我在用著皮VPN在我的 Xubuntu 伺服器上建立 VPN。我知道 PiVPN 是專門為 Raspberry Pi 設計的,但它的設定和使用非常簡單,所以我決定也在我的 Xubuntu x64 機器上使用它。
使用 OpenVPN 連線透過 .ovpn 檔案進行連線可以在 Windows 上完美運行,但是當嘗試在我的三台 Pop!_OS (Ubuntu 22.04) 電腦中的任何一台上進行連線時,它就是無法連線。
這是 .ovpn 檔:
client
dev tun
proto udp
remote myserv.org 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name myveryspecialx509name name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 5
<ca>
-----BEGIN CERTIFICATE-----
s0m3c3rt1f1c4t3
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
s0m3d1ff3r3n7c3r71f1c473
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
s0m3pr1v473k3y
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
s0m3st4t1ck3y
-----END OpenVPN Static key V1-----
</tls-crypt>
這是我的 Pop!_OS 用戶端上嘗試使用預設設定使用 .ovpn 檔案透過網路管理員連線時的系統日誌輸出:
Aug 22 19:39:05 ben NetworkManager[821]: <info> [1661189945.9755] vpn[0xd34db33f,blahblahblah,"blah"]: starting openvpn
Aug 22 19:39:05 ben NetworkManager[821]: <info> [1661189945.9762] audit: op="connection-activate" uuid="blahblahblah" name="blah" pid=31467 uid=1000 result="success"
Aug 22 19:39:09 ben nm-openvpn[31529]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Aug 22 19:39:09 ben nm-openvpn[31529]: OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Aug 22 19:39:09 ben nm-openvpn[31529]: library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Aug 22 19:39:09 ben nm-openvpn[31529]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 22 19:39:09 ben nm-openvpn[31529]: TCP/UDP: Preserving recently used remote address: [AF_INET6]some:ipv6:address:1194
Aug 22 19:39:09 ben nm-openvpn[31529]: UDP link local: (not bound)
Aug 22 19:39:09 ben nm-openvpn[31529]: UDP link remote: [AF_INET6]some:ipv6:address:1194
Aug 22 19:39:09 ben nm-openvpn[31529]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Aug 22 19:39:09 ben nm-openvpn[31529]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Aug 22 19:40:09 ben nm-openvpn[31529]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 22 19:40:09 ben nm-openvpn[31529]: TLS Error: TLS handshake failed
Aug 22 19:40:09 ben nm-openvpn[31529]: SIGUSR1[soft,tls-error] received, process restarting
Aug 22 19:40:09 ben NetworkManager[821]: <warn> [1661190009.4674] vpn[0xd34db33f,blahblahblah,"blah"]: connect timeout exceeded
Aug 22 19:40:09 ben nm-openvpn-serv[31515]: Connect timer expired, disconnecting.
Aug 22 19:40:09 ben nm-openvpn[31529]: SIGTERM[hard,init_instance] received, process exiting
基本上,客戶端會在 60 秒後斷開連接,抱怨 TLS 握手失敗。
我可以確認這在使用 OpenVPN 連接的 Windows 電腦上完美運行,並且連接埠 1194/UDP 已在我的軟體和硬體伺服器防火牆上開啟和存取。
任何幫助是極大的讚賞。
答案1
如果 TLS 金鑰協商未能在 60 秒內發生,我的第一個猜測是資料包在某處遺失。設定檔和日誌檔不會透露這一點。您需要使用 tcpdump 和/或 Wireshark 進行調查。