服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 什么是openvpnnetworking故障的原因?
Intereting Posts
通过连接APT系统来维护一个很好的信息文档? 如何安装iostat到红帽5,没有互联网连接? 在Apache中的多个域 批量阻止特定的电子邮件地址 谁能告诉我为什么我的Ubuntu服务器崩溃了? BKF转换为vmware兼容文件types 无法连接到RDS MySQL 在Amazon SES上使用自签名证书 使用第二台专用服务器作为备份? 我可以安全地删除由我的主机或cPanel添加_vti文件夹? 问题增加centOS磁盘空间 在Outlook联系人公司范围内显示Business 2或Notes字段? DNS“意外”在AD域 – 服务器2008中卸载 UNCpath由IP“没有networking提供商接受给定的networkingpath”失败,但使用主机名工作 如何从不同的用户会话刷新环境variables?

什么是openvpnnetworking故障的原因?

我们有大约1200个客户端连接的openvpnnetworking。 基本上一切运行良好,但是当我们失去大多数/所有连接时,每天都会出现0-4次崩溃(随机发生)。 有一个cron作业每分钟检查一次有多less个客户端连接存在: 

echo "status 3" | /bin/nc 127.0.0.1 5001 -q 1 | /bin/grep CLIENT_LIST | /bin/grep 10.10. | /usr/bin/wc -l

一天的结果是: 

 Mon Nov 23 23:24:02 EET 2015 1201 Mon Nov 23 23:25:02 EET 2015 312 Mon Nov 23 23:26:02 EET 2015 1201 Tue Nov 24 02:46:02 EET 2015 1196 Tue Nov 24 02:47:02 EET 2015 0 Tue Nov 24 02:48:02 EET 2015 1198 Tue Nov 24 05:45:02 EET 2015 1197 Tue Nov 24 05:46:02 EET 2015 324 Tue Nov 24 05:47:02 EET 2015 1196 Tue Nov 24 05:55:02 EET 2015 1199 Tue Nov 24 05:56:04 EET 2015 0 Tue Nov 24 05:57:02 EET 2015 35 Tue Nov 24 05:58:02 EET 2015 208 Tue Nov 24 05:59:02 EET 2015 369 Tue Nov 24 06:00:02 EET 2015 517 Tue Nov 24 06:01:02 EET 2015 636 Tue Nov 24 06:02:02 EET 2015 739 Tue Nov 24 06:03:02 EET 2015 845 Tue Nov 24 06:04:02 EET 2015 945 Tue Nov 24 06:05:02 EET 2015 1042 Tue Nov 24 06:06:02 EET 2015 1121 Tue Nov 24 06:07:02 EET 2015 1141

当“停电”发生日志说: 

 Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 11.111.111.111:59208 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 11.111.111.111:59208 TLS Error: TLS handshake failed Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 11.111.111.111:59208 SIGUSR1[soft,tls-error] received, client-instance restarting Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111) Nov 24 05:56:02 ovpn-openvpn[12639]: last message repeated 3 times Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: MULTI: multi_create_instance called Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 222.222.222.222:34914 Re-using SSL/TLS context Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 222.222.222.222:34914 LZO compression initialized Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 222.222.222.222:34914 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ] Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 222.222.222.222:34914 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 222.222.222.222:34914 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server' Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 222.222.222.222:34914 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client' Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 222.222.222.222:34914 Local Options hash (VER=V4): '14168603' Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 222.222.222.222:34914 Expected Remote Options hash (VER=V4): '504e774e' Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 222.222.222.222:34914 TLS: Initial packet from [AF_INET]222.222.222.222:34914, sid=e60171c4 e7222269 Nov 24 05:56:02 xxxxxx1 kernel: [45070269.509652] IN=tun0 OUT=eth1 MAC= SRC=10.10.143.155 DST=10.1.1.11 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=50374 DF PROTO=TCP SPT=502 DPT=54773 WINDOW=7300 RES=0x00 ACK RST URGP=0 Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111) Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: MULTI: multi_create_instance called Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:47624 Re-using SSL/TLS context Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:47624 LZO compression initialized Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:47624 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ] Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:47624 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:47624 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server' Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:47624 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client' Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:47624 Local Options hash (VER=V4): '14168603' Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:47624 Expected Remote Options hash (VER=V4): '504e774e' Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:47624 TLS: Initial packet from [AF_INET]44.444.444.44:47624, sid=f2f58219 caddd889 Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111) Nov 24 05:56:03 xxxxxx1 ovpn-openvpn[12639]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111) Nov 24 05:56:03 xxxxxx1 ovpn-openvpn[12639]: 1000000713/333.333.33.333:58655 MULTI: Learn: 10.200.6.150 -> 1000000713/333.333.33.333:58655 Nov 24 05:56:03 xxxxxx1 ovpn-openvpn[12639]: MANAGEMENT: Client disconnected Nov 24 05:56:04 xxxxxx1 ovpn-openvpn[19031]: Current Parameter Settings: Nov 24 05:56:04 xxxxxx1 ovpn-openvpn[19031]: config = '/etc/openvpn/openvpn.conf' Nov 24 05:56:04 xxxxxx1 ovpn-openvpn[19031]: mode = 1 . . . spits out server.conf file

要清楚: 

 Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:59208 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:59208 TLS Error: TLS handshake failed Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: 44.444.444.44:59208 SIGUSR1[soft,tls-error] received, client-instance restarting Nov 24 05:56:02 xxxxxx1 ovpn-openvpn[12639]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

由于证书有效的startTimes不正确,在那里存在。 (电气故障客户将其时钟重置为从证书有效范围外的默认值) – 可能不是主要问题的原因?

  • 看门狗检测到零连接后,openvpn服务被强制重启:

    / usr / bin / killall -9 openvpn

    / bin / sh /etc/init.d/openvpn restart

  • 我们一直以1秒的分辨率loggingnetworking接口,没有任何失败

  • 我们一直在loggingiptables,在丢弃的数据包内没有什么build议openvpn连接

  • openvpn重新启动后,所有客户端正常重新连接,一切正常,直到下一次崩溃。

  • 大多数情况下,我们的客户是使用dd-wrt的路由器,或者使用openvpnembedded式Linux。

  • 为server.conf: 

     local xxx.xx.xxx.xxx port 1194 ;proto tcp proto udp ;dev tap dev tun ;dev-node MyTap ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key dh /etc/openvpn/easy-rsa/keys/dh1024.pem mode server ifconfig 10.10.128.1 10.10.128.2 ifconfig-pool 10.10.128.4 10.10.255.255 route 10.10.128.0 255.255.128.0 route 10.200.0.0 255.255.0.0 push "route 10.200.0.0 255.255.0.0" push "route 10.10.128.0 255.255.128.0" push "route 10.1.1.0 255.255.255.0" client-config-dir /etc/openvpn/ccd keepalive 7 50 tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret tls-server comp-lzo no verb 5 topology p2p management localhost 5001 crl-verify /etc/openvpn/crl.pem script-security 2 client-disconnect "/usr/bin/php /root/cron/connect_disconnect.php disconnect" client-connect "/usr/bin/php /root/cron/connect_disconnect.php connect"

请问,你有什么build议如何logging/追踪/狩猎这种行为的可能原因?

感谢提前

  • Jani H