read TCP_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)

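I have a user who cannot connect to my OpenVPN server from abroad. My server is located in Portugal, and my client is trying to connect from Myanmar. From the user's side, the connection always restarts. He is currently using an old backup VPN over PPTP.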

The server works fine for users on Windows 10, Linux and macOS; some of them use the connection 8 hours a day and it works well, with no problems detected after months of use.

I am using a non-standard connection over TCP port 51184 to avoid ISP service blocking and traffic shaping on the default port.

From the user-side log, everything looks fine except this part:

Fri Jul 28 09:35:32 2017 Attempting to establish TCP connection with [AF_INET]x:51194 [nonblock]
Fri Jul 28 09:35:33 2017 TCP connection established with [AF_INET]x:51194
Fri Jul 28 09:35:33 2017 TCP_CLIENT link local (bound): [AF_INET][undef]:0
Fri Jul 28 09:35:33 2017 TCP_CLIENT link remote: [AF_INET]x:51194
Fri Jul 28 09:36:14 2017 read TCP_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Fri Jul 28 09:36:14 2017 Connection reset, restarting [-1]
Fri Jul 28 09:36:14 2017 Unblocking outside dns using service succeeded.
Fri Jul 28 09:36:14 2017 SIGUSR1[soft,connection-reset] received, process restarting

From the server-side log, what generally happens is the following:

Jul 28 04:13:23 openvpn 90566   rui.m/103.x.205.111:63802 SIGUSR1[soft,ping-restart] received, client-instance restarting
Jul 28 04:13:23 openvpn 90566   rui.m/103.x.205.111:63802 [rui.m] Inactivity timeout (--ping-restart), restarting
Jul 28 04:13:18 openvpn 90566   MANAGEMENT: Client disconnected
Jul 28 04:13:18 openvpn 90566   MANAGEMENT: CMD 'quit'
Jul 28 04:13:18 openvpn 90566   MANAGEMENT: CMD 'status 2'
Jul 28 04:13:18 openvpn 90566   MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Jul 28 04:12:16 openvpn 90566   MANAGEMENT: Client disconnected
Jul 28 04:12:16 openvpn 90566   MANAGEMENT: CMD 'quit'
Jul 28 04:12:16 openvpn 90566   MANAGEMENT: CMD 'status 2'
Jul 28 04:12:16 openvpn 90566   MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Jul 28 04:11:58 openvpn 90566   rui.m/103.x.205.111:63835 SENT CONTROL [rui.m]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,dhcp-option DOMAIN x.local,dhcp-option DNS 10.0.0.2,block-outside-dns,register-dns,redirect-gateway def1,route-gateway 10.0.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.8.2 255.255.255.0' (status=1)

Server-side configuration:

dev ovpns1
verb 3
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local x
engine cryptodev
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user TG9YWwRGF0YWJhcU= false server1 51194" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'xVPNca' 1"
lport 51194
management /var/etc/openvpn/server1.sock unix
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DOMAIN x.local"
push "dhcp-option DNS 10.0.0.2"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
client-to-client
duplicate-cn
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
topology subnet

User configuration file:

dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote x.dyndns.biz 51194 tcp-client
lport 0
verify-x509-name "xVPNca" name
auth-user-pass
pkcs12 pfSense-TCP-51194-x.p12
tls-auth pfSense-TCP-51194-x-tls.key 1
remote-cert-tls server
comp-lzo adaptive
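
An added example, not part of the original post: a small Python parser over log lines copied from the post that measures how long each client attempt lasted before the restart and groups server events by client endpoint (CN/ip:port), so that a ping-restart is attributed to the session it belongs to. The function names, and the year 2017 for the server's syslog timestamps (taken from the client log), are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the logs in the post; the server log is newest-first, as posted.
CLIENT_LOG = """\
Fri Jul 28 09:35:33 2017 TCP connection established with [AF_INET]x:51194
Fri Jul 28 09:36:14 2017 read TCP_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Fri Jul 28 09:36:14 2017 SIGUSR1[soft,connection-reset] received, process restarting
"""
SERVER_LOG = """\
Jul 28 04:13:23 openvpn 90566   rui.m/103.x.205.111:63802 [rui.m] Inactivity timeout (--ping-restart), restarting
Jul 28 04:13:18 openvpn 90566   MANAGEMENT: CMD 'status 2'
Jul 28 04:11:58 openvpn 90566   rui.m/103.x.205.111:63835 SENT CONTROL [rui.m]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,dhcp-option DOMAIN x.local,dhcp-option DNS 10.0.0.2,block-outside-dns,register-dns,redirect-gateway def1,route-gateway 10.0.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.8.2 255.255.255.0' (status=1)
"""
SERVER_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) openvpn \d+\s+(\S+/\S+:\d+) (.*)$")

def client_attempts(log):
    """Return (seconds from TCP connect to restart, restart reason) per attempt."""
    attempts, start = [], None
    for line in log.splitlines():
        ts, msg = datetime.strptime(line[:24], "%a %b %d %H:%M:%S %Y"), line[25:]
        if msg.startswith("TCP connection established"):
            start = ts
        m = re.match(r"SIGUSR1\[soft,([\w-]+)\]", msg)
        if m and start:
            attempts.append(((ts - start).total_seconds(), m.group(1)))
            start = None
    return attempts

def server_sessions(log, year=2017):  # assumption: syslog omits the year
    """Group server events by client endpoint (CN/ip:port)."""
    sessions = defaultdict(dict)
    for line in reversed(log.splitlines()):  # process oldest first
        m = SERVER_RE.match(line)
        if not m:
            continue  # MANAGEMENT lines carry no client endpoint
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        peer, msg = m.group(2), m.group(3)
        ka = re.search(r"ping (\d+),ping-restart (\d+)", msg)
        if ka:  # keepalive values the server pushed to this session
            sessions[peer].update(pushed=ts, keepalive=(int(ka[1]), int(ka[2])))
        if "Inactivity timeout (--ping-restart)" in msg:
            sessions[peer]["ping_restart"] = ts
    return dict(sessions)

if __name__ == "__main__":
    print(client_attempts(CLIENT_LOG))
    for peer, events in server_sessions(SERVER_LOG).items():
        print(peer, events)
```

On the posted lines the ping-restart is logged for source port 63802, while the PUSH_REPLY went to source port 63835, so the two events belong to different TCP sessions of the same user.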
