Linux
TLS error on OpenVPN
Client: OpenVPN 2.3.4 64bit (connecting to my pfSense at home works fine). Server: OpenVPN 2.2.2 installed via yum.
Server log:
tail -f /var/log/openvpn.log
Tue Jul 22 15:22:20 2014 us=550107 MULTI: multi_create_instance called
Tue Jul 22 15:22:20 2014 us=550157 MEIP:7969 Re-using SSL/TLS context
Tue Jul 22 15:22:20 2014 us=550170 MEIP:7969 LZO compression initialized
Tue Jul 22 15:22:20 2014 us=550208 MEIP:7969 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 22 15:22:20 2014 us=550216 MEIP:7969 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jul 22 15:22:20 2014 us=550234 MEIP:7969 Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul 22 15:22:20 2014 us=550239 MEIP:7969 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul 22 15:22:20 2014 us=550248 MEIP:7969 Local Options hash (VER=V4): '5b1533a2'
Tue Jul 22 15:22:20 2014 us=550255 MEIP:7969 Expected Remote Options hash (VER=V4): 'd3a7571a'
Tue Jul 22 15:22:20 2014 us=550271 MEIP:7969 TLS: Initial packet from MEIP:7969, sid=0dfede6a 99560dda
Tue Jul 22 15:23:20 2014 us=508541 MEIP:7969 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 22 15:23:20 2014 us=508582 MEIP:7969 TLS Error: TLS handshake failed
Tue Jul 22 15:23:20 2014 us=508632 MEIP:7969 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Jul 22 15:23:22 2014 us=455521 MULTI: multi_create_instance called
Tue Jul 22 15:23:22 2014 us=455569 MEIP:24021 Re-using SSL/TLS context
Tue Jul 22 15:23:22 2014 us=455581 MEIP:24021 LZO compression initialized
Tue Jul 22 15:23:22 2014 us=455618 MEIP:24021 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 22 15:23:22 2014 us=455626 MEIP:24021 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jul 22 15:23:22 2014 us=455644 MEIP:24021 Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul 22 15:23:22 2014 us=455649 MEIP:24021 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul 22 15:23:22 2014 us=455659 MEIP:24021 Local Options hash (VER=V4): '5b1533a2'
Tue Jul 22 15:23:22 2014 us=455666 MEIP:24021 Expected Remote Options hash (VER=V4): 'd3a7571a'
Tue Jul 22 15:23:22 2014 us=455681 MEIP:24021 TLS: Initial packet from MEIP:24021, sid=dd084ab8 21aa78a2
Tue Jul 22 15:24:22 2014 us=804481 MEIP:24021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 22 15:24:22 2014 us=804522 MEIP:24021 TLS Error: TLS handshake failed
Tue Jul 22 15:24:22 2014 us=804571 MEIP:24021 SIGUSR1[soft,tls-error] received, client-instance restarting
Client log:
Tue Jul 22 15:50:53 2014 pkcs11_protected_authentication = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_protected_authentication = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_protected_authentication = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_protected_authentication = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_private_mode = 00000000
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_cert_private = DISABLED
Tue Jul 22 15:50:53 2014 pkcs11_pin_cache_period = -1
Tue Jul 22 15:50:53 2014 pkcs11_id = '[UNDEF]'
Tue Jul 22 15:50:53 2014 pkcs11_id_management = DISABLED
Tue Jul 22 15:50:53 2014 server_network = 0.0.0.0
Tue Jul 22 15:50:53 2014 server_netmask = 0.0.0.0
Tue Jul 22 15:50:53 2014 server_network_ipv6 = ::
Tue Jul 22 15:50:53 2014 server_netbits_ipv6 = 0
Tue Jul 22 15:50:53 2014 server_bridge_ip = 0.0.0.0
Tue Jul 22 15:50:53 2014 server_bridge_netmask = 0.0.0.0
Tue Jul 22 15:50:53 2014 server_bridge_pool_start = 0.0.0.0
Tue Jul 22 15:50:53 2014 server_bridge_pool_end = 0.0.0.0
Tue Jul 22 15:50:53 2014 ifconfig_pool_defined = DISABLED
Tue Jul 22 15:50:53 2014 ifconfig_pool_start = 0.0.0.0
Tue Jul 22 15:50:53 2014 ifconfig_pool_end = 0.0.0.0
Tue Jul 22 15:50:53 2014 ifconfig_pool_netmask = 0.0.0.0
Tue Jul 22 15:50:53 2014 ifconfig_pool_persist_filename = '[UNDEF]'
Tue Jul 22 15:50:53 2014 ifconfig_pool_persist_refresh_freq = 600
Tue Jul 22 15:50:53 2014 ifconfig_ipv6_pool_defined = DISABLED
Tue Jul 22 15:50:53 2014 ifconfig_ipv6_pool_base = ::
Tue Jul 22 15:50:53 2014 ifconfig_ipv6_pool_netbits = 0
Tue Jul 22 15:50:53 2014 n_bcast_buf = 256
Tue Jul 22 15:50:53 2014 tcp_queue_limit = 64
Tue Jul 22 15:50:53 2014 real_hash_size = 256
Tue Jul 22 15:50:53 2014 virtual_hash_size = 256
Tue Jul 22 15:50:53 2014 client_connect_script = '[UNDEF]'
Tue Jul 22 15:50:53 2014 learn_address_script = '[UNDEF]'
Tue Jul 22 15:50:53 2014 client_disconnect_script = '[UNDEF]'
Tue Jul 22 15:50:53 2014 client_config_dir = '[UNDEF]'
Tue Jul 22 15:50:53 2014 ccd_exclusive = DISABLED
Tue Jul 22 15:50:53 2014 tmp_dir = 'C:\Users\me\AppData\Local\Temp\'
Tue Jul 22 15:50:53 2014 push_ifconfig_defined = DISABLED
Tue Jul 22 15:50:53 2014 push_ifconfig_local = 0.0.0.0
Tue Jul 22 15:50:53 2014 push_ifconfig_remote_netmask = 0.0.0.0
Tue Jul 22 15:50:53 2014 push_ifconfig_ipv6_defined = DISABLED
Tue Jul 22 15:50:53 2014 push_ifconfig_ipv6_local = ::/0
Tue Jul 22 15:50:53 2014 push_ifconfig_ipv6_remote = ::
Tue Jul 22 15:50:53 2014 enable_c2c = DISABLED
Tue Jul 22 15:50:53 2014 duplicate_cn = DISABLED
Tue Jul 22 15:50:53 2014 cf_max = 0
Tue Jul 22 15:50:53 2014 cf_per = 0
Tue Jul 22 15:50:53 2014 max_clients = 1024
Tue Jul 22 15:50:53 2014 max_routes_per_client = 256
Tue Jul 22 15:50:53 2014 auth_user_pass_verify_script = '[UNDEF]'
Tue Jul 22 15:50:53 2014 auth_user_pass_verify_script_via_file = DISABLED
Tue Jul 22 15:50:53 2014 client = ENABLED
Tue Jul 22 15:50:53 2014 pull = ENABLED
Tue Jul 22 15:50:53 2014 auth_user_pass_file = 'stdin'
Tue Jul 22 15:50:53 2014 show_net_up = DISABLED
Tue Jul 22 15:50:53 2014 route_method = 0
Tue Jul 22 15:50:53 2014 ip_win32_defined = DISABLED
Tue Jul 22 15:50:53 2014 ip_win32_type = 3
Tue Jul 22 15:50:53 2014 dhcp_masq_offset = 0
Tue Jul 22 15:50:53 2014 dhcp_lease_time = 31536000
Tue Jul 22 15:50:53 2014 tap_sleep = 0
Tue Jul 22 15:50:53 2014 dhcp_options = DISABLED
Tue Jul 22 15:50:53 2014 dhcp_renew = DISABLED
Tue Jul 22 15:50:53 2014 dhcp_pre_release = DISABLED
Tue Jul 22 15:50:53 2014 dhcp_release = DISABLED
Tue Jul 22 15:50:53 2014 domain = '[UNDEF]'
Tue Jul 22 15:50:53 2014 netbios_scope = '[UNDEF]'
Tue Jul 22 15:50:53 2014 netbios_node_type = 0
Tue Jul 22 15:50:53 2014 disable_nbt = DISABLED
Tue Jul 22 15:50:53 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun 5 2014
Tue Jul 22 15:50:53 2014 library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.05
Tue Jul 22 15:50:53 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Tue Jul 22 15:50:53 2014 Need hold release from management interface, waiting...
Tue Jul 22 15:50:53 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Tue Jul 22 15:50:54 2014 MANAGEMENT: CMD 'state on'
Tue Jul 22 15:50:54 2014 MANAGEMENT: CMD 'log all on'
Tue Jul 22 15:50:54 2014 MANAGEMENT: CMD 'hold off'
Tue Jul 22 15:50:54 2014 MANAGEMENT: CMD 'hold release'
Tue Jul 22 15:51:02 2014 MANAGEMENT: CMD 'username "Auth" "devvpn"'
Tue Jul 22 15:51:02 2014 MANAGEMENT: CMD 'password [...]'
Tue Jul 22 15:51:02 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 22 15:51:02 2014 LZO compression initialized
Tue Jul 22 15:51:02 2014 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 22 15:51:02 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 22 15:51:02 2014 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jul 22 15:51:02 2014 Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul 22 15:51:02 2014 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul 22 15:51:02 2014 Local Options hash (VER=V4): 'd3a7571a'
Tue Jul 22 15:51:02 2014 Expected Remote Options hash (VER=V4): '5b1533a2'
Tue Jul 22 15:51:02 2014 UDPv4 link local: [undef]
Tue Jul 22 15:51:02 2014 UDPv4 link remote: [AF_INET]108.61.141.195:1194
Tue Jul 22 15:51:02 2014 MANAGEMENT: >STATE:1406058662,WAIT,,,
Tue Jul 22 15:52:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 22 15:52:02 2014 TLS Error: TLS handshake failed
Tue Jul 22 15:52:02 2014 TCP/UDP: Closing socket
Tue Jul 22 15:52:02 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 22 15:52:02 2014 MANAGEMENT: >STATE:1406058722,RECONNECTING,tls-error,,
Tue Jul 22 15:52:02 2014 Restart pause, 2 second(s)
Tue Jul 22 15:52:04 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 22 15:52:04 2014 Re-using SSL/TLS context
Tue Jul 22 15:52:04 2014 LZO compression initialized
Tue Jul 22 15:52:04 2014 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 22 15:52:04 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 22 15:52:04 2014 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jul 22 15:52:04 2014 Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul 22 15:52:04 2014 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul 22 15:52:04 2014 Local Options hash (VER=V4): 'd3a7571a'
Tue Jul 22 15:52:04 2014 Expected Remote Options hash (VER=V4): '5b1533a2'
Tue Jul 22 15:52:04 2014 UDPv4 link local: [undef]
Tue Jul 22 15:52:04 2014 UDPv4 link remote: [AF_INET]108.61.141.195:1194
Tue Jul 22 15:52:04 2014 MANAGEMENT: >STATE:1406058724,WAIT,,,
Server config file:
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 4
log-append /var/log/openvpn.log
Client:
client
dev tun
proto udp
remote SERVERIP 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
I also ran service iptables stop to make sure nothing was blocking.
Ideas?
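A small log-correlation check added here (not code from the question or from OpenVPN) that reads the two logs above side by side: it confirms both ends' options strings agree, and notes that the server logged an "Initial packet from" for the client yet both ends still timed out, which places the fault on the reply path rather than on inbound filtering. The sample lines are condensed and constructed, "CLIENT" is a placeholder address, and the verdict heuristics are my own.

```python
import re

# Constructed sample lines in OpenVPN's log format, condensed from the kind of
# output shown above; "CLIENT" stands in for the client's address.
SERVER_LOG = """\
Tue Jul 22 15:22:20 2014 us=550234 CLIENT:7969 Local Options String: 'V4,dev-type tun,proto UDPv4,comp-lzo,tls-server'
Tue Jul 22 15:22:20 2014 us=550239 CLIENT:7969 Expected Remote Options String: 'V4,dev-type tun,proto UDPv4,comp-lzo,tls-client'
Tue Jul 22 15:22:20 2014 us=550271 CLIENT:7969 TLS: Initial packet from CLIENT:7969, sid=0dfede6a 99560dda
Tue Jul 22 15:23:20 2014 us=508541 CLIENT:7969 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""
CLIENT_LOG = """\
Tue Jul 22 15:51:02 2014 Local Options String: 'V4,dev-type tun,proto UDPv4,comp-lzo,tls-client'
Tue Jul 22 15:51:02 2014 Expected Remote Options String: 'V4,dev-type tun,proto UDPv4,comp-lzo,tls-server'
Tue Jul 22 15:52:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

OPTS = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")

def options(log):
    # Last 'Local' / 'Expected Remote' options string seen in the log.
    found = {}
    for line in log.splitlines():
        m = OPTS.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def diagnose(server_log, client_log):
    # Classify a TLS handshake timeout by reading both sides' logs together.
    s, c = options(server_log), options(client_log)
    # Each side's expected-remote string must equal the other side's local
    # string; a mismatch (comp-lzo, cipher, mtu) is a config problem, not a path problem.
    options_match = (s.get("Expected Remote") == c.get("Local")
                     and c.get("Expected Remote") == s.get("Local"))
    server_saw_client = "TLS: Initial packet from" in server_log
    client_timed_out = "TLS key negotiation failed to occur" in client_log
    if not options_match:
        verdict = "option mismatch"
    elif server_saw_client and client_timed_out:
        # Inbound path works, so the loss is on the return path: e.g. the client
        # is sending to an address the server does not answer from (see --multihome).
        verdict = "return path"
    elif client_timed_out:
        verdict = "inbound path"  # client packets never reached the server at all
    else:
        verdict = "no timeout"
    return {"options_match": options_match,
            "server_saw_client": server_saw_client, "verdict": verdict}
```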
The problem was that you have to point at the server's primary IP. I missed that. I thought I had the primary IP in the client config file. After setting it to the primary one, I was able to connect.