OpenVPN connection problem

After successfully connecting to the VPN, I think the TLS handshake that is performed for the ping (keepalive parameter) always fails, so after a while I always get disconnected. My connection is working perfectly fine, and while I am connected over SSH to a machine with no lag at all, the connection drops.

The server runs on AWS and acts as the NAT server for my private subnet.

Sat Oct  4 20:54:28 2014 us=612885 MULTI: multi_create_instance called
Sat Oct  4 20:54:28 2014 us=612922 177.33.165.204:51127 Re-using SSL/TLS context
Sat Oct  4 20:54:28 2014 us=612945 177.33.165.204:51127 LZO compression initialized
Sat Oct  4 20:54:28 2014 us=613030 177.33.165.204:51127 Control Channel MTU parms [ L:1602 D:210 EF:110 EB:0 ET:0 EL:0 ]
Sat Oct  4 20:54:28 2014 us=613040 177.33.165.204:51127 Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct  4 20:54:28 2014 us=613062 177.33.165.204:51127 Local Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Sat Oct  4 20:54:28 2014 us=613068 177.33.165.204:51127 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Sat Oct  4 20:54:28 2014 us=613080 177.33.165.204:51127 Local Options hash (VER=V4): '14d315e7'
Sat Oct  4 20:54:28 2014 us=613090 177.33.165.204:51127 Expected Remote Options hash (VER=V4): 'a5d50645'
Sat Oct  4 20:54:28 2014 us=613111 177.33.165.204:51127 TLS: Initial packet from [AF_INET]177.33.165.204:51127, sid=99a6083b f78502f1
Sat Oct  4 20:54:51 2014 us=264934 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct  4 20:54:51 2014 us=264972 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct  4 20:55:28 2014 us=517801 177.33.165.204:51127 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct  4 20:55:28 2014 us=517832 177.33.165.204:51127 TLS Error: TLS handshake failed
Sat Oct  4 20:55:28 2014 us=517895 177.33.165.204:51127 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat Oct  4 20:56:07 2014 us=112801 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct  4 20:56:07 2014 us=112844 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct  4 20:57:22 2014 us=413564 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct  4 20:57:22 2014 us=413604 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct  4 20:58:37 2014 us=812742 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct  4 20:58:37 2014 us=812770 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct  4 20:59:52 2014 us=617363 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct  4 20:59:52 2014 us=617420 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct  4 21:01:07 2014 us=372955 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct  4 21:01:07 2014 us=372985 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct  4 21:02:23 2014 us=7862 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct  4 21:02:23 2014 us=7909 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct  4 21:02:33 2014 us=743366 erico/177.33.165.204:49469 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Oct  4 21:02:33 2014 us=743389 erico/177.33.165.204:49469 SIGUSR1[soft,ping-restart] received, client-instance restarting

My server config file:

mode server

local 10.0.0.4
port 1194
proto udp
dev tun

ca keys/ca.crt
cert keys/vpn.crt
key keys/vpn.key 

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

username-as-common-name
dh keys/dh2048.pem
server 10.10.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 30 1800
tls-auth keys/ta.key 0
cipher AES-256-CBC
auth SHA512
comp-lzo

max-clients 30

user nobody
group nogroup

script-security 3

persist-key
persist-tun

status openvpn-status.log
log-append   /var/log/openvpn.log
verb 4
mute 20
reneg-sec 0

My client config file:

##############################################
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Client mode
client

# Device name, same as server, don’t change it.
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

proto udp

# VPN IP on port 1194
remote xx.xxx.xxx.xxx 1194

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
# resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody

persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# Certificates
ca ca.crt
cert erico.crt
key erico.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# TLS static key
tls-auth ta.key 1


# Same cipher from server
cipher AES-256-CBC

auth SHA512

# Compression mode
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 20

auth-user-pass
auth-nocache

Answer 1

OK, I found the problem.

It is because I use a password + OTP code (Google Authenticator), and it tries to renegotiate the connection using the previous credentials, which obviously does not work because of the OTP code.

Adding `reneg-sec 0` to the config files on both sides, server and client, fixes it. I had only configured it on the server side.
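The mechanism behind the answer is worth checking mechanically, because the trap is easy to miss: OpenVPN's `--reneg-sec` timer runs independently on each side (default 3600 seconds), renegotiation is triggered by whichever timer expires first, and `0` only disables the local timer. So `reneg-sec 0` on the server alone still leaves the client forcing a new handshake every hour, and that handshake replays a one-time code that has long since expired. The server log also carries a tell: once a client is authenticated, OpenVPN prefixes its log lines with the common name (`erico/177.33.165.204:49469`), so "TLS handshake failed" on such a peer is a renegotiation of a live session, whereas a bare `ip:port` peer (`177.33.165.204:51127`) is a fresh connection attempt. The script below is an added example, not code from the question, the answer or the OpenVPN project; it parses a server/client config pair, reports whether any side will still renegotiate when the password is an OTP, and scans log lines for the established-peer failure signature. The config fragments are constructed minimal versions of the posted files, and the log lines are copied from the question. One caveat the answer does not spell out: `reneg-sec 0` on both sides means the data-channel keys are never rotated for the life of the session; OpenVPN 2.4 and later offer `--auth-gen-token` so the server can issue a session token and renegotiation no longer needs the OTP, which lets you keep a renegotiation interval.

```python
"""Added example (not from the question, the answer or OpenVPN itself):
check an OpenVPN server/client config pair for the renegotiation-vs-OTP
trap, and scan a server log for its symptom.  Assumes OpenVPN's
documented behaviour: each side renegotiates when its own --reneg-sec
timer expires (default 3600 s) and 0 disables only that side's timer.
"""
import re

DEFAULT_RENEG_SEC = 3600  # OpenVPN default when --reneg-sec is absent


def parse_ovpn(text):
    """Parse an OpenVPN config into {option: [args]}; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def reneg_sec(opts):
    """Renegotiation interval this side enforces (0 = this side never triggers)."""
    args = opts.get("reneg-sec")
    return int(args[0]) if args else DEFAULT_RENEG_SEC


def effective_reneg(server_opts, client_opts):
    """Interval at which *some* side forces a new TLS handshake: the first
    timer to expire wins, so it is the smallest non-zero value, and only
    0 when both sides are 0."""
    timers = [t for t in (reneg_sec(server_opts), reneg_sec(client_opts)) if t]
    return min(timers) if timers else 0


def check_pair(server_text, client_text, otp_auth):
    """Return findings; otp_auth says the password is a one-time code that
    cannot be replayed when the session renegotiates."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    eff = effective_reneg(s, c)
    if not (otp_auth and eff):
        return []
    sides = [n for n, o in (("server", s), ("client", c)) if reneg_sec(o)]
    return [f"{'/'.join(sides)} still renegotiates every {eff}s and will replay "
            "the stale OTP; set 'reneg-sec 0' on BOTH sides (or use "
            "auth-gen-token on OpenVPN 2.4+ so renegotiation needs no OTP)"]


LOG_RE = re.compile(
    r"^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} us=\d+ (?P<peer>\S+) (?P<msg>.*)$")


def scan_log(text):
    """Count 'TLS handshake failed' per peer and collect ping-restart peers."""
    failures, restarts = {}, []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        peer, msg = m.group("peer"), m.group("msg")
        if msg.startswith("TLS Error: TLS handshake failed"):
            failures[peer] = failures.get(peer, 0) + 1
        if "SIGUSR1[soft,ping-restart]" in msg:
            restarts.append(peer)
    return failures, restarts


def renegotiation_failures(failures):
    """Only 'name/ip:port' peers, i.e. already-authenticated client
    instances: handshake failures there are failed renegotiations, the
    signature of this bug, not failed fresh connections (bare 'ip:port')."""
    return {p: n for p, n in failures.items() if "/" in p}


# Log lines copied from the question (server at verb 4).
SAMPLE_LOG = """\
Sat Oct  4 20:54:28 2014 us=613111 177.33.165.204:51127 TLS: Initial packet from [AF_INET]177.33.165.204:51127, sid=99a6083b f78502f1
Sat Oct  4 20:54:51 2014 us=264972 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct  4 20:55:28 2014 us=517832 177.33.165.204:51127 TLS Error: TLS handshake failed
Sat Oct  4 20:56:07 2014 us=112844 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct  4 21:02:33 2014 us=743389 erico/177.33.165.204:49469 SIGUSR1[soft,ping-restart] received, client-instance restarting
"""

# Constructed minimal configs: server as posted (reneg-sec 0), client as
# posted (no reneg-sec, so the 3600 s default applies), and the fixed client.
SERVER_CONF = "mode server\nserver 10.10.0.0 255.255.255.0\nkeepalive 30 1800\nreneg-sec 0\n"
CLIENT_CONF_BROKEN = "client\nremote xx.xxx.xxx.xxx 1194\nauth-user-pass\nauth-nocache\n"
CLIENT_CONF_FIXED = CLIENT_CONF_BROKEN + "reneg-sec 0\n"

if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF_BROKEN, otp_auth=True))
    print(check_pair(SERVER_CONF, CLIENT_CONF_FIXED, otp_auth=True))
    failures, restarts = scan_log(SAMPLE_LOG)
    print(renegotiation_failures(failures), restarts)
```

Run against the posted configs, the broken pair reports that the client still renegotiates every 3600 s, the fixed pair reports nothing, and the log scan attributes two failed handshakes to the authenticated instance `erico/177.33.165.204:49469` followed by its ping-restart, which is exactly the sequence in the question's log.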
