我正在跟进类似的用户请求: QNAP TS-419p 作为 VPN 网关?
我有一台 QNAP TS-419 II,固件版本为 4.1.2。我有一个 VPN 服务提供商,他们使用 OpenVPN 连接到他们的 VPN 服务。在给出的文件中,我有 ca.crt、myUser.crt、myUser.key 和一堆用于代理或完全路由 VPN 连接的 opvn 配置文件。
我宁愿遵循以下说明: http://support.purevpn.com/qnap-nas-qts-4-x-openvpn-setup-guide
当我单击连接时,几分钟后失败了。以下是日志中的输出:
Sun Aug 9 00:40:02 2015 OpenVPN 2.2.1-8+deb7u3 arm-none-linux-gnueabi [SSL] [LZO2] [EPOLL] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 4 2015
Sun Aug 9 00:40:02 2015 WARNING: file '/share/MD0_DATA/Download/vpn/pass1.txt' is group or others accessible
Sun Aug 9 00:40:02 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Aug 9 00:40:02 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Aug 9 00:40:02 2015 WARNING: file '/share/MD0_DATA/Download/vpn/vpn.key' is group or others accessible
Sun Aug 9 00:40:02 2015 Control Channel Authentication: using '/share/MD0_DATA/Download/vpn/vpn.key' as a free-form passphrase file
Sun Aug 9 00:40:02 2015 Key file '/share/MD0_DATA/Download/vpn/vpn.key' used in --tls-auth contains insufficient key material [keys found=1 required=2] -- try generating a new key file with 'openvpn --genkey --secret [file]', or use the existing key file in bidirectional mode by specifying --tls-auth without a key direction parameter
对于警告,我理解这是一个文件权限问题,有人可以告诉我它应该是什么吗?
对于注意事项和 OpenVPN 安全建议,是否有人知道从那时起我应该做什么才能使其正常工作?
我的客户端配置文件:
client
dev tun
proto tcp
tls-client
remote <remote IP> 80
persist-key
persist-tun
ca /share/MD0_DATA/Download/vpn/ca.crt
tls-auth /share/MD0_DATA/Download/vpn/key.key
cert /share/MD0_DATA/Download/vpn/cert.crt
cipher AES-256-CBC
comp-lzo
auth-user-pass /share/MD0_DATA/Download/vpn/pass1.txt
auth-retry interact
script-security 3
log-append /share/MD0_DATA/Download/vpn/openvpn.log
verb 3
mute 20
keepalive 10 60
writepid /var/run/openvpn.client.pid
up /etc/openvpn/openvpn_up
down /etc/openvpn/openvpn_down
explicit-exit-notify 2
ifconfig-nowarn
auth-nocache
答案1
根据第一个警告,你应该将以下内容添加ns-cert-type server
到你的客户端配置中 [OpenVPN 手册][1]
根据最后一行,你需要重新生成一个密钥,或者更改您的配置:
openvpn --genkey --secret /share/MD0_DATA/Download/vpn/vpn.key ;
或者--tls-auth
从客户端配置中删除后面的数字。
然后您需要从这两个密钥文件中删除权限Group
:Other
chmod go= /share/MD0_DATA/Download/vpn/pass1.txt ;
chmod go= /share/MD0_DATA/Download/vpn/vpn.key ;
这将处理“群组或其他可访问的人”
[1][https://openvpn.net/index.php/open-source/documentation/howto.html#mitm]