After successfully connecting to the VPN, I think the TLS handshake done for the ping (keepalive parameter) always fails, so after a while I always get disconnected. My connection is completely fine; I am connected over SSH to a machine with no lag when the connection drops.
The server runs on AWS and acts as the NAT server for my private subnet.
Sat Oct 4 20:54:28 2014 us=612885 MULTI: multi_create_instance called
Sat Oct 4 20:54:28 2014 us=612922 177.33.165.204:51127 Re-using SSL/TLS context
Sat Oct 4 20:54:28 2014 us=612945 177.33.165.204:51127 LZO compression initialized
Sat Oct 4 20:54:28 2014 us=613030 177.33.165.204:51127 Control Channel MTU parms [ L:1602 D:210 EF:110 EB:0 ET:0 EL:0 ]
Sat Oct 4 20:54:28 2014 us=613040 177.33.165.204:51127 Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct 4 20:54:28 2014 us=613062 177.33.165.204:51127 Local Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Sat Oct 4 20:54:28 2014 us=613068 177.33.165.204:51127 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Sat Oct 4 20:54:28 2014 us=613080 177.33.165.204:51127 Local Options hash (VER=V4): '14d315e7'
Sat Oct 4 20:54:28 2014 us=613090 177.33.165.204:51127 Expected Remote Options hash (VER=V4): 'a5d50645'
Sat Oct 4 20:54:28 2014 us=613111 177.33.165.204:51127 TLS: Initial packet from [AF_INET]177.33.165.204:51127, sid=99a6083b f78502f1
Sat Oct 4 20:54:51 2014 us=264934 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 20:54:51 2014 us=264972 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct 4 20:55:28 2014 us=517801 177.33.165.204:51127 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 20:55:28 2014 us=517832 177.33.165.204:51127 TLS Error: TLS handshake failed
Sat Oct 4 20:55:28 2014 us=517895 177.33.165.204:51127 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat Oct 4 20:56:07 2014 us=112801 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 20:56:07 2014 us=112844 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct 4 20:57:22 2014 us=413564 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 20:57:22 2014 us=413604 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct 4 20:58:37 2014 us=812742 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 20:58:37 2014 us=812770 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct 4 20:59:52 2014 us=617363 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 20:59:52 2014 us=617420 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct 4 21:01:07 2014 us=372955 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 21:01:07 2014 us=372985 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct 4 21:02:23 2014 us=7862 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 21:02:23 2014 us=7909 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct 4 21:02:33 2014 us=743366 erico/177.33.165.204:49469 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Oct 4 21:02:33 2014 us=743389 erico/177.33.165.204:49469 SIGUSR1[soft,ping-restart] received, client-instance restarting
My server configuration file:
mode server
local 10.0.0.4
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/vpn.crt
key keys/vpn.key
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
username-as-common-name
dh keys/dh2048.pem
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 30 1800
tls-auth keys/ta.key 0
cipher AES-256-CBC
auth SHA512
comp-lzo
max-clients 30
user nobody
group nogroup
script-security 3
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mute 20
reneg-sec 0
My client configuration file:
##############################################
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Client mode
client
# Device name, same as server, don’t change it.
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
proto udp
# VPN IP on port 1194
remote xx.xxx.xxx.xxx 1194
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
# resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings
# Certificates
ca ca.crt
cert erico.crt
key erico.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# TLS static key
tls-auth ta.key 1
# Same cipher from server
cipher AES-256-CBC
auth SHA512
# Compression mode
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
mute 20
auth-user-pass
auth-nocache
Answer 1
OK, I found the problem.
It is because I use a password + OTP code (Google Authenticator), and it tries to renegotiate the connection using the previous credentials, which obviously does not work because of the OTP code.
reneg-sec 0
Adding it to the configuration files on both sides does the trick. Server and client. I had only configured it on the server side.
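The pattern in the log above (an authenticated `user/ip:port` instance failing "TLS key negotiation" every ~75 seconds until `--ping-restart` fires, while a brand-new `ip:port` instance fails its initial handshake) can be picked out mechanically, and the second half of the answer (reneg-sec must be 0 on *both* ends, because either side's timer can trigger renegotiation) can be checked against the two config files. The following Python is an added example written for this page; it is not code from the original post or from OpenVPN. The log lines and config fragments it embeds are constructed from the ones posted above, trimmed down, and the `diagnose()` labels are the editor's interpretation, not OpenVPN output.

```python
"""Detect OpenVPN TLS renegotiation failures in a verb-4 server log and
check that reneg-sec is disabled on BOTH ends (server and client).

Added example for this Q&A page; not code from the original post or from
the OpenVPN project. Sample log/config data below is constructed from the
lines the asker posted, not a live capture."""
import re
from collections import defaultdict
from datetime import datetime

# verb-4 server log line: "<timestamp> us=<n> [user/]ip:port <message>".
# Lines without a client prefix (e.g. "MULTI: multi_create_instance") skip.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=\d+ "
    r"(?:(?P<user>[^/ ]+)/)?(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$"
)
RESTART_RE = re.compile(r"SIGUSR1\[soft,([^\]]+)\]")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: a subset of the log lines posted in the question.
SAMPLE_LOG = """\
Sat Oct 4 20:54:28 2014 us=612885 MULTI: multi_create_instance called
Sat Oct 4 20:54:28 2014 us=612922 177.33.165.204:51127 Re-using SSL/TLS context
Sat Oct 4 20:54:51 2014 us=264934 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 20:54:51 2014 us=264972 erico/177.33.165.204:49469 TLS Error: TLS handshake failed
Sat Oct 4 20:55:28 2014 us=517801 177.33.165.204:51127 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 20:55:28 2014 us=517895 177.33.165.204:51127 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat Oct 4 20:56:07 2014 us=112801 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 20:57:22 2014 us=413564 erico/177.33.165.204:49469 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 4 21:02:33 2014 us=743366 erico/177.33.165.204:49469 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Oct 4 21:02:33 2014 us=743389 erico/177.33.165.204:49469 SIGUSR1[soft,ping-restart] received, client-instance restarting
"""

# Constructed config fragments: reneg-sec 0 on the server only, as the
# asker first had it (the client line is commented out with ';').
SERVER_CFG = "mode server\nport 1194\nproto udp\nkeepalive 30 1800\nreneg-sec 0\n"
CLIENT_CFG = "client\nproto udp\nremote xx.xxx.xxx.xxx 1194\nauth-user-pass\nauth-nocache\n;reneg-sec 0\n"


def diagnose(rec):
    """Editor's interpretation of one client instance's failure pattern."""
    if rec["neg_failures"] == 0:
        return "ok"
    if rec["authenticated"]:
        # A user/ prefix means the session was already up: this is a
        # RE-negotiation failing, e.g. because a one-time password is stale.
        return "renegotiation failed on an established session"
    return "initial handshake failed (connectivity, tls-auth key/direction)"


def analyze(log_text):
    """Group log lines per client instance and count TLS negotiation failures."""
    inst = defaultdict(lambda: {"authenticated": False, "neg_failures": 0,
                                "restart": None, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m["user"] + "/" if m["user"] else "") + m["peer"]
        rec = inst[key]
        ts = datetime.strptime(" ".join(m["ts"].split()), TS_FMT)
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        rec["authenticated"] = m["user"] is not None
        if "TLS key negotiation failed" in m["msg"]:
            rec["neg_failures"] += 1
        r = RESTART_RE.search(m["msg"])
        if r:
            rec["restart"] = r.group(1)  # e.g. "tls-error", "ping-restart"
    for rec in inst.values():
        rec["span_seconds"] = int((rec["last"] - rec["first"]).total_seconds())
        rec["diagnosis"] = diagnose(rec)
    return dict(inst)


def parse_openvpn_config(text):
    """Return {option: [args]} for active lines; '#' and ';' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def reneg_sec(opts):
    """Effective reneg-sec; OpenVPN's default is 3600 seconds when unset."""
    return int(opts["reneg-sec"][0]) if "reneg-sec" in opts else 3600


def check_reneg(server_cfg, client_cfg):
    """Sides whose timer will still trigger key renegotiation. Either side's
    timer can fire, so only the empty list means renegotiation is off."""
    return [name for name, text in (("server", server_cfg), ("client", client_cfg))
            if reneg_sec(parse_openvpn_config(text)) != 0]


if __name__ == "__main__":
    for key, rec in analyze(SAMPLE_LOG).items():
        print(f"{key}: {rec['neg_failures']} failures over {rec['span_seconds']}s, "
              f"restart={rec['restart']}, {rec['diagnosis']}")
    print("still renegotiating on:", check_reneg(SERVER_CFG, CLIENT_CFG))
```

Run against the constructed sample it reports the `erico/...` instance as a renegotiation failure on an established session ending in `ping-restart`, the bare `...:51127` instance as an initial-handshake failure ending in `tls-error`, and `check_reneg` returns `['client']`, which is exactly the half the answer says was missing. One caveat worth keeping in mind: with `reneg-sec 0` on both ends the data-channel key is never rotated on a timer for the life of the connection (only `reneg-bytes`/`reneg-pkts`, if set, would still trigger it). OpenVPN 2.4 and later adds `auth-gen-token`, which has the server push a temporary token that the client presents instead of the password on renegotiation, so periodic rekeying can stay enabled even with one-time passwords.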