OpenVPN重新连接失败,手动重启有效

OpenVPN重新连接失败,手动重启有效

我在 Azure 虚拟机上设置了一个 OpenVPN 服务器。我使用了以下脚本进行设置:https://github.com/Nyr/openvpn-install

然后我使用这个连接到服务器,sudo openvpn --config client.ovpn一切正常。然后我断开客户端机器上的以太网电缆,然后重新连接。然后客户端尝试重新连接,但从未成功。然后我尝试终止客户端(ctrl+c)并使用相同的命令重新启动它 - 这有效。

客户端目前位于至少具有两个 NAT 层的办公网络中。最终,客户端将位于一个相当不稳定的客户端网络中,我无法控制网络设置。

无论我使用TCP或,都会得到相同的行为UDP

为什么重新连接的行为与停止然后启动 OpenVPN 客户端不同?

如果一切都失败了,我当然可以制作一个重新启动 OpenVPN 客户端的包装脚本,但我当然不想这样做。

服务器和客户端均运行 Ubuntu Server 18.04

该文件的标题.ovpn为:

client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote <host> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3

使用时从OpenVPN客户端登录UDPTCP看起来非常相似):

$ sudo openvpn --config client.ovpn
Mon Jan 28 13:24:35 2019 Unrecognized option or missing or extra parameter(s) in client.ovpn:14: block-outside-dns (2.4.4)
Mon Jan 28 13:24:35 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2018
Mon Jan 28 13:24:35 2019 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08                        
Mon Jan 28 13:24:35 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jan 28 13:24:35 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jan 28 13:24:35 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip>:1194
Mon Jan 28 13:24:35 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]                                             
Mon Jan 28 13:24:35 2019 UDP link local: (not bound)    
Mon Jan 28 13:24:35 2019 UDP link remote: [AF_INET]<server_ip>:1194       
Mon Jan 28 13:24:35 2019 TLS: Initial packet from [AF_INET]<server_ip>:1194, sid=<> 78915078
Mon Jan 28 13:24:35 2019 VERIFY OK: depth=1, CN=ChangeMe                                               
Mon Jan 28 13:24:35 2019 VERIFY KU OK                                         
Mon Jan 28 13:24:35 2019 Validating certificate extended key usage
Mon Jan 28 13:24:35 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jan 28 13:24:35 2019 VERIFY EKU OK
Mon Jan 28 13:24:35 2019 VERIFY OK: depth=0, CN=server
Mon Jan 28 13:24:35 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Jan 28 13:24:35 2019 [server] Peer Connection Initiated with [AF_INET]<server_ip>:1194
Mon Jan 28 13:24:36 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 28 13:24:36 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.2
55.255.0,peer-id 0,cipher AES-256-GCM'
Mon Jan 28 13:24:36 2019 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 28 13:24:36 2019 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 28 13:24:36 2019 OPTIONS IMPORT: route options modified
Mon Jan 28 13:24:36 2019 OPTIONS IMPORT: route-related options modified
Mon Jan 28 13:24:36 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jan 28 13:24:36 2019 OPTIONS IMPORT: peer-id set
Mon Jan 28 13:24:36 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Mon Jan 28 13:24:36 2019 OPTIONS IMPORT: data channel crypto options modified
Mon Jan 28 13:24:36 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Jan 28 13:24:36 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jan 28 13:24:36 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jan 28 13:24:36 2019 ROUTE_GATEWAY 192.169.0.1/255.255.255.0 IFACE=enp0s31f6 HWADDR=<mac>
Mon Jan 28 13:24:36 2019 TUN/TAP device tun0 opened
Mon Jan 28 13:24:36 2019 TUN/TAP TX queue length set to 100
Mon Jan 28 13:24:36 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jan 28 13:24:36 2019 /sbin/ip link set dev tun0 up mtu 1500
Mon Jan 28 13:24:36 2019 /sbin/ip addr add dev tun0 10.8.0.3/24 broadcast 10.8.0.255
Mon Jan 28 13:24:36 2019 /sbin/ip route add <server_ip>/32 via 192.169.0.1
Mon Jan 28 13:24:36 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Mon Jan 28 13:24:36 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Mon Jan 28 13:24:36 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 28 13:24:36 2019 Initialization Sequence Completed
Mon Jan 28 13:28:47 2019 [server] Inactivity timeout (--ping-restart), restarting
Mon Jan 28 13:28:47 2019 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jan 28 13:28:47 2019 Restart pause, 5 second(s)
Mon Jan 28 13:28:52 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip>:1194
Mon Jan 28 13:28:52 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Jan 28 13:28:52 2019 UDP link local: (not bound)
Mon Jan 28 13:28:52 2019 UDP link remote: [AF_INET]<server_ip>:1194
Mon Jan 28 13:29:52 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan 28 13:29:52 2019 TLS Error: TLS handshake failed                                                                                                                                                                                      
Mon Jan 28 13:29:52 2019 SIGUSR1[soft,tls-error] received, process restarting                                                                                                                                                                 
Mon Jan 28 13:29:52 2019 Restart pause, 5 second(s)                                                                                                                                                                                           
Mon Jan 28 13:29:57 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip>:1194
Mon Jan 28 13:29:57 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]                                               
Mon Jan 28 13:29:57 2019 UDP link local: (not bound)                                                                         
Mon Jan 28 13:29:57 2019 UDP link remote: [AF_INET]<server_ip>:1194                                 
Mon Jan 28 13:30:57 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan 28 13:30:57 2019 TLS Error: TLS handshake failed
Mon Jan 28 13:30:57 2019 SIGUSR1[soft,tls-error] received, process restarting
Mon Jan 28 13:30:57 2019 Restart pause, 5 second(s)                                                  
Mon Jan 28 13:31:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip>:1194
Mon Jan 28 13:31:02 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Jan 28 13:31:02 2019 UDP link local: (not bound)              
Mon Jan 28 13:31:02 2019 UDP link remote: [AF_INET]<server_ip>:1194                                                    
Mon Jan 28 13:32:02 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan 28 13:32:02 2019 TLS Error: TLS handshake failed
Mon Jan 28 13:32:02 2019 SIGUSR1[soft,tls-error] received, process restarting                              
Mon Jan 28 13:32:02 2019 Restart pause, 5 second(s)                                          
Mon Jan 28 13:32:07 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip>:1194
Mon Jan 28 13:32:07 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]                                                                                                                                                                
Mon Jan 28 13:32:07 2019 UDP link local: (not bound)
Mon Jan 28 13:32:07 2019 UDP link remote: [AF_INET]<server_ip>:1194  
Mon Jan 28 13:33:07 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan 28 13:33:07 2019 TLS Error: TLS handshake failed       
Mon Jan 28 13:33:07 2019 SIGUSR1[soft,tls-error] received, process restarting
Mon Jan 28 13:33:07 2019 Restart pause, 5 second(s)                                      
Mon Jan 28 13:33:12 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip>:1194
Mon Jan 28 13:33:12 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Jan 28 13:33:12 2019 UDP link local: (not bound)                         
Mon Jan 28 13:33:12 2019 UDP link remote: [AF_INET]<server_ip>:1194      
Mon Jan 28 13:34:13 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan 28 13:34:13 2019 TLS Error: TLS handshake failed                                         
Mon Jan 28 13:34:13 2019 SIGUSR1[soft,tls-error] received, process restarting                            
Mon Jan 28 13:34:13 2019 Restart pause, 5 second(s)
Mon Jan 28 13:34:18 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip>:1194
Mon Jan 28 13:34:18 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Jan 28 13:34:18 2019 UDP link local: (not bound)           
Mon Jan 28 13:34:18 2019 UDP link remote: [AF_INET]<server_ip>:1194              
Mon Jan 28 13:35:18 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan 28 13:35:18 2019 TLS Error: TLS handshake failed          
Mon Jan 28 13:35:18 2019 SIGUSR1[soft,tls-error] received, process restarting
Mon Jan 28 13:35:18 2019 Restart pause, 10 second(s)                                                                             
Mon Jan 28 13:35:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip>:1194
Mon Jan 28 13:35:28 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]   

答案1

我找到了解决方案。

在客户端 ovpn 文件中,通过以下方式禁用 persist-tun

;persist-tun

然后尝试一下。

参考:
-https://forums.openvpn.net/viewtopic.php?t=22020
-https://forums.openvpn.net/viewtopic.php?f=6&t=22325&p=64015#p64015

答案2

与原始问题不太相关,但如果您使用 auth-user-pass,openvpn connect 不会在重新连接时重新发送凭据,因此会失败。添加 auth-get-token 使 auth-user-pass 可以重新连接。首次身份验证后,服务器会生成一个令牌供客户端用于重新连接。重新连接时,客户端发送的是令牌而不是密码。

相关内容