Linux Distros에서 Tor 문제가 있는 OpenVPN

tag-icon tag-icon linux openvpn tor ubuntu-16.04
Linux Distros에서 Tor 문제가 있는 OpenVPN

Tor Socks Proxy를 통해 OpenVPN 서버에 연결하려고 합니다.

socks-proxy 127.0.0.1.ovpn 파일 추가 및 옵션을 편집했지만 socks-proxy-retry성공하지 못했습니다.

문제는 다음과 같습니다. 모든 것이 잘 진행되고 Initialization Sequence Completed메시지가 표시되지만 몇 초 후에 openvpn 클라이언트가 여러 번 다시 연결을 시도하고 오류 115 시간 초과가 발생합니다.

현재 우분투 16.04를 사용하고 있습니다

로그는 다음과 같습니다.

Sat Sep 17 16:38:08 2016 DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: In OpenVPN 2.4 proxy connection retries are handled like regular connections. Use connect-retry-max 1 to get a similar behavior as before.
Sat Sep 17 16:38:08 2016 OpenVPN 2.3_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [IPv6] built on Sep 17 2016
Sat Sep 17 16:38:08 2016 library versions: OpenSSL 1.0.2g-fips  1 Mar 2016, LZO 2.08
Sat Sep 17 16:38:08 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Sep 17 16:38:08 2016 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:9050
Sat Sep 17 16:38:08 2016 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Sep 17 16:38:08 2016 Attempting to establish TCP connection with [AF_INET]127.0.0.1:9050 [nonblock]
Sat Sep 17 16:38:08 2016 TCP connection established with [AF_INET]127.0.0.1:9050
Sat Sep 17 16:38:08 2016 TCP_CLIENT link local: (not bound)
Sat Sep 17 16:38:08 2016 TCP_CLIENT link remote: [AF_INET]127.0.0.1:9050
Sat Sep 17 16:38:09 2016 TLS: Initial packet from [AF_INET]127.0.0.1:9050, sid=8f81fa06 41348202
Sat Sep 17 16:38:10 2016 VERIFY OK: depth=0, CN=49njfbdc.com, O=m4jhl x3avvp9iijj, C=US
Sat Sep 17 16:38:12 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Sep 17 16:38:12 2016 [49njfbdc.com] Peer Connection Initiated with [AF_INET]127.0.0.1:9050
Sat Sep 17 16:38:13 2016 SENT CONTROL [49njfbdc.com]: 'PUSH_REQUEST' (status=1)
Sat Sep 17 16:38:14 2016 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.73 10.211.1.74,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.74,redirect-gateway def1'
Sat Sep 17 16:38:14 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sat Sep 17 16:38:14 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sat Sep 17 16:38:14 2016 OPTIONS IMPORT: route options modified
Sat Sep 17 16:38:14 2016 OPTIONS IMPORT: route-related options modified
Sat Sep 17 16:38:14 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Sep 17 16:38:14 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Sep 17 16:38:14 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 17 16:38:14 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Sep 17 16:38:14 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 17 16:38:14 2016 ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=*hidden* HWADDR=*hidden*
Sat Sep 17 16:38:14 2016 TUN/TAP device tun0 opened
Sat Sep 17 16:38:14 2016 TUN/TAP TX queue length set to 100
Sat Sep 17 16:38:14 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Sep 17 16:38:14 2016 /sbin/ifconfig tun0 10.211.1.73 pointopoint 10.211.1.74 mtu 1500
Sat Sep 17 16:38:14 2016 /sbin/route add -net 127.0.0.1 netmask 255.255.255.255 gw 192.168.1.254
Sat Sep 17 16:38:14 2016 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.211.1.74
Sat Sep 17 16:38:14 2016 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.211.1.74
Sat Sep 17 16:38:14 2016 Initialization Sequence Completed
Sat Sep 17 16:38:24 2016 [49njfbdc.com] Inactivity timeout (--ping-restart), restarting
Sat Sep 17 16:38:24 2016 SIGUSR1[soft,ping-restart] received, process restarting
Sat Sep 17 16:38:24 2016 Restart pause, 5 second(s)
Sat Sep 17 16:38:29 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Sep 17 16:38:29 2016 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:9050
Sat Sep 17 16:38:29 2016 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Sep 17 16:38:29 2016 Attempting to establish TCP connection with [AF_INET]127.0.0.1:9050 [nonblock]
Sat Sep 17 16:38:29 2016 TCP connection established with [AF_INET]127.0.0.1:9050
Sat Sep 17 16:38:34 2016 recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)
Sat Sep 17 16:38:34 2016 SIGUSR1[soft,init_instance] received, process restarting
Sat Sep 17 16:38:34 2016 Restart pause, 5 second(s)
^CSat Sep 17 16:38:36 2016 /sbin/route del -net 127.0.0.1 netmask 255.255.255.255
Sat Sep 17 16:38:36 2016 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Sat Sep 17 16:38:36 2016 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Sat Sep 17 16:38:36 2016 Closing TUN/TAP interface
Sat Sep 17 16:38:36 2016 /sbin/ifconfig tun0 0.0.0.0
Sat Sep 17 16:38:36 2016 SIGINT[hard,init_instance] received, process exiting

.ovpn 파일은 다음과 같습니다.

socks-proxy 127.0.0.1 9150
socks-proxy-retry
###############################################################################
# OpenVPN 2.0 Sample Configuration File
# for PacketiX VPN / SoftEther VPN Server
# 
# !!! AUTO-GENERATED BY SOFTETHER VPN SERVER MANAGEMENT TOOL !!!
# 
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
# 
# This configuration file is auto-generated. You might use this config file
# in order to connect to the PacketiX VPN / SoftEther VPN Server.
# However, before you try it, you should review the descriptions of the file
# to determine the necessity to modify to suitable for your real environment.
# If necessary, you have to modify a little adequately on the file.
# For example, the IP address or the hostname as a destination VPN Server
# should be confirmed.
# 
# Note that to use OpenVPN 2.0, you have to put the certification file of
# the destination VPN Server on the OpenVPN Client computer when you use this
# config file. Please refer the below descriptions carefully.


###############################################################################
# Specify the type of the layer of the VPN connection.
# 
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
#  specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as a bridging equipment of "Site-to-Site VPN",
#  specify 'dev tap'. (Layer-2 Ethernet Bridgine Mode)

dev tun


###############################################################################
# Specify the underlying protocol beyond the Internet.
# Note that this setting must be correspond with the listening setting on
# the VPN Server.
# 
# Specify either 'proto tcp' or 'proto udp'.

proto tcp


###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
# 
# You have to specify as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
# 
# Note that the auto-generated below hostname are a "auto-detected
# IP address" of the VPN Server. You have to confirm the correctness
# beforehand.
# 
# When you want to connect to the VPN Server by using TCP protocol,
# the port number of the destination TCP port should be same as one of
# the available TCP listeners on the VPN Server.
# 
# When you use UDP protocol, the port number must same as the configuration
# setting of "OpenVPN Server Compatible Function" on the VPN Server.

remote 180.183.122.187 1639


###############################################################################
# The HTTP/HTTPS proxy setting.
# 
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# In the case of using proxy-authentication, refer the OpenVPN manual.

;http-proxy-retry
;http-proxy [proxy server] [proxy port]


###############################################################################
# The encryption and authentication algorithm.
# 
# Default setting is good. Modify it as you prefer.
# When you specify an unsupported algorithm, the error will occur.
# 
# The supported algorithms are as follows:
#  cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
#          CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
#          RC2-40-CBC RC2-64-CBC RC2-CBC
#  auth:   SHA SHA1 MD5 MD4 RMD160

cipher AES-128-CBC
auth SHA1


###############################################################################
# Other parameters necessary to connect to the VPN Server.
# 
# It is not recommended to modify it unless you have a particular need.

resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
#auth-user-pass


###############################################################################
# The certificate file of the destination VPN Server.
# 
# The CA certificate file is embedded in the inline format.
# You can replace this CA contents if necessary.
# Please note that if the server certificate is not a self-signed, you have to
# specify the signer's root certificate (CA) here.

답변1

양말을 사용하는 다른 프로그램으로 양말 프록시를 테스트합니다. OpenVPN은 작동하지만 OpenVPN은 작동하지 않는다면 OpenVPN 구성에 문제가 있는 것입니다. 로그 항목이 [*.opengw.net]조금 의심스러워 보입니다. 유효한 호스트 이름이 아닙니다! 의심스러운 것이 있는지 확인할 수 있도록 구성 파일의 최소한 일부를 여기에 게시할 수 있습니다. (저는 약 8년 동안 OpenVPN을 사용해 왔습니다.)

예: 양말 프록시(프록시체인?)를 통해 텔넷 연결을 엽니다. 적절한 포트 번호를 사용하여 예제의 호스트 주소에 대한 세션을 엽니다. 프로토콜은 TCP입니다. 텔넷 연결이 작동하면(프롬프트에 "가비지" 문자가 표시되어야 함) 이는 양말 프록시가 제대로 작동하고 있음을 의미합니다.

openvpn은 연결할 수 없지만 telnet은 연결할 수 있는 경우 OVPN 파일에 양말 프록시에 대한 인증 정보가 누락되었거나 양말 버전/구현이 호환되지 않을 수 있습니다.

관련 정보