我在我的 raspberrypi 上配置了一个 openvpn,我遵循了以下指南:https://juncotic.com/openvpn-easyrsa-3-montando-la-vpn/几周来一切都运行良好。几天前,vpn 突然停止工作并抛出 TLS 错误。我检查了端口转发是否仍然处于启用状态,确实如此,我还检查了服务器和我的机器上的所有内容是否都是最新的,一切都是最新的,还检查了 openvpn 是否运行正常,日志中没有任何内容表明它不应该工作,还尝试将 vpn 的端口更改为更高的端口,但没有用。我不知道还要寻找什么。我会附上一些信息,如果有人需要其他信息,请告诉我。
这些是我的配置文件:
服务器.conf:
port 1194
proto udp
server 192.168.10.0 255.255.255.0
client-to-client
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/cloudAtlas.crt
dh /etc/openvpn/keys/dh.pem
key /etc/openvpn/keys/cloudAtlas.key
tls-auth /etc/openvpn/keys/ta.key 0
crl-verify /etc/openvpn/keys/crl.pem
comp-lzo adaptive
dev tun
ifconfig-pool-persist server-ipp.txt 0
keepalive 10 120
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
log /var/log/openvpn/server.log
verb 3
客户端2.conf:
client
dev tun
proto udp
port 1194
remote 21e800.duckdns.org 1194
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
ca /etc/openvpn/keys/ca.crt
key /etc/openvpn/keys/cliente1.key
cert /etc/openvpn/keys/cliente1.crt
key-direction 1
tls-auth /etc/openvpn/keys/ta.key 1
openvpn启动时输出的日志:
Thu Aug 19 22:10:30 2021 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Thu Aug 19 22:10:30 2021 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Thu Aug 19 22:10:30 2021 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Aug 19 22:10:30 2021 Note: cannot open server-ipp.txt for READ
Thu Aug 19 22:10:30 2021 Diffie-Hellman initialized with 2048 bit key
Thu Aug 19 22:10:30 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 19 22:10:30 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 19 22:10:30 2021 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=e4:5f:01:38:49:2b
Thu Aug 19 22:10:30 2021 TUN/TAP device tun0 opened
Thu Aug 19 22:10:30 2021 TUN/TAP TX queue length set to 100
Thu Aug 19 22:10:30 2021 /sbin/ip link set dev tun0 up mtu 1500
Thu Aug 19 22:10:30 2021 /sbin/ip addr add dev tun0 local 192.168.10.1 peer 192.168.10.2
Thu Aug 19 22:10:30 2021 /sbin/ip route add 192.168.10.0/24 via 192.168.10.2
Thu Aug 19 22:10:30 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Aug 19 22:10:30 2021 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Aug 19 22:10:30 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Aug 19 22:10:30 2021 UDPv4 link remote: [AF_UNSPEC]
Thu Aug 19 22:10:30 2021 MULTI: multi_init called, r=256 v=256
Thu Aug 19 22:10:30 2021 IFCONFIG POOL: base=192.168.10.4 size=62, ipv6=0
Thu Aug 19 22:10:30 2021 IFCONFIG POOL LIST
Thu Aug 19 22:10:30 2021 Initialization Sequence Completed
客户端尝试连接时的消息:
Thu Aug 19 22:12:03 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Thu Aug 19 22:12:03 2021 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Thu Aug 19 22:12:03 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 19 22:12:03 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 19 22:12:03 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:12:03 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Aug 19 22:12:03 2021 UDP link local: (not bound)
Thu Aug 19 22:12:03 2021 UDP link remote: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:13:03 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 19 22:13:03 2021 TLS Error: TLS handshake failed
Thu Aug 19 22:13:03 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 19 22:13:03 2021 Restart pause, 5 second(s)
Thu Aug 19 22:13:08 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:13:08 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Aug 19 22:13:08 2021 UDP link local: (not bound)
Thu Aug 19 22:13:08 2021 UDP link remote: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:14:08 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 19 22:14:08 2021 TLS Error: TLS handshake failed
Thu Aug 19 22:14:08 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 19 22:14:08 2021 Restart pause, 5 second(s)
Thu Aug 19 22:14:13 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:14:13 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Aug 19 22:14:13 2021 UDP link local: (not bound)
Thu Aug 19 22:14:13 2021 UDP link remote: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:15:13 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 19 22:15:13 2021 TLS Error: TLS handshake failed
Thu Aug 19 22:15:13 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 19 22:15:13 2021 Restart pause, 5 second(s)
Thu Aug 19 22:15:18 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]83.51.211.151:1194
我的端口转发配置(路由器):
答案:
这是我使用指定端口 ping 路由器时得到的结果:
pah@xiaomi:~$ nmap -Pn -p 1194 21e800.duckdns.org
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-19 22:58 CEST
Nmap scan report for 21e800.duckdns.org (83.51.211.151)
Host is up.
rDNS record for 83.51.211.151: 151.red-83-51-211.dynamicip.rima-tde.net
PORT STATE SERVICE
1194/tcp filtered openvpn
Nmap done: 1 IP address (1 host up) scanned in 2.34 seconds
证书有效期至 2024 年。为了防止遗漏某些内容,我重新做了所有证书,但仍然不起作用。
我还尝试使用以下命令检查是否正在接收数据包:
sudo tcpdump -i any -c5 -nn port 1194
没有任何结果,所以我怀疑问题与网络有关,但是我对此的了解很少,所以我不知道如何进一步调试它,或者除了端口转发之外问题可能出在哪里,我认为由于 ping 的响应而正常工作(?)。
无论如何,如果有人有任何想法,请告诉我。
回答:我发现问题了!是 DNS 服务的问题,不知道为什么,但它没有正确更新我的 IP,而且由于它是动态的,所以一切都停止了工作。我应该首先检查一下这一点,真丢脸。
答案1
检查您是否真的可以从互联网连接到该 IP 和端口:
也许你的服务器正在获取内部的通过 DHCP 获取 IP,并且内部的IP 已改变。
也许你的外部的IP 已改变,请仔细检查。
检查您的服务器和客户端证书是否过期,可能是因为您之前说过它之前运行良好。