer-id set
Thu Sep 19 11:37:27 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Sep 19 11:37:27 2019 OPTIONS IMPORT: data channel crypto options modified
Thu Sep 19 11:37:27 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Sep 19 11:37:27 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 19 11:37:27 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 19 11:37:27 2019 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp6s0 HWADDR=d8:cb:8a:13:09:59
Thu Sep 19 11:37:27 2019 TUN/TAP device tun0 opened
Thu Sep 19 11:37:27 2019 TUN/TAP TX queue length set to 100
Thu Sep 19 11:37:27 2019 /sbin/ip link set dev tun0 up mtu 1500
Thu Sep 19 11:37:27 2019 /sbin/ip addr add dev tun0 172.27.239.182/22 broadcast 172.27.239.255
Thu Sep 19 11:37:32 2019 ROUTE remote_host is NOT LOCAL
Thu Sep 19 11:37:32 2019 /sbin/ip route add 54.173.95.252/32 via 192.168.1.1
Thu Sep 19 11:37:32 2019 /sbin/ip route add 172.27.224.0/20 metric 101 via 172.27.236.1
Thu Sep 19 11:37:32 2019 /sbin/ip route add 10.32.0.0/17 metric 101 via 172.27.236.1
Thu Sep 19 11:37:32 2019 Initialization Sequence Completed
NetworkManager (fails):
Sep 19 14:05:03 x501 nm-openvpn[2398]: OpenVPN 2.4.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sep 19 14:05:03 x501 nm-openvpn[2398]: library versions: OpenSSL 1.1.1c FIPS 28 May 2019, LZO 2.08
Sep 19 14:05:04 x501 nm-openvpn[2398]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 19 14:05:04 x501 nm-openvpn[2398]: TCP/UDP: Preserving recently used remote address: [AF_INET]54.173.95.252:1194
Sep 19 14:05:04 x501 nm-openvpn[2398]: Attempting to establish TCP connection with [AF_INET]54.173.95.252:1194 [nonblock]
Sep 19 14:05:05 x501 nm-openvpn[2398]: TCP: connect to [AF_INET]54.173.95.252:1194 failed: Connection refused
Sep 19 14:05:05 x501 nm-openvpn[2398]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep 19 14:05:05 x501 nm-openvpn[2398]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
What do you think? Thanks, Dave
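
An added example, not part of the original post: a small Python script that reduces each of the two log excerpts above to transport, remote endpoint and outcome, then lists the differences. The function names `summarize` and `compare` are hypothetical, and the sample lines are copied from the logs in the post.

```python
import re

# Lines copied from the two log excerpts in the post above.
CLI_LOG = """\
Thu Sep 19 11:37:20 2019 UDP link local: (not bound)
Thu Sep 19 11:37:20 2019 UDP link remote: [AF_INET]54.173.95.252:1194
Thu Sep 19 11:37:20 2019 TLS: Initial packet from [AF_INET]54.173.95.252:1194, sid=68d69c50 0283b14b
Thu Sep 19 11:37:32 2019 Initialization Sequence Completed
"""
NM_LOG = """\
Sep 19 14:05:04 x501 nm-openvpn[2398]: Attempting to establish TCP connection with [AF_INET]54.173.95.252:1194 [nonblock]
Sep 19 14:05:05 x501 nm-openvpn[2398]: TCP: connect to [AF_INET]54.173.95.252:1194 failed: Connection refused
Sep 19 14:05:05 x501 nm-openvpn[2398]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
"""

# Matches "[AF_INET]host:port" and captures "host:port".
ADDR = r"\[AF_INET6?\]([0-9A-Fa-f.:]+:\d+)"


def summarize(log_text):
    """Reduce an OpenVPN client log to transport, remote, and outcome."""
    s = {"transport": None, "remote": None, "tls_started": False,
         "completed": False, "error": None}
    for line in log_text.splitlines():
        m = re.search(r"UDP(?:v4|v6)? link remote: " + ADDR, line)
        if m:
            s["transport"], s["remote"] = "udp", m.group(1)
        m = re.search(r"Attempting to establish TCP connection with " + ADDR, line)
        if m:
            s["transport"], s["remote"] = "tcp", m.group(1)
        m = re.search(r"TCP: connect to \S+ failed: (.+)$", line)
        if m:
            s["error"] = m.group(1).strip()
        if "TLS: Initial packet from" in line:
            s["tls_started"] = True
        if "Initialization Sequence Completed" in line:
            s["completed"] = True
    return s


def compare(working, failing):
    """List differences between two sessions that matter for diagnosis."""
    a, b = summarize(working), summarize(failing)
    findings = []
    if a["remote"] == b["remote"] and a["transport"] != b["transport"]:
        findings.append(f"same remote {a['remote']}, different transport: "
                        f"{a['transport']} vs {b['transport']}")
    if b["error"] and not b["tls_started"]:
        findings.append(f"failing session stopped before TLS: {b['error']}")
    return findings


if __name__ == "__main__":
    for finding in compare(CLI_LOG, NM_LOG):
        print(finding)
```

telnet opens a TCP connection, so it exercises the same transport as the NetworkManager session rather than the UDP link logged by the command-line run.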