Question
Hi everyone:
I bought a VPS and set up my own OpenVPN server on it, which I want to use for some of my own needs. I then configured the client using various sources (including, but not limited to, the official documentation, Google, etc.). It works fine on Windows, but when I use the same method (the same issued client certificate, the same configuration file) to configure my Linux machine, a problem appears. My Linux machine runs Rocky Linux 9. At first I thought I had done something wrong (after all, this is a bit fiddly and I am not very familiar with it), so I took the client configuration from my Windows machine (unchanged, and it works fine on Windows), and when I used it on the Linux machine I found that the error was still there. I looked up a lot of material and still have not found where the problem lies.
My VPS server runs Ubuntu 22.04, and I compiled and installed OpenVPN 2.6.9 from source. My Linux machine (Rocky Linux 9) uses the same set of source code, compiled and installed the same way as on the server. Windows uses OpenVPN Connect.
Relevant configuration information
OpenVPN server configuration
Here is my OpenVPN server configuration:
$ grep -Pv '^$|^#|^;' /opt/openvpn/conf/server_strict-ca.conf
port 21222
proto udp
dev tun
topology subnet
ca /opt/openvpn/ssl/strict-ca/A_B-chain.crt
cert /opt/openvpn/ssl/strict-ca/server.crt
key /opt/openvpn/ssl/strict-ca/server.key
dh none
server 172.16.110.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-crypt /opt/openvpn/ssl/ta.key
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA384
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
user nobody
group nogroup
persist-key
persist-tun
client-to-client
crl-verify /opt/openvpn/ssl/strict-ca/crl/crl.pem
status /var/log/openvpn/openvpn-status.log
verb 3
log-append /var/log/openvpn/openvpn-info.log
explicit-exit-notify 1
OpenVPN client configuration
Here is my OpenVPN client configuration:
$ grep -Pv '^$|^#|^;' client.ovpn
client
dev tun
proto udp
remote 1.2.3.4 21222 # I have randomly replaced the IP address here.
resolv-retry infinite
nobind
user nobody
group nobody # This item is nogroup in Windows.
persist-key
persist-tun
ca A_B-chain.crt
cert client.crt
key client.key
tls-crypt ta.key
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA384
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
verb 3
script-security 2
keepalive 10 120
Certificates
CA
Here is the relevant part of my certificates. A is the root CA.
$ openssl x509 -text -noout -in A.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:12:fa:84:28:68:d0:78:e5:90:22:19:2f:60:ce:78:c9:8d:92:18
Signature Algorithm: ecdsa-with-SHA384
Issuer: (A.crt, self-signed)
Validity
Not Before: Dec 18 12:54:52 2023 GMT
Not After : Jan 18 12:54:52 2033 GMT
Subject: (A.crt, self-signed)
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:f0:d2:70:b1:dd:88:7d:45:8e:da:7a:30:c7:84:
e0:5e:20:c6:86:27:0a:61:69:b1:72:d6:ef:1b:e5:
00:21:09:8f:53:6b:a3:43:80:af:10:0e:69:49:d0:
fe:f2:fb:2e:48:e3:be:d2:7e:fd:8e:64:32:c1:11:
b8:92:81:dd:f8:6e:33:1c:78:d3:ee:98:8a:db:80:
3a:57:3e:13:0e:1b:43:dc:25:89:29:b4:11:d4:28:
97:d2:bd:22:08:ef:bb
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Subject Key Identifier:
97:21:6A:46:A0:F4:AA:95:D2:9B:6F:86:FB:4D:13:49:FA:59:95:97
X509v3 Authority Key Identifier:
keyid:97:21:6A:46:A0:F4:AA:95:D2:9B:6F:86:FB:4D:13:49:FA:59:95:97
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: ecdsa-with-SHA384
30:64:02:30:7f:3a:2f:85:42:bf:09:df:f7:7b:44:bb:b9:cd:
18:2f:67:83:14:6a:1f:d6:cb:7c:bd:b1:55:a0:ce:e6:b5:8f:
d3:cf:11:43:4d:fd:a5:6b:e1:14:d1:35:af:44:3d:f3:02:30:
74:b4:6a:09:4b:3e:1d:67:ec:2e:69:99:5c:59:d4:19:61:02:
57:23:e8:a1:33:9a:99:0d:23:7b:88:0a:89:93:a9:da:6a:3c:
16:fa:76:5c:ef:4f:10:f7:41:c1:e2:c9
B is issued by A. B is a subordinate CA responsible only for issuing the OpenVPN-related certificates.
$ openssl x509 -text -noout -in B.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
09:fc:6c:73:25:7d:aa:8b:41:d6:cf:1f:91:68:a4:02:94:98:17:c0
Signature Algorithm: ecdsa-with-SHA256
Issuer: (A.crt)
Validity
Not Before: Mar 13 15:25:55 2024 GMT
Not After : Mar 14 15:25:55 2029 GMT
Subject: (B.crt)
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:ef:c9:fa:cb:61:37:54:82:e6:bc:a1:66:e8:be:
df:88:08:23:1a:f9:6e:94:29:30:b8:81:29:01:50:
be:e1:a9:82:48:fa:28:03:06:2c:8b:65:3d:d0:35:
d4:50:10:1b:33:f9:6d:a4:6b:ce:5e:f4:61:6c:31:
16:7f:70:a3:08:ae:90:0c:a2:c1:49:ca:e4:6b:80:
ea:f4:96:82:e8:ff:bb:f7:9b:d0:2d:37:80:0a:d1:
c7:0f:b1:1d:73:aa:2a
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
AE:50:63:28:D1:4B:01:A4:CC:B3:7C:7B:58:09:1C:19:2B:B7:62:89
X509v3 Authority Key Identifier:
keyid:97:21:6A:46:A0:F4:AA:95:D2:9B:6F:86:FB:4D:13:49:FA:59:95:97
Signature Algorithm: ecdsa-with-SHA256
30:64:02:30:76:ce:62:23:0e:41:df:2a:0c:50:71:93:e6:58:
1b:4a:06:94:71:e5:a4:4a:a1:a2:9f:ee:aa:5c:0b:8f:5d:83:
d7:8d:f4:b6:f3:c8:bd:0b:ef:2c:0f:1c:65:76:74:3d:02:30:
47:74:84:74:e7:b2:10:26:b0:48:35:b4:f7:30:7d:9d:87:a3:
fd:46:be:fa:18:4b:e7:c5:c3:06:6f:fd:09:ac:cb:25:8b:8c:
68:81:a6:70:cc:26:ed:68:33:73:4b:f1
OpenVPN server certificate
$ openssl x509 -text -noout -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: ecdsa-with-SHA256
Issuer: (B.crt)
Validity
Not Before: Mar 13 15:32:58 2024 GMT
Not After : Mar 13 15:32:58 2028 GMT
Subject: (Server.crt)
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:ff:91:e0:be:f4:d6:fc:99:f4:c5:9a:05:0e:0d:
87:e5:9b:e1:9f:1b:60:b8:b1:12:75:99:7b:0a:c3:
27:df:2b:5e:44:b4:5e:f0:fd:ec:27:d4:37:2c:ea:
1c:77:e8:06:e3:71:bc:41:1f:fa:82:52:29:4a:33:
a6:df:93:9f:63:25:41:e3:99:ce:9b:24:92:97:d4:
3b:56:e5:f2:8d:2a:ff:e9:af:6c:75:c5:4c:3f:e4:
75:60:b6:e6:c8:aa:ff
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
96:16:D5:02:57:F3:0D:23:C2:D5:94:11:5A:C5:0F:15:3A:2F:32:B5
X509v3 Authority Key Identifier:
AE:50:63:28:D1:4B:01:A4:CC:B3:7C:7B:58:09:1C:19:2B:B7:62:89
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:66:02:31:00:bf:80:59:d2:c1:7b:d8:b3:74:e0:e8:ea:2c:
09:ac:68:22:a6:ba:e9:13:e8:72:00:a4:82:0d:be:fe:30:d1:
be:2f:46:4f:a2:c1:fb:64:ff:e4:09:1c:1c:9b:70:6d:3c:02:
31:00:95:84:93:6a:e4:7e:e0:3a:78:ee:14:d9:4c:b1:e6:85:
ca:22:36:48:60:39:40:38:be:98:0c:43:2d:33:50:00:c4:8f:
5d:76:96:64:e4:a2:66:ca:f7:1d:43:5a:9d:57
OpenVPN client certificate
$ openssl x509 -text -noout -in client.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: ecdsa-with-SHA256
Issuer: (B.crt)
Validity
Not Before: Mar 13 15:35:37 2024 GMT
Not After : Jun 13 15:35:37 2024 GMT
Subject: (client.crt)
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:23:89:52:7c:0e:e7:e5:35:18:65:f6:5b:eb:53:
a1:c6:05:ed:c3:94:5f:98:5e:d1:49:bc:4a:48:b9:
07:a8:f3:a8:75:d3:00:9a:f4:56:69:08:f9:56:af:
ea:7e:d5:38:22:03:d9:4b:5b:fa:b8:1f:c0:ee:8a:
5c:bd:e0:46:8a
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
E1:64:90:F7:FB:42:A9:23:FB:E2:9F:91:FB:E1:21:1A:BC:C0:56:2C
X509v3 Authority Key Identifier:
AE:50:63:28:D1:4B:01:A4:CC:B3:7C:7B:58:09:1C:19:2B:B7:62:89
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:66:02:31:00:cf:51:17:83:0c:24:ba:e5:b8:93:c6:d9:42:
ae:a8:49:b1:82:72:e3:70:b4:4c:43:df:cb:57:b2:cc:a0:ab:
0e:39:ef:9b:98:8b:90:55:b0:f6:d7:af:f3:5a:65:44:14:02:
31:00:b9:e0:88:88:c1:5a:c5:ef:1c:75:38:46:3c:0d:04:fb:
46:ec:55:ad:fa:79:8b:8e:c3:25:0d:7b:04:e1:84:86:7a:29:
c8:76:c8:3d:cd:1b:94:f2:95:ce:f2:c2:3a:ce
Logs
I run openvpn --client --config client.ovpn. This is the error log I get when the client connects:
$ /opt/openvpn-2.6.9/sbin/openvpn --client --config client-chain.ovpn
2024-03-16 15:25:23 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
2024-03-16 15:25:23 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2024-03-16 15:25:23 OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
2024-03-16 15:25:23 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2024-03-16 15:25:23 DCO version: N/A
2024-03-16 15:25:23 TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:21222
2024-03-16 15:25:23 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-03-16 15:25:23 UDPv4 link local: (not bound)
2024-03-16 15:25:23 UDPv4 link remote: [AF_INET]1.2.3.4:21222
2024-03-16 15:25:23 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2024-03-16 15:25:23 TLS: Initial packet from [AF_INET]1.2.3.4:21222, sid=ea0416e2 1f7df5e8
2024-03-16 15:25:23 VERIFY OK: (A.crt)
2024-03-16 15:25:23 VERIFY OK: (B.crt)
2024-03-16 15:25:23 Certificate does not have key usage extension
2024-03-16 15:25:23 VERIFY KU ERROR
2024-03-16 15:25:23 Sent fatal SSL alert: internal error
2024-03-16 15:25:23 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-03-16 15:25:23 TLS_ERROR: BIO read tls_read_plaintext error
2024-03-16 15:25:23 TLS Error: TLS object -> incoming plaintext read error
2024-03-16 15:25:23 TLS Error: TLS handshake failed
2024-03-16 15:25:23 SIGUSR1[soft,tls-error] received, process restarting
2024-03-16 15:25:23 Restart pause, 1 second(s)
2024-03-16 15:25:23 SIGINT[hard,init_instance] received, process exiting
This is the server side:
# Assume the client IP is 5.6.7.8
2024-03-16 15:25:23 5.6.7.8:14601 CRL: loaded 1 CRLs from file /opt/openvpn/ssl/strict-ca/crl/crl.pem
2024-03-16 15:25:25 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2024-03-16 15:25:29 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2024-03-16 15:25:37 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2024-03-16 15:25:53 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2024-03-16 15:26:23 5.6.7.8:14601 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-03-16 15:26:23 5.6.7.8:14601 TLS Error: TLS handshake failed
2024-03-16 15:26:23 5.6.7.8:14601 SIGUSR1[soft,tls-error] received, client-instance restarting
I noticed these lines in the Linux client's log:
2024-03-16 15:25:23 Certificate does not have key usage extension
2024-03-16 15:25:23 VERIFY KU ERROR
Maybe if I fix this the whole problem will be solved, but I don't know what it is. Can someone tell me? Thanks.
Additional information
After I remove the remote-cert-tls server option, the Linux client can connect, but I have seen people say that removing this option seems to introduce a security risk?
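As an added illustration (not part of the original question), here is a small Python checker that reads the extension section of an openssl x509 -text dump, like the ones posted above, and reports why the certificate would fail OpenVPN's remote-cert-tls server check. That option expands to --remote-cert-ku plus --remote-cert-eku "TLS Web Server Authentication", so the peer certificate needs a Key Usage extension with Digital Signature together with Key Encipherment or Key Agreement, and an Extended Key Usage of TLS Web Server Authentication; the two sample dumps are constructed, the first mirroring the posted server.crt (no Key Usage at all, hence "Certificate does not have key usage extension" in the log) and the second showing the extensions a reissued server certificate would carry.

```python
import re

# What OpenVPN's "remote-cert-tls server" expects on the peer certificate
# (Key Usage per RFC 5280 TLS server rules, plus the serverAuth EKU).
SERVER_EKU = "TLS Web Server Authentication"
SERVER_KU_SETS = (
    {"Digital Signature", "Key Encipherment"},
    {"Digital Signature", "Key Agreement"},   # the usual pair for EC keys
)

# Constructed excerpts of `openssl x509 -text` output (not real certificates).
CERT_AS_POSTED = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""
CERT_FIXED = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

def extension_values(dump, name):
    """Return the set of values listed under X509v3 extension `name`
    (e.g. "Key Usage"), or None when the extension is absent."""
    pattern = r"X509v3 " + re.escape(name) + r":[^\n]*\n\s*([^\n]+)"
    m = re.search(pattern, dump)
    if not m:
        return None
    return {v.strip() for v in m.group(1).split(",")}

def check_server_cert(dump):
    """List the reasons this certificate would not pass remote-cert-tls
    server; an empty list means it is acceptable."""
    problems = []
    ku = extension_values(dump, "Key Usage")
    if ku is None:
        problems.append("Certificate does not have key usage extension")
    elif not any(required <= ku for required in SERVER_KU_SETS):
        problems.append("Key Usage %s has no server combination" % sorted(ku))
    eku = extension_values(dump, "Extended Key Usage")
    if eku is None or SERVER_EKU not in eku:
        problems.append("Extended Key Usage lacks %r" % SERVER_EKU)
    return problems

if __name__ == "__main__":
    for label, dump in (("as posted", CERT_AS_POSTED), ("fixed", CERT_FIXED)):
        print(label, "->", check_server_cert(dump) or "OK")
```

The same check applied to a client certificate would use the "TLS Web Client Authentication" EKU instead, which matters only if the server side also enables remote-cert-tls client.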