Linux

TLS error on OpenVPN

  • July 22, 2014

Client: OpenVPN 2.3.4 64-bit (connecting to my pfSense at home works fine). Server: OpenVPN 2.2.2 installed via yum.

Followed this guide: http://blog.solidshellsecurity.com/2013/01/15/openvpn-installation-configuration-setup-centos-5-6-32-64bit-openvz-xen-kvm/

Server log:

tail -f /var/log/openvpn.log

Tue Jul 22 15:22:20 2014 us=550107 MULTI: multi_create_instance called
Tue Jul 22 15:22:20 2014 us=550157 MEIP:7969 Re-using SSL/TLS context
Tue Jul 22 15:22:20 2014 us=550170 MEIP:7969 LZO compression initialized
Tue Jul 22 15:22:20 2014 us=550208 MEIP:7969 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 22 15:22:20 2014 us=550216 MEIP:7969 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jul 22 15:22:20 2014 us=550234 MEIP:7969 Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul 22 15:22:20 2014 us=550239 MEIP:7969 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul 22 15:22:20 2014 us=550248 MEIP:7969 Local Options hash (VER=V4): '5b1533a2'
Tue Jul 22 15:22:20 2014 us=550255 MEIP:7969 Expected Remote Options hash (VER=V4): 'd3a7571a'
Tue Jul 22 15:22:20 2014 us=550271 MEIP:7969 TLS: Initial packet from MEIP:7969, sid=0dfede6a 99560dda
Tue Jul 22 15:23:20 2014 us=508541 MEIP:7969 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 22 15:23:20 2014 us=508582 MEIP:7969 TLS Error: TLS handshake failed
Tue Jul 22 15:23:20 2014 us=508632 MEIP:7969 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Jul 22 15:23:22 2014 us=455521 MULTI: multi_create_instance called
Tue Jul 22 15:23:22 2014 us=455569 MEIP:24021 Re-using SSL/TLS context
Tue Jul 22 15:23:22 2014 us=455581 MEIP:24021 LZO compression initialized
Tue Jul 22 15:23:22 2014 us=455618 MEIP:24021 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 22 15:23:22 2014 us=455626 MEIP:24021 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jul 22 15:23:22 2014 us=455644 MEIP:24021 Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul 22 15:23:22 2014 us=455649 MEIP:24021 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul 22 15:23:22 2014 us=455659 MEIP:24021 Local Options hash (VER=V4): '5b1533a2'
Tue Jul 22 15:23:22 2014 us=455666 MEIP:24021 Expected Remote Options hash (VER=V4): 'd3a7571a'
Tue Jul 22 15:23:22 2014 us=455681 MEIP:24021 TLS: Initial packet from MEIP:24021, sid=dd084ab8 21aa78a2
Tue Jul 22 15:24:22 2014 us=804481 MEIP:24021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 22 15:24:22 2014 us=804522 MEIP:24021 TLS Error: TLS handshake failed
Tue Jul 22 15:24:22 2014 us=804571 MEIP:24021 SIGUSR1[soft,tls-error] received, client-instance restarting

Client log:

Tue Jul 22 15:50:53 2014   pkcs11_protected_authentication = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_protected_authentication = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_protected_authentication = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_protected_authentication = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014   pkcs11_pin_cache_period = -1
Tue Jul 22 15:50:53 2014   pkcs11_id = '[UNDEF]'
Tue Jul 22 15:50:53 2014   pkcs11_id_management = DISABLED
Tue Jul 22 15:50:53 2014   server_network = 0.0.0.0
Tue Jul 22 15:50:53 2014   server_netmask = 0.0.0.0
Tue Jul 22 15:50:53 2014   server_network_ipv6 = ::
Tue Jul 22 15:50:53 2014   server_netbits_ipv6 = 0
Tue Jul 22 15:50:53 2014   server_bridge_ip = 0.0.0.0
Tue Jul 22 15:50:53 2014   server_bridge_netmask = 0.0.0.0
Tue Jul 22 15:50:53 2014   server_bridge_pool_start = 0.0.0.0
Tue Jul 22 15:50:53 2014   server_bridge_pool_end = 0.0.0.0
Tue Jul 22 15:50:53 2014   ifconfig_pool_defined = DISABLED
Tue Jul 22 15:50:53 2014   ifconfig_pool_start = 0.0.0.0
Tue Jul 22 15:50:53 2014   ifconfig_pool_end = 0.0.0.0
Tue Jul 22 15:50:53 2014   ifconfig_pool_netmask = 0.0.0.0
Tue Jul 22 15:50:53 2014   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Jul 22 15:50:53 2014   ifconfig_pool_persist_refresh_freq = 600
Tue Jul 22 15:50:53 2014   ifconfig_ipv6_pool_defined = DISABLED
Tue Jul 22 15:50:53 2014   ifconfig_ipv6_pool_base = ::
Tue Jul 22 15:50:53 2014   ifconfig_ipv6_pool_netbits = 0
Tue Jul 22 15:50:53 2014   n_bcast_buf = 256
Tue Jul 22 15:50:53 2014   tcp_queue_limit = 64
Tue Jul 22 15:50:53 2014   real_hash_size = 256
Tue Jul 22 15:50:53 2014   virtual_hash_size = 256
Tue Jul 22 15:50:53 2014   client_connect_script = '[UNDEF]'
Tue Jul 22 15:50:53 2014   learn_address_script = '[UNDEF]'
Tue Jul 22 15:50:53 2014   client_disconnect_script = '[UNDEF]'
Tue Jul 22 15:50:53 2014   client_config_dir = '[UNDEF]'
Tue Jul 22 15:50:53 2014   ccd_exclusive = DISABLED
Tue Jul 22 15:50:53 2014   tmp_dir = 'C:\Users\me\AppData\Local\Temp\'
Tue Jul 22 15:50:53 2014   push_ifconfig_defined = DISABLED
Tue Jul 22 15:50:53 2014   push_ifconfig_local = 0.0.0.0
Tue Jul 22 15:50:53 2014   push_ifconfig_remote_netmask = 0.0.0.0
Tue Jul 22 15:50:53 2014   push_ifconfig_ipv6_defined = DISABLED
Tue Jul 22 15:50:53 2014   push_ifconfig_ipv6_local = ::/0
Tue Jul 22 15:50:53 2014   push_ifconfig_ipv6_remote = ::
Tue Jul 22 15:50:53 2014   enable_c2c = DISABLED
Tue Jul 22 15:50:53 2014   duplicate_cn = DISABLED
Tue Jul 22 15:50:53 2014   cf_max = 0
Tue Jul 22 15:50:53 2014   cf_per = 0
Tue Jul 22 15:50:53 2014   max_clients = 1024
Tue Jul 22 15:50:53 2014   max_routes_per_client = 256
Tue Jul 22 15:50:53 2014   auth_user_pass_verify_script = '[UNDEF]'
Tue Jul 22 15:50:53 2014   auth_user_pass_verify_script_via_file = DISABLED
Tue Jul 22 15:50:53 2014   client = ENABLED
Tue Jul 22 15:50:53 2014   pull = ENABLED
Tue Jul 22 15:50:53 2014   auth_user_pass_file = 'stdin'
Tue Jul 22 15:50:53 2014   show_net_up = DISABLED
Tue Jul 22 15:50:53 2014   route_method = 0
Tue Jul 22 15:50:53 2014   ip_win32_defined = DISABLED
Tue Jul 22 15:50:53 2014   ip_win32_type = 3
Tue Jul 22 15:50:53 2014   dhcp_masq_offset = 0
Tue Jul 22 15:50:53 2014   dhcp_lease_time = 31536000
Tue Jul 22 15:50:53 2014   tap_sleep = 0
Tue Jul 22 15:50:53 2014   dhcp_options = DISABLED
Tue Jul 22 15:50:53 2014   dhcp_renew = DISABLED
Tue Jul 22 15:50:53 2014   dhcp_pre_release = DISABLED
Tue Jul 22 15:50:53 2014   dhcp_release = DISABLED
Tue Jul 22 15:50:53 2014   domain = '[UNDEF]'
Tue Jul 22 15:50:53 2014   netbios_scope = '[UNDEF]'
Tue Jul 22 15:50:53 2014   netbios_node_type = 0
Tue Jul 22 15:50:53 2014   disable_nbt = DISABLED
Tue Jul 22 15:50:53 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  5 2014
Tue Jul 22 15:50:53 2014 library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.05
Tue Jul 22 15:50:53 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Tue Jul 22 15:50:53 2014 Need hold release from management interface, waiting...
Tue Jul 22 15:50:53 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Tue Jul 22 15:50:54 2014 MANAGEMENT: CMD 'state on'
Tue Jul 22 15:50:54 2014 MANAGEMENT: CMD 'log all on'
Tue Jul 22 15:50:54 2014 MANAGEMENT: CMD 'hold off'
Tue Jul 22 15:50:54 2014 MANAGEMENT: CMD 'hold release'
Tue Jul 22 15:51:02 2014 MANAGEMENT: CMD 'username "Auth" "devvpn"'
Tue Jul 22 15:51:02 2014 MANAGEMENT: CMD 'password [...]'
Tue Jul 22 15:51:02 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 22 15:51:02 2014 LZO compression initialized
Tue Jul 22 15:51:02 2014 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 22 15:51:02 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 22 15:51:02 2014 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jul 22 15:51:02 2014 Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul 22 15:51:02 2014 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul 22 15:51:02 2014 Local Options hash (VER=V4): 'd3a7571a'
Tue Jul 22 15:51:02 2014 Expected Remote Options hash (VER=V4): '5b1533a2'
Tue Jul 22 15:51:02 2014 UDPv4 link local: [undef]
Tue Jul 22 15:51:02 2014 UDPv4 link remote: [AF_INET]108.61.141.195:1194
Tue Jul 22 15:51:02 2014 MANAGEMENT: >STATE:1406058662,WAIT,,,
Tue Jul 22 15:52:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 22 15:52:02 2014 TLS Error: TLS handshake failed
Tue Jul 22 15:52:02 2014 TCP/UDP: Closing socket
Tue Jul 22 15:52:02 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 22 15:52:02 2014 MANAGEMENT: >STATE:1406058722,RECONNECTING,tls-error,,
Tue Jul 22 15:52:02 2014 Restart pause, 2 second(s)
Tue Jul 22 15:52:04 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 22 15:52:04 2014 Re-using SSL/TLS context
Tue Jul 22 15:52:04 2014 LZO compression initialized
Tue Jul 22 15:52:04 2014 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 22 15:52:04 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 22 15:52:04 2014 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jul 22 15:52:04 2014 Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul 22 15:52:04 2014 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul 22 15:52:04 2014 Local Options hash (VER=V4): 'd3a7571a'
Tue Jul 22 15:52:04 2014 Expected Remote Options hash (VER=V4): '5b1533a2'
Tue Jul 22 15:52:04 2014 UDPv4 link local: [undef]
Tue Jul 22 15:52:04 2014 UDPv4 link remote: [AF_INET]108.61.141.195:1194
Tue Jul 22 15:52:04 2014 MANAGEMENT: >STATE:1406058724,WAIT,,,

Server config file:

port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 4
log-append /var/log/openvpn.log

Client config file:

client
dev tun
proto udp
remote SERVERIP 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

I also ran service iptables stop to make sure nothing was blocking.

Ideas?
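The two config files above carry several settings worth catching before the connectivity problem is even looked at: client-cert-not-required (password-only authentication), dh1024.pem, the implicit BF-CBC/SHA1 defaults that appear as "cipher BF-CBC,auth SHA1" in both option strings, no tls-auth, and on the client no remote-cert-tls server, which is exactly what the "No server certificate verification method has been enabled" warning in the client log is about. The following audit is an added example, not code from the original post or from the OpenVPN project. The two sample configs are constructed copies of the files above; the hardened pair and the file names ta.key, client.crt and client.key are assumptions (the key would come from openvpn --genkey --secret, the client certificate from easy-rsa).

```python
"""Audit OpenVPN 2.2/2.3 server and client configs for the weak settings visible
in the files above, and check that the two sides agree. Added example: not code
from the original post or from the OpenVPN project."""
import re

# Constructed sample configs, modelled on the server and client files posted above.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
keepalive 5 30
comp-lzo
"""
CLIENT_CONF = """\
client
dev tun
proto udp
remote SERVERIP 1194
nobind
ca ca.crt
auth-user-pass
comp-lzo
"""
# The same pair with every finding below addressed (constructed; ta.key, client.crt and
# client.key are assumed to exist, from openvpn --genkey --secret and easy-rsa build-key).
HARDENED_SERVER = SERVER_CONF.replace("dh1024.pem", "dh2048.pem").replace(
    "client-cert-not-required\n", "") + "tls-auth /etc/openvpn/ta.key 0\ncipher AES-256-CBC\nauth SHA256\n"
HARDENED_CLIENT = CLIENT_CONF + ("cert client.crt\nkey client.key\nremote-cert-tls server\n"
                                 "tls-auth ta.key 1\ncipher AES-256-CBC\nauth SHA256\n")

# What 2.2/2.3 use when the directive is absent; both logs above show exactly
# 'cipher BF-CBC,auth SHA1' in their Local Options String.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1", "proto": "udp", "dev": "tun"}


def parse_conf(text):
    """Map directive -> list of argument lists ('#' comments and blank lines dropped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf


def audit_server(conf):
    """(directive, problem, fix) triples for the server side."""
    f = []
    if "client-cert-not-required" in conf:
        f.append(("client-cert-not-required",
                  "clients are authenticated by username/password only; no client certificate is checked",
                  "drop it and issue one certificate per client (easy-rsa build-key)"))
    for args in conf.get("dh", []):
        bits = re.search(r"dh(\d+)", args[0]) if args else None
        if bits and int(bits.group(1)) < 2048:
            f.append(("dh", "%s-bit DH parameters" % bits.group(1),
                      "openssl dhparam -out dh2048.pem 2048 and point dh at it"))
    if "cipher" not in conf:
        f.append(("cipher", "default BF-CBC, a 64-bit block cipher", "cipher AES-256-CBC on both sides"))
    if "auth" not in conf:
        f.append(("auth", "default HMAC-SHA1", "auth SHA256 on both sides"))
    if "tls-auth" not in conf:
        f.append(("tls-auth", "anyone who can reach UDP/1194 can start a TLS handshake with the server",
                  "openvpn --genkey --secret ta.key; tls-auth ta.key 0 (server) and 1 (client)"))
    return f


def audit_client(conf):
    """(directive, problem, fix) triples for the client side."""
    f = []
    if "remote-cert-tls" not in conf and "ns-cert-type" not in conf:
        f.append(("remote-cert-tls",
                  "no server certificate verification (the MITM warning in the client log above): "
                  "any certificate signed by ca.crt is accepted as the server",
                  "remote-cert-tls server"))
    if "tls-auth" not in conf:
        f.append(("tls-auth", "control channel carries no HMAC key", "tls-auth ta.key 1"))
    return f


def mismatches(server, client):
    """Directives whose effective values differ between the two sides. OpenVPN logs these as
    'WARNING: ... is used inconsistently'; a cipher or auth mismatch breaks the data channel."""
    out = []
    for name in ("proto", "dev", "cipher", "auth", "comp-lzo"):
        s = server.get(name, [[DEFAULTS[name]]] if name in DEFAULTS else None)
        c = client.get(name, [[DEFAULTS[name]]] if name in DEFAULTS else None)
        if s != c:
            out.append((name, s, c))
    return out


if __name__ == "__main__":
    s, c = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    for finding in audit_server(s) + audit_client(c) + mismatches(s, c):
        print(finding)
```

Run against the posted pair it reports five server findings and two client findings and no cross-side mismatch, which matches the logs: the option strings on both sides agree, so the handshake timeout is not a config inconsistency. Run against the hardened pair it reports nothing.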

The problem was that you have to point at the server's main IP. I had missed that. I thought I had the main IP in the client config file. After setting it to the main one, I was able to connect.
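Triage logic for the pattern in these two logs and for the resolution in the answer, as an added example (not code from the original post or from the OpenVPN project). The log excerpts are constructed from the logs above; the 203.0.113.x addresses, the host address list (primary first) and the set of server directives are constructed for the example. The explanation encoded in reply_source_risk, that a UDP server bound to every address replies from the host's primary address unless multihome is set and that a client without --float drops packets from a source other than its remote, is an assumption made here that fits the answer, not something the post states.

```python
"""Triage an OpenVPN TLS-handshake timeout from the server and client logs, along the
lines of the failure above and the answer's resolution. Added example: not code from
the original post or from the OpenVPN project."""
import re

# Constructed log excerpts modelled on the verb-4 server log and verb-3 client log above.
# 203.0.113.10/.20 are documentation addresses standing in for the server host's
# primary and secondary address; MEIP stands in for the client's address as in the post.
SERVER_LOG = """\
Tue Jul 22 15:22:20 2014 us=550248 MEIP:7969 Local Options hash (VER=V4): '5b1533a2'
Tue Jul 22 15:22:20 2014 us=550255 MEIP:7969 Expected Remote Options hash (VER=V4): 'd3a7571a'
Tue Jul 22 15:22:20 2014 us=550271 MEIP:7969 TLS: Initial packet from MEIP:7969, sid=0dfede6a 99560dda
Tue Jul 22 15:23:20 2014 us=508541 MEIP:7969 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 22 15:23:20 2014 us=508582 MEIP:7969 TLS Error: TLS handshake failed
"""
CLIENT_LOG = """\
Tue Jul 22 15:51:02 2014 Local Options hash (VER=V4): 'd3a7571a'
Tue Jul 22 15:51:02 2014 Expected Remote Options hash (VER=V4): '5b1533a2'
Tue Jul 22 15:51:02 2014 UDPv4 link remote: [AF_INET]203.0.113.20:1194
Tue Jul 22 15:52:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 22 15:52:02 2014 TLS Error: TLS handshake failed
"""
# Assumed (constructed) facts about the server host: its addresses, primary first,
# and the directive names in the server config above (no 'local', no 'multihome').
HOST_ADDRS = ["203.0.113.10", "203.0.113.20"]
SERVER_DIRECTIVES = {"port", "proto", "dev", "server", "client-cert-not-required", "comp-lzo", "keepalive"}

HASH_RE = re.compile(r"(Local|Expected Remote) Options hash \(VER=V\d\): '([0-9a-f]+)'")
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\]([0-9a-fA-F.:]+):(\d+)")


def options_hashes(log):
    """{'local': hash, 'expected': hash} from the last options-hash lines in a log."""
    found = {}
    for m in HASH_RE.finditer(log):
        found["local" if m.group(1) == "Local" else "expected"] = m.group(2)
    return found


def options_compatible(server_log, client_log):
    """Each side's local hash must equal the other side's expected hash; a mismatch
    points at link-mtu, cipher, auth or comp-lzo differing between the two configs."""
    s, c = options_hashes(server_log), options_hashes(client_log)
    return bool(s and c) and s.get("local") == c.get("expected") and c.get("local") == s.get("expected")


def client_remote(client_log):
    """(address, port) the client actually sent to, from its 'link remote' line."""
    m = REMOTE_RE.search(client_log)
    return (m.group(1), int(m.group(2))) if m else None


def reachability(server_log, client_log):
    """Which direction is broken, judged from which side logged what."""
    if "Initialization Sequence Completed" in client_log:
        return "connected"
    if "TLS key negotiation failed" not in client_log:
        return "undetermined"
    if "TLS: Initial packet from" not in server_log:
        return "client-packets-never-reach-server"   # firewall, NAT or wrong port on the way in
    return "server-replies-never-reach-client"       # packets arrive; replies are lost or rejected


def reply_source_risk(server_directives, host_addrs, remote):
    """Heuristic for the case in the accepted answer. Assumption made here: a UDP server
    bound to every address (no 'local') replies from the host's primary address unless
    'multihome' is set, and a client without --float drops packets from a source other
    than its 'remote'. Returns the address the client should use instead, or None."""
    if "local" in server_directives or "multihome" in server_directives:
        return None
    if remote and len(host_addrs) > 1 and remote[0] in host_addrs[1:]:
        return host_addrs[0]
    return None


def triage(server_log, client_log, server_directives, host_addrs):
    """Combine the checks into one verdict dict."""
    remote = client_remote(client_log)
    return {
        "options_compatible": options_compatible(server_log, client_log),
        "reachability": reachability(server_log, client_log),
        "client_sent_to": remote,
        "use_primary_address": reply_source_risk(server_directives, host_addrs, remote),
    }


if __name__ == "__main__":
    for k, v in triage(SERVER_LOG, CLIENT_LOG, SERVER_DIRECTIVES, HOST_ADDRS).items():
        print("%-22s %s" % (k, v))
```

The order of the checks is deliberate: the options hashes on the page already match (5b1533a2 and d3a7571a swap places between the two logs), the server log proves the client's first packet arrived, and both sides then time out, so only the return path is left to investigate. Pointing the client at the primary address, or adding multihome on the server, are the two fixes that heuristic suggests.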

Source: https://serverfault.com/questions/614635