I have two sites that I need to connect via an OpenVPN tunnel. I already have the setup running with TCP as the transport protocol, but since that hurts performance I want to switch it to UDP. With UDP, however, the setup fails.
Site A has a dual-stack DSL uplink, for both v4 and v6. Directly connected to it is a Fritzbox, behind which I have a machine running Ubuntu as a firewall. That machine also runs an OpenVPN server, configured as follows:
port 1194
proto udp
dev tun2
ca /etc/openvpn/server-fw/ca.crt
cert /etc/openvpn/server-fw/server.crt
key /etc/openvpn/server-fw/server.key
dh /etc/openvpn/server-fw/dh2048.pem
server 192.168.42.0 255.255.255.0
ifconfig-pool-persist server-fw-udp-ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status-fw-udp.log
verb 4
cipher AES-256-CBC
auth SHA384
tun-mtu 1500
fragment 1300
mssfix
client-config-dir server-fw-ccd
In addition, the Fritzbox has a port forward for UDP port 1194, and the firewall on the Ubuntu machine has a rule allowing that traffic.
At site B there is a TV cable connection with a Unitymedia ConnectBox (the router supplied by my cable provider), behind which there is a Ubiquiti EdgeRouter X with the following VPN configuration.
mode client
openvpn-option "--cipher AES-256-CBC"
openvpn-option "--comp-lzo yes"
openvpn-option "--remote-cert-tls server"
openvpn-option --nobind
openvpn-option --auth-nocache
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
openvpn-option --persist-key
openvpn-option --persist-tun
openvpn-option "--auth SHA384"
openvpn-option "--tun-mtu 1500"
openvpn-option "--fragment 1300"
openvpn-option --mssfix
protocol udp
remote-host siteA.example.com
remote-port 1194
tls {
ca-cert-file /config/auth/ca.crt
cert-file /config/auth/siteB.crt
key-file /config/auth/siteB.key
}
As far as I can see, this should work as expected, but it does not. On the server I get:
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Re-using SSL/TLS context
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 LZO compression initialized
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Data Channel MTU parms [ L:1590 D:1300 EF:90 EB:135 ET:0 EL:0 AF:3/1 ]
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Fragmentation MTU parms [ L:1590 D:1300 EF:89 EB:135 ET:1 EL:0 AF:3/1 ]
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Local Options String: 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA384,keysize 256,key-method 2,tls-server'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA384,keysize 256,key-method 2,tls-client'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Local Options hash (VER=V4): '1ef2d687'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Expected Remote Options hash (VER=V4): '98978d60'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS: Initial packet from [AF_INET]46.223.1.89:65349, sid=b15d42d0 78edefc1
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS Error: TLS handshake failed
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 29 19:36:42 firewall ovpn-server-fw-udp[18467]: MULTI: multi_create_instance called
On the EdgeRouter I get:
Sep 29 19:35:35 edgerouter openvpn[15093]: Socket Buffers: R=[180224->131072] S=[180224->131072]
Sep 29 19:35:35 edgerouter openvpn[15093]: UDPv4 link local: [undef]
Sep 29 19:35:35 edgerouter openvpn[15093]: UDPv4 link remote: [AF_INET]217.11.153.95:1194
Sep 29 19:36:36 edgerouter openvpn[15093]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 29 19:36:36 edgerouter openvpn[15093]: TLS Error: TLS handshake failed
Sep 29 19:36:36 edgerouter openvpn[15093]: SIGUSR1[soft,tls-error] received, process restarting
Sep 29 19:36:36 edgerouter openvpn[15093]: Restart pause, 2 second(s)
If I change the protocol in both configurations to TCP, the tunnel works as expected. What could be wrong here? Do you have any suggestions on how to debug or fix this?
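An added example, not part of the question above and not OpenVPN's own tooling: a small Python triage script that takes the transport-relevant lines of the two configurations and the two log excerpts quoted above (embedded here as constructed sample input), checks that the options both peers must agree on (proto, cipher, auth, comp-lzo, tun-mtu, fragment, mssfix) are symmetric, and then classifies the "TLS key negotiation failed" timeout by which side saw what: the server logging "TLS: Initial packet from" and still timing out means the client's first packet arrived but the server's replies never made it back, whereas no such line on the server means the forward path is blocked. The function names, the `SYMMETRIC` list and the verdict strings are this example's own; the rule that comp-lzo is compared by presence only follows from the options string in the server log, which records it as a bare `comp-lzo` token.

```python
import re
import shlex

# Constructed sample input: the transport-relevant lines of the two configurations
# and the log excerpts quoted in the question above.
SERVER_CONF = """\
port 1194
proto udp
dev tun2
comp-lzo
cipher AES-256-CBC
auth SHA384
tun-mtu 1500
fragment 1300
mssfix
"""

EDGEROUTER_CONF = """\
openvpn-option "--cipher AES-256-CBC"
openvpn-option "--comp-lzo yes"
openvpn-option "--remote-cert-tls server"
openvpn-option --nobind
openvpn-option "--auth SHA384"
openvpn-option "--tun-mtu 1500"
openvpn-option "--fragment 1300"
openvpn-option --mssfix
protocol udp
remote-port 1194
"""

SERVER_LOG = """\
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS: Initial packet from [AF_INET]46.223.1.89:65349, sid=b15d42d0 78edefc1
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

CLIENT_LOG = """\
Sep 29 19:35:35 edgerouter openvpn[15093]: UDPv4 link remote: [AF_INET]217.11.153.95:1194
Sep 29 19:36:36 edgerouter openvpn[15093]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# Options both peers must agree on (they appear in the options string the server logs).
# Client-only flags such as --nobind or --remote-cert-tls are deliberately not compared.
SYMMETRIC = ("proto", "cipher", "auth", "comp-lzo", "tun-mtu", "fragment", "mssfix")
# The options string records compression as a bare 'comp-lzo' token without its mode,
# so 'comp-lzo' on the server and 'comp-lzo yes' on the client count as the same setting.
PRESENCE_ONLY = {"comp-lzo"}
TIMEOUT = "TLS key negotiation failed to occur"
INITIAL_RE = re.compile(r"TLS: Initial packet from \[AF_INET6?\]([^,\s]+)")


def parse_server_conf(text):
    """OpenVPN server config: one 'option [args...]' per line, '#' comments allowed."""
    opts = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            opts[parts[0]] = " ".join(parts[1:])
    return opts


def parse_edgerouter_conf(text):
    """EdgeOS VPN stanza: pass-through 'openvpn-option "--x y"' plus a few native keys."""
    native = {"protocol": "proto", "remote-port": "port"}
    opts = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "openvpn-option":
            words = " ".join(parts[1:]).split()      # '--cipher AES-256-CBC' -> cipher
            opts[words[0].lstrip("-")] = " ".join(words[1:])
        elif parts[0] in native:
            opts[native[parts[0]]] = " ".join(parts[1:])
    return opts


def config_mismatches(server, client):
    """Return {option: (server_value, client_value)} for symmetric options that differ."""
    out = {}
    for key in SYMMETRIC:
        s, c = server.get(key), client.get(key)
        if key in PRESENCE_ONLY:
            s, c = (s is not None), (c is not None)
        if s != c:
            out[key] = (s, c)
    return out


def path_verdict(server_log, client_log):
    """Classify a UDP handshake timeout by which side saw what (heuristic, this example's own)."""
    first = INITIAL_RE.search(server_log)
    if TIMEOUT not in client_log:
        return "no-handshake-timeout", None
    if first is None:
        # Client gave up and the server never logged its first packet: forward path blocked
        # (port forward, server firewall, or the client's own egress).
        return "client-to-server-blocked", None
    if TIMEOUT in server_log:
        # Server saw the client's first packet and still timed out: its replies are not
        # reaching the client's source address/port, so check the return path on both ends.
        return "server-to-client-blocked", first.group(1)
    return "server-handshake-in-progress", first.group(1)


def diagnose(server_conf, client_conf, server_log, client_log):
    verdict, peer = path_verdict(server_log, client_log)
    return {
        "config_mismatches": config_mismatches(parse_server_conf(server_conf),
                                               parse_edgerouter_conf(client_conf)),
        "verdict": verdict,
        "peer": peer,
    }


if __name__ == "__main__":
    print(diagnose(SERVER_CONF, EDGEROUTER_CONF, SERVER_LOG, CLIENT_LOG))
```

On the quoted excerpts the configs come out symmetric and the verdict is "server-to-client-blocked" for peer 46.223.1.89:65349, which is the case to confirm with a packet capture on the UDP port at both ends before touching any of the MTU or fragment settings.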