VPNGate connection - OpenVPN certificate error

I have been trying to solve this problem for the past few days, but I can't find any concrete method. It doesn't look complicated, but I also don't know how to approach it from my side.

VPNGate offers free VPN access to the internet connections of other kind people. I only use OpenVPN to connect to these servers, not the software they advertise.

This is the log when everything goes well and I am able to connect without any problem:

Tue May 09 16:33:20 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Tue May 09 16:33:20 2017 Windows version 6.1 (Windows 7) 64bit
Tue May 09 16:33:20 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Tue May 09 16:33:20 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Tue May 09 16:33:20 2017 Need hold release from management interface, waiting...
Tue May 09 16:33:21 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Tue May 09 16:33:21 2017 MANAGEMENT: CMD 'state on'
Tue May 09 16:33:21 2017 MANAGEMENT: CMD 'log all on'
Tue May 09 16:33:21 2017 MANAGEMENT: CMD 'echo all on'
Tue May 09 16:33:21 2017 MANAGEMENT: CMD 'hold off'
Tue May 09 16:33:21 2017 MANAGEMENT: CMD 'hold release'
Tue May 09 16:33:21 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue May 09 16:33:21 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]***:1426
Tue May 09 16:33:21 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue May 09 16:33:21 2017 UDP link local: (not bound)
Tue May 09 16:33:21 2017 UDP link remote: [AF_INET]***:1426
Tue May 09 16:33:21 2017 MANAGEMENT: >STATE:1494344001,WAIT,,,,,,
Tue May 09 16:33:21 2017 MANAGEMENT: >STATE:1494344001,AUTH,,,,,,
Tue May 09 16:33:21 2017 TLS: Initial packet from [AF_INET]***:1426, sid=fcf3759f 64e4b082
Tue May 09 16:33:21 2017 VERIFY OK: depth=2, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Tue May 09 16:33:21 2017 VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Tue May 09 16:33:21 2017 VERIFY OK: depth=0, OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.opengw.net
Tue May 09 16:33:21 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue May 09 16:33:21 2017 [*.opengw.net] Peer Connection Initiated with [AF_INET]***:1426
Tue May 09 16:33:23 2017 MANAGEMENT: >STATE:1494344003,GET_CONFIG,,,,,,
Tue May 09 16:33:23 2017 SENT CONTROL [*.opengw.net]: 'PUSH_REQUEST' (status=1)
Tue May 09 16:33:23 2017 Key [AF_INET]***:1426 [0] not initialized (yet), dropping packet.
Tue May 09 16:33:23 2017 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.5 10.211.1.6,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.6,redirect-gateway def1'
Tue May 09 16:33:23 2017 OPTIONS IMPORT: timers and/or timeouts modified
Tue May 09 16:33:23 2017 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 09 16:33:23 2017 OPTIONS IMPORT: route options modified
Tue May 09 16:33:23 2017 OPTIONS IMPORT: route-related options modified
Tue May 09 16:33:23 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue May 09 16:33:23 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue May 09 16:33:23 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 09 16:33:23 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue May 09 16:33:23 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 09 16:33:23 2017 interactive service msg_channel=312
Tue May 09 16:33:23 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=11 HWADDR=***
Tue May 09 16:33:23 2017 open_tun

Some servers have a certificate error; the log is as follows:

Tue May 09 16:54:53 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Tue May 09 16:54:53 2017 Windows version 6.1 (Windows 7) 64bit
Tue May 09 16:54:53 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Tue May 09 16:54:53 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Tue May 09 16:54:53 2017 Need hold release from management interface, waiting...
Tue May 09 16:54:53 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Tue May 09 16:54:53 2017 MANAGEMENT: CMD 'state on'
Tue May 09 16:54:53 2017 MANAGEMENT: CMD 'log all on'
Tue May 09 16:54:53 2017 MANAGEMENT: CMD 'echo all on'
Tue May 09 16:54:53 2017 MANAGEMENT: CMD 'hold off'
Tue May 09 16:54:53 2017 MANAGEMENT: CMD 'hold release'
Tue May 09 16:54:53 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue May 09 16:54:53 2017 MANAGEMENT: >STATE:1494345293,RESOLVE,,,,,,
Tue May 09 16:54:54 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]***:1777
Tue May 09 16:54:54 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue May 09 16:54:54 2017 UDP link local: (not bound)
Tue May 09 16:54:54 2017 UDP link remote: [AF_INET]***:1777
Tue May 09 16:54:54 2017 MANAGEMENT: >STATE:1494345294,WAIT,,,,,,
Tue May 09 16:54:54 2017 MANAGEMENT: >STATE:1494345294,AUTH,,,,,,
Tue May 09 16:54:54 2017 TLS: Initial packet from [AF_INET]***:1777, sid=2bd721a1 2b3738b9
Tue May 09 16:54:54 2017 VERIFY ERROR: depth=0, error=self signed certificate: CN=Kanes-pc, O=Kanes-pc, OU=Kanes-pc, C=US
Tue May 09 16:54:54 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue May 09 16:54:54 2017 TLS_ERROR: BIO read tls_read_plaintext error
Tue May 09 16:54:54 2017 TLS Error: TLS object -> incoming plaintext read error
Tue May 09 16:54:54 2017 TLS Error: TLS handshake failed
Tue May 09 16:54:54 2017 SIGUSR1[soft,tls-error] received, process restarting
Tue May 09 16:54:54 2017 MANAGEMENT: >STATE:1494345294,RECONNECTING,tls-error,,,,,
Tue May 09 16:54:54 2017 Restart pause, 5 second(s)

Both servers are located in the UK, so the certificate in log #1 seems accurate. Log #2 makes no sense to me.

This leads to two questions:

  1. Is there a setting in OpenVPN that would help me defend against MITM attacks when connecting to these servers? (I did read the information at the provided link, but I don't understand which setting is best to use and where to put it.)
  2. Regarding the certificate error, is there any setting I can use in OpenVPN to skip these errors and connect to the server?

Thanks.

Answer 1

Why use a public certificate on the server and a self-signed certificate on the client? Almost every OpenVPN guide describes how to set up an internal CA.

Connecting clients, at least by default, require signing by the CA specified with the --ca or --capath option on the server.
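To make the two points above concrete (the "which setting and where" part of question 1, and the answer's remark about --ca/--capath), here is an added example of an OpenVPN 2.4 client profile. It is not code from the question, the answer, or VPNGate. The remote host, port and file names are placeholders; the CN values "*.opengw.net" and "Kanes-pc" are the ones visible in the two logs above. The weak and hardened settings are shown side by side in one file so the difference is obvious.

```conf
# Added example profile (not from the question, the answer or VPNGate).
# Placeholders: vpn.example.invalid, the port, and the .pem file names.

client
dev tun
proto udp
# placeholder host and port; the real ones come from the VPNGate listing
remote vpn.example.invalid 1426
nobind
persist-key
persist-tun

# ---------------------------------------------------------------------
# WEAK: the state both logs were produced in.
# A CA bundle is configured, so the chain is checked (that is why log #2
# fails on a self-signed server certificate), but nothing ties the peer
# to a name or to the "server" role. OpenVPN flags exactly this with
# "WARNING: No server certificate verification method has been enabled."
# Any certificate issued by the same public CA, e.g. someone else's
# web-server certificate, would be accepted as the VPN server.
# ---------------------------------------------------------------------
# ca public-ca-bundle.pem

# ---------------------------------------------------------------------
# HARDENED: same CA, plus two checks on the leaf certificate.
# Either line alone removes the WARNING; both together are what the
# MITM section of the OpenVPN HOWTO is asking for.
# ---------------------------------------------------------------------
# placeholder: bundle containing the Comodo root and intermediate from log #1
ca public-ca-bundle.pem
# the peer certificate must carry the TLS Web Server Authentication EKU,
# so a client certificate from the same CA cannot pose as the server
remote-cert-tls server
# literal string comparison against the CN seen at depth=0 in log #1;
# OpenVPN does not do wildcard matching here, so the asterisk is literal
verify-x509-name "*.opengw.net" name

# ---------------------------------------------------------------------
# For a server like the one in log #2 (self-signed, CN=Kanes-pc) the
# public CA bundle can never validate it, so the above profile is correct
# to refuse it. There is no "ignore verify errors" switch in OpenVPN 2.4.
# If that server is trusted anyway, the supportable route is a separate
# profile whose trust anchor is that server's own certificate, obtained
# through a channel you trust (not from the failing connection itself):
# ---------------------------------------------------------------------
# ca kanes-pc-server-cert.pem
# remote-cert-tls server
# verify-x509-name "Kanes-pc" name
```

With the hardened lines in place, log #1's server still connects (its chain and CN match) and the WARNING line disappears. A server presenting any other name, or a certificate without the server EKU, is rejected before the data channel is set up, which is the check that was missing when both logs were captured.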