OpenVPN TLS key negotiation failed

I set up an OpenVPN server and client a while ago, and last month it worked perfectly.

But now, without having changed any configuration, I can no longer connect to the server.

Here is the client log (Win7):

Mon Feb 18 08:26:06 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Feb 18 08:26:06 2013 Re-using SSL/TLS context
Mon Feb 18 08:26:06 2013 LZO compression initialized
Mon Feb 18 08:26:06 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Feb 18 08:26:06 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Feb 18 08:26:06 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 18 08:26:06 2013 Local Options hash (VER=V4): '41690919'
Mon Feb 18 08:26:06 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Feb 18 08:26:06 2013 UDPv4 link local: [undef]
Mon Feb 18 08:26:06 2013 UDPv4 link remote: 106.187.96.123:1194
Mon Feb 18 08:27:06 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb 18 08:27:06 2013 TLS Error: TLS handshake failed
Mon Feb 18 08:27:06 2013 TCP/UDP: Closing socket
Mon Feb 18 08:27:06 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Feb 18 08:27:06 2013 Restart pause, 2 second(s)
Mon Feb 18 08:27:08 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Feb 18 08:27:08 2013 Re-using SSL/TLS context
Mon Feb 18 08:27:08 2013 LZO compression initialized
Mon Feb 18 08:27:08 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Feb 18 08:27:08 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Feb 18 08:27:08 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 18 08:27:08 2013 Local Options hash (VER=V4): '41690919'
Mon Feb 18 08:27:08 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Feb 18 08:27:08 2013 UDPv4 link local: [undef]
Mon Feb 18 08:27:08 2013 UDPv4 link remote: 106.187.96.123:1194
Mon Feb 18 08:28:08 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb 18 08:28:08 2013 TLS Error: TLS handshake failed
Mon Feb 18 08:28:08 2013 TCP/UDP: Closing socket
Mon Feb 18 08:28:08 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Feb 18 08:28:08 2013 Restart pause, 2 second(s)
Mon Feb 18 08:28:10 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Feb 18 08:28:10 2013 Re-using SSL/TLS context
Mon Feb 18 08:28:10 2013 LZO compression initialized
Mon Feb 18 08:28:10 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Feb 18 08:28:10 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Feb 18 08:28:10 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 18 08:28:10 2013 Local Options hash (VER=V4): '41690919'
Mon Feb 18 08:28:10 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Feb 18 08:28:10 2013 UDPv4 link local: [undef]
Mon Feb 18 08:28:10 2013 UDPv4 link remote: 106.187.96.123:1194

Here is the server side:

Mon Feb 18 00:43:19 2013 114.249.236.187:26913 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Feb 18 00:43:21 2013 MULTI: multi_create_instance called
Mon Feb 18 00:43:21 2013 114.249.236.187:26854 Re-using SSL/TLS context
Mon Feb 18 00:43:21 2013 114.249.236.187:26854 LZO compression initialized
Mon Feb 18 00:43:21 2013 114.249.236.187:26854 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Feb 18 00:43:21 2013 114.249.236.187:26854 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 18 00:43:21 2013 114.249.236.187:26854 Local Options hash (VER=V4): '530fdded'
Mon Feb 18 00:43:21 2013 114.249.236.187:26854 Expected Remote Options hash (VER=V4): '41690919'
Mon Feb 18 00:43:21 2013 114.249.236.187:26854 TLS: Initial packet from 114.249.236.187:26854, sid=d04721a3 d361dccf
Mon Feb 18 00:44:21 2013 114.249.236.187:26854 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb 18 00:44:21 2013 114.249.236.187:26854 TLS Error: TLS handshake failed
Mon Feb 18 00:44:21 2013 114.249.236.187:26854 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Feb 18 00:44:23 2013 MULTI: multi_create_instance called
Mon Feb 18 00:44:23 2013 114.249.236.187:26855 Re-using SSL/TLS context
Mon Feb 18 00:44:23 2013 114.249.236.187:26855 LZO compression initialized
Mon Feb 18 00:44:23 2013 114.249.236.187:26855 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Feb 18 00:44:23 2013 114.249.236.187:26855 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 18 00:44:23 2013 114.249.236.187:26855 Local Options hash (VER=V4): '530fdded'
Mon Feb 18 00:44:23 2013 114.249.236.187:26855 Expected Remote Options hash (VER=V4): '41690919'
Mon Feb 18 00:44:23 2013 114.249.236.187:26855 TLS: Initial packet from 114.249.236.187:26855, sid=d46a451d f7d88d11
Mon Feb 18 00:45:23 2013 114.249.236.187:26855 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb 18 00:45:23 2013 114.249.236.187:26855 TLS Error: TLS handshake failed
Mon Feb 18 00:45:23 2013 114.249.236.187:26855 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Feb 18 00:45:25 2013 MULTI: multi_create_instance called
Mon Feb 18 00:45:25 2013 114.249.236.187:26925 Re-using SSL/TLS context
Mon Feb 18 00:45:25 2013 114.249.236.187:26925 LZO compression initialized
Mon Feb 18 00:45:25 2013 114.249.236.187:26925 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Feb 18 00:45:25 2013 114.249.236.187:26925 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 18 00:45:25 2013 114.249.236.187:26925 Local Options hash (VER=V4): '530fdded'
Mon Feb 18 00:45:25 2013 114.249.236.187:26925 Expected Remote Options hash (VER=V4): '41690919'
Mon Feb 18 00:45:25 2013 114.249.236.187:26925 TLS: Initial packet from 114.249.236.187:26925, sid=34f4dc94 f7092f67
Mon Feb 18 00:46:25 2013 114.249.236.187:26925 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb 18 00:46:25 2013 114.249.236.187:26925 TLS Error: TLS handshake failed
Mon Feb 18 00:46:25 2013 114.249.236.187:26925 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Feb 18 00:46:27 2013 MULTI: multi_create_instance called
Mon Feb 18 00:46:27 2013 114.249.236.187:26926 Re-using SSL/TLS context
Mon Feb 18 00:46:27 2013 114.249.236.187:26926 LZO compression initialized
Mon Feb 18 00:46:27 2013 114.249.236.187:26926 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Feb 18 00:46:27 2013 114.249.236.187:26926 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 18 00:46:27 2013 114.249.236.187:26926 Local Options hash (VER=V4): '530fdded'
Mon Feb 18 00:46:27 2013 114.249.236.187:26926 Expected Remote Options hash (VER=V4): '41690919'
Mon Feb 18 00:46:27 2013 114.249.236.187:26926 TLS: Initial packet from 114.249.236.187:26926, sid=3dfa89e1 b1ff7f3a
^C
[root@li460-123 openvpn]# 

Can anyone help?

Answer 1

From your logs, it looks like you are making an OpenVPN connection from China (114.249.236.187) to Japan (106.187.96.123). China has been actively blocking OpenVPN connections since November, and much of it appears to be based on protocol sniffing. In other words, they see packets carrying the OpenVPN signature pass through the Great Firewall, and then filter or alter the remaining packets to break the connection. This typically shows up as a timeout in the TLS negotiation sequence.

In short, you haven't broken anything; China has.

You could try changing your OpenVPN server to communicate over TCP instead of UDP, or to use a different port. However, I have seen reports that any change made to evade detection has quickly been countered.
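
The diagnosis above rests on two things that are visible in the posted logs: both peers print matching options hashes (the client's Local hash 41690919 is exactly the server's Expected Remote hash, and vice versa for 530fdded, so neither side's configuration drifted), and the server does log "TLS: Initial packet from 114.249.236.187", so the client's first control packet reaches it, yet neither side ever gets past the 60-second key negotiation timeout. The following Python script is an added example, not code from the original post or from the OpenVPN project; it encodes that reasoning as a log check. The embedded log excerpts are trimmed copies of the logs posted above, the message patterns it matches are standard OpenVPN 2.x log lines, and the verdict labels are my own naming:

```python
import re

# Constructed sample input: trimmed excerpts of the client (Win7) and server
# logs from the question, with the same addresses, hashes and messages.
CLIENT_LOG = """\
Mon Feb 18 08:26:06 2013 Local Options hash (VER=V4): '41690919'
Mon Feb 18 08:26:06 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Feb 18 08:26:06 2013 UDPv4 link remote: 106.187.96.123:1194
Mon Feb 18 08:27:06 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb 18 08:27:06 2013 TLS Error: TLS handshake failed
Mon Feb 18 08:27:08 2013 Local Options hash (VER=V4): '41690919'
Mon Feb 18 08:27:08 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Feb 18 08:27:08 2013 UDPv4 link remote: 106.187.96.123:1194
Mon Feb 18 08:28:08 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb 18 08:28:08 2013 TLS Error: TLS handshake failed
"""

SERVER_LOG = """\
Mon Feb 18 00:43:21 2013 114.249.236.187:26854 Local Options hash (VER=V4): '530fdded'
Mon Feb 18 00:43:21 2013 114.249.236.187:26854 Expected Remote Options hash (VER=V4): '41690919'
Mon Feb 18 00:43:21 2013 114.249.236.187:26854 TLS: Initial packet from 114.249.236.187:26854, sid=d04721a3 d361dccf
Mon Feb 18 00:44:21 2013 114.249.236.187:26854 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb 18 00:44:23 2013 114.249.236.187:26855 Local Options hash (VER=V4): '530fdded'
Mon Feb 18 00:44:23 2013 114.249.236.187:26855 Expected Remote Options hash (VER=V4): '41690919'
Mon Feb 18 00:44:23 2013 114.249.236.187:26855 TLS: Initial packet from 114.249.236.187:26855, sid=d46a451d f7d88d11
Mon Feb 18 00:45:23 2013 114.249.236.187:26855 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# Standard OpenVPN 2.x log lines; the hash value is printed in single quotes.
HASH_RE = re.compile(r"(Local|Expected Remote) Options hash \(VER=V\d+\): '([0-9a-f]+)'")
INITIAL_RE = re.compile(r"TLS: Initial packet from (\d+(?:\.\d+){3}):(\d+)")
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within \d+ seconds")
COMPLETED_RE = re.compile(r"Initialization Sequence Completed")


def options_hashes(log):
    """Collect the 'Local' and 'Expected Remote' options hashes printed in a log.

    OpenVPN hashes the options both peers must agree on (proto, cipher,
    comp-lzo, dev type, ...) and prints its own hash plus the one it expects
    from the peer before every handshake attempt."""
    hashes = {"local": set(), "expected": set()}
    for kind, value in HASH_RE.findall(log):
        hashes["local" if kind == "Local" else "expected"].add(value)
    return hashes


def options_consistent(client_log, server_log):
    """True when each side's Local hash is exactly what the other side expects.

    A config change on either peer (the usual suspect behind 'I changed
    nothing') shows up here as a mismatch; a match rules it out."""
    c, s = options_hashes(client_log), options_hashes(server_log)
    return (bool(c["local"]) and bool(s["local"])
            and c["local"] == s["expected"] and s["local"] == c["expected"])


def initial_packets(server_log):
    """(ip, port) of every client hello the server acknowledged receiving."""
    return [(ip, int(port)) for ip, port in INITIAL_RE.findall(server_log)]


def timeouts(log):
    """Number of 60-second key negotiation timeouts recorded in a log."""
    return len(TIMEOUT_RE.findall(log))


def diagnose(client_log, server_log):
    """Classify a failing OpenVPN TLS handshake from the two peers' logs."""
    report = {
        "options_consistent": options_consistent(client_log, server_log),
        "client_timeouts": timeouts(client_log),
        "server_timeouts": timeouts(server_log),
        "server_saw_initial": initial_packets(server_log),
        "completed": bool(COMPLETED_RE.search(client_log)),
    }
    if report["completed"]:
        report["verdict"] = "handshake_completed"
    elif not report["options_consistent"]:
        report["verdict"] = "options_mismatch"  # config drift, not the network
    elif report["server_saw_initial"] and report["server_timeouts"]:
        # The small first control packet crosses the path client->server, yet
        # neither side ever finishes the TLS exchange. That is the signature the
        # answer above describes (the flow is cut once identified as OpenVPN).
        # A path that cannot carry the larger certificate packets (MTU or
        # fragmentation trouble) looks identical, so rule that out next.
        report["verdict"] = "stalled_after_initial_packet"
    elif report["client_timeouts"] and not report["server_saw_initial"]:
        # Nothing from the client arrives: port blocked, wrong remote/port, NAT.
        report["verdict"] = "no_packets_reached_server"
    else:
        report["verdict"] = "inconclusive"
    return report


if __name__ == "__main__":
    for key, value in diagnose(CLIENT_LOG, SERVER_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full pair of logs before blaming the network: a `stalled_after_initial_packet` verdict with consistent hashes is the pattern in this question, while an `options_mismatch` verdict means something on one side did change. Because the first control packet is tiny and the later ones carry certificates, lowering the tunnel MTU on the client (for example with `--mssfix` or `--fragment`) is the cheap test that separates in-path filtering from a fragmentation problem, which this check cannot tell apart from the logs alone.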

Answer 2

I am from Iran, and the problem is that both China and Iran analyze packets on every port. When they detect that TLS wants to establish an OpenVPN connection, it is automatically broken. I have set up OpenVPN on TCP port 80, and it only works on iPhone and iPad. That is the key point: iPhone and iPad do not use TLS for authentication, they use SSL. We should force the clients on Windows and Mac to use SSL instead of TLS to solve this; then it would be much harder for them to block it. Does anyone know how this can be done?

Best wishes to free people everywhere :)
