openVPN TLS错误: TLS握手失败,但之前正在工作。
openVPN TLS错误: TLS握手失败,但之前正在工作。
提问于 2021-08-19 20:29:42
我有一个openvpn配置在我的覆盆子,我遵循这个指南:https://juncotic.com/openvpn-easyrsa-3-montando-la-vpn/和一切正常工作了几个星期。突然一个丘比特几天前vpn停止工作并抛出TLS错误。我检查了端口转发是否还在运行,我还检查了服务器和我的机器上的所有东西都是最新的,还检查了openvpn是否正确运行,日志上没有任何不应该工作的地方,我还尝试将vpn的端口更改为更高的端口,这是不起作用的。我不知道还能找什么。我会提供一些信息,如果有人需要什么,让我知道。
这些是我的配置文件:
server.conf:
port 1194
proto udp
server 192.168.10.0 255.255.255.0
client-to-client
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/cloudAtlas.crt
dh /etc/openvpn/keys/dh.pem
key /etc/openvpn/keys/cloudAtlas.key
tls-auth /etc/openvpn/keys/ta.key 0
crl-verify /etc/openvpn/keys/crl.pem
comp-lzo adaptive
dev tun
ifconfig-pool-persist server-ipp.txt 0
keepalive 10 120
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
log /var/log/openvpn/server.log
verb 3client2.conf:
client
dev tun
proto udp
port 1194
remote 21e800.duckdns.org 1194
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
ca /etc/openvpn/keys/ca.crt
key /etc/openvpn/keys/cliente1.key
cert /etc/openvpn/keys/cliente1.crt
key-direction 1
tls-auth /etc/openvpn/keys/ta.key 1openvpn在启动时记录输出:
Thu Aug 19 22:10:30 2021 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Thu Aug 19 22:10:30 2021 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Thu Aug 19 22:10:30 2021 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Aug 19 22:10:30 2021 Note: cannot open server-ipp.txt for READ
Thu Aug 19 22:10:30 2021 Diffie-Hellman initialized with 2048 bit key
Thu Aug 19 22:10:30 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 19 22:10:30 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 19 22:10:30 2021 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=e4:5f:01:38:49:2b
Thu Aug 19 22:10:30 2021 TUN/TAP device tun0 opened
Thu Aug 19 22:10:30 2021 TUN/TAP TX queue length set to 100
Thu Aug 19 22:10:30 2021 /sbin/ip link set dev tun0 up mtu 1500
Thu Aug 19 22:10:30 2021 /sbin/ip addr add dev tun0 local 192.168.10.1 peer 192.168.10.2
Thu Aug 19 22:10:30 2021 /sbin/ip route add 192.168.10.0/24 via 192.168.10.2
Thu Aug 19 22:10:30 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Aug 19 22:10:30 2021 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Aug 19 22:10:30 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Aug 19 22:10:30 2021 UDPv4 link remote: [AF_UNSPEC]
Thu Aug 19 22:10:30 2021 MULTI: multi_init called, r=256 v=256
Thu Aug 19 22:10:30 2021 IFCONFIG POOL: base=192.168.10.4 size=62, ipv6=0
Thu Aug 19 22:10:30 2021 IFCONFIG POOL LIST
Thu Aug 19 22:10:30 2021 Initialization Sequence Completed当试图连接时客户端的消息:
Thu Aug 19 22:12:03 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Thu Aug 19 22:12:03 2021 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Thu Aug 19 22:12:03 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 19 22:12:03 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 19 22:12:03 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:12:03 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Aug 19 22:12:03 2021 UDP link local: (not bound)
Thu Aug 19 22:12:03 2021 UDP link remote: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:13:03 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 19 22:13:03 2021 TLS Error: TLS handshake failed
Thu Aug 19 22:13:03 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 19 22:13:03 2021 Restart pause, 5 second(s)
Thu Aug 19 22:13:08 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:13:08 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Aug 19 22:13:08 2021 UDP link local: (not bound)
Thu Aug 19 22:13:08 2021 UDP link remote: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:14:08 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 19 22:14:08 2021 TLS Error: TLS handshake failed
Thu Aug 19 22:14:08 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 19 22:14:08 2021 Restart pause, 5 second(s)
Thu Aug 19 22:14:13 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:14:13 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Aug 19 22:14:13 2021 UDP link local: (not bound)
Thu Aug 19 22:14:13 2021 UDP link remote: [AF_INET]83.51.211.151:1194
Thu Aug 19 22:15:13 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 19 22:15:13 2021 TLS Error: TLS handshake failed
Thu Aug 19 22:15:13 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 19 22:15:13 2021 Restart pause, 5 second(s)
Thu Aug 19 22:15:18 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]83.51.211.151:1194我的端口转发配置(路由器):
答案:
这就是当我用指定的端口切换到路由器时得到的结果:
pah@xiaomi:~$ nmap -Pn -p 1194 21e800.duckdns.org
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-19 22:58 CEST
Nmap scan report for 21e800.duckdns.org (83.51.211.151)
Host is up.
rDNS record for 83.51.211.151: 151.red-83-51-211.dynamicip.rima-tde.net
PORT STATE SERVICE
1194/tcp filtered openvpn
Nmap done: 1 IP address (1 host up) scanned in 2.34 seconds证书有效期至2024年。以防万一我漏掉了什么东西,我已经检查了所有的证书,但仍然不起作用。
此外,我还试图检查是否收到了以下数据包:
sudo tcpdump -i any -c5 -nn port 1194什么都没有出来,所以我怀疑问题与网络有关,但我的知识是.稀缺,因此我不知道如何进一步删除它,也不知道除了端口转发(我认为这是因为ping (?)的响应而起作用的端口转发之外,问题可能在哪里)。
不管怎么说,如果有人有什么想法,请告诉我。
答:我发现了问题!这是DNS服务,不知道为什么,但它没有正确地更新我的IP,因为它是动态的,一切都停止工作。我应该先检查一下那件事的,我真丢脸。
回答 1
Server Fault用户
发布于 2021-08-19 21:02:13
检查您是否真的可以从互联网连接到ip和端口:
- 也许你有服务器通过DHCP获取内部IP,而它的内部IP已经改变了。
- 也许你的外部IP换了两次检查。
检查您的服务器和客户端证书是否过期,这可能是因为您之前说过它运行良好。
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/1075096
复制相关文章
相似问题
腾讯云开发者
