OpenVPN over stunnel does not work when forwarded through the router, but works internally
I am trying to set up OpenVPN over stunnel on my personal server.
OpenVPN in TCP mode and outside stunnel connects fine, even when connecting through the port forward on the router.
OpenVPN wrapped in stunnel works fine when not connecting through the port forward on the router, i.e. when stunnel sends to the internal IP address.
When connecting through the forwarded port on the router, stunnel itself seems to work fine: I set up a stunnel for SSH and the connection works, and I even left it running in a while loop printing to the console for a few minutes to see whether it would fail.
However, when running OpenVPN through stunnel and through the port forward on the router, the connection appears to be established but then drops, and I get no network traffic.
I have been debugging this all day; any help would be greatly appreciated.
I get the following warnings in the OVPN log:

```
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher BF-CBC'
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
```
stunnel settings, server (including the ssh test):

```
[openvpn]
accept = 44444
connect = 127.0.0.1:1194
ciphers = DHE-RSA-AES256-SHA256

[sslssh]
accept = 55555
connect = 127.0.0.1:22
```

stunnel settings, client:

```
[openvpn]
client = yes
accept = 127.0.0.1:11194
connect = <my_ip>:44444
;cert = /usr/local/etc/stunnel/cert.pem
;connect = 192.168.255.25:44444
ciphers = DHE-RSA-AES256-SHA256

[sslssh]
client = yes
accept = 127.0.0.1:2222
connect = <my_IP>:55555
```

Client ovpn config:

```
remote localhost 11194
proto tcp
remote-cert-tls server
client
dev tun
resolv-retry infinite
keepalive 10 120
nobind
comp-lzo
verb 3
```

Server ovpn config:

```
port 1194
proto tcp
dev tun
comp-lzo
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
chroot /etc/openvpn/easy-rsa/keys/crl.jail
crl-verify crl.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
key /etc/openvpn/easy-rsa/keys/server.key
cert /etc/openvpn/easy-rsa/keys/server.crt
ifconfig-pool-persist /var/lib/openvpn/server.ipp
client-config-dir /etc/openvpn/server.ccd
status /var/log/openvpn/server.log
verb 4
```
Full ovpn client log:

```
2019-05-27 14:10:53 *Tunnelblick: openvpnstart starting OpenVPN
*Tunnelblick: OS X 10.14.6; Tunnelblick 3.7.5a (build 5011); prior version 3.4.0 (build 4007)
2019-05-27 14:10:53 *Tunnelblick: Attempting connection with mikewarde_tcp_stunnel using shadow copy; Set nameserver = 769; monitoring connection
2019-05-27 14:10:53 *Tunnelblick: openvpnstart start mikewarde_tcp_stunnel.tblk 1337 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.4-openssl-1.0.2o
2019-05-27 14:10:54 *Tunnelblick: openvpnstart log:
    OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2o/openvpn --daemon --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Smikewarde-SLibrary-SApplication Support-STunnelblick-SConfigurations-Smikewarde_tcp_stunnel.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.1337.openvpn.log --cd /Library/Application Support/Tunnelblick/Users/mikewarde/mikewarde_tcp_stunnel.tblk/Contents/Resources --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5011 3.7.5a (build 5011)" --verb 3 --config /Library/Application Support/Tunnelblick/Users/mikewarde/mikewarde_tcp_stunnel.tblk/Contents/Resources/config.ovpn --verb 3 --cd /Library/Application Support/Tunnelblick/Users/mikewarde/mikewarde_tcp_stunnel.tblk/Contents/Resources --management 127.0.0.1 1337 /Library/Application Support/Tunnelblick/fognhooiggkindigaihckcifckpilcfpnmgdikmh.mip --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2019-05-27 14:10:54 *Tunnelblick: Established communication with OpenVPN
2019-05-27 14:10:54 OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Mar 27 2018
2019-05-27 14:10:54 library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
2019-05-27 14:10:54 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2019-05-27 14:10:54 Need hold release from management interface, waiting...
2019-05-27 14:10:54 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2019-05-27 14:10:54 MANAGEMENT: CMD 'pid'
2019-05-27 14:10:54 MANAGEMENT: CMD 'state on'
2019-05-27 14:10:54 MANAGEMENT: CMD 'state'
2019-05-27 14:10:54 MANAGEMENT: CMD 'bytecount 1'
2019-05-27 14:10:54 MANAGEMENT: CMD 'hold release'
2019-05-27 14:10:54 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-05-27 14:10:54 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:10:54 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:10:54 MANAGEMENT: >STATE:1558962654,RESOLVE,,,,,,
2019-05-27 14:10:54 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:11194
2019-05-27 14:10:54 Socket Buffers: R=[131072->131072] S=[131072->131072]
2019-05-27 14:10:54 Attempting to establish TCP connection with [AF_INET]127.0.0.1:11194 [nonblock]
2019-05-27 14:10:54 MANAGEMENT: >STATE:1558962654,TCP_CONNECT,,,,,,
2019-05-27 14:10:55 TCP connection established with [AF_INET]127.0.0.1:11194
2019-05-27 14:10:55 TCP_CLIENT link local: (not bound)
2019-05-27 14:10:55 TCP_CLIENT link remote: [AF_INET]127.0.0.1:11194
2019-05-27 14:10:55 MANAGEMENT: >STATE:1558962655,WAIT,,,,,,
2019-05-27 14:10:55 MANAGEMENT: >STATE:1558962655,AUTH,,,,,,
2019-05-27 14:10:55 TLS: Initial packet from [AF_INET]127.0.0.1:11194, sid=c58c277c 5918dc12
2019-05-27 14:10:55 VERIFY OK: depth=1, C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:10:55 VERIFY KU OK
2019-05-27 14:10:55 Validating certificate extended key usage
2019-05-27 14:10:55 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-05-27 14:10:55 VERIFY EKU OK
2019-05-27 14:10:55 VERIFY OK: depth=0, C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:10:55 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2019-05-27 14:10:55 [server] Peer Connection Initiated with [AF_INET]127.0.0.1:11194
2019-05-27 14:10:57 MANAGEMENT: >STATE:1558962657,GET_CONFIG,,,,,,
2019-05-27 14:10:57 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2019-05-27 14:10:57 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.222.29.1,topology net30,ping 10,ping-restart 120,ifconfig 10.222.29.6 10.222.29.5,peer-id 0,cipher AES-256-GCM'
2019-05-27 14:10:57 OPTIONS IMPORT: timers and/or timeouts modified
2019-05-27 14:10:57 OPTIONS IMPORT: --ifconfig/up options modified
2019-05-27 14:10:57 OPTIONS IMPORT: route options modified
2019-05-27 14:10:57 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2019-05-27 14:10:57 OPTIONS IMPORT: peer-id set
2019-05-27 14:10:57 OPTIONS IMPORT: adjusting link_mtu to 1627
2019-05-27 14:10:57 OPTIONS IMPORT: data channel crypto options modified
2019-05-27 14:10:57 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-05-27 14:10:57 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-05-27 14:10:57 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-05-27 14:10:57 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2019-05-27 14:10:57 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2019-05-27 14:10:57 Opened utun device utun2
2019-05-27 14:10:57 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2019-05-27 14:10:57 MANAGEMENT: >STATE:1558962657,ASSIGN_IP,,10.222.29.6,,,,
2019-05-27 14:10:57 /sbin/ifconfig utun2 delete
    ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2019-05-27 14:10:57 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2019-05-27 14:10:57 /sbin/ifconfig utun2 10.222.29.6 10.222.29.5 mtu 1500 netmask 255.255.255.255 up
2019-05-27 14:10:57 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun2 1500 1555 10.222.29.6 10.222.29.5 init
    **********************************************
    Start of output from client.up.tunnelblick.sh
    Disabled IPv6 for 'iPhone USB'
    Disabled IPv6 for 'Wi-Fi'
    Disabled IPv6 for 'Bluetooth PAN'
    Disabled IPv6 for 'Thunderbolt Bridge'
    Retrieved from OpenVPN: name server(s) [ 208.67.222.222 208.67.220.220 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
    WARNING: Ignoring ServerAddresses '208.67.222.222 208.67.220.220' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
    Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
    Saved the DNS and SMB configurations so they can be restored
    Did not change DNS ServerAddresses setting of '1.1.1.1 1.0.0.1' (but re-set it)
    Changed DNS SearchDomains setting from '' to 'openvpn'
    Changed DNS DomainName setting from '' to 'openvpn'
    Did not change SMB NetBIOSName setting of ''
    Did not change SMB Workgroup setting of ''
    Did not change SMB WINSAddresses setting of ''
    DNS servers '1.1.1.1 1.0.0.1' were set manually
    DNS servers '1.1.1.1 1.0.0.1' will be used for DNS queries when the VPN is active
    NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
    Flushed the DNS cache via dscacheutil
    /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
    Notified mDNSResponder that the DNS cache was flushed
    Setting up to monitor system configuration with process-network-changes
    End of output from client.up.tunnelblick.sh
    **********************************************
2019-05-27 14:11:00 *Tunnelblick: No 'connected.sh' script to execute
2019-05-27 14:11:00 /sbin/route add -net 127.0.0.1 192.168.255.1 255.255.255.255
    add net 127.0.0.1: gateway 192.168.255.1
2019-05-27 14:11:00 /sbin/route add -net 0.0.0.0 10.222.29.5 128.0.0.0
    add net 0.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:00 /sbin/route add -net 128.0.0.0 10.222.29.5 128.0.0.0
    add net 128.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:00 MANAGEMENT: >STATE:1558962660,ADD_ROUTES,,,,,,
2019-05-27 14:11:00 /sbin/route add -net 10.222.29.1 10.222.29.5 255.255.255.255
    add net 10.222.29.1: gateway 10.222.29.5
2019-05-27 14:11:00 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-05-27 14:11:00 Initialization Sequence Completed
2019-05-27 14:11:00 MANAGEMENT: >STATE:1558962660,CONNECTED,SUCCESS,10.222.29.6,127.0.0.1,11194,127.0.0.1,55166
2019-05-27 14:11:24 Connection reset, restarting [-1]
2019-05-27 14:11:24 /sbin/route delete -net 10.222.29.1 10.222.29.5 255.255.255.255
    delete net 10.222.29.1: gateway 10.222.29.5
2019-05-27 14:11:24 /sbin/route delete -net 127.0.0.1 192.168.255.1 255.255.255.255
    delete net 127.0.0.1: gateway 192.168.255.1
2019-05-27 14:11:24 /sbin/route delete -net 0.0.0.0 10.222.29.5 128.0.0.0
    delete net 0.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:24 /sbin/route delete -net 128.0.0.0 10.222.29.5 128.0.0.0
    delete net 128.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:24 Closing TUN/TAP interface
2019-05-27 14:11:24 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun2 1500 1555 10.222.29.6 10.222.29.5 init
    **********************************************
    Start of output from client.down.tunnelblick.sh
    Cancelled monitoring of system configuration changes
    Restored the DNS and SMB configurations
    Re-enabled IPv6 (automatic) for 'iPhone USB'
    Re-enabled IPv6 (automatic) for 'Wi-Fi'
    Re-enabled IPv6 (automatic) for 'Bluetooth PAN'
    Re-enabled IPv6 (automatic) for 'Thunderbolt Bridge'
    Flushed the DNS cache via dscacheutil
    /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
    Notified mDNSResponder that the DNS cache was flushed
    End of output from client.down.tunnelblick.sh
    **********************************************
2019-05-27 14:11:25 SIGUSR1[soft,connection-reset] received, process restarting
2019-05-27 14:11:25 MANAGEMENT: >STATE:1558962685,RECONNECTING,connection-reset,,,,,
2019-05-27 14:11:25 *Tunnelblick: No 'reconnecting.sh' script to execute
2019-05-27 14:11:25 MANAGEMENT: CMD 'hold release'
2019-05-27 14:11:25 MANAGEMENT: CMD 'hold release'
2019-05-27 14:11:25 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-05-27 14:11:25 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:11:25 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:11:25 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:11194
2019-05-27 14:11:25 Socket Buffers: R=[131072->131072] S=[131072->131072]
2019-05-27 14:11:25 Attempting to establish TCP connection with [AF_INET]127.0.0.1:11194 [nonblock]
2019-05-27 14:11:25 MANAGEMENT: >STATE:1558962685,TCP_CONNECT,,,,,,
2019-05-27 14:11:26 TCP connection established with [AF_INET]127.0.0.1:11194
2019-05-27 14:11:26 TCP_CLIENT link local: (not bound)
2019-05-27 14:11:26 TCP_CLIENT link remote: [AF_INET]127.0.0.1:11194
2019-05-27 14:11:26 MANAGEMENT: >STATE:1558962686,WAIT,,,,,,
2019-05-27 14:11:26 MANAGEMENT: >STATE:1558962686,AUTH,,,,,,
2019-05-27 14:11:26 TLS: Initial packet from [AF_INET]127.0.0.1:11194, sid=072914d3 4912c8a0
2019-05-27 14:11:26 VERIFY OK: depth=1, C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:11:26 VERIFY KU OK
2019-05-27 14:11:26 Validating certificate extended key usage
2019-05-27 14:11:26 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-05-27 14:11:26 VERIFY EKU OK
2019-05-27 14:11:26 VERIFY OK: depth=0, C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:11:26 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
2019-05-27 14:11:26 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher BF-CBC'
2019-05-27 14:11:26 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2019-05-27 14:11:26 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2019-05-27 14:11:26 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2019-05-27 14:11:26 [server] Peer Connection Initiated with [AF_INET]127.0.0.1:11194
2019-05-27 14:11:26 *Tunnelblick: Disconnecting; notification window disconnect button pressed
2019-05-27 14:11:27 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2019-05-27 14:11:27 *Tunnelblick: Disconnecting using 'kill'
2019-05-27 14:11:27 event_wait : Interrupted system call (code=4)
2019-05-27 14:11:27 SIGTERM[hard,] received, process exiting
2019-05-27 14:11:27 MANAGEMENT: >STATE:1558962687,EXITING,SIGTERM,,,,,
2019-05-27 14:11:27 *Tunnelblick: No 'post-disconnect.sh' script to execute
2019-05-27 14:11:27 *Tunnelblick: Expected disconnection occurred.
```
Hopefully these logs help you. Read "warning" as "fatal" here, because these are fatal errors that block the connection.
For OpenVPN, the remote and local settings should match, especially the settings for the key exchange.
For the warning about the MTU, set link-mtu on both the remote and the local side to a common known-good value such as 1500, as this will prevent fragmentation.

```
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
```

```
--link-mtu n
    Sets an upper bound on the size of UDP packets which are sent between OpenVPN peers.
    It's best not to set this parameter unless you know what you're doing.
```

The other warnings are based on your ciphers: your local client is trying to use the more secure AES-256-GCM rather than the older, deprecated BF-CBC on the remote.

```
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher BF-CBC'
```

To fix this, specify the cipher AES-256-GCM in both the remote and the local config.
As for keysize, ignore it, since it is a deprecated flag and the cipher now sets its size: AES-256-GCM is 256, so specifying this cipher on both local and remote is the same as specifying 256 on both remote and local.
TL;DR: add these lines to both the local and the remote config.

```
auth SHA256
link-mtu 1500
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
```
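As an added example (not part of the question or the answer above): a small Python check that pulls the "used inconsistently" warnings out of an OpenVPN client log and compares a client config against a server config for the options the answer says must agree on both peers. The log lines and config snippets are constructed from the ones posted above; the function names are my own.

```python
import re

# Constructed sample: the four mismatch warnings from the question's Tunnelblick log
# plus one unrelated line that the parser must ignore.
SAMPLE_LOG = """\
2019-05-27 14:11:26 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
2019-05-27 14:11:26 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher BF-CBC'
2019-05-27 14:11:26 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2019-05-27 14:11:26 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2019-05-27 14:11:26 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
"""

WARN_RE = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
                     r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")

def parse_inconsistencies(log_text):
    """Map each option OpenVPN reports as mismatched to its (local, remote) values.
    OpenVPN repeats the option name inside the quoted value ('cipher BF-CBC'), so drop it."""
    found = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            local, remote = (m.group(g).split(None, 1)[-1] for g in ("local", "remote"))
            found[m.group("opt")] = (local, remote)
    return found

# Options the answer says must be set identically on both peers.
MUST_MATCH = ("auth", "link-mtu", "cipher", "ncp-ciphers")

def parse_ovpn(text):
    """Parse 'option [value]' lines of an OpenVPN config; lines starting '#' or ';' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, _, value = line.partition(" ")
            opts[name] = value.strip()
    return opts

def config_mismatches(client_text, server_text, keys=MUST_MATCH):
    """Return {option: (client, server)} for options missing on either side or set differently."""
    c, s = parse_ovpn(client_text), parse_ovpn(server_text)
    return {k: (c.get(k), s.get(k)) for k in keys if k not in c or k not in s or c[k] != s[k]}

# Constructed configs: the question's originals trimmed, and the answer's TL;DR lines to append.
CLIENT_CONF = "remote localhost 11194\nproto tcp\nclient\ndev tun\ncomp-lzo\nkeepalive 10 120\n"
SERVER_CONF = "port 1194\nproto tcp\ndev tun\ncomp-lzo\nkeepalive 10 120\n"
TLDR_LINES = "auth SHA256\nlink-mtu 1500\ncipher AES-256-GCM\nncp-ciphers AES-256-GCM:AES-128-GCM\n"
```

Running `config_mismatches(CLIENT_CONF, SERVER_CONF)` flags all four options as unset, and appending `TLDR_LINES` to both configs makes the result empty.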