OpenVPN works over TCP but not over UDP


I have two sites that need to be connected through an OpenVPN tunnel. I have the setup running with TCP as the transport protocol, but since that hurts performance, I want to change it to UDP. However, the setup fails.

Site A has a dual-stack DSL uplink, for both v4 and v6. Directly connected to it is a Fritzbox, behind which I have a machine running Ubuntu as a firewall. It also runs an OpenVPN server with the following configuration:

port 1194
proto udp

dev tun2

ca /etc/openvpn/server-fw/ca.crt
cert /etc/openvpn/server-fw/server.crt
key /etc/openvpn/server-fw/server.key

dh /etc/openvpn/server-fw/dh2048.pem

server 192.168.42.0 255.255.255.0

ifconfig-pool-persist server-fw-udp-ipp.txt

client-to-client

keepalive 10 120

comp-lzo

user openvpn
group openvpn

persist-key
persist-tun

status openvpn-status-fw-udp.log

verb 4

cipher AES-256-CBC
auth SHA384

tun-mtu 1500
fragment 1300
mssfix

client-config-dir server-fw-ccd

In addition, the Fritzbox has a port forward for UDP port 1194, and the firewall on the Ubuntu machine has a rule allowing that traffic.

At site B there is a cable TV connection with a Unitymedia ConnectBox (the router supplied by my cable provider), behind which there is a Ubiquiti EdgeRouter X with the following VPN configuration.

mode client
 openvpn-option "--cipher AES-256-CBC"
 openvpn-option "--comp-lzo yes"
 openvpn-option "--remote-cert-tls server"
 openvpn-option --nobind
 openvpn-option --auth-nocache
 openvpn-option "--user nobody"
 openvpn-option "--group nogroup"
 openvpn-option --persist-key
 openvpn-option --persist-tun
 openvpn-option "--auth SHA384"
 openvpn-option "--tun-mtu 1500"
 openvpn-option "--fragment 1300"
 openvpn-option --mssfix
 protocol udp
 remote-host siteA.example.com
 remote-port 1194
 tls {
     ca-cert-file /config/auth/ca.crt
     cert-file /config/auth/siteB.crt
     key-file /config/auth/siteB.key
 }

In my view this should work as expected, but it does not. On the server I get:

Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Re-using SSL/TLS context
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 LZO compression initialized
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Data Channel MTU parms [ L:1590 D:1300 EF:90 EB:135 ET:0 EL:0 AF:3/1 ]
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Fragmentation MTU parms [ L:1590 D:1300 EF:89 EB:135 ET:1 EL:0 AF:3/1 ]
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Local Options String: 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA384,keysize 256,key-method 2,tls-server'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA384,keysize 256,key-method 2,tls-client'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Local Options hash (VER=V4): '1ef2d687'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Expected Remote Options hash (VER=V4): '98978d60'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS: Initial packet from [AF_INET]46.223.1.89:65349, sid=b15d42d0 78edefc1
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS Error: TLS handshake failed
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 29 19:36:42 firewall ovpn-server-fw-udp[18467]: MULTI: multi_create_instance called

On the EdgeRouter I get:

Sep 29 19:35:35 edgerouter openvpn[15093]: Socket Buffers: R=[180224->131072] S=[180224->131072]
Sep 29 19:35:35 edgerouter openvpn[15093]: UDPv4 link local: [undef]
Sep 29 19:35:35 edgerouter openvpn[15093]: UDPv4 link remote: [AF_INET]217.11.153.95:1194
Sep 29 19:36:36 edgerouter openvpn[15093]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 29 19:36:36 edgerouter openvpn[15093]: TLS Error: TLS handshake failed
Sep 29 19:36:36 edgerouter openvpn[15093]: SIGUSR1[soft,tls-error] received, process restarting
Sep 29 19:36:36 edgerouter openvpn[15093]: Restart pause, 2 second(s)

If I change the protocol in both configurations to TCP, the tunnel works as expected. What might be wrong here? Do you have any suggestions on how to debug or solve this?
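As an added diagnostic helper (not part of the question or any answer): a Python script that reads the server-side OpenVPN log quoted above, verifies that the Local and Expected Remote option strings agree apart from the tls-server/tls-client role (so fragment/tun-mtu/link-mtu mismatches are ruled out), and classifies how far the UDP handshake got. The embedded log excerpt is constructed from the lines quoted above; the stage names and the hints are this helper's own interpretation.

```python
import re

# Constructed sample: abridged from the server log quoted in the question.
SAMPLE_LOG = """\
46.223.1.89:65349 Local Options String: 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA384,keysize 256,key-method 2,tls-server'
46.223.1.89:65349 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA384,keysize 256,key-method 2,tls-client'
46.223.1.89:65349 TLS: Initial packet from [AF_INET]46.223.1.89:65349, sid=b15d42d0 78edefc1
46.223.1.89:65349 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

OPTS_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")
ROLE_TOKENS = {"tls-server", "tls-client"}  # the one pair that legitimately differs

# Hints per stage (helper's own interpretation, not from the page).
HINTS = {
    "completed": "Handshake finished; problem is elsewhere (routing, CCD, firewall on tun).",
    "in-progress": "Handshake still running; look at later log lines.",
    "inbound-only": "Client's first UDP packet reached the server but the exchange never "
                    "completed: check the return path (UDP 1194 forwarding and stateful "
                    "firewall rules for replies) and that fragment/tun-mtu match both sides.",
    "no-inbound": "Nothing from the client arrived: inbound UDP 1194 is not reaching the server.",
}


def option_mismatches(log: str) -> set:
    """Tokens present on only one side of the options string, ignoring the TLS role.
    Non-empty means a real config mismatch (e.g. a different link-mtu from
    fragment/tun-mtu), which the server also flags with differing option hashes."""
    sides = {m.group(1): set(m.group(2).split(",")) for m in OPTS_RE.finditer(log)}
    local = sides.get("Local", set())
    remote = sides.get("Expected Remote", set())
    return (local ^ remote) - ROLE_TOKENS


def handshake_stage(log: str) -> str:
    """Classify how far the UDP handshake got, from the server's point of view."""
    if "Peer Connection Initiated" in log:
        return "completed"
    if "TLS: Initial packet from" in log:
        if "TLS key negotiation failed to occur within" in log:
            return "inbound-only"
        return "in-progress"
    return "no-inbound"


def diagnose(log: str) -> str:
    """One-line summary combining the options check and the handshake stage."""
    mism = option_mismatches(log)
    stage = handshake_stage(log)
    opts = "options match" if not mism else "options differ: " + ", ".join(sorted(mism))
    return f"{opts}; stage={stage}; {HINTS[stage]}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```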
