Firewall
OpenVPN 伺服器路由/防火牆設置
簡短描述:將 Rasp pi 3 作為客戶端連接到數據中心專用伺服器,以通過 rsync 拉取備份。獲取“錯誤:無法 ioctl TUNSETIFF tun0:設備或資源忙(errno=16)”
Long Desc: 配置後,我一直在嘗試使用我的客戶端連接到伺服器,但我從客戶端得到以下資訊。我想我可能搞砸了在 UFW 中設置 before.rules 的內容。
請注意以下事項:
- 我沒有在伺服器上啟用拓撲
- 我僅將其用於 rsync,沒有網際網路流量等
- 不知道為什麼伺服器嘗試通過 10.255.255.1 路由
- dh /etc/openvpn/dh2048.pem 僅在伺服器上,不在客戶端
Tue May 12 09:54:40 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]Server.IP.address:1194 Tue May 12 09:54:40 2020 Socket Buffers: R=[163840->163840] S=[163840->163840] Tue May 12 09:54:40 2020 UDP link local: (not bound) Tue May 12 09:54:40 2020 UDP link remote: [AF_INET]Server.IP.address:1194 Tue May 12 09:55:40 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Tue May 12 09:55:40 2020 TLS Error: TLS handshake failed
所以我檢查了openvpn.log,它顯示:
Tue May 12 05:40:42 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019 Tue May 12 05:40:42 2020 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08 Tue May 12 05:40:42 2020 Diffie-Hellman initialized with 2048 bit key Tue May 12 05:40:42 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Tue May 12 05:40:42 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Tue May 12 05:40:42 2020 ROUTE_GATEWAY 10.255.255.1 Tue May 12 05:40:42 2020 ERROR: Cannot ioctl TUNSETIFF tun0: Device or resource busy (errno=16) Tue May 12 05:40:42 2020 Exiting due to fatal error
所以這裡是所有的配置數據。
伺服器(注意拓撲沒有啟用,沒想到一定要啟用):
;local a.b.c.d port 1194 proto udp dev tun0 ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/server.key # This file should be kept secret dh /etc/openvpn/dh2048.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /var/log/openvpn/ipp.txt keepalive 10 120 tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret cipher AES-256-CBC user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log log-append /var/log/openvpn/openvpn.log verb 3 explicit-exit-notify 1 ;dev-node MyTap ;topology subnet ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 ;server-bridge ;push "route 192.168.10.0 255.255.255.0" ;push "route 192.168.20.0 255.255.255.0" ;client-config-dir ccd ;route 192.168.40.128 255.255.255.248 ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 ;learn-address ./script ;push "redirect-gateway def1 bypass-dhcp" ;push "dhcp-option DNS 208.67.222.222" ;push "dhcp-option DNS 208.67.220.220" ;client-to-client ;duplicate-cn ;log /var/log/openvpn/openvpn.log ;mute 20 ;compress lz4-v2 ;push "compress lz4-v2" ;comp-lzo ;max-clients 100
客戶:
client dev tun0 proto udp remote server.ip.address 1194 resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/backupclient.crt key /etc/openvpn/keys/backupclient.key remote-cert-tls server tls-auth /etc/openvpn/keys/ta.key 1 cipher AES-256-CBC verb 3 ;dev-node MyTap ;proto tcp ;http-proxy-retry ;http-proxy [proxy server] [proxy port #] ;mute-replay-warnings ;remote my-server-2 1194 ;remote-random ;mute 20
網路統計伺服器:
netstat -uapn | grep openvpn udp 192768 0 0.0.0.0:1194 0.0.0.0:* 27185/openvpn
/etc/default/ufw
DEFAULT_FORWARD_POLICY=”ACCEPT”
/etc/ufw/before.rules
# START OPENVPN RULES # NAT table rules #nat :POSTROUTING ACCEPT [0:0] # Allow traffic from OpenVPN client to eth0 -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE COMMIT # END OPENVPN RULES
ifconfig 顯示我的設備是 eth0,這裡是啟動的 tun0 介面
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2 inet6 fe80::7af3:d22d:86c3:1cd7 prefixlen 64 scopeid 0x20<link> unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 3 bytes 144 (144.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
這是顯示連接嘗試的 openvpn.log 文件,但我無法再次出現(可能是因為 ip 路由更改為 10.8.0.2
Tue May 12 05:24:36 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019 Tue May 12 05:24:36 2020 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08 Tue May 12 05:24:36 2020 Diffie-Hellman initialized with 2048 bit key Tue May 12 05:24:36 2020 ROUTE_GATEWAY 10.255.255.1 Tue May 12 05:24:36 2020 TUN/TAP device tun0 opened Tue May 12 05:24:36 2020 TUN/TAP TX queue length set to 100 Tue May 12 05:24:36 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0 Tue May 12 05:24:36 2020 /sbin/ip link set dev tun0 up mtu 1500 Tue May 12 05:24:36 2020 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2 Tue May 12 05:24:36 2020 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2 Tue May 12 05:24:36 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET Tue May 12 05:24:36 2020 Socket Buffers: R=[212992->212992] S=[212992->212992] Tue May 12 05:24:36 2020 UDPv4 link local (bound): [AF_INET][undef]:1194 Tue May 12 05:24:36 2020 UDPv4 link remote: [AF_UNSPEC] Tue May 12 05:24:36 2020 GID set to nogroup Tue May 12 05:24:36 2020 UID set to nobody Tue May 12 05:24:36 2020 MULTI: multi_init called, r=256 v=256 Tue May 12 05:24:36 2020 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0 Tue May 12 05:24:36 2020 IFCONFIG POOL LIST Tue May 12 05:24:38 2020 Client.Ip.Address:42834 TLS: Initial packet from [AF_INET]Client.Ip.Address:42834, sid=3a994a10 3f4eea3d Tue May 12 05:24:38 2020 Client.Ip.Address:42834 TLS Error: reading acknowledgement record from packet Tue May 12 05:24:48 2020 Client.Ip.Address:53172 TLS: Initial packet from [AF_INET]Client.Ip.Address:53172, sid=9af273bb 28096ff1 Tue May 12 05:24:48 2020 Client.Ip.Address:53172 TLS Error: reading acknowledgement record from packet Tue May 12 05:24:49 2020 Client.Ip.Address:46930 TLS: Initial packet from [AF_INET]Client.Ip.Address:46930, sid=26c7325a 33df4e52 Tue May 12 05:24:49 2020 Client.Ip.Address:46930 VERIFY OK: depth=1, C=US, ST=WA, L=City, O=CompanyName, OU=Developer, CN=DS CA, name=EasyRSA, emailAddress=CompanyName@gmail.com Tue May 12 05:24:49 2020 Client.Ip.Address:46930 VERIFY OK: depth=0, C=US, ST=WA, L=City, O=CompanyName, OU=Developer, CN=backupclient, name=EasyRSA, emailAddress=CompanyName@gmail.com Tue May 12 05:24:49 2020 Client.Ip.Address:46930 peer info: IV_VER=2.4.4 Tue May 12 05:24:49 2020 Client.Ip.Address:46930 peer info: IV_PLAT=linux Tue May 12 05:24:49 2020 Client.Ip.Address:46930 peer info: IV_PROTO=2 Tue May 12 05:24:49 2020 Client.Ip.Address:46930 peer info: IV_NCP=2 Tue May 12 05:24:49 2020 Client.Ip.Address:46930 peer info: IV_LZ4=1 Tue May 12 05:24:49 2020 Client.Ip.Address:46930 peer info: IV_LZ4v2=1 Tue May 12 05:24:49 2020 Client.Ip.Address:46930 peer info: IV_LZO=1 Tue May 12 05:24:49 2020 Client.Ip.Address:46930 peer info: IV_COMP_STUB=1 Tue May 12 05:24:49 2020 Client.Ip.Address:46930 peer info: IV_COMP_STUBv2=1 Tue May 12 05:24:49 2020 Client.Ip.Address:46930 peer info: IV_TCPNL=1 Tue May 12 05:24:50 2020 Client.Ip.Address:46930 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA Tue May 12 05:24:50 2020 Client.Ip.Address:46930 [backupclient] Peer Connection Initiated with [AF_INET]Client.Ip.Address:46930 Tue May 12 05:24:50 2020 backupclient/Client.Ip.Address:46930 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled) Tue May 12 05:24:50 2020 backupclient/Client.Ip.Address:46930 MULTI: Learn: 10.8.0.6 -> backupclient/Client.Ip.Address:46930 Tue May 12 05:24:50 2020 backupclient/Client.Ip.Address:46930 MULTI: primary virtual IP for backupclient/Client.Ip.Address:46930: 10.8.0.6 Tue May 12 05:24:50 2020 Client.Ip.Address:53172 TLS Error: reading acknowledgement record from packet Tue May 12 05:24:51 2020 backupclient/Client.Ip.Address:46930 PUSH: Received control message: 'PUSH_REQUEST' Tue May 12 05:24:51 2020 backupclient/Client.Ip.Address:46930 SENT CONTROL [backupclient]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 2,cipher AES-256-GCM' (status=1) Tue May 12 05:24:51 2020 backupclient/Client.Ip.Address:46930 Data Channel: using negotiated cipher 'AES-256-GCM' Tue May 12 05:24:51 2020 backupclient/Client.Ip.Address:46930 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Tue May 12 05:24:51 2020 backupclient/Client.Ip.Address:46930 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Tue May 12 05:24:54 2020 Client.Ip.Address:42834 TLS Error: reading acknowledgement record from packet Tue May 12 05:24:54 2020 Client.Ip.Address:53172 TLS Error: reading acknowledgement record from packet
為什麼你有
dev tun0
而不是dev tun
(或什dev tun_a
至或其他)。我認為您應該避免明確使用列舉名稱。該錯誤似乎表明您已經有了一些tun0
。