I'm setting up OpenVPN 2.3.6-1 on my Arch server to encrypt SMB traffic over the public internet. When I test the installation from my Linux VM client I get the error: TLS Error: TLS handshake failed.
I had a quick read of (OpenVPN on OpenVZ TLS Error: TLS handshake failed (google suggested solutions not helping)) and tried switching from the default UDP to TCP, but that only made the client repeatedly report a connection timeout. I also tried disabling the cipher and TLS authentication, but that made the server fail with Assertion failed at crypto_openssl.c:523. In both cases the required changes were made to both the client and server configs.
I have been following the instructions at (https://wiki.archlinux.org/index.php/OpenVPN) to set up OpenVPN and at (https://wiki.archlinux.org/index.php/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts) to create the keys and certificates. The only deviation I made from those instructions was specifying my own computer names and the corresponding key/certificate file names.
See also my original question about securing SMB traffic over the Internet: (Simple encryption for Samba shares)
Can anyone explain how I can fix this?
Details:
Server: Arch Linux (up to date), connected directly to the gateway by Ethernet cable. Nothing fancy.
Client: Arch (up to date) VM in VirtualBox 4.3.28r100309 on a Windows 8.1 host, bridged network adapter. Nothing fancy. Windows firewall disabled.
Gateway: port forwarding enabled for port 1194, no firewall restrictions.
Below are the config files on the server and client respectively. I created them following the instructions on the Arch Wiki.
/etc/openvpn/server.conf (non-comment lines only):
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server-name.crt
key /etc/openvpn/server-name.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
/etc/openvpn/client.conf (non-comment lines only):
client
dev tun
proto udp
remote [my public IP here] 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client-name.crt
key /etc/openvpn/client-name.key
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3
Below is the output of running openvpn on the machines with the above configs. I started the server first, then the client.
openvpn /etc/openvpn/server.conf on the server, output:
Thu Jul 30 17:02:53 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 2 2014
Thu Jul 30 17:02:53 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Jul 30 17:02:53 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Jul 30 17:02:53 2015 Diffie-Hellman initialized with 2048 bit key
Thu Jul 30 17:02:53 2015 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Jul 30 17:02:53 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 17:02:53 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 17:02:53 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jul 30 17:02:53 2015 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp5s0 HWADDR=##:##:##:##:##:##
Thu Jul 30 17:02:53 2015 TUN/TAP device tun0 opened
Thu Jul 30 17:02:53 2015 TUN/TAP TX queue length set to 100
Thu Jul 30 17:02:53 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jul 30 17:02:53 2015 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Jul 30 17:02:53 2015 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Jul 30 17:02:53 2015 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Jul 30 17:02:53 2015 GID set to nobody
Thu Jul 30 17:02:53 2015 UID set to nobody
Thu Jul 30 17:02:53 2015 UDPv4 link local (bound): [undef]
Thu Jul 30 17:02:53 2015 UDPv4 link remote: [undef]
Thu Jul 30 17:02:53 2015 MULTI: multi_init called, r=256 v=256
Thu Jul 30 17:02:53 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Jul 30 17:02:53 2015 IFCONFIG POOL LIST
Thu Jul 30 17:02:53 2015 Initialization Sequence Completed
openvpn /etc/openvpn/client.conf on the client, output:
Thu Jul 30 21:03:02 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 2 2014
Thu Jul 30 21:03:02 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Jul 30 21:03:02 2015 WARNING: file '/etc/openvpn/client-name.key' is group or others accessible
Thu Jul 30 21:03:02 2015 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Thu Jul 30 21:03:02 2015 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Jul 30 21:03:02 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 21:03:02 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 21:03:02 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jul 30 21:03:02 2015 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jul 30 21:03:02 2015 UDPv4 link local: [undef]
Thu Jul 30 21:03:02 2015 UDPv4 link remote: [AF_INET][my public IP here]:1194
Thu Jul 30 21:04:02 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul 30 21:04:02 2015 TLS Error: TLS handshake failed
Thu Jul 30 21:04:02 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 30 21:04:02 2015 Restart pause, 2 second(s)
Posted on 2015-08-01 00:15:23
As Michael Hampton and Michał Sokołowski suggested in the comments on my question, this was a problem with the port forwarding rule I had created on the gateway. OpenVPN was configured to use UDP, and I had forgotten to switch the gateway rule from TCP to UDP because I don't normally use that protocol. The forwarding rule now uses UDP and my VPN is working fine.
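The client log above shows the shape of this failure: the client sends its first control packet, nothing ever comes back, and after 60 seconds it gives up with "TLS key negotiation failed to occur within 60 seconds". With tls-auth in place the server silently drops anything it cannot authenticate, so a wrong transport on the NAT rule, a wrong tls-auth direction and a mismatched proto all look identical from the client side. The following script is an added example (not code from the question or the answer): it parses the two config fragments shown above (embedded here as constructed strings, with the placeholder public IP replaced by the documentation address 203.0.113.10) and reports the mismatches that produce that timeout. The gateway rule is passed in as a plain (proto, port) tuple, and the function names are this example's own.

```python
"""Consistency check for an OpenVPN server/client config pair (added example)."""
import os
import re
import stat

# Constructed copies of the non-comment lines from the question's two files.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server-name.crt
key /etc/openvpn/server-name.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
comp-lzo
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
nobind
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client-name.crt
key /etc/openvpn/client-name.key
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
"""


def parse_conf(text):
    """Map directive -> argument list; '#' and ';' start comments in OpenVPN configs."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        conf[name] = args
    return conf


def _transport(conf, remote_index=None):
    """Reduce 'udp', 'udp4', 'tcp-client', ... to 'udp' or 'tcp'; default is udp."""
    remote = conf.get("remote", [])
    if remote_index is not None and len(remote) > remote_index:
        return remote[remote_index].lower()[:3]
    return conf.get("proto", ["udp"])[0].lower()[:3]


def _server_port(conf):
    return int(conf.get("port", ["1194"])[0])


def _client_port(conf):
    remote = conf.get("remote", [])
    if len(remote) >= 2:
        return int(remote[1])
    return int(conf.get("port", ["1194"])[0])


def check_pair(server, client, gateway_forward=None):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    sp, cp = _transport(server), _transport(client, remote_index=2)
    if sp != cp:
        findings.append(f"proto mismatch: server {sp}, client {cp}")
    sport, cport = _server_port(server), _client_port(client)
    if sport != cport:
        findings.append(f"port mismatch: server {sport}, client {cport}")
    if gateway_forward is not None:
        gproto, gport = gateway_forward
        if (gproto.lower()[:3], gport) != (sp, sport):
            findings.append(
                f"gateway forwards {gproto}/{gport} but the server listens on {sp}/{sport}")
    s_ta, c_ta = server.get("tls-auth"), client.get("tls-auth")
    if (s_ta is None) != (c_ta is None):
        findings.append("tls-auth on one side only: the other side's control packets are dropped")
    elif s_ta and c_ta:
        s_dir = s_ta[1] if len(s_ta) > 1 else None
        c_dir = c_ta[1] if len(c_ta) > 1 else None
        # Directions must be complementary (0 on one end, 1 on the other) or omitted on both.
        if {s_dir, c_dir} not in ({"0", "1"}, {None}):
            findings.append(f"tls-auth key-direction mismatch: server {s_dir}, client {c_dir}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo on one side only (breaks the data channel after the handshake)")
    return findings


def key_file_too_open(mode):
    """True when group or others have any permission bit, which OpenVPN warns about."""
    return bool(stat.S_IMODE(mode) & 0o077)


def check_key_perms(paths):
    """Stat each existing key file and report the ones that should be chmod 600."""
    return [p for p in paths if os.path.exists(p) and key_file_too_open(os.stat(p).st_mode)]


if __name__ == "__main__":
    server, client = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    # The gateway rule as it was before the fix described in the accepted answer.
    for finding in check_pair(server, client, gateway_forward=("tcp", 1194)):
        print("FINDING:", finding)
    for path in check_key_perms([client["key"][0], client["tls-auth"][0]]):
        print("FINDING: key file is group/world accessible:", path)
```

Run it against the real files by replacing the embedded strings with the contents of /etc/openvpn/server.conf and client.conf; with the gateway rule set to ("udp", 1194) the checker is silent, which is the state the accepted answer reached. The permission check reproduces the two "is group or others accessible" warnings from the client log, which do not cause the handshake failure but do mean the private key and ta.key are readable by every local user.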
Posted on 2016-03-22 00:18:47
I had this problem too.
I'm using DigitalOcean as my server provider, and the problem was the Floating IP feature.
To fix it, you have to update the openvpn config setting:
local <ip anchor>
The ip anchor should be the IP entry gathered from the ip addr command, see example:
Posted on 2017-10-09 19:50:40
My current configuration works in some countries but not in others. I suspect my current provider is blocking the TLS handshake packets. The solution? Since I'm the only one using the VPN, I have switched to static key authentication, which in my case turned out to be super fast: https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html.
https://serverfault.com/questions/709860