I am configuring OpenVPN on an Ubuntu 18.04 client as follows:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote c 80
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
# user nobody
# group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>
Running openvpn /etc/openvpn/client.conf gives:
Tue Jul 21 15:59:09 2020 us=191135 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Jul 21 15:59:09 2020 us=191150 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Tue Jul 21 15:59:09 2020 us=191222 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jul 21 15:59:09 2020 us=191609 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 21 15:59:09 2020 us=191634 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 21 15:59:09 2020 us=191721 Control Channel MTU parms [ L:1623 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Tue Jul 21 15:59:09 2020 us=191758 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Tue Jul 21 15:59:09 2020 us=191790 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Tue Jul 21 15:59:09 2020 us=191802 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Tue Jul 21 15:59:09 2020 us=191816 TCP/UDP: Preserving recently used remote address: [AF_INET]c:80
Tue Jul 21 15:59:09 2020 us=191842 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Jul 21 15:59:09 2020 us=191855 Attempting to establish TCP connection with [AF_INET]c:80 [nonblock]
Tue Jul 21 15:59:10 2020 us=192033 TCP connection established with [AF_INET]c:80
Tue Jul 21 15:59:10 2020 us=192077 TCP_CLIENT link local: (not bound)
Tue Jul 21 15:59:10 2020 us=192086 TCP_CLIENT link remote: [AF_INET]c:80
Tue Jul 21 15:59:10 2020 us=192940 TLS: Initial packet from [AF_INET]c:80, sid=1262c750 4c7a1222
Tue Jul 21 15:59:10 2020 us=236253 VERIFY OK: depth=1, CN=vpn.xxxxxx.com
Tue Jul 21 15:59:10 2020 us=236402 VERIFY KU OK
Tue Jul 21 15:59:10 2020 us=236422 Validating certificate extended key usage
Tue Jul 21 15:59:10 2020 us=236438 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 21 15:59:10 2020 us=236447 VERIFY EKU OK
Tue Jul 21 15:59:10 2020 us=236455 VERIFY OK: depth=0, CN=vpn.xxxxxx.com
Tue Jul 21 15:59:10 2020 us=241649 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Jul 21 15:59:10 2020 us=241680 [vpn.xxxxx.com] Peer Connection Initiated with [AF_INET]c:80
Tue Jul 21 15:59:11 2020 us=504067 SENT CONTROL [vpn.xxxxx.com]: 'PUSH_REQUEST' (status=1)
Tue Jul 21 15:59:11 2020 us=506069 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,dhcp-option DNS b,dhcp-option DNS a,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.25 10.8.0.26,peer-id 0,cipher AES-256-GCM'
Tue Jul 21 15:59:11 2020 us=506158 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 21 15:59:11 2020 us=506174 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 21 15:59:11 2020 us=506181 OPTIONS IMPORT: route options modified
Tue Jul 21 15:59:11 2020 us=506192 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 21 15:59:11 2020 us=506199 OPTIONS IMPORT: peer-id set
Tue Jul 21 15:59:11 2020 us=506206 OPTIONS IMPORT: adjusting link_mtu to 1626
Tue Jul 21 15:59:11 2020 us=506216 OPTIONS IMPORT: data channel crypto options modified
Tue Jul 21 15:59:11 2020 us=506224 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jul 21 15:59:11 2020 us=506239 Data Channel MTU parms [ L:1554 D:1450 EF:54 EB:406 ET:0 EL:3 ]
Tue Jul 21 15:59:11 2020 us=506310 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 21 15:59:11 2020 us=506325 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 21 15:59:11 2020 us=506444 ROUTE_GATEWAY 172.31.32.1/255.255.240.0 IFACE=eth0 HWADDR=0a:c3:78:f1:6c:f4
Tue Jul 21 15:59:11 2020 us=506701 TUN/TAP device tun0 opened
Tue Jul 21 15:59:11 2020 us=506738 TUN/TAP TX queue length set to 100
Tue Jul 21 15:59:11 2020 us=506760 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 21 15:59:11 2020 us=506784 /sbin/ip link set dev tun0 up mtu 1500
Tue Jul 21 15:59:11 2020 us=508154 /sbin/ip addr add dev tun0 local 10.8.0.25 peer 10.8.0.26
Tue Jul 21 15:59:11 2020 us=509257 /etc/openvpn/update-resolv-conf tun0 1500 1554 10.8.0.25 10.8.0.26 init
dhcp-option DNS a
dhcp-option DNS b
Too few arguments.
Too few arguments.
Tue Jul 21 15:59:11 2020 us=552185 /sbin/ip route add 10.0.0.0/8 via 10.8.0.26
Tue Jul 21 15:59:11 2020 us=553483 /sbin/ip route add 10.8.0.1/32 via 10.8.0.26
Tue Jul 21 15:59:11 2020 us=554437 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jul 21 15:59:11 2020 us=554471 Initialization Sequence Completed
One would think the process had succeeded and the client was now connected to the VPN, but the tun0 interface gets neither an IP address nor any routes.
When the same process exits:
^CTue Jul 21 16:06:19 2020 us=140846 event_wait : Interrupted system call (code=4)
Tue Jul 21 16:06:19 2020 us=141061 TCP/UDP: Closing socket
Tue Jul 21 16:06:19 2020 us=141125 /sbin/ip route del 10.0.0.0/8
RTNETLINK answers: No such process
Tue Jul 21 16:06:19 2020 us=142360 ERROR: Linux route delete command failed: external program exited with error status: 2
Tue Jul 21 16:06:19 2020 us=142395 /sbin/ip route del 10.8.0.1/32
RTNETLINK answers: No such process
Tue Jul 21 16:06:19 2020 us=143403 ERROR: Linux route delete command failed: external program exited with error status: 2
Tue Jul 21 16:06:19 2020 us=143438 Closing TUN/TAP interface
Tue Jul 21 16:06:19 2020 us=143461 /sbin/ip addr del dev tun0 local 10.8.0.25 peer 10.8.0.26
RTNETLINK answers: Cannot assign requested address
Tue Jul 21 16:06:19 2020 us=144445 Linux ip addr del failed: external program exited with error status: 2
Tue Jul 21 16:06:19 2020 us=172551 /etc/openvpn/update-resolv-conf tun0 1500 1554 10.8.0.25 10.8.0.26 init
Too few arguments.
Too few arguments.
Tue Jul 21 16:06:19 2020 us=202598 SIGINT[hard,] received, process exiting
I can't find the cause; other clients work fine.
If I run the ip addr and ip route operations by hand after the service has started, everything works. However, the service cannot recover from a disconnect, for the same reason it does not connect automatically.
Syslog:
Jul 22 08:08:35 ip-172-31-32-67 systemd-networkd[7024]: tun0: Link DOWN
Jul 22 08:08:35 ip-172-31-32-67 systemd-networkd[7024]: tun0: Lost carrier
Jul 22 08:08:35 ip-172-31-32-67 systemd-timesyncd[690]: Network configuration changed, trying to establish connection.
Jul 22 08:08:35 ip-172-31-32-67 systemd[1]: Stopping Netscript ifup for tun0...
Jul 22 08:08:35 ip-172-31-32-67 systemd-timesyncd[690]: Synchronized to time server b:123 (ntp.ubuntu.com).
Jul 22 08:08:35 ip-172-31-32-67 netscript[21167]: Usage: netscript ifup|ifdown|ifqos|ifreload
Jul 22 08:08:35 ip-172-31-32-67 netscript[21167]: {eth0|eth2|eth1|all}
Jul 22 08:08:35 ip-172-31-32-67 systemd[1]: [email protected]: Control process exited, code=exited status=1
Jul 22 08:08:35 ip-172-31-32-67 systemd[1]: [email protected]: Failed with result 'exit-code'.
Jul 22 08:08:35 ip-172-31-32-67 systemd[1]: Stopped Netscript ifup for tun0.
Jul 22 08:08:47 ip-172-31-32-67 systemd-udevd[21286]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jul 22 08:08:47 ip-172-31-32-67 systemd-networkd[7024]: tun0: Link UP
Jul 22 08:08:47 ip-172-31-32-67 networkd-dispatcher[1251]: WARNING:Unknown index 28 seen, reloading interface list
Jul 22 08:08:47 ip-172-31-32-67 systemd-networkd[7024]: tun0: Gained carrier
Jul 22 08:08:47 ip-172-31-32-67 systemd-networkd[7024]: tun0: Gained IPv6LL
Jul 22 08:08:47 ip-172-31-32-67 systemd-timesyncd[690]: Network configuration changed, trying to establish connection.
Jul 22 08:08:47 ip-172-31-32-67 systemd[1]: Unnecessary job for /sys/subsystem/net/devices/tun0 was removed.
Jul 22 08:08:47 ip-172-31-32-67 systemd[1]: Started Netscript ifup for tun0.
Jul 22 08:08:47 ip-172-31-32-67 systemd-timesyncd[690]: Synchronized to time server b:123 (ntp.ubuntu.com).
Jul 22 08:08:47 ip-172-31-32-67 systemd-timesyncd[690]: Network configuration changed, trying to establish connection.
Jul 22 08:08:47 ip-172-31-32-67 systemd-timesyncd[690]: Synchronized to time server b:123 (ntp.ubuntu.com).
Jul 22 08:08:47 ip-172-31-32-67 sh[21324]: Configuring interface:Warning: Executing wildcard deletion to stay compatible with old scripts.
Jul 22 08:08:47 ip-172-31-32-67 sh[21324]: Explicitly specify the prefix length (10.8.0.25/32) to avoid this warning.
Jul 22 08:08:47 ip-172-31-32-67 sh[21324]: This special behaviour is likely to disappear in further releases,
Jul 22 08:08:47 ip-172-31-32-67 sh[21324]: fix your scripts!
Jul 22 08:08:47 ip-172-31-32-67 systemd-timesyncd[690]: Network configuration changed, trying to establish connection.
Jul 22 08:08:47 ip-172-31-32-67 sh[21324]: tun0.
Jul 22 08:08:47 ip-172-31-32-67 systemd-timesyncd[690]: Synchronized to time server a (ntp.ubuntu.com).
Has anyone else run into something like this?
Answer 1
I ran into a problem that I solved on Ubuntu 20.04.2 by uninstalling the package netscript-2.4 and installing the package ifupdown.
Answer 2
So, if I understand you correctly, after openvpn starts you have a tun0 interface without an IP? Have you checked that the client configuration posted here matches the server configuration?
Research shows that others have had the same problem after a network reconnect, causing the IP to be lost... this is caused by an option proto none line in the interfaces configuration file. Reference
If that doesn't help, I'd suggest first disabling your up/down scripts; those log entries indicate that the script is definitely broken... this is what I mean:
dhcp-option DNS a
dhcp-option DNS b
Too few arguments.
Too few arguments.
and:
Jul 22 08:08:47 ip-172-31-32-67 sh[21324]: Configuring interface:Warning: Executing wildcard deletion to stay compatible with old scripts.
Jul 22 08:08:47 ip-172-31-32-67 sh[21324]: Explicitly specify the prefix length (10.8.0.25/32) to avoid this warning.
Jul 22 08:08:47 ip-172-31-32-67 sh[21324]: This special behaviour is likely to disappear in further releases,
Jul 22 08:08:47 ip-172-31-32-67 sh[21324]: fix your scripts!
Another thing I noticed: are you really using TCP port 80 for the openvpn service? I think that's a bad idea...
In the syslog I noticed the following messages:
Jul 22 08:08:35 ip-172-31-32-67 systemd-networkd[7024]: tun0: Link DOWN
Jul 22 08:08:35 ip-172-31-32-67 systemd-networkd[7024]: tun0: Lost carrier
This looks as if the main VPN connection (remote c 80) is lost during VPN setup, e.g. because a bad route was set.
And, for completeness, here is the part where the tun0 interface gets its own IP:
Tue Jul 21 15:59:11 2020 us=508154 /sbin/ip addr add dev tun0 local 10.8.0.25 peer 10.8.0.26
I hope I've given you a starting point for your research!
Answer 3
As in Sebastian Schrader's answer, I had the problem with the globalprotect VPN on Ubuntu 20.
Although the VPN was connected, the tun0 interface did not receive an IPv4 address:
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1422 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet6 fe80::6c8c:40ff:dab3:ef5a/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
Ubuntu 20.04.5 LTS
:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal
:~$ uname -a
Linux PF3812VS 5.15.0-72-generic #79~20.04.1-Ubuntu SMP
Installing the ifupdown package solved the problem (this uninstalls the netscript package).
sudo apt install ifupdown
After installing ifupdown, the globalprotect VPN worked immediately ("ipv4 assigned to tun0").
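The dangerous part of the symptom in the question and in answer 3 is that the OpenVPN log prints "Initialization Sequence Completed" while the tun device actually carries no IPv4 address and no pushed routes, so any software that trusts the log (or the exit status of the up script) believes the tunnel is up while traffic never enters it. The following POSIX shell helper is an added example, not code from the question, the answers or the OpenVPN project: it checks the client log for the misleading combination of "Too few arguments" from the up script followed by "Initialization Sequence Completed", and checks `ip addr` / `ip route` text for an IPv4 address and a route via the pushed peer address. The sample inputs are constructed from the log lines quoted on this page (the healthy `ip addr` output and the route lines are assumed, not taken from the page).

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original question or answers).
# Compares what the OpenVPN client log claims with what the kernel shows
# for the tun device. Sample inputs are constructed from lines quoted on
# this page; the "healthy" samples are assumptions for the demonstration.

# Return 0 when the log reports "Initialization Sequence Completed" even
# though the up script (update-resolv-conf here) emitted "Too few arguments".
# This is the misleading state described in the question.
log_claims_success_but_up_script_failed() {
    _log="$1"
    printf '%s\n' "$_log" | grep -q 'Initialization Sequence Completed' || return 1
    printf '%s\n' "$_log" | grep -q 'Too few arguments' || return 1
    return 0
}

# Return 0 when `ip addr show dev tun0`-style output contains an IPv4
# address ("inet a.b.c.d"), 1 when there is only link-local IPv6 or nothing.
# "inet6" does not match because the pattern requires a space after "inet".
tun_has_ipv4() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])inet [0-9]+(\.[0-9]+){3}'
}

# Return 0 when `ip route`-style output contains a route via the given peer
# address (the address pushed as the ifconfig peer, 10.8.0.26 in the log).
route_via_peer_present() {
    _routes="$1"; _peer="$2"
    printf '%s\n' "$_routes" | grep -q "via $_peer"
}

# Combine the checks: exit 0 only when the tun device has an IPv4 address
# and a route via the peer. Prints a one-line verdict per check.
diagnose_tun() {
    _addr="$1"; _routes="$2"; _peer="$3"; _rc=0
    if tun_has_ipv4 "$_addr"; then
        echo "OK:   IPv4 address present on tun device"
    else
        echo "FAIL: no IPv4 address on tun device (link-local IPv6 only?)"; _rc=1
    fi
    if route_via_peer_present "$_routes" "$_peer"; then
        echo "OK:   route via $_peer present"
    else
        echo "FAIL: no route via $_peer, tunnel will carry no traffic"; _rc=1
    fi
    return $_rc
}

# Constructed sample: excerpt of the client log quoted in the question.
SAMPLE_LOG='Tue Jul 21 15:59:11 2020 us=509257 /etc/openvpn/update-resolv-conf tun0 1500 1554 10.8.0.25 10.8.0.26 init
dhcp-option DNS a
Too few arguments.
Tue Jul 21 15:59:11 2020 us=552185 /sbin/ip route add 10.0.0.0/8 via 10.8.0.26
Tue Jul 21 15:59:11 2020 us=554471 Initialization Sequence Completed'

# Constructed sample: the `ip addr` output from answer 3 (IPv6 link-local only).
ADDR_NO_IPV4='8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1422 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet6 fe80::6c8c:40ff:dab3:ef5a/64 scope link stable-privacy'

# Assumed sample: what tun0 looks like once the "ip addr add" from the log took effect.
ADDR_WITH_IPV4='8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.25 peer 10.8.0.26/32 scope global tun0'

# Assumed samples: routing table with and without the pushed routes.
ROUTES_OK='10.0.0.0/8 via 10.8.0.26 dev tun0
10.8.0.1 via 10.8.0.26 dev tun0'
ROUTES_MISSING='default via 172.31.32.1 dev eth0'

# Live use on the client after "Initialization Sequence Completed":
#   diagnose_tun "$(ip addr show dev tun0)" "$(ip route)" 10.8.0.26
# Demo on the constructed samples: run with --demo.
if [ "${1:-}" = "--demo" ]; then
    if log_claims_success_but_up_script_failed "$SAMPLE_LOG"; then
        echo "WARN: log claims success but the up script failed"
    fi
    diagnose_tun "$ADDR_NO_IPV4" "$ROUTES_MISSING" 10.8.0.26
fi
```

Running the file with `--demo` reproduces the broken state from the page (warning about the up script, then two FAIL lines); on a real client, feeding it the live `ip addr` and `ip route` output gives a check that does not depend on OpenVPN's own "completed" message, which is what a watchdog or a post-connect hook should rely on before routing sensitive traffic.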