OpenVPN 连接重置

tag-icon tag-icon openvpn
OpenVPN 连接重置

OpenVPN 在 Raspbian(Raspberry Pi Debian、Wheezy)上运行。

相对库存,除了安装 OpenVPN 并生成一些密钥外没有做任何事情。

服务器配置:

local 192.168.1.175
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0
cipher BF-CBC
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log        /var/log/openvpn.log
verb 3

客户端配置:

client
dev tun
proto udp
remote [A_GALAXY_FAR_FAR_AWAY] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert foo.crt
key foo.key
remote-cert-tls server
cipher BF-CBC
comp-lzo
verb 3

客户端日志:

Sat Jun 27 22:17:19 2015 OpenVPN 2.3.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  8 2015
Sat Jun 27 22:17:19 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
Sat Jun 27 22:17:19 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Jun 27 22:17:19 2015 Need hold release from management interface, waiting...
Sat Jun 27 22:17:19 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Jun 27 22:17:19 2015 MANAGEMENT: CMD 'state on'
Sat Jun 27 22:17:19 2015 MANAGEMENT: CMD 'log all on'
Sat Jun 27 22:17:19 2015 MANAGEMENT: CMD 'hold off'
Sat Jun 27 22:17:19 2015 MANAGEMENT: CMD 'hold release'
Sat Jun 27 22:17:22 2015 MANAGEMENT: CMD 'proxy NONE  '
Sat Jun 27 22:17:23 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Jun 27 22:17:23 2015 MANAGEMENT: >STATE:1435465043,RESOLVE,,,
Sat Jun 27 22:17:23 2015 UDPv4 link local: [undef]
Sat Jun 27 22:17:23 2015 UDPv4 link remote: [AF_INET]67.177.250.212:1194
Sat Jun 27 22:17:23 2015 MANAGEMENT: >STATE:1435465043,WAIT,,,
Sat Jun 27 22:18:23 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jun 27 22:18:23 2015 TLS Error: TLS handshake failed
Sat Jun 27 22:18:23 2015 SIGUSR1[soft,tls-error] received, process restarting
Sat Jun 27 22:18:23 2015 MANAGEMENT: >STATE:1435465103,RECONNECTING,tls-error,,

我以前从未真正配置过 OpenVPN,我想知道我是否搞砸了什么。

我已将 PI VPN 服务器分配给静态 IP 192.168.1.175

我从本地网络上的本地机器连接到它只是为了测试它。但我尝试从附近的地方(我经常去的地铁)连接它,它仍然无法工作。

服务器 ifconfig:

eth0      Link encap:Ethernet  HWaddr b8:27:eb:c6:38:f8
          inet addr:192.168.1.175  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:134472 errors:0 dropped:458 overruns:0 frame:0
          TX packets:8010 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10519275 (10.0 MiB)  TX bytes:847593 (827.7 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:9 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:612 (612.0 B)  TX bytes:612 (612.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

我没有为 iptables 设置任何规则(我怀疑这可能是问题所在):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

我已经在路由器中将端口 1194 正确转发到 192.168.1.175(VPN 服务器),它是可见的,或者至少在我尝试通过 tcp 使用 tap 时是可见的,现在我正在尝试通过 udp 进行调整,因为这应该更容易/更好或其他什么的。

我真的不知道我该在这里做什么。

提前致谢!

编辑:路由:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         myrouter.local  0.0.0.0         UG    0      0        0 eth0
default         myrouter.local  0.0.0.0         UG    202    0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     202    0        0 eth0

已启用转发:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

答案1

客户端配置中对此进行了注释:

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

我需要 TLS 密钥,显然需要取消注释。

相关内容