OpenVPN - stuck on connecting

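I ran into a problem with my OpenVPN server... Every time I try to connect to the VPN, a window with login and password boxes appears, so I enter the login and password (login = Common Name (user1), and the password is the challenge password from the client certificate).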

Logs:

Jun  7 17:03:05 test ovpn-openvpn[5618]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Jun  7 17:03:05 test ovpn-openvpn[5618]: TLS Error: incoming packet authentication failed from [AF_INET]80.**.**.***:54179

client.ovpn:

client
remote [My server IP]
ca ca.crt
cert client.crt
key client.key
cipher DES-EDE3-CBC
comp-lzo yes
dev tap
proto udp
tls-auth ta.key 1
nobind
auth-nocache
persist-key
persist-tun
user nobody
group nogroup

My server.conf:

port 1194
proto udp
dev tap

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server-name.crt
key /etc/openvpn/certs/server-name.key
dh /etc/openvpn/certs/dh2048.pem
tls-auth /etc/openvpn/certs/ta.key 0

server 192.168.88.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 1800 4000

cipher DES-EDE3-CBC # Triple-DES
comp-lzo

max-clients 10

user nobody
group nogroup

persist-key
persist-tun

#log openvpn.log
#status openvpn-status.log
verb 5
mute 20

sysctl:

net.ipv4.ip_forward=1

ta.key on the server:

ta.key on the client:

Full log file:

root@VPN:/etc/openvpn# cat openvpn.log
Sun Jun  8 09:50:27 2014 us=88526 Current Parameter Settings:
Sun Jun  8 09:50:27 2014 us=88598   config = '/etc/openvpn/server.conf'
Sun Jun  8 09:50:27 2014 us=88617   mode = 1
Sun Jun  8 09:50:27 2014 us=88634   persist_config = DISABLED
Sun Jun  8 09:50:27 2014 us=88650   persist_mode = 1
Sun Jun  8 09:50:27 2014 us=88667   show_ciphers = DISABLED
Sun Jun  8 09:50:27 2014 us=88684   show_digests = DISABLED
Sun Jun  8 09:50:27 2014 us=88700   show_engines = DISABLED
Sun Jun  8 09:50:27 2014 us=88717   genkey = DISABLED
Sun Jun  8 09:50:27 2014 us=88735   key_pass_file = '[UNDEF]'
Sun Jun  8 09:50:27 2014 us=88752   show_tls_ciphers = DISABLED
Sun Jun  8 09:50:27 2014 us=88768 Connection profiles [default]:
Sun Jun  8 09:50:27 2014 us=88783   proto = udp
Sun Jun  8 09:50:27 2014 us=88797   local = '[UNDEF]'
Sun Jun  8 09:50:27 2014 us=88813   local_port = 1194
Sun Jun  8 09:50:27 2014 us=88830   remote = '[UNDEF]'
Sun Jun  8 09:50:27 2014 us=88846   remote_port = 1194
Sun Jun  8 09:50:27 2014 us=88859   remote_float = DISABLED
Sun Jun  8 09:50:27 2014 us=88874   bind_defined = DISABLED
Sun Jun  8 09:50:27 2014 us=88890   bind_local = ENABLED
Sun Jun  8 09:50:27 2014 us=88907 NOTE: --mute triggered...
Sun Jun  8 09:50:27 2014 us=88941 259 variation(s) on previous 20 message(s) suppressed by --mute
Sun Jun  8 09:50:27 2014 us=88964 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Sun Jun  8 09:50:27 2014 us=89172 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jun  8 09:50:27 2014 us=98076 Diffie-Hellman initialized with 2048 bit key
Sun Jun  8 09:50:27 2014 us=98914 Control Channel Authentication: using '/etc/openvpn/certs/ta.key' as a OpenVPN static key file
Sun Jun  8 09:50:27 2014 us=98939 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jun  8 09:50:27 2014 us=98952 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jun  8 09:50:27 2014 us=98970 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sun Jun  8 09:50:27 2014 us=98998 Socket Buffers: R=[229376->131072] S=[229376->131072]
Sun Jun  8 09:50:27 2014 us=100231 TUN/TAP device tap0 opened
Sun Jun  8 09:50:27 2014 us=100261 TUN/TAP TX queue length set to 100
Sun Jun  8 09:50:27 2014 us=100283 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jun  8 09:50:27 2014 us=100306 /sbin/ifconfig tap0 192.168.88.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.88.255
Sun Jun  8 09:50:27 2014 us=102933 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Jun  8 09:50:27 2014 us=105919 GID set to nogroup
Sun Jun  8 09:50:27 2014 us=105998 UID set to nobody
Sun Jun  8 09:50:27 2014 us=106039 UDPv4 link local (bound): [undef]
Sun Jun  8 09:50:27 2014 us=106058 UDPv4 link remote: [undef]
Sun Jun  8 09:50:27 2014 us=106083 MULTI: multi_init called, r=256 v=256
Sun Jun  8 09:50:27 2014 us=106193 IFCONFIG POOL: base=192.168.88.2 size=253, ipv6=0
Sun Jun  8 09:50:27 2014 us=106222 IFCONFIG POOL LIST
Sun Jun  8 09:50:27 2014 us=106278 Initialization Sequence Completed
Sun Jun  8 09:50:37 2014 us=644154 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Jun  8 09:50:37 2014 us=644242 TLS Error: incoming packet authentication failed from [AF_INET]80.***.**.*:63584
Sun Jun  8 09:50:39 2014 us=692080 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Jun  8 09:50:39 2014 us=692218 TLS Error: incoming packet authentication failed from [AF_INET]80.***.**.*:63584
Sun Jun  8 09:50:42 2014 us=780366 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Jun  8 09:50:42 2014 us=780446 TLS Error: incoming packet authentication failed from [AF_INET]80.***.**.*:63584
Sun Jun  8 09:50:51 2014 us=516357 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Jun  8 09:50:51 2014 us=516441 TLS Error: incoming packet authentication failed from [AF_INET]80.***.**.*:63584

Answer 1

Your tls-auth client configuration is different. Try copying /etc/openvpn/keys/ta.key to the client machine, then replace

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
d1e0...
-----END OpenVPN Static key V1-----
</tls-auth>

with:

tls-auth path-to/ta.key 1

One end of the link must use the ta.key with 1, the other end with 0 as the parameter.
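
A consistency check for the tls-auth settings discussed in this thread, added here as an example (it is not code from the question or from either answer). It compares the key direction on both sides, including the inline `<tls-auth>` form with `key-direction`, and fingerprints the two ta.key files; the function names are hypothetical, and the sample configs and key are constructed.

```python
import hashlib
import re

# Constructed sample inputs modelled on the configs in the question (not a real key).
CLIENT = "client\nproto udp\ndev tap\ncipher DES-EDE3-CBC\ntls-auth ta.key 1\n"
SERVER = "proto udp\ndev tap\ncipher DES-EDE3-CBC # Triple-DES\ntls-auth /etc/openvpn/certs/ta.key 0\n"
KEY = ("-----BEGIN OpenVPN Static key V1-----\n" + "00112233445566778899aabbccddeeff\n" * 16
       + "-----END OpenVPN Static key V1-----\n")

def directives(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    out = {}
    for line in text.splitlines():
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if words:
            out[words[0]] = words[1:]
    return out

def tls_auth_state(d):
    """Return (enabled, direction) for file-based or inline <tls-auth> use."""
    inline_dir = (d.get("key-direction") or [None])[0]
    if "tls-auth" in d:
        args = d["tls-auth"]
        return True, args[1] if len(args) > 1 else inline_dir
    return "<tls-auth>" in d, inline_dir if "<tls-auth>" in d else None

def key_fingerprint(key_text):
    """SHA-256 of the hex body only, so comments, CRLF and case do not matter."""
    body = "".join(l.strip().lower() for l in key_text.splitlines()
                   if re.fullmatch(r"[0-9a-fA-F]{32}", l.strip()))
    return hashlib.sha256(body.encode()).hexdigest()

def check_tls_auth(client_cfg, server_cfg, client_key, server_key):
    """List mismatches that produce 'packet HMAC authentication failed'."""
    c, s = directives(client_cfg), directives(server_cfg)
    (c_on, c_dir), (s_on, s_dir) = tls_auth_state(c), tls_auth_state(s)
    findings = []
    if c_on != s_on:
        findings.append("tls-auth enabled on one side only")
    elif c_on:
        if {c_dir, s_dir} not in ({"0", "1"}, {None}):
            findings.append(f"key-direction not complementary: client={c_dir} server={s_dir}")
        if key_fingerprint(client_key) != key_fingerprint(server_key):
            findings.append("ta.key contents differ")
    if c.get("auth", ["SHA1"]) != s.get("auth", ["SHA1"]):
        findings.append("auth digest differs")
    return findings

if __name__ == "__main__":
    print(check_tls_auth(CLIENT, SERVER, KEY, KEY) or "tls-auth settings consistent")
```

Key lines that contain redaction characters such as `*` are not valid hex and are skipped by `key_fingerprint`, so run the comparison on the unredacted files.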

Answer 2

dh= must be set on both sides! Copy dh2048.pem to your client.
