当我在服务器(Ubuntu Server 20.04)上使用 OpenVPN 2.4.7 并从 2.5.6 客户端(也是 Ubuntu 20.04)连接时,我可以毫无问题地连接。但是,当我尝试在服务器上使用 OpenVPN 2.5.6 时,我遇到了一个大问题,即在看似随机的时间间隔内我重新连接,因此在重新连接的几秒钟内丢失了网络连接。当使用完全相同的服务器和客户端配置时会发生这种情况,唯一的区别是 2.4.7 服务器不会断开连接(我想升级到 2.5 服务器以利用其 IPv6 功能)。
这是我的完整服务器日志,包含此错误发生时的情况(重新连接后我最后手动断开连接):
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
Current Parameter Settings:
config = 'server2.conf'
mode = 1
persist_config = DISABLED
persist_mode = 1
show_ciphers = DISABLED
show_digests = DISABLED
show_engines = DISABLED
genkey = DISABLED
genkey_filename = '[UNDEF]'
key_pass_file = '[UNDEF]'
show_tls_ciphers = DISABLED
connect_retry_max = 0
Connection profiles [0]:
proto = tcp-server
local = '192.168.0.27'
local_port = '443'
remote = '[UNDEF]'
remote_port = '443'
remote_float = DISABLED
bind_defined = DISABLED
bind_local = ENABLED
bind_ipv6_only = DISABLED
connect_retry_seconds = 5
connect_timeout = 120
socks_proxy_server = '[UNDEF]'
socks_proxy_port = '[UNDEF]'
tun_mtu = 1500
tun_mtu_defined = ENABLED
link_mtu = 1500
link_mtu_defined = DISABLED
tun_mtu_extra = 0
tun_mtu_extra_defined = DISABLED
mtu_discover_type = -1
fragment = 0
mssfix = 1450
explicit_exit_notification = 0
tls_auth_file = '[UNDEF]'
key_direction = not set
tls_crypt_file = '[INLINE]'
tls_crypt_v2_file = '[UNDEF]'
Connection profiles END
remote_random = DISABLED
ipchange = '[UNDEF]'
dev = 'tun1'
dev_type = '[UNDEF]'
dev_node = '[UNDEF]'
lladdr = '[UNDEF]'
topology = 3
ifconfig_local = '10.8.2.1'
ifconfig_remote_netmask = '255.255.254.0'
ifconfig_noexec = DISABLED
ifconfig_nowarn = DISABLED
ifconfig_ipv6_local = '[UNDEF]'
ifconfig_ipv6_netbits = 0
ifconfig_ipv6_remote = '[UNDEF]'
shaper = 0
mtu_test = 0
mlock = DISABLED
keepalive_ping = 0
keepalive_timeout = 0
inactivity_timeout = 0
inactivity_minimum_bytes = 0
ping_send_timeout = 10
ping_rec_timeout = 120
ping_rec_timeout_action = 2
ping_timer_remote = ENABLED
remap_sigusr1 = 0
persist_tun = ENABLED
persist_local_ip = DISABLED
persist_remote_ip = DISABLED
persist_key = ENABLED
passtos = DISABLED
resolve_retry_seconds = 1000000000
resolve_in_advance = DISABLED
username = '[UNDEF]'
groupname = '[UNDEF]'
chroot_dir = '[UNDEF]'
cd_dir = '[UNDEF]'
writepid = '[UNDEF]'
up_script = '[UNDEF]'
down_script = '[UNDEF]'
down_pre = DISABLED
up_restart = DISABLED
up_delay = DISABLED
daemon = DISABLED
inetd = 0
log = ENABLED
suppress_timestamps = ENABLED
machine_readable_output = DISABLED
nice = 0
verbosity = 5
mute = 0
status_file = 'openvpn-status2.log'
status_file_version = 2
status_file_update_freq = 60
occ = ENABLED
rcvbuf = 0
sndbuf = 0
mark = 0
sockflags = 0
fast_io = DISABLED
comp.alg = 0
comp.flags = 0
route_script = '[UNDEF]'
route_default_gateway = '10.8.2.2'
route_default_metric = 0
route_noexec = DISABLED
route_delay = 0
route_delay_window = 30
route_delay_defined = DISABLED
route_nopull = DISABLED
route_gateway_via_dhcp = DISABLED
allow_pull_fqdn = DISABLED
management_addr = 'localhost'
management_port = '7506'
management_user_pass = '[UNDEF]'
management_log_history_cache = 250
management_echo_buffer_size = 100
management_write_peer_info_file = '[UNDEF]'
management_client_user = '[UNDEF]'
management_client_group = '[UNDEF]'
management_flags = 0
shared_secret_file = '[UNDEF]'
key_direction = not set
ciphername = 'AES-256-CBC'
ncp_enabled = ENABLED
ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
authname = 'SHA512'
prng_hash = 'SHA1'
prng_nonce_secret_len = 16
keysize = 0
engine = DISABLED
replay = ENABLED
mute_replay_warnings = DISABLED
replay_window = 64
replay_time = 15
packet_id_file = '[UNDEF]'
test_crypto = DISABLED
tls_server = ENABLED
tls_client = DISABLED
ca_file = 'ca.crt'
ca_path = '[UNDEF]'
dh_file = 'dh.pem'
cert_file = 'server.crt'
extra_certs_file = '[UNDEF]'
priv_key_file = 'server.key'
pkcs12_file = '[UNDEF]'
cipher_list = '[UNDEF]'
cipher_list_tls13 = '[UNDEF]'
tls_cert_profile = '[UNDEF]'
tls_verify = '[UNDEF]'
tls_export_cert = '[UNDEF]'
verify_x509_type = 0
verify_x509_name = '[UNDEF]'
crl_file = 'crl.pem'
ns_cert_type = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_eku = '[UNDEF]'
ssl_flags = 1
tls_timeout = 2
renegotiate_bytes = -1
renegotiate_packets = 0
renegotiate_seconds = 3600
handshake_window = 60
transition_window = 3600
single_session = DISABLED
push_peer_info = DISABLED
tls_exit = DISABLED
tls_crypt_v2_metadata = '[UNDEF]'
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_pin_cache_period = -1
pkcs11_id = '[UNDEF]'
pkcs11_id_management = DISABLED
server_network = 10.8.2.0
server_netmask = 255.255.254.0
server_network_ipv6 = ::
server_netbits_ipv6 = 0
server_bridge_ip = 0.0.0.0
server_bridge_netmask = 0.0.0.0
server_bridge_pool_start = 0.0.0.0
server_bridge_pool_end = 0.0.0.0
push_entry = 'dhcp-option DNS 1.1.1.1'
push_entry = 'dhcp-option DNS 1.0.0.1'
push_entry = 'redirect-gateway def1 bypass-dhcp'
push_entry = 'route 192.168.0.0 255.255.0.0 net_gateway'
push_entry = 'route 172.16.0.0 255.240.0.0 net_gateway'
push_entry = 'ping 10'
push_entry = 'ping-restart 120'
push_entry = 'route-gateway 10.8.2.1'
push_entry = 'topology subnet'
ifconfig_pool_defined = ENABLED
ifconfig_pool_start = 10.8.2.2
ifconfig_pool_end = 10.8.3.254
ifconfig_pool_netmask = 255.255.254.0
ifconfig_pool_persist_filename = '[UNDEF]'
ifconfig_pool_persist_refresh_freq = 600
ifconfig_ipv6_pool_defined = DISABLED
ifconfig_ipv6_pool_base = ::
ifconfig_ipv6_pool_netbits = 0
n_bcast_buf = 256
tcp_queue_limit = 64
real_hash_size = 256
virtual_hash_size = 256
client_connect_script = '[UNDEF]'
learn_address_script = '[UNDEF]'
client_disconnect_script = '[UNDEF]'
client_config_dir = '[UNDEF]'
ccd_exclusive = DISABLED
tmp_dir = '/tmp'
push_ifconfig_defined = DISABLED
push_ifconfig_local = 0.0.0.0
push_ifconfig_remote_netmask = 0.0.0.0
push_ifconfig_ipv6_defined = DISABLED
push_ifconfig_ipv6_local = ::/0
push_ifconfig_ipv6_remote = ::
enable_c2c = DISABLED
duplicate_cn = DISABLED
cf_max = 0
cf_per = 0
max_clients = 100
max_routes_per_client = 256
auth_user_pass_verify_script = '/etc/openvpn/server/clientCheck.sh'
auth_user_pass_verify_script_via_file = DISABLED
auth_token_generate = DISABLED
auth_token_lifetime = 0
auth_token_secret_file = '[UNDEF]'
port_share_host = '[UNDEF]'
port_share_port = '[UNDEF]'
vlan_tagging = DISABLED
vlan_accept = all
vlan_pvid = 1
client = DISABLED
pull = DISABLED
auth_user_pass_file = '[UNDEF]'
OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 1 2022
library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7506
WARNING: --keepalive option is missing from server config
NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Diffie-Hellman initialized with 2048 bit key
CRL: loaded 1 CRLs from file crl.pem
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
TLS-Auth MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
TUN/TAP device tun1 opened
do_ifconfig, ipv4=1, ipv6=0
/sbin/ip link set dev tun1 up mtu 1500
/sbin/ip link set dev tun1 up
/sbin/ip addr add dev tun1 10.8.2.1/23
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[131072->131072] S=[16384->16384]
Listening for incoming TCP connection on [AF_INET]192.168.0.27:443
TCPv4_SERVER link local (bound): [AF_INET]192.168.0.27:443
TCPv4_SERVER link remote: [AF_UNSPEC]
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=10.8.2.2 size=509
MULTI: TCP INIT maxclients=100 maxevents=104
Initialization Sequence Completed
MULTI: multi_create_instance called
Re-using SSL/TLS context
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
TCP connection established with [AF_INET]192.168.0.23:33260
TCPv4_SERVER link local: (not bound)
TCPv4_SERVER link remote: [AF_INET]192.168.0.23:33260
R192.168.0.23:33260 TLS: Initial packet from [AF_INET]192.168.0.23:33260, sid=88a1a810 57e425e0
WRRWWWRRR192.168.0.23:33260 peer info: IV_VER=2.5.6
192.168.0.23:33260 peer info: IV_PLAT=linux
192.168.0.23:33260 peer info: IV_PROTO=6
192.168.0.23:33260 peer info: IV_NCP=2
192.168.0.23:33260 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
192.168.0.23:33260 peer info: IV_LZ4=1
192.168.0.23:33260 peer info: IV_LZ4v2=1
192.168.0.23:33260 peer info: IV_LZO=1
192.168.0.23:33260 peer info: IV_COMP_STUB=1
192.168.0.23:33260 peer info: IV_COMP_STUBv2=1
192.168.0.23:33260 peer info: IV_TCPNL=1
192.168.0.23:33260 TLS: Username/Password authentication succeeded for username 'user'
WWRR192.168.0.23:33260 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
192.168.0.23:33260 [] Peer Connection Initiated with [AF_INET]192.168.0.23:33260
192.168.0.23:33260 MULTI_sva: pool returned IPv4=10.8.2.2, IPv6=(Not enabled)
192.168.0.23:33260 MULTI: Learn: 10.8.2.2 -> 192.168.0.23:33260
192.168.0.23:33260 MULTI: primary virtual IP for 192.168.0.23:33260: 10.8.2.2
192.168.0.23:33260 Data Channel: using negotiated cipher 'AES-256-GCM'
192.168.0.23:33260 Data Channel MTU parms [ L:1551 D:1450 EF:51 EB:406 ET:0 EL:3 ]
192.168.0.23:33260 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
192.168.0.23:33260 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
192.168.0.23:33260 SENT CONTROL [UNDEF]: 'PUSH_REPLY,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,redirect-gateway def1 bypass-dhcp,route 192.168.0.0 255.255.0.0 net_gateway,route 172.16.0.0 255.240.0.0 net_gateway,ping 10,ping-restart 120,route-gateway 10.8.2.1,topology subnet,ifconfig 10.8.2.2 255.255.254.0,peer-id 0,cipher AES-256-GCM' (status=1)
WRRwrWRwrWRwrWRwrWRwrWW192.168.0.23:33260 Connection reset, restarting [0]
192.168.0.23:33260 SIGUSR1[soft,connection-reset] received, client-instance restarting
TCP/UDP: Closing socket
在客户端我收到以下消息:
2022-04-01 11:56:18 us=284484 Connection reset command was pushed by server ('')
2022-04-01 11:56:18 us=284568 TCP/UDP: Closing socket
2022-04-01 11:56:18 us=284588 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
2022-04-01 11:56:18 us=284599 Restart pause, 5 second(s)
因此,由于某种原因,服务器导致连接重置,但我的服务器或客户端配置没有任何变化。
我的 2.4.7 和 2.5.6 版本的服务器配置如下:
local 192.168.0.27
port 69
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.254.0
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.0.0 255.255.0.0 net_gateway"
push "route 172.16.0.0 255.240.0.0 net_gateway"
push "explicit-exit-notify 2"
cipher AES-256-CBC
persist-key
persist-tun
ping-exit 150
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 120"
ping-timer-rem
status openvpn-status.log
verb 4
crl-verify crl.pem
explicit-exit-notify
management localhost 7505
script-security 3
max-clients 100
auth-user-pass-verify /etc/openvpn/server/clientCheck.sh via-env
verify-client-cert none
我的客户端配置(2.5.6)如下:
client
dev tun
proto udp
remote 192.168.0.27 69
resolv-retry infinite
ignore-unknown-option block-outside-dns block-ipv6
nobind
persist-key
persist-tun
remote-random
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
explicit-exit-notify 2
verb 4
auth-user-pass
pull
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-crypt>
</tls-crypt>
我可以尝试什么来阻止这种重新连接?