OpenVPN setup inexplicably stopped working

A few months ago, after some effort, I set up an openVPN server and client so that I could connect remotely to my main PC. Everything runs Ubuntu 20. Until now it has worked well, letting me connect from every remote location I have tried. I used this tutorial from Digital Ocean for the initial setup. I now have a TLS problem that I don't know how to deal with, so I am posting here.

I have not knowingly touched anything related to openVPN, nor done any other large-scale installs on my server machine, but I can no longer connect to it from my laptop client. I tried setting up a second laptop client to see whether it might be a client-side error, but the second laptop did not work either. I then uninstalled and reinstalled openvpn on both ends and created new keys and everything from scratch. I still get the same TLS handshake error shown in the client output below.

Clue 1: As Nikita pointed out, the server output does not show any client attempting to connect. In the past I have seen attempts in the server output. After issuing openvpn *conf on both the server and the client, I ran some tcpdump commands on the server (although I know very little about it)

~$ sudo tcpdump -D
[sudo] password for adnan: 
1.enp5s0 [Up, Running]
2.tun0 [Up, Running]
3.lo [Up, Running, Loopback]
4.any (Pseudo-device that captures on all interfaces) [Up, Running]
5.wlo1 [Up]
6.docker0 [Up]
7.br-d2c78a773ae5 [Up]
8.br-4b07fa21428c [Up]
9.bluetooth-monitor (Bluetooth Linux Monitor) [none]
10.nflog (Linux netfilter log (NFLOG) interface) [none]
11.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
12.bluetooth0 (Bluetooth adapter number 0) [none]
~$ sudo tcpdump -i tun0 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes

and on the client

~$ sudo tcpdump -D
1.wlo1 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.docker0 [Up]
5.br-4fe775d77579 [Up]
6.bluetooth-monitor (Bluetooth Linux Monitor) [none]
7.nflog (Linux netfilter log (NFLOG) interface) [none]
8.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
9.bluetooth0 (Bluetooth adapter number 0) [none]

Clue 2?: One thing I did notice when going through the tutorial again is that the output of ip route list default seems to have changed from enp4s0 to enp5s0, but I don't know whether that is relevant.

Clue 3: The tutorial above suggests running systemd-resolve --status tun0 on the client, but it returns Failed to resolve interface "tun0", ignoring: No such device. I don't know how seriously to take this, though... After reading further, I guess this would only matter if I were trying to push all traffic through the VPN, which I am not. So maybe it is irrelevant.

The client output is

client$ openvpn laptop_client.conf
Sun Jan 29 08:12:29 2023 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Sun Jan 29 08:12:29 2023 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Sun Jan 29 08:12:29 2023 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan 29 08:12:29 2023 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jan 29 08:12:29 2023 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 29 08:12:29 2023 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jan 29 08:12:29 2023 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 29 08:12:29 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:12:29 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 29 08:12:29 2023 UDP link local: (not bound)
Sun Jan 29 08:12:29 2023 UDP link remote: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:12:29 2023 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sun Jan 29 08:13:29 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 29 08:13:29 2023 TLS Error: TLS handshake failed
Sun Jan 29 08:13:29 2023 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 29 08:13:29 2023 Restart pause, 5 second(s)
Sun Jan 29 08:13:34 2023 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan 29 08:13:34 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:13:34 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 29 08:13:34 2023 UDP link local: (not bound)
Sun Jan 29 08:13:34 2023 UDP link remote: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:14:34 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 29 08:14:34 2023 TLS Error: TLS handshake failed
Sun Jan 29 08:14:34 2023 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 29 08:14:34 2023 Restart pause, 5 second(s)
Sun Jan 29 08:14:39 2023 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan 29 08:14:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:14:39 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 29 08:14:39 2023 UDP link local: (not bound)
Sun Jan 29 08:14:39 2023 UDP link remote: [AF_INET]140.141.196.45:11111

The server output is

root@build1:/etc/openvpn/server# openvpn server_build1.conf 
Sat Jan 28 21:48:58 2023 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Sat Jan 28 21:48:58 2023 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Sat Jan 28 21:48:58 2023 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jan 28 21:48:58 2023 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jan 28 21:48:58 2023 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jan 28 21:48:58 2023 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jan 28 21:48:58 2023 ROUTE_GATEWAY 10.1.2.1/255.255.255.0 IFACE=enp5s0 HWADDR=d8:bb:c1:d9:d3:33
Sat Jan 28 21:48:58 2023 TUN/TAP device tun0 opened
Sat Jan 28 21:48:58 2023 TUN/TAP TX queue length set to 100
Sat Jan 28 21:48:58 2023 /sbin/ip link set dev tun0 up mtu 1500
Sat Jan 28 21:48:58 2023 /sbin/ip addr add dev tun0 local 10.8.1.1 peer 10.8.1.2
Sat Jan 28 21:48:58 2023 /sbin/ip route add 10.8.1.0/24 via 10.8.1.2
Sat Jan 28 21:48:58 2023 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Jan 28 21:48:58 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jan 28 21:48:58 2023 UDPv4 link local (bound): [AF_INET][undef]:11111
Sat Jan 28 21:48:58 2023 UDPv4 link remote: [AF_UNSPEC]
Sat Jan 28 21:48:58 2023 GID set to nogroup
Sat Jan 28 21:48:58 2023 UID set to nobody
Sat Jan 28 21:48:58 2023 MULTI: multi_init called, r=256 v=256
Sat Jan 28 21:48:58 2023 IFCONFIG POOL: base=10.8.1.4 size=62, ipv6=0
Sat Jan 28 21:48:58 2023 IFCONFIG POOL LIST
Sat Jan 28 21:48:58 2023 Initialization Sequence Completed

The laptop_client.conf file contains the following (I removed what I thought should be removed)

client
dev tun
proto udp
remote REDACTED 11111
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
key-direction 1
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .
<ca>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        REDACTED
...
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
REDACTED
-----END OpenVPN Static key V1-----
</tls-crypt>

and the server_build1.conf file is

port 11111
proto udp
dev tun
ca ca.crt
cert server_build1.crt
key server_build1.key  # This file should be kept secret
dh none
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.1.2.0 255.255.255.0"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1

In case it is relevant, the server firewall appears to be running

root@build1:/etc/openvpn/server# ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
11111/udp                  ALLOW       Anywhere                  
5900/tcp                   ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
11111/udp (v6)             ALLOW       Anywhere (v6)             
5900/tcp (v6)              ALLOW       Anywhere (v6) 

Answer 1

This answer is unlikely to help anyone else, but the problem was related to my using no-ip.com to give me a domain name that follows my dynamic IP. I had changed the account password because I had forgotten it, but then forgot that my router needs that password to talk to no-ip. Even after changing the password on no-ip, the IP had not been updated, so I had to click a few buttons on the no-ip website to update it. Then everything started working again!
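As an added example (not code from the question or the answer), a small Python triage of the two logs quoted above: it reads the address the client is actually sending to, checks whether the server ever logged an inbound handshake, and, given the server's current public address, flags the stale dynamic-DNS case the answer describes. The server-side message patterns it matches ("TLS: Initial packet from", "tls-crypt unwrap error") are OpenVPN 2.4 log strings; the log samples are constructed from the lines in the question.

```python
import re
from typing import Iterable, Optional, Tuple

# Sample input constructed from the client log quoted in the question.
CLIENT_LOG = """\
Sun Jan 29 08:12:29 2023 UDP link remote: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:13:29 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 29 08:13:29 2023 TLS Error: TLS handshake failed
Sun Jan 29 08:13:29 2023 SIGUSR1[soft,tls-error] received, process restarting
""".splitlines()
# Sample input constructed from the server log quoted in the question: it
# reaches "Initialization Sequence Completed" and never logs an inbound peer.
SERVER_LOG = """\
Sat Jan 28 21:48:58 2023 UDPv4 link local (bound): [AF_INET][undef]:11111
Sat Jan 28 21:48:58 2023 Initialization Sequence Completed
""".splitlines()

REMOTE_RE = re.compile(r"UDP link remote: \[AF_INET\](\d+\.\d+\.\d+\.\d+):(\d+)")
TLS_TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within \d+ seconds")
# Any of these on the server proves the client's first packet arrived
# ("tls-crypt unwrap error" means it arrived but the ta.key did not match).
SERVER_SAW_CLIENT_RE = re.compile(
    r"TLS: Initial packet from|Peer Connection Initiated|tls-crypt unwrap error|VERIFY")

def client_remote(lines: Iterable[str]) -> Optional[Tuple[str, int]]:
    # The (ip, port) the client is really sending to, taken from its own log.
    for line in lines:
        m = REMOTE_RE.search(line)
        if m:
            return m.group(1), int(m.group(2))
    return None

def client_tls_timeouts(lines: Iterable[str]) -> int:
    return sum(1 for line in lines if TLS_TIMEOUT_RE.search(line))

def server_saw_client(lines: Iterable[str]) -> bool:
    return any(SERVER_SAW_CLIENT_RE.search(line) for line in lines)

def triage(client_lines, server_lines, server_public_ip: Optional[str] = None) -> str:
    # server_public_ip: the address the server has right now (e.g. read off the
    # router); pass it to detect the stale dynamic-DNS case from the answer.
    client_lines, server_lines = list(client_lines), list(server_lines)
    if client_tls_timeouts(client_lines) == 0:
        return "no-tls-timeout"
    if server_saw_client(server_lines):
        return "server-reached"  # packets arrive: suspect keys, tls-crypt, certs, clocks
    remote = client_remote(client_lines)
    if server_public_ip and remote and remote[0] != server_public_ip:
        return "stale-remote-address"  # client targets an IP the server no longer has
    # Nothing arrives at the right address: firewall or NAT port forward. A capture
    # on tun0 sees nothing until the tunnel is up; watch the WAN interface instead.
    return "packets-not-reaching-server"
```

Capturing the handshake itself means filtering on the outer interface (enp5s0 in the question) for udp port 11111, not on tun0.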