I run an OpenVPN server at home, and have done so for many years.
Each of my devices has its own certificate, and the setup has always done what I need.
This morning I updated my personal phone (OnePlus Nord 2) to Android 13, and since the update I cannot connect to my server when I am on mobile data.
When I am connected to Wi-Fi, the connection works fine.
My work phone (Samsung S22 Ultra) has been running Android 13 for a while and works fine.
I cleared the WiFi/Bluetooth/network settings and reinstalled the OpenVPN client. After that my VPN connected briefly, but soon refused to connect again. It doesn't show any error either, it just times out.
Luckily I have the work phone. I swapped the SIM cards, and the problem still showed up on my own phone. With my own SIM in the work phone it connected fine, so I know it is either a phone problem (unlikely, since it works on WiFi) or a settings problem that only appeared because of the upgrade.
I installed the same config file on both the S22 and the Nord 2 and logged a successful connection from the S22 and a failed connection from the Nord 2.
S22 Ultra
[Sept 27, 2023, 15:55:43] ----- OpenVPN Start -----
[Sept 27, 2023, 15:55:43] EVENT: CORE_THREAD_ACTIVE
[Sept 27, 2023, 15:55:43] OpenVPN core 3.git::081bfebe:RelWithDebInfo android arm64 64-bit PT_PROXY
[Sept 27, 2023, 15:55:43] Frame=512/2048/512 mssfix-ctrl=1250
[Sept 27, 2023, 15:55:43] UNUSED OPTIONS
5 [resolv-retry] [infinite]
7 [nobind]
9 [verb] [3]
[Sept 27, 2023, 15:55:43] EVENT: RESOLVE
[Sept 27, 2023, 15:55:43] Contacting myip.address:8457 via UDP
[Sept 27, 2023, 15:55:43] EVENT: WAIT
[Sept 27, 2023, 15:55:43] Connecting to [tensoon.mydomain.co.uk]:8457 (myip.address) via UDPv4
[Sept 27, 2023, 15:55:43] EVENT: CONNECTING
[Sept 27, 2023, 15:55:43] Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
[Sept 27, 2023, 15:55:43] Creds: UsernameEmpty/PasswordEmpty
[Sept 27, 2023, 15:55:43] Peer Info:
IV_VER=3.git::081bfebe:RelWithDebInfo
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1
[Sept 27, 2023, 15:55:43] VERIFY OK: depth=1, /C=US/ST=CA/L=San Francisco/O=TurnKey Linux/OU=OpenVPN/CN=server/name=openvpn/[email protected], signature: RSA-SHA256
[Sept 27, 2023, 15:55:43] VERIFY OK: depth=0, /C=US/ST=CA/L=San Francisco/O=TurnKey Linux/OU=OpenVPN/CN=server/name=openvpn/[email protected], signature: RSA-SHA256
[Sept 27, 2023, 15:55:43] SSL Handshake: peer certificate: CN=server, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
[Sept 27, 2023, 15:55:43] Session is ACTIVE
[Sept 27, 2023, 15:55:43] Sending PUSH_REQUEST to server...
[Sept 27, 2023, 15:55:43] EVENT: GET_CONFIG
[Sept 27, 2023, 15:55:43] OPTIONS:
0 [route] [10.10.10.0] [255.255.254.0]
1 [route] [10.10.25.0] [255.255.255.0]
2 [route] [10.10.40.0] [255.255.255.0]
3 [route] [myip.address] [255.255.255.255]
4 [route] [10.10.50.0] [255.255.255.0]
5 [dhcp-option] [DNS] [10.10.10.99]
6 [dhcp-option] [DNS] [10.10.10.1]
7 [redirect-gateway] [def1] [bypass-dhcp]
8 [route] [10.8.0.1]
9 [topology] [net30]
10 [ping] [10]
11 [ping-restart] [120]
12 [ifconfig] [10.8.0.6] [10.8.0.5]
13 [peer-id] [1]
14 [cipher] [AES-256-GCM]
[Sept 27, 2023, 15:55:43] PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
key-derivation: OpenVPN PRF
compress: LZO_STUB
peer ID: 1
control channel: tls-auth enabled
[Sept 27, 2023, 15:55:43] EVENT: ASSIGN_IP
[Sept 27, 2023, 15:55:43] Connected via tun
[Sept 27, 2023, 15:55:43] LZO-ASYM init swap=0 asym=1
[Sept 27, 2023, 15:55:43] Comp-stub init swap=0
[Sept 27, 2023, 15:55:43] EVENT: CONNECTED info='tensoon.mydomain.co.uk:8457 (myip.address) via /UDPv4 on tun/10.8.0.6/ gw=[10.8.0.5/]'
OnePlus Nord 2
[Sept 27, 2023, 15:57:16] ----- OpenVPN Start -----
[Sept 27, 2023, 15:57:16] EVENT: CORE_THREAD_ACTIVE
[Sept 27, 2023, 15:57:16] OpenVPN core 3.git::081bfebe:RelWithDebInfo android arm64 64-bit PT_PROXY
[Sept 27, 2023, 15:57:16] Frame=512/2048/512 mssfix-ctrl=1250
[Sept 27, 2023, 15:57:16] UNUSED OPTIONS
5 [resolv-retry] [infinite]
7 [nobind]
9 [verb] [3]
[Sept 27, 2023, 15:57:16] EVENT: RESOLVE
[Sept 27, 2023, 15:57:16] Contacting myip.address:8457 via UDP
[Sept 27, 2023, 15:57:16] EVENT: WAIT
[Sept 27, 2023, 15:57:16] Connecting to [tensoon.mydomain.co.uk]:8457 (myip.address) via UDPv4
[Sept 27, 2023, 15:57:16] EVENT: CONNECTING
[Sept 27, 2023, 15:57:16] Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
[Sept 27, 2023, 15:57:16] Creds: UsernameEmpty/PasswordEmpty
[Sept 27, 2023, 15:57:16] Peer Info:
IV_VER=3.git::081bfebe:RelWithDebInfo
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1
[Sept 27, 2023, 15:57:16] VERIFY OK: depth=1, /C=US/ST=CA/L=San Francisco/O=TurnKey Linux/OU=OpenVPN/CN=server/name=openvpn/[email protected], signature: RSA-SHA256
[Sept 27, 2023, 15:57:16] VERIFY OK: depth=0, /C=US/ST=CA/L=San Francisco/O=TurnKey Linux/OU=OpenVPN/CN=server/name=openvpn/[email protected], signature: RSA-SHA256
[Sept 27, 2023, 15:58:16] EVENT: CONNECTION_TIMEOUT info=' BYTES_IN : 3888
BYTES_OUT : 157487
PACKETS_IN : 8
PACKETS_OUT : 127
CONNECTION_TIMEOUT : 1
'
[Sept 27, 2023, 15:58:16] EVENT: DISCONNECTED
[Sept 27, 2023, 15:58:16] Tunnel bytes per CPU second: 0
[Sept 27, 2023, 15:58:16] ----- OpenVPN Stop -----
[Sept 27, 2023, 15:58:16] EVENT: CORE_THREAD_DONE
This is my server.conf. The persist-tun option was enabled, but I read a few articles saying it can cause problems for Android 13 clients, so I commented it out; it made no difference.
#PUBLIC_ADDRESS: tensoon.mydomain.co.uk (used by openvpn-addclient)
port 1194
proto udp
dev tun
comp-lzo
keepalive 10 120
persist-key
#persist-tun
user nobody
group nogroup
chroot /etc/openvpn/easy-rsa/keys/crl.jail
crl-verify crl.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
key /etc/openvpn/easy-rsa/keys/server.key
cert /etc/openvpn/easy-rsa/keys/server.crt
ifconfig-pool-persist /var/lib/openvpn/server.ipp
client-config-dir /etc/openvpn/server.ccd
status /var/log/openvpn/server.log
verb 4
# virtual subnet unique for openvpn to draw client addresses from
# the server will be configured with x.x.x.1
# important: must not be used on your network
server 10.8.0.0 255.255.255.0
# push routes to clients to allow them to reach private subnets
#push "route 10.10.20.0 255.255.255.0"
push "route 10.10.10.0 255.255.254.0"
push "route 10.10.25.0 255.255.255.0"
push "route 10.10.40.0 255.255.255.0"
push "route myip.address 255.255.255.255"
push "route 10.10.50.0 255.255.255.0"
push "dhcp-option DNS 10.10.10.99"
push "dhcp-option DNS 10.10.10.1"
#push "route 172.16.69.0 255.255.255.0"
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
While I was typing this I also connected to the same VPN from my laptop straight away, but since no error appears when the connection is attempted I don't get many clues about where the problem is; my only guess is that for some reason the SSL handshake is timing out.
Here is the client config, in case it helps. Apart from the certificates they are basically all the same.
remote tensoon.mydomain.co.uk 8457
proto udp
remote-cert-tls server
client
dev tun
resolv-retry infinite
keepalive 10 120
nobind
comp-lzo
verb 3
;user nobody
;group nogroup
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</tls-auth>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server/name=openvpn/[email protected]
Validity
Not Before: Oct 18 16:49:18 2020 GMT
Not After : Oct 16 16:49:18 2030 GMT
Subject: C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=pixel2tensoon/name=openvpn/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
xxx
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
xxx
X509v3 Authority Key Identifier:
xxx
DirName:/C=US/ST=CA/L=San Francisco/O=TurnKey Linux/OU=OpenVPN/CN=server/name=openvpn/[email protected]
xxx
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:pixel2tensoon
Signature Algorithm: sha256WithRSAEncryption
xxx
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxx
-----END ENCRYPTED PRIVATE KEY-----
</key>
A few of the places I work have wifi networks that block anything not on a standard port, and their DNS doesn't resolve my domain, so I have another config file that connects by IP to port 443, although I normally block 443 on my router. I opened port 443 tonight, and even connecting directly by IP doesn't work.
I use ConnectBot to ssh to my server, and I have a Nextcloud client app on my phone that doesn't need the VPN. Both connect using the domain name and both have worked all day, so this doesn't seem to be any kind of DNS problem.
Edit
Okay, I think I may have found the problem, though the fix will have to wait for another day.
I did some digging, and it seems the MTU of my phone on mobile data is now 1280, which means I need an mssfix of 1212 (going by a guide that told me to reduce the ping MTU by 40, the ping MTU itself being 28 lower than the actual MTU because of headers and so on).
However, mssfix in my client.ovpn doesn't seem to do anything, and it doesn't work in server.conf either. Changing the protocol to tcp solves the problem to some extent, but my phone is always connected to the VPN, so the overhead of a tcp connection is not a long-term solution. My work phone's MTU is 1500, so that is the only difference I can see so far. When my own phone is connected to wifi, its MTU is 1500.
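As an added example (not part of the original post, nor OpenVPN's own tooling), here is a small Python triage script that reads OpenVPN Connect client logs like the two pasted above and reports the last milestone a failed attempt reached, together with the byte and packet counters from the CONNECTION_TIMEOUT event. The milestone patterns are taken from the log format shown in the post; the rule that maps "stalled right after VERIFY OK, with far more packets sent than received" to "check path MTU / fragmentation first" encodes the poster's own hypothesis and is an assumption, not an OpenVPN diagnostic. The two sample logs are condensed from the S22 Ultra and Nord 2 captures above.

```python
"""Triage OpenVPN Connect (core 3) client logs: where did a failed attempt stall?

Added example, not code from the original post. Milestone patterns follow the
log lines shown in the post; the diagnosis rules are assumptions for triage.
"""
import re
from dataclasses import dataclass, field

# Milestones in the order OpenVPN Connect logs them for a UDP client.
# The last one a failed run reaches narrows down which exchange was lost.
MILESTONES = [
    ("resolve",     re.compile(r"EVENT: RESOLVE")),
    ("connecting",  re.compile(r"EVENT: CONNECTING")),
    ("cert_verify", re.compile(r"VERIFY OK: depth=0")),   # server chain verified
    ("tls_done",    re.compile(r"SSL Handshake:")),        # handshake completed
    ("push_reply",  re.compile(r"EVENT: GET_CONFIG")),     # PUSH_REPLY received
    ("connected",   re.compile(r"EVENT: CONNECTED")),
]
TIMEOUT_RE = re.compile(r"EVENT: CONNECTION_TIMEOUT")
STAT_RE = re.compile(r"(BYTES_IN|BYTES_OUT|PACKETS_IN|PACKETS_OUT)\s*:\s*(\d+)")


@dataclass
class Triage:
    reached: list = field(default_factory=list)   # milestones seen, in order
    timed_out: bool = False
    stats: dict = field(default_factory=dict)     # counters from the timeout event


def parse_log(text: str) -> Triage:
    """Scan a log and record milestones, timeout and the timeout counters."""
    t = Triage()
    for line in text.splitlines():
        for name, rx in MILESTONES:
            if name not in t.reached and rx.search(line):
                t.reached.append(name)
        if TIMEOUT_RE.search(line):
            t.timed_out = True
        m = STAT_RE.search(line)   # the first counter shares the timeout line
        if m:
            t.stats[m.group(1)] = int(m.group(2))
    return t


def diagnose(t: Triage) -> str:
    """Map the last milestone reached to a short triage verdict (assumed rules)."""
    if "connected" in t.reached:
        return "ok"
    if not t.timed_out:
        return "incomplete-log"
    last = t.reached[-1] if t.reached else "none"
    pkts_out = t.stats.get("PACKETS_OUT", 0)
    pkts_in = t.stats.get("PACKETS_IN", 0)
    # Many packets out for few in: the client kept retransmitting while its
    # packets, or the replies to them, were not getting through.
    lopsided = bool(pkts_in) and pkts_out > 5 * pkts_in
    if last == "cert_verify":
        # The server's certificate chain arrived and verified, so the port is
        # reachable and tls-auth matches. The handshake then never finished.
        # Small packets passing while larger ones vanish is consistent with a
        # path-MTU / fragmentation problem, which is the poster's hypothesis.
        verdict = "stall-after-cert-verify: suspect path MTU/fragmentation"
        return verdict + (" (client retransmitting)" if lopsided else "")
    if last in ("resolve", "connecting"):
        return "no-server-reply: port blocked, server down, or tls-auth mismatch"
    if last in ("tls_done", "push_reply"):
        return "stall-after-tls: PUSH_REPLY or tunnel setup not completed"
    return "unknown-stall-at-" + last


# Constructed sample logs, condensed from the two captures in the post.
OK_LOG = """\
[Sept 27, 2023, 15:55:43] EVENT: RESOLVE
[Sept 27, 2023, 15:55:43] EVENT: CONNECTING
[Sept 27, 2023, 15:55:43] VERIFY OK: depth=1, /C=US/ST=CA/O=TurnKey Linux/CN=server
[Sept 27, 2023, 15:55:43] VERIFY OK: depth=0, /C=US/ST=CA/O=TurnKey Linux/CN=server
[Sept 27, 2023, 15:55:43] SSL Handshake: peer certificate: CN=server, 2048 bit RSA
[Sept 27, 2023, 15:55:43] EVENT: GET_CONFIG
[Sept 27, 2023, 15:55:43] EVENT: CONNECTED info='tensoon.mydomain.co.uk:8457 via /UDPv4 on tun/10.8.0.6/'
"""
FAIL_LOG = """\
[Sept 27, 2023, 15:57:16] EVENT: RESOLVE
[Sept 27, 2023, 15:57:16] EVENT: CONNECTING
[Sept 27, 2023, 15:57:16] VERIFY OK: depth=1, /C=US/ST=CA/O=TurnKey Linux/CN=server
[Sept 27, 2023, 15:57:16] VERIFY OK: depth=0, /C=US/ST=CA/O=TurnKey Linux/CN=server
[Sept 27, 2023, 15:58:16] EVENT: CONNECTION_TIMEOUT info=' BYTES_IN : 3888
BYTES_OUT : 157487
PACKETS_IN : 8
PACKETS_OUT : 127
CONNECTION_TIMEOUT : 1
'
[Sept 27, 2023, 15:58:16] EVENT: DISCONNECTED
"""

if __name__ == "__main__":
    for label, log in (("S22 Ultra", OK_LOG), ("Nord 2", FAIL_LOG)):
        t = parse_log(log)
        print(f"{label}: reached={t.reached} stats={t.stats} -> {diagnose(t)}")
```

Run against the Nord 2 capture it reports the run stopping at cert_verify with 127 packets out against 8 in, which is the signature the poster's MTU theory predicts; the same script run after changing tun-mtu or mssfix tells you immediately whether the stall point moved.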