Linux openvpn 服务器/客户端配置故障排除

我是 openvpn 新手。我尝试了 7、8 个Linux openvpn server/client configuration教程。没有一个教程让我无法建立连接。顺便说一句，我住在伊朗，可能由于互联网禁令，您的一些建议不起作用，但无论如何，这与故障排除无关，这是一种通用方法。

从angristan/openvpn 安装我制作了一个脚本server和client配置。还编辑/etc/openvpn/server.conf为

port 443
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_XndA1l3fZ0hDMwbd.crt
key server_XndA1l3fZ0hDMwbd.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3

为了添加status /var/log/openvpn/openvpn-status.log和log-append /var/log/openvpn/openvpn.log行来获得日志。

/var/log/openvpn/openvpn.log看起来像：

Fri Oct 28 11:12:47 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Fri Oct 28 11:12:47 2022 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Fri Oct 28 11:12:47 2022 ECDH curve prime256v1 added
Fri Oct 28 11:12:47 2022 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Oct 28 11:12:47 2022 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Oct 28 11:12:47 2022 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Oct 28 11:12:47 2022 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Oct 28 11:12:47 2022 TUN/TAP device tun0 opened
Fri Oct 28 11:12:47 2022 TUN/TAP TX queue length set to 100
Fri Oct 28 11:12:47 2022 /sbin/ip link set dev tun0 up mtu 1500
Fri Oct 28 11:12:47 2022 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Oct 28 11:12:47 2022 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Oct 28 11:12:47 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Oct 28 11:12:47 2022 UDPv4 link local (bound): [AF_INET][undef]:443
Fri Oct 28 11:12:47 2022 UDPv4 link remote: [AF_UNSPEC]
Fri Oct 28 11:12:47 2022 GID set to nogroup
Fri Oct 28 11:12:47 2022 UID set to nobody
Fri Oct 28 11:12:47 2022 MULTI: multi_init called, r=256 v=256
Fri Oct 28 11:12:47 2022 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Fri Oct 28 11:12:47 2022 IFCONFIG POOL LIST
Fri Oct 28 11:12:47 2022 Initialization Sequence Completed
Fri Oct 28 11:15:19 2022 86.55.**.**:64241 TLS: Initial packet from [AF_INET]86.55.**.**:64241, sid=649434bf e332059d
Fri Oct 28 11:16:01 2022 86.55.**.**:50796 TLS: Initial packet from [AF_INET]86.55.**.**:50796, sid=868afacd ca4fc7db
Fri Oct 28 11:16:19 2022 86.55.**.**:64241 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 28 11:16:19 2022 86.55.**.**:64241 TLS Error: TLS handshake failed
Fri Oct 28 11:16:19 2022 86.55.**.**:64241 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct 28 11:17:01 2022 86.55.**.**:50796 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 28 11:17:01 2022 86.55.**.**:50796 TLS Error: TLS handshake failed
Fri Oct 28 11:17:01 2022 86.55.**.**:50796 SIGUSR1[soft,tls-error] received, client-instance restarting

看起来/var/log/openvpn/openvpn-status.log像：

OpenVPN CLIENT LIST
Updated,Fri Oct 28 11:18:21 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END

顺便说一下，客户端配置文件如下所示：

client
proto udp
explicit-exit-notify
remote 87.107.**.** 443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_XndA1l3fZ0hDMwbd name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

问题是我能得到的唯一信息是TLS handshake失败了。那么我该怎么做才能获得更多关于导致 tls 握手失败的原因的日志信息？我还能做什么。我的意思是也许尝试新的协议和端口（我已经尝试了一些，但它们的行为仍然相同）或任何其他建议以使连接发生或对其进行故障排除？任何好的演练或教程也值得赞赏。

更新

1.来自TLS 错误：TLS 密钥协商在 60 秒内失败（请检查您的网络连接）我决定添加防火墙规则sudo ufw allow 443/udp sudo ufw allow 443/tcp，sudo ufw default allow incoming但没有帮助。

2. 还有tcpdump -vnni any udp port 443（从尝试连接开始）：

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
12:34:13.466846 IP (tos 0x38, ttl 113, id 15535, offset 0, flags [none], proto UDP (17), length 82)
    86.55.**.**.53799 > 87.107.**.**.443: UDP, length 54
12:34:13.469067 IP (tos 0x0, ttl 64, id 3827, offset 0, flags [DF], proto UDP (17), length 94)
    87.107.**.**.443 > 86.55.**.**.53799: UDP, length 66
12:34:13.569751 IP (tos 0x38, ttl 113, id 15536, offset 0, flags [none], proto UDP (17), length 371)
    86.55.**.**.53799 > 87.107.**.**.443: UDP, length 343
12:34:13.575225 IP (tos 0x0, ttl 64, id 3842, offset 0, flags [DF], proto UDP (17), length 90)
    87.107.**.**.443 > 86.55.**.**.53799: UDP, length 62
12:34:13.575419 IP (tos 0x0, ttl 64, id 3843, offset 0, flags [DF], proto UDP (17), length 1144)
    87.107.**.**.443 > 86.55.**.**.53799: UDP, length 1116
12:34:13.575582 IP (tos 0x0, ttl 64, id 3844, offset 0, flags [DF], proto UDP (17), length 1144)
    87.107.**.**.443 > 86.55.**.**.53799: UDP, length 1116
12:34:13.575676 IP (tos 0x0, ttl 64, id 3845, offset 0, flags [DF], proto UDP (17), length 345)
    87.107.**.**.443 > 86.55.**.**.53799: UDP, length 317
12:34:16.020216 IP (tos 0x0, ttl 64, id 4106, offset 0, flags [DF], proto UDP (17), length 1144)
    87.107.**.**.443 > 86.55.**.**.53798: UDP, length 1116

这表明客户端（86.55.*.*）在 2 次转发和传递之后没有应答。这可能意味着客户端停止工作，或者显示数据包被防火墙（我已允许端口ufw）或 阻止server provider。

3. 我也尝试添加

status "F:\openvpn-status.log"
log-append  "F:\openvpn.log"

到客户端配置文件，该文件没有将这些文件添加到驱动器 F。

4. 但发现C:\Program Files\OpenVPN Connect\agent.log是这样的：

Sat Oct 29 14:56:31 2022 GetBestGateway: selected gateway 192.168.74.180 on adapter 11 for destination 87.107.**.**
Sat Oct 29 14:56:31 2022 netsh interface ip delete route 87.107.**.**/32 11 192.168.74.180 store=active
Ok.

netsh interface ip add route 87.107.**.**/32 11 192.168.74.180 store=active
Ok.