Upgrading OpenVPN 2.4.7 to 2.5.6 causes frequent disconnects

When I run OpenVPN 2.4.7 on the server (Ubuntu Server 20.04) and connect from a 2.5.6 client (also Ubuntu 20.04), I can connect without any problems. However, when I try OpenVPN 2.5.6 on the server, I run into a big problem: at seemingly random intervals I get reconnected, and so lose network connectivity for the few seconds the reconnect takes. This happens with exactly the same server and client configuration; the only difference is that the 2.4.7 server does not disconnect (I want to upgrade to a 2.5 server to take advantage of its IPv6 features).

Here is my full server log covering an occurrence of this error (after the reconnect I disconnected manually at the end):

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
Current Parameter Settings:
  config = 'server2.conf'
  mode = 1
  persist_config = DISABLED
  persist_mode = 1
  show_ciphers = DISABLED
  show_digests = DISABLED
  show_engines = DISABLED
  genkey = DISABLED
  genkey_filename = '[UNDEF]'
  key_pass_file = '[UNDEF]'
  show_tls_ciphers = DISABLED
  connect_retry_max = 0
Connection profiles [0]:
  proto = tcp-server
  local = '192.168.0.27'
  local_port = '443'
  remote = '[UNDEF]'
  remote_port = '443'
  remote_float = DISABLED
  bind_defined = DISABLED
  bind_local = ENABLED
  bind_ipv6_only = DISABLED
  connect_retry_seconds = 5
  connect_timeout = 120
  socks_proxy_server = '[UNDEF]'
  socks_proxy_port = '[UNDEF]'
  tun_mtu = 1500
  tun_mtu_defined = ENABLED
  link_mtu = 1500
  link_mtu_defined = DISABLED
  tun_mtu_extra = 0
  tun_mtu_extra_defined = DISABLED
  mtu_discover_type = -1
  fragment = 0
  mssfix = 1450
  explicit_exit_notification = 0
  tls_auth_file = '[UNDEF]'
  key_direction = not set
  tls_crypt_file = '[INLINE]'
  tls_crypt_v2_file = '[UNDEF]'
Connection profiles END
  remote_random = DISABLED
  ipchange = '[UNDEF]'
  dev = 'tun1'
  dev_type = '[UNDEF]'
  dev_node = '[UNDEF]'
  lladdr = '[UNDEF]'
  topology = 3
  ifconfig_local = '10.8.2.1'
  ifconfig_remote_netmask = '255.255.254.0'
  ifconfig_noexec = DISABLED
  ifconfig_nowarn = DISABLED
  ifconfig_ipv6_local = '[UNDEF]'
  ifconfig_ipv6_netbits = 0
  ifconfig_ipv6_remote = '[UNDEF]'
  shaper = 0
  mtu_test = 0
  mlock = DISABLED
  keepalive_ping = 0
  keepalive_timeout = 0
  inactivity_timeout = 0
  inactivity_minimum_bytes = 0
  ping_send_timeout = 10
  ping_rec_timeout = 120
  ping_rec_timeout_action = 2
  ping_timer_remote = ENABLED
  remap_sigusr1 = 0
  persist_tun = ENABLED
  persist_local_ip = DISABLED
  persist_remote_ip = DISABLED
  persist_key = ENABLED
  passtos = DISABLED
  resolve_retry_seconds = 1000000000
  resolve_in_advance = DISABLED
  username = '[UNDEF]'
  groupname = '[UNDEF]'
  chroot_dir = '[UNDEF]'
  cd_dir = '[UNDEF]'
  writepid = '[UNDEF]'
  up_script = '[UNDEF]'
  down_script = '[UNDEF]'
  down_pre = DISABLED
  up_restart = DISABLED
  up_delay = DISABLED
  daemon = DISABLED
  inetd = 0
  log = ENABLED
  suppress_timestamps = ENABLED
  machine_readable_output = DISABLED
  nice = 0
  verbosity = 5
  mute = 0
  status_file = 'openvpn-status2.log'
  status_file_version = 2
  status_file_update_freq = 60
  occ = ENABLED
  rcvbuf = 0
  sndbuf = 0
  mark = 0
  sockflags = 0
  fast_io = DISABLED
  comp.alg = 0
  comp.flags = 0
  route_script = '[UNDEF]'
  route_default_gateway = '10.8.2.2'
  route_default_metric = 0
  route_noexec = DISABLED
  route_delay = 0
  route_delay_window = 30
  route_delay_defined = DISABLED
  route_nopull = DISABLED
  route_gateway_via_dhcp = DISABLED
  allow_pull_fqdn = DISABLED
  management_addr = 'localhost'
  management_port = '7506'
  management_user_pass = '[UNDEF]'
  management_log_history_cache = 250
  management_echo_buffer_size = 100
  management_write_peer_info_file = '[UNDEF]'
  management_client_user = '[UNDEF]'
  management_client_group = '[UNDEF]'
  management_flags = 0
  shared_secret_file = '[UNDEF]'
  key_direction = not set
  ciphername = 'AES-256-CBC'
  ncp_enabled = ENABLED
  ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
  authname = 'SHA512'
  prng_hash = 'SHA1'
  prng_nonce_secret_len = 16
  keysize = 0
  engine = DISABLED
  replay = ENABLED
  mute_replay_warnings = DISABLED
  replay_window = 64
  replay_time = 15
  packet_id_file = '[UNDEF]'
  test_crypto = DISABLED
  tls_server = ENABLED
  tls_client = DISABLED
  ca_file = 'ca.crt'
  ca_path = '[UNDEF]'
  dh_file = 'dh.pem'
  cert_file = 'server.crt'
  extra_certs_file = '[UNDEF]'
  priv_key_file = 'server.key'
  pkcs12_file = '[UNDEF]'
  cipher_list = '[UNDEF]'
  cipher_list_tls13 = '[UNDEF]'
  tls_cert_profile = '[UNDEF]'
  tls_verify = '[UNDEF]'
  tls_export_cert = '[UNDEF]'
  verify_x509_type = 0
  verify_x509_name = '[UNDEF]'
  crl_file = 'crl.pem'
  ns_cert_type = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_eku = '[UNDEF]'
  ssl_flags = 1
  tls_timeout = 2
  renegotiate_bytes = -1
  renegotiate_packets = 0
  renegotiate_seconds = 3600
  handshake_window = 60
  transition_window = 3600
  single_session = DISABLED
  push_peer_info = DISABLED
  tls_exit = DISABLED
  tls_crypt_v2_metadata = '[UNDEF]'
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_pin_cache_period = -1
  pkcs11_id = '[UNDEF]'
  pkcs11_id_management = DISABLED
  server_network = 10.8.2.0
  server_netmask = 255.255.254.0
  server_network_ipv6 = ::
  server_netbits_ipv6 = 0
  server_bridge_ip = 0.0.0.0
  server_bridge_netmask = 0.0.0.0
  server_bridge_pool_start = 0.0.0.0
  server_bridge_pool_end = 0.0.0.0
  push_entry = 'dhcp-option DNS 1.1.1.1'
  push_entry = 'dhcp-option DNS 1.0.0.1'
  push_entry = 'redirect-gateway def1 bypass-dhcp'
  push_entry = 'route 192.168.0.0 255.255.0.0 net_gateway'
  push_entry = 'route 172.16.0.0 255.240.0.0 net_gateway'
  push_entry = 'ping 10'
  push_entry = 'ping-restart 120'
  push_entry = 'route-gateway 10.8.2.1'
  push_entry = 'topology subnet'
  ifconfig_pool_defined = ENABLED
  ifconfig_pool_start = 10.8.2.2
  ifconfig_pool_end = 10.8.3.254
  ifconfig_pool_netmask = 255.255.254.0
  ifconfig_pool_persist_filename = '[UNDEF]'
  ifconfig_pool_persist_refresh_freq = 600
  ifconfig_ipv6_pool_defined = DISABLED
  ifconfig_ipv6_pool_base = ::
  ifconfig_ipv6_pool_netbits = 0
  n_bcast_buf = 256
  tcp_queue_limit = 64
  real_hash_size = 256
  virtual_hash_size = 256
  client_connect_script = '[UNDEF]'
  learn_address_script = '[UNDEF]'
  client_disconnect_script = '[UNDEF]'
  client_config_dir = '[UNDEF]'
  ccd_exclusive = DISABLED
  tmp_dir = '/tmp'
  push_ifconfig_defined = DISABLED
  push_ifconfig_local = 0.0.0.0
  push_ifconfig_remote_netmask = 0.0.0.0
  push_ifconfig_ipv6_defined = DISABLED
  push_ifconfig_ipv6_local = ::/0
  push_ifconfig_ipv6_remote = ::
  enable_c2c = DISABLED
  duplicate_cn = DISABLED
  cf_max = 0
  cf_per = 0
  max_clients = 100
  max_routes_per_client = 256
  auth_user_pass_verify_script = '/etc/openvpn/server/clientCheck.sh'
  auth_user_pass_verify_script_via_file = DISABLED
  auth_token_generate = DISABLED
  auth_token_lifetime = 0
  auth_token_secret_file = '[UNDEF]'
  port_share_host = '[UNDEF]'
  port_share_port = '[UNDEF]'
  vlan_tagging = DISABLED
  vlan_accept = all
  vlan_pvid = 1
  client = DISABLED
  pull = DISABLED
  auth_user_pass_file = '[UNDEF]'
OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr  1 2022
library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7506
WARNING: --keepalive option is missing from server config
NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Diffie-Hellman initialized with 2048 bit key
CRL: loaded 1 CRLs from file crl.pem
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
TLS-Auth MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
TUN/TAP device tun1 opened
do_ifconfig, ipv4=1, ipv6=0
/sbin/ip link set dev tun1 up mtu 1500
/sbin/ip link set dev tun1 up
/sbin/ip addr add dev tun1 10.8.2.1/23
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[131072->131072] S=[16384->16384]
Listening for incoming TCP connection on [AF_INET]192.168.0.27:443
TCPv4_SERVER link local (bound): [AF_INET]192.168.0.27:443
TCPv4_SERVER link remote: [AF_UNSPEC]
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=10.8.2.2 size=509
MULTI: TCP INIT maxclients=100 maxevents=104
Initialization Sequence Completed
MULTI: multi_create_instance called
Re-using SSL/TLS context
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
TCP connection established with [AF_INET]192.168.0.23:33260
TCPv4_SERVER link local: (not bound)
TCPv4_SERVER link remote: [AF_INET]192.168.0.23:33260
R192.168.0.23:33260 TLS: Initial packet from [AF_INET]192.168.0.23:33260, sid=88a1a810 57e425e0
WRRWWWRRR192.168.0.23:33260 peer info: IV_VER=2.5.6
192.168.0.23:33260 peer info: IV_PLAT=linux
192.168.0.23:33260 peer info: IV_PROTO=6
192.168.0.23:33260 peer info: IV_NCP=2
192.168.0.23:33260 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
192.168.0.23:33260 peer info: IV_LZ4=1
192.168.0.23:33260 peer info: IV_LZ4v2=1
192.168.0.23:33260 peer info: IV_LZO=1
192.168.0.23:33260 peer info: IV_COMP_STUB=1
192.168.0.23:33260 peer info: IV_COMP_STUBv2=1
192.168.0.23:33260 peer info: IV_TCPNL=1
192.168.0.23:33260 TLS: Username/Password authentication succeeded for username 'user'
WWRR192.168.0.23:33260 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
192.168.0.23:33260 [] Peer Connection Initiated with [AF_INET]192.168.0.23:33260
192.168.0.23:33260 MULTI_sva: pool returned IPv4=10.8.2.2, IPv6=(Not enabled)
192.168.0.23:33260 MULTI: Learn: 10.8.2.2 -> 192.168.0.23:33260
192.168.0.23:33260 MULTI: primary virtual IP for 192.168.0.23:33260: 10.8.2.2
192.168.0.23:33260 Data Channel: using negotiated cipher 'AES-256-GCM'
192.168.0.23:33260 Data Channel MTU parms [ L:1551 D:1450 EF:51 EB:406 ET:0 EL:3 ]
192.168.0.23:33260 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
192.168.0.23:33260 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
192.168.0.23:33260 SENT CONTROL [UNDEF]: 'PUSH_REPLY,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,redirect-gateway def1 bypass-dhcp,route 192.168.0.0 255.255.0.0 net_gateway,route 172.16.0.0 255.240.0.0 net_gateway,ping 10,ping-restart 120,route-gateway 10.8.2.1,topology subnet,ifconfig 10.8.2.2 255.255.254.0,peer-id 0,cipher AES-256-GCM' (status=1)
WRRwrWRwrWRwrWRwrWRwrWW192.168.0.23:33260 Connection reset, restarting [0]
192.168.0.23:33260 SIGUSR1[soft,connection-reset] received, client-instance restarting
TCP/UDP: Closing socket

On the client I get the following messages:

2022-04-01 11:56:18 us=284484 Connection reset command was pushed by server ('')
2022-04-01 11:56:18 us=284568 TCP/UDP: Closing socket
2022-04-01 11:56:18 us=284588 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
2022-04-01 11:56:18 us=284599 Restart pause, 5 second(s)

So for some reason the server is causing a connection reset, even though nothing has changed in my server or client configuration.

My server configuration, for both the 2.4.7 and 2.5.6 versions, is as follows:

local 192.168.0.27
port 69
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.254.0
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.0.0 255.255.0.0 net_gateway"
push "route 172.16.0.0 255.240.0.0 net_gateway"
push "explicit-exit-notify 2"
cipher AES-256-CBC
persist-key
persist-tun
ping-exit 150
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 120"
ping-timer-rem
status openvpn-status.log
verb 4
crl-verify crl.pem
explicit-exit-notify
management localhost 7505
script-security 3
max-clients 100
auth-user-pass-verify /etc/openvpn/server/clientCheck.sh via-env
verify-client-cert none

My client configuration (2.5.6) is as follows:

client
dev tun
proto udp
remote 192.168.0.27 69
resolv-retry infinite
ignore-unknown-option block-outside-dns block-ipv6
nobind
persist-key
persist-tun
remote-random
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
explicit-exit-notify 2
verb 4
auth-user-pass
pull
<ca>

</ca>
<cert>

</cert>
<key>

</key>
<tls-crypt>

</tls-crypt>

What can I try to stop these reconnects?
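As an added example, not code from the post or from the OpenVPN project: the 2.5.6 server log above opens with four warnings (the deprecated --cipher not listed in --data-ciphers, a TCP --management socket without a password file, --verify-client-cert none, and a missing --keepalive). The script below parses a server config the way those directives are written and reports the same four conditions, so the warnings can be caught before the daemon is restarted. The directive names (data-ciphers, data-ciphers-fallback, keepalive, verify-client-cert, the optional pw-file argument of management) are real OpenVPN 2.5 options; the trimmed config is taken from the post, while the hardened variant and the path /etc/openvpn/server/mgmt.pw are constructed here as placeholders.

```python
import shlex

# Server config from the post, trimmed to the directives the checks look at.
POSTED_SERVER_CONF = """\
local 192.168.0.27
port 69
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.254.0
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-CBC
persist-key
persist-tun
ping 10
ping-restart 120
ping-timer-rem
verb 4
crl-verify crl.pem
management localhost 7505
script-security 3
auth-user-pass-verify /etc/openvpn/server/clientCheck.sh via-env
verify-client-cert none
"""

# Constructed variant with the directives changed the way the log warnings suggest;
# /etc/openvpn/server/mgmt.pw is a placeholder for a management password file.
HARDENED_CONF = (
    POSTED_SERVER_CONF
    .replace("cipher AES-256-CBC",
             "data-ciphers AES-256-GCM:AES-128-GCM\ndata-ciphers-fallback AES-256-CBC")
    .replace("management localhost 7505", "management localhost 7505 /etc/openvpn/server/mgmt.pw")
    .replace("verify-client-cert none", "verify-client-cert require")
    .replace("ping 10\nping-restart 120", "keepalive 10 120")
)

# Default --data-ciphers list in OpenVPN 2.5 when the directive is absent.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]


def parse_config(text):
    """Parse OpenVPN config text into (directive, args) pairs.

    '#'/';' comment lines are skipped and <tag>...</tag> inline blocks (ca, cert,
    key, tls-crypt) are dropped, since the checks only look at directives.
    Quoted arguments such as push "..." are kept as a single argument."""
    entries, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def audit(text):
    """Return the set of finding codes for a server config; an empty set means clean."""
    opts = {}
    for name, args in parse_config(text):
        opts.setdefault(name, []).append(args)
    findings = set()

    # 1. In 2.5 --cipher no longer drives negotiation: it must appear in --data-ciphers
    #    (or be replaced by --data-ciphers-fallback) or the DEPRECATED warning is logged.
    if "cipher" in opts:
        cipher = opts["cipher"][0][0]
        data_ciphers = (opts["data-ciphers"][0][0].split(":")
                        if "data-ciphers" in opts else DEFAULT_DATA_CIPHERS)
        if cipher not in data_ciphers:
            findings.add("cipher-not-in-data-ciphers")

    # 2. A TCP management socket with no pw-file argument is what the
    #    'Using --management on a TCP port WITHOUT passwords' warning is about.
    for args in opts.get("management", []):
        is_unix_socket = len(args) >= 2 and args[1] == "unix"
        if not is_unix_socket and len(args) < 3:
            findings.add("management-no-password")

    # 3. verify-client-cert none|optional lets clients in without a certificate.
    for args in opts.get("verify-client-cert", []):
        if args and args[0] in ("none", "optional"):
            findings.add("verify-client-cert-" + args[0])

    # 4. The server log warned because --keepalive itself was absent, even though
    #    ping and ping-restart were set individually.
    if "keepalive" not in opts:
        findings.add("keepalive-missing")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SERVER_CONF), ("hardened", HARDENED_CONF)):
        print(label, sorted(audit(conf)) or "clean")
```

Running it prints the four finding codes for the posted config and "clean" for the hardened variant; the codes map one-to-one onto the warning lines at the top of the server log, so the same script can be run against the real server2.conf before each restart.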