OpenVPN Authenticate/Decrypt packet error
I am trying to connect a laptop running Windows 10 to an Ubuntu 16.04 server running OpenVPN.
The client keeps getting this error:
MANAGEMENT: >STATE:1491498025,WAIT,,,,,,
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1491498025,RECONNECTING,connection-reset,,
I set up OpenVPN following this guide. Everything is default except that I changed to port 443 and tcp.
On the server I see this error in "systemctl status openvpn@server":
ovpn-server[4627]: [IP ADDR] Fatal TLS error (check_tls_errors_co), restarting
ovpn-server[4627]: [IP ADDR] SIGUSR1[soft,tls-error] received, client-instance restarting
ovpn-server[4627]: TCP connection established with [AF_INET][IP ADDR]
ovpn-server[4627]: [IP ADDR] TLS: Initial packet from [AF_INET][IP ADDR], sid=5bf6806d 9c9b6639
ovpn-server[4627]: [IP ADDR] Authenticate/Decrypt packet error: packet HMAC authentication failed
ovpn-server[4627]: [IP ADDR] TLS Error: incoming packet authentication failed from [AF_INET][IP ADDR]
ovpn-server[4627]: [IP ADDR] Fatal TLS error (check_tls_errors_co), restarting
ovpn-server[4627]: [IP ADDR] SIGUSR1[soft,tls-error] received, client-instance restarting
server.conf:
port 443
proto tcp
dev tun
ca ca.crt
cert KICLAB-HV-01.crt
key KICLAB-HV-01.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0
key-direction 0
mode server
tls-server
cipher AES-128-CBC # AES
auth SHA256 # SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
base.conf:
client
dev tun
proto tcp
remote [Internal LAN IP for testing] 443
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
Client log:
Attempting to establish TCP connection with [AF_INET][IP]:443 [nonblock]
MANAGEMENT: >STATE:1491826387,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET][IP]:443
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET][IP]:443
MANAGEMENT: >STATE:1491826388,WAIT,,,,,,
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1491826388,RECONNECTING,connection-reset,,,,,
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET][IP]:443
Socket Buffers: R=[65536->65536] S=[65536->65536]
Attempting to establish TCP connection with [AF_INET][IP]:443 [nonblock]
MANAGEMENT: >STATE:1491826393,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET][IP]:443
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET][IP]:443
MANAGEMENT: >STATE:1491826394,WAIT,,,,,,
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1491826394,RECONNECTING,connection-reset,,,,,
Restart pause, 5 second(s)
Current output of "systemctl status openvpn@server" (note: [IP] is actually not the client's correct IP. Is that the problem?):
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
IFCONFIG POOL LIST
MULTI: TCP INIT maxclients=1024 maxevents=1028
Initialization Sequence Completed
TCP connection established with [AF_INET][IP]:48758
[IP]:48758 TLS: Initial packet from [AF_INET][IP]:48758, sid=9ab50ac0 a37efe04
[IP]:48758 TLS Error: reading acknowledgement record from packet
[IP]:48758 Fatal TLS error (check_tls_errors_co), restarting
Apr 10 08:36:24 [host] ovpn-server[2191]: [IP]:48758 SIGUSR1[soft,tls-error] received, client-instance restarting
Thanks!
There is no client certificate in your configuration. You should generate one signed by the same CA you use on the server and add it to client.conf like this:
ca "ca.crt"
cert "client.crt"
key "client.key"
From the OpenVPN website:
The --tls-auth option uses a static pre-shared key (PSK) that must be generated in advance and shared among all peers.
You have it on your server:
tls-auth ta.key 0 # This file is secret
key-direction 0
But on the client you have commented it out:
;tls-auth ta.key 1
...
key-direction 1
The second argument to tls-auth is the key direction, so you do not need to repeat it with the key-direction stanza. On your server, just remove the key-direction 0 line, and on your client remove the comment delimiter (;) and the key-direction 1 line. Of course, before the above will actually work, ta.key also needs to be on your client machine first: copy it there securely using scp or a similar method.
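The two answers above point at two separate defects in the posted configs: the client never presents a certificate, and tls-auth is active on the server but not on the client, which is exactly what produces "packet HMAC authentication failed" on the server side. As an added example that is not part of either answer or of OpenVPN itself, the script below lints a server/client config pair for those mismatches (tls-auth present on one side only, both sides using the same direction, a direction given twice, cipher/auth disagreement, and a client with no ca/cert/key). The embedded configs are constructed from the question's server.conf and base.conf; the ";tls-auth ta.key 1" line is the commented-out line the second answer describes, 192.0.2.10 stands in for the redacted LAN IP, and client.crt/client.key are the placeholder names from the first answer.

```python
import re

# Constructed configs modelled on the question's server.conf and base.conf
# (trimmed to the directives that matter here); not the poster's own files.
SERVER_CONF = """\
port 443
proto tcp
dev tun
ca ca.crt
cert KICLAB-HV-01.crt
key KICLAB-HV-01.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC
auth SHA256
"""
CLIENT_CONF_BROKEN = """\
client
proto tcp
remote 192.0.2.10 443
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
;tls-auth ta.key 1
key-direction 1
"""
# Both answers applied: client ca/cert/key added, tls-auth uncommented with the
# direction inline, and the redundant key-direction lines dropped on both sides.
SERVER_CONF_FIXED = SERVER_CONF.replace("key-direction 0\n", "")
CLIENT_CONF_FIXED = """\
client
proto tcp
remote 192.0.2.10 443
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
tls-auth ta.key 1
"""

ABSENT = object()  # sentinel: tls-auth not configured at all


def parse_openvpn_conf(text):
    """Map each active directive to its argument list.

    OpenVPN ignores lines starting with '#' or ';' (so ';tls-auth ta.key 1'
    contributes nothing) and drops a trailing '# comment' after arguments.
    """
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw.strip(), maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts


def tls_auth_direction(opts):
    """0 or 1 (from the inline argument or key-direction), None for a
    bidirectional key with no direction anywhere, ABSENT if tls-auth is unset."""
    if "tls-auth" not in opts:
        return ABSENT
    args = opts["tls-auth"]
    if len(args) >= 2:
        return int(args[1])
    if "key-direction" in opts:
        return int(opts["key-direction"][0])
    return None


def lint_pair(server_text, client_text):
    """Return (severity, message) findings for the pair; [] means consistent."""
    server, client = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    findings = []
    for side, opts in (("server", server), ("client", client)):
        if len(opts.get("tls-auth", [])) >= 2 and "key-direction" in opts:
            inline, separate = int(opts["tls-auth"][1]), int(opts["key-direction"][0])
            if inline != separate:
                findings.append(("error", f"{side}: tls-auth direction {inline} contradicts key-direction {separate}"))
            else:
                findings.append(("note", f"{side}: direction given both inline and via key-direction; keep one"))
    s_dir, c_dir = tls_auth_direction(server), tls_auth_direction(client)
    if (s_dir is ABSENT) != (c_dir is ABSENT):
        findings.append(("error", "tls-auth configured on only one side; that side rejects every "
                                  "control packet with 'packet HMAC authentication failed'"))
    elif s_dir is not ABSENT and (s_dir is None) != (c_dir is None):
        findings.append(("error", "one side uses a directional tls-auth key, the other a bidirectional one"))
    elif s_dir is not ABSENT and s_dir is not None and s_dir == c_dir:
        findings.append(("error", f"both sides use tls-auth direction {s_dir}; server must be 0 and client 1"))
    if server.get("cipher") != client.get("cipher"):
        findings.append(("error", "cipher differs between server and client"))
    if server.get("auth") != client.get("auth"):
        findings.append(("error", "auth digest differs between server and client; the tls-auth HMAC uses it"))
    # The client must present a certificate unless the server explicitly waives it.
    waived = "client-cert-not-required" in server or server.get("verify-client-cert") == ["none"]
    missing = [o for o in ("ca", "cert", "key") if o not in client]
    if missing and not waived:
        findings.append(("error", "client has no " + "/".join(missing) + "; add a certificate signed by the server's CA"))
    return findings


if __name__ == "__main__":
    for label, pair in (("as posted", (SERVER_CONF, CLIENT_CONF_BROKEN)),
                        ("both answers applied", (SERVER_CONF_FIXED, CLIENT_CONF_FIXED))):
        print(f"== {label} ==")
        for severity, msg in lint_pair(*pair) or [("ok", "no findings")]:
            print(f"  [{severity}] {msg}")
```

Run it as-is and the "as posted" pair reports the redundant key-direction on the server, tls-auth missing on the client, and the absent client ca/cert/key; the corrected pair reports nothing. Point the two constants at your own files (read them with open().read()) to check a real deployment before restarting the service.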