我在用着PiVPN在我的 Xubuntu 服务器上创建 VPN。我知道 PiVPN 是专门为 Raspberry Pis 设计的,但它的设置和使用非常容易,所以我决定在我的 Xubuntu x64 机器上也使用它。
在 Windows 上使用 OpenVPN 连接通过 .ovpn 文件进行连接非常顺畅,但是当尝试在我的三台 Pop!_OS(Ubuntu 22.04)机器中的任何一台上进行连接时,就是无法连接。
这是 .ovpn 文件:
client
dev tun
proto udp
remote myserv.org 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name myveryspecialx509name name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 5
<ca>
-----BEGIN CERTIFICATE-----
s0m3c3rt1f1c4t3
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
s0m3d1ff3r3n7c3r71f1c473
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
s0m3pr1v473k3y
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
s0m3st4t1ck3y
-----END OpenVPN Static key V1-----
</tls-crypt>
这是当我尝试使用默认设置通过网络管理器使用 .ovpn 文件进行连接时,我的 Pop!_OS 客户端上的系统日志输出:
Aug 22 19:39:05 ben NetworkManager[821]: <info> [1661189945.9755] vpn[0xd34db33f,blahblahblah,"blah"]: starting openvpn
Aug 22 19:39:05 ben NetworkManager[821]: <info> [1661189945.9762] audit: op="connection-activate" uuid="blahblahblah" name="blah" pid=31467 uid=1000 result="success"
Aug 22 19:39:09 ben nm-openvpn[31529]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Aug 22 19:39:09 ben nm-openvpn[31529]: OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Aug 22 19:39:09 ben nm-openvpn[31529]: library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Aug 22 19:39:09 ben nm-openvpn[31529]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 22 19:39:09 ben nm-openvpn[31529]: TCP/UDP: Preserving recently used remote address: [AF_INET6]some:ipv6:address:1194
Aug 22 19:39:09 ben nm-openvpn[31529]: UDP link local: (not bound)
Aug 22 19:39:09 ben nm-openvpn[31529]: UDP link remote: [AF_INET6]some:ipv6:address:1194
Aug 22 19:39:09 ben nm-openvpn[31529]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Aug 22 19:39:09 ben nm-openvpn[31529]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Aug 22 19:40:09 ben nm-openvpn[31529]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 22 19:40:09 ben nm-openvpn[31529]: TLS Error: TLS handshake failed
Aug 22 19:40:09 ben nm-openvpn[31529]: SIGUSR1[soft,tls-error] received, process restarting
Aug 22 19:40:09 ben NetworkManager[821]: <warn> [1661190009.4674] vpn[0xd34db33f,blahblahblah,"blah"]: connect timeout exceeded
Aug 22 19:40:09 ben nm-openvpn-serv[31515]: Connect timer expired, disconnecting.
Aug 22 19:40:09 ben nm-openvpn[31529]: SIGTERM[hard,init_instance] received, process exiting
基本上,客户端会在 60 秒后断开连接,并抱怨 TLS 握手失败。
我可以确认这在使用 OpenVPN 连接的 Windows 机器上完美运行,并且端口 1194/UDP 在我的软件以及硬件服务器防火墙上都已打开并可访问。
任何帮助是极大的赞赏。
答案1
如果 TLS 密钥协商在 60 秒内失败,我的第一猜测是数据包在某个地方丢失了。配置文件和日志文件不会显示这一点。您需要使用 tcpdump 和/或 Wireshark 进行调查。