OpenVPN and pfSense port configuration

I want to configure OpenVPN in pfSense to connect to a private network inside a virtual server. I followed some instructions and read a lot, but I keep running into the same problem. This is what I did:

  • Generate the CA certificate
  • Generate the server certificate
  • Create a user and generate a certificate for that user
  • Configure outbound NAT for the VPN network (10.0.0.0/24), then run the wizard
  • Have the installer create the firewall rules that allow the VPN
  • Install the OpenVPN export package and download the configuration
  • I tried Viscosity, the OpenVPN client and Tunnelblick

Now the problem on the client is the handshake, but I think the problem is the pfSense firewall: even when I try to connect, the rule controlling the VPN port shows 0/0.

If I scan the port with nmap I get this:

1194/tcp filtered      openvpn
1194/udp open|filtered openvpn

Any ideas?

Well, openvpn.log shows me this:

Dec 21 13:50:55 Firewall openvpn[6124]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
Dec 21 13:50:55 Firewall openvpn[6124]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
Dec 21 13:50:55 Firewall openvpn[6222]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Dec 21 13:50:55 Firewall openvpn[6222]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 21 13:50:55 Firewall openvpn[6222]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Dec 21 13:50:55 Firewall openvpn[6222]: TUN/TAP device ovpns1 exists previously, keep at program end
Dec 21 13:50:55 Firewall openvpn[6222]: TUN/TAP device /dev/tun1 opened
Dec 21 13:50:55 Firewall openvpn[6222]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Dec 21 13:50:55 Firewall openvpn[6222]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 21 13:50:55 Firewall openvpn[6222]: /sbin/ifconfig ovpns1 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.0 up
Dec 21 13:50:55 Firewall openvpn[6222]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 10.0.0.1 255.255.255.0 init
Dec 21 13:50:55 Firewall openvpn[6222]: UDPv4 link local (bound): [AF_INET]XX.XXX.XXX.XXX:1194
Dec 21 13:50:55 Firewall openvpn[6222]: UDPv4 link remote: [undef]
Dec 21 13:50:55 Firewall openvpn[6222]: Initialization Sequence Completed

You can see a warning there, but I don't understand what it means. The other log file, filter.log, shows a lot of information, but when I grep for vpn or 1194 I get nothing. What exactly am I looking for? Sorry, this is my first time trying to use a VPN and I don't know what to do.

After trying:

tcpdump -n -e -ttt -i pflog0

and trying the OpenVPN client for 15 minutes, I get nothing:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

But if I do a port scan with nmap, I get this:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
00:00:00.000000 rule 5..16777216/0(match): block in on vmx0: IP8 bad-len 0
00:00:00.002001 rule 5..16777216/0(match): block in on vmx0: IP1 bad-len 0
00:01:09.092480 rule 5..16777216/0(match): block in on vmx0: IP10 bad-len 0
00:00:00.001754 rule 5..16777216/0(match): block in on vmx0: IP12 bad-len 0

8 packets captured
8 packets received by filter
0 packets dropped by kernel

The firewall isn't receiving any packets on port 1194, where the OpenVPN server is listening. Is there any way to test that port, or some way to send packets to port 1194 and see whether it works?

Well, I checked the configuration and I think it's fine; here it is:

dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local XXX.XXX.XXX.XXX #public ip
tls-server
server 10.0.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Server_CRT' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 2
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"
client-to-client
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
topology subnet

If I run sockstat | grep 1194 it shows this:

root     openvpn    84783 6  udp4   XXX.XXX.XXX.XXX:1194    *:*

I think we're getting somewhere. Now in the OpenVPN log, when I try to connect with the client, I see this:

Jan 14 22:30:16 Firewall openvpn[73374]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Jan 14 22:30:16 Firewall openvpn[73374]: MANAGEMENT: CMD 'status 2'
Jan 14 22:30:17 Firewall openvpn[73374]: MULTI: REAP range 176 -> 192
Jan 14 22:30:17 Firewall openvpn[73374]: MANAGEMENT: CMD 'quit'
Jan 14 22:30:17 Firewall openvpn[73374]: MANAGEMENT: Client disconnected

On the client side I see:

Jan 14 22:31:14: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Jan 14 22:32:14: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 14 22:32:14: TLS Error: TLS handshake failed
Jan 14 22:32:14: SIGUSR1[soft,tls-error] received, process restarting
Jan 14 22:32:15: UDPv4 link local (bound): [undef]
Jan 14 22:32:15: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194

Answer 1

The best way to find out whether it's the firewall is to look at its logs.

Edit: I mean you should look at the pf log. pf should log any rejects it makes, which may confirm or rule out your suspicion about the firewall. I haven't used pfSense, but looking at the pf log on FreeBSD would be something like: tcpdump -n -e -ttt -r /var/log/pflog or you can use tcpdump -n -e -ttt -i pflog0
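Putting the two captures together (the WAN interface, which sees packets before pf filters them, and pflog0, which only shows what pf matched) answers the asker's "is there a way to test the port" more precisely than nmap can: the script below is an added example, not code from any post here, and assumes the WAN interface is vmx0 and OpenVPN listens on udp/1194 as in the question. It classifies constructed tcpdump lines to tell upstream filtering, a pf block and an OpenVPN-level problem apart.

```python
"""Added example: classify a WAN capture and a pflog0 capture from a pfSense box
to locate where OpenVPN client packets are lost. Assumes WAN = vmx0, port 1194."""
import re
from collections import Counter

# Lines printed by `tcpdump -n -i vmx0 udp port 1194` (seen before pf filters them)
WAN_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length \d+")
# Lines printed by `tcpdump -n -e -ttt -i pflog0` (pf's own log of rule matches)
PFLOG_RE = re.compile(
    r"rule (?P<rule>[\d.]+)/\d+\(\w+\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+):")

def summarize(wan_lines, pflog_lines, port=1194):
    """Count packets that reached the WAN NIC for `port`, and inbound packets pf blocked."""
    arrived = Counter()   # source IP -> packets addressed to udp/<port>
    blocked = Counter()   # (rule, interface) -> inbound packets pf logged as blocked
    for line in wan_lines:
        m = WAN_RE.search(line)
        if m and int(m["dport"]) == port:
            arrived[m["src"]] += 1
    for line in pflog_lines:
        m = PFLOG_RE.search(line)
        # The pflog lines in the question carry no port ("bad-len"), so those count too;
        # with a full decode only blocks addressed to .<port> are counted.
        if m and m["action"] == "block" and m["dir"] == "in" \
                and (f".{port}:" in line or "bad-len" in line):
            blocked[(m["rule"], m["iface"])] += 1
    return arrived, blocked

def diagnose(wan_lines, pflog_lines, port=1194):
    """Return a verdict on where the client's packets are being lost."""
    arrived, blocked = summarize(wan_lines, pflog_lines, port)
    if not arrived:
        # Nothing for udp/<port> ever hit the NIC: dropped before the firewall
        # (provider/hypervisor filter) or the client targets the wrong address.
        return "UPSTREAM"
    if blocked:
        # Packets arrive but pf logs inbound blocks: the WAN rule for udp/<port> is not matching.
        return "PF_BLOCK"
    # Packets arrive and pf passes them, yet the client still times out: with `tls-auth ... 0`
    # the server silently discards packets whose HMAC fails, so compare the static key next.
    return "REACHES_OPENVPN"

# Constructed sample input (RFC 5737 documentation addresses, not a real capture)
WAN_SAMPLE = [
    "22:31:14.100000 IP 203.0.113.7.51234 > 198.51.100.2.1194: UDP, length 54",
    "22:31:16.100000 IP 203.0.113.7.51234 > 198.51.100.2.1194: UDP, length 54",
]
PFLOG_SAMPLE = ["00:00:00.000000 rule 5..16777216/0(match): block in on vmx0: IP8 bad-len 0"]

if __name__ == "__main__":
    print(diagnose([], PFLOG_SAMPLE))          # UPSTREAM (the asker's situation)
    print(diagnose(WAN_SAMPLE, PFLOG_SAMPLE))  # PF_BLOCK
    print(diagnose(WAN_SAMPLE, []))            # REACHES_OPENVPN
```

Run the two tcpdump commands named in the comments on the pfSense box while a client attempts to connect, then feed the saved lines to diagnose(); an "UPSTREAM" verdict is what a firewall in front of the server looks like.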

Answer 2

Well, after talking to my server provider and checking that everything on their network was working properly, it turned out they had a firewall in front of my server. Thanks everyone for the help!
