TLS key negotiation fails between an OpenVPN Windows 10 client and an OpenVPN Arch Linux server

I can't get an OpenVPN client set up. The server runs on an Arch Linux VPS, and there is another Arch Linux client that works fine.

I'm trying to add a Windows 10 client to the OpenVPN network, using the same .conf as the Arch client. I also tried switching the server to TCP on port 443, but the same thing happens.

server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert servername.crt
key servername.key
dh none
ecdh-curve secp521r1
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-crypt ta.key # tls-auth ta.key 0
#cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

client.conf

client
dev tun
proto udp
remote IPADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert proyectapc.crt
key proyectapc.key
remote-cert-tls server
tls-crypt ta.key # tls-auth ta.key 1
cipher AES-256-CBC
#cipher AES-256-GCM
auth SHA512
#tls-version-min 1.2
#tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
verb 3

OpenVPN server initialization log

Wed Dec 18 04:10:15 2019 OpenVPN 2.4.8 [git:makepkg/3976acda9bf10b5e+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
Wed Dec 18 04:10:15 2019 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Wed Dec 18 04:10:15 2019 ECDH curve secp521r1 added
Wed Dec 18 04:10:15 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 18 04:10:15 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 18 04:10:15 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 18 04:10:15 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 18 04:10:15 2019 ROUTE_GATEWAY 192.99.152.1
Wed Dec 18 04:10:15 2019 TUN/TAP device tun0 opened
Wed Dec 18 04:10:15 2019 TUN/TAP TX queue length set to 100
Wed Dec 18 04:10:15 2019 /usr/bin/ip link set dev tun0 up mtu 1500
Wed Dec 18 04:10:16 2019 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Dec 18 04:10:16 2019 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Dec 18 04:10:16 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Dec 18 04:10:16 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Dec 18 04:10:16 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Dec 18 04:10:16 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Dec 18 04:10:16 2019 MULTI: multi_init called, r=256 v=256
Wed Dec 18 04:10:16 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Dec 18 04:10:16 2019 ifconfig_pool_read(), in='terminator,10.8.0.4', TODO: IPv6
Wed Dec 18 04:10:16 2019 succeeded -> ifconfig_pool_set()
Wed Dec 18 04:10:16 2019 IFCONFIG POOL LIST
Wed Dec 18 04:10:16 2019 terminator,10.8.0.4
Wed Dec 18 04:10:16 2019 Initialization Sequence Completed

OpenVPN client initialization log

Wed Dec 18 10:12:02 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Wed Dec 18 10:12:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Dec 18 10:12:02 2019 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Wed Dec 18 10:12:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Dec 18 10:12:02 2019 Need hold release from management interface, waiting...
Wed Dec 18 10:12:03 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'state on'
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'log all on'
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'echo all on'
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'bytecount 5'
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'hold off'
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'hold release'
Wed Dec 18 10:12:03 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 18 10:12:03 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 18 10:12:03 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 18 10:12:03 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 18 10:12:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]IPADDRESS:1194
Wed Dec 18 10:12:03 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Dec 18 10:12:03 2019 UDP link local: (not bound)
Wed Dec 18 10:12:03 2019 UDP link remote: [AF_INET]192.99.152.152:1194
Wed Dec 18 10:12:03 2019 MANAGEMENT: >STATE:1576660323,WAIT,,,,,,
Wed Dec 18 10:12:03 2019 MANAGEMENT: >STATE:1576660323,AUTH,,,,,,
Wed Dec 18 10:12:03 2019 TLS: Initial packet from [AF_INET]192.99.152.152:1194, sid=580c2d02 8fcff9b9

This then triggers the following on the server:

Wed Dec 18 04:12:03 2019 IPCLIENT:55713 TLS: Initial packet from [AF_INET]IPCLIENT:55713, sid=73a94d7c de9e850e
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 OpenSSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 TLS_ERROR: BIO read tls_read_plaintext error
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 TLS Error: TLS object -> incoming plaintext read error
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 TLS Error: TLS handshake failed
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 SIGUSR1[soft,tls-error] received, client-instance restarting

A minute later, on the client:

Wed Dec 18 10:13:03 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 18 10:13:03 2019 TLS Error: TLS handshake failed

Answer 1

Unless you really need specific ciphers, you can comment out the cipher and tls-cipher parameters in both the client and server configs.

OpenVPN will then negotiate using its standard set of secure ciphers.
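To see why pinned cipher lists are fragile, here is an added example (not from the question or the answer) that parses the relevant lines of the two configs posted above and reports settings that can produce "no shared cipher" during TLS negotiation. The severity labels and the embedded config excerpts are constructed for this example; the check that `dh none` leaves a DHE-only `tls-cipher` list with nothing to offer follows from OpenVPN documenting `dh none` as disabling finite-field DH in favour of ECDH.

```python
# Added example: check an OpenVPN server/client config pair for settings that
# lead to "no shared cipher" at TLS-negotiation time.
# The two strings below are the relevant lines of the configs posted above.
SERVER_CONF = """
dh none
ecdh-curve secp521r1
tls-crypt ta.key # tls-auth ta.key 0
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
"""
CLIENT_CONF = """
tls-crypt ta.key # tls-auth ta.key 1
cipher AES-256-CBC
#cipher AES-256-GCM
auth SHA512
#tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
"""

def parse(conf):
    """Map option name -> argument list for active lines; '#' starts a comment."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def suites(opts):
    """TLS 1.2 suites pinned by tls-cipher, or None when OpenVPN's default list applies."""
    return set(opts["tls-cipher"][0].split(":")) if "tls-cipher" in opts else None

def findings(server_conf, client_conf):
    """Return a list of (severity, message) for the config pair."""
    s, c = parse(server_conf), parse(client_conf)
    out = []
    ss, cs = suites(s), suites(c)
    if ss is not None and cs is not None and not ss & cs:
        out.append(("error", "tls-cipher lists have no suite in common"))
    # 'dh none' disables finite-field DH (ECDH only), so a tls-cipher list made
    # only of DHE suites leaves the server no TLS 1.2 suite it can actually use.
    if ss and s.get("dh") == ["none"] and all(x.startswith("TLS-DHE-") for x in ss):
        out.append(("error", "dh none with a DHE-only tls-cipher list: no usable TLS 1.2 suite"))
    if s.get("auth") != c.get("auth"):
        out.append(("error", "auth (HMAC digest) differs"))
    if ("tls-crypt" in s) != ("tls-crypt" in c):
        out.append(("error", "one side uses tls-crypt, the other does not"))
    if s.get("cipher") != c.get("cipher"):
        out.append(("warning", "data-channel cipher differs; 2.4 peers may still negotiate it (NCP)"))
    return out

if __name__ == "__main__":
    for sev, msg in findings(SERVER_CONF, CLIENT_CONF):
        print(f"{sev}: {msg}")
```

Run against the configs above, it flags the server's DHE-only `tls-cipher` list combined with `dh none` as an error and the differing data-channel `cipher` lines only as a warning.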
