OpenVPN and pfSense port configuration

I want to configure OpenVPN in pfSense to connect to a private network on a virtual server. I followed some instructions, read a lot, and I keep running into the same problem. This is what I did:

  • Generated a CA certificate
  • Generated a server certificate
  • Created a user and generated a certificate for that user
  • In NAT, configured outbound to the VPN network (10.0.0.0/24), then applied the wizard
  • Set up rules in the firewall allowing the VPN
  • Installed the OpenVPN client export package and downloaded the configuration
  • Tried Viscosity, the OpenVPN client and Tunnelblick

Now the problem is in the handshake on the client side, but I think it is a problem in the pfSense firewall, even though the rule I tried for the VPN port is 0/0.

If I scan the port with nmap, I get this:

    1194/tcp filtered      openvpn
    1194/udp open|filtered openvpn

Any ideas?

Well, openvpn.log shows me this:

    Dec 21 13:50:55 Firewall openvpn[6124]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
    Dec 21 13:50:55 Firewall openvpn[6124]: library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Dec 21 13:50:55 Firewall openvpn[6222]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
    Dec 21 13:50:55 Firewall openvpn[6222]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 21 13:50:55 Firewall openvpn[6222]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Dec 21 13:50:55 Firewall openvpn[6222]: TUN/TAP device ovpns1 exists previously, keep at program end
    Dec 21 13:50:55 Firewall openvpn[6222]: TUN/TAP device /dev/tun1 opened
    Dec 21 13:50:55 Firewall openvpn[6222]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Dec 21 13:50:55 Firewall openvpn[6222]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Dec 21 13:50:55 Firewall openvpn[6222]: /sbin/ifconfig ovpns1 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.0 up
    Dec 21 13:50:55 Firewall openvpn[6222]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 10.0.0.1 255.255.255.0 init
    Dec 21 13:50:55 Firewall openvpn[6222]: UDPv4 link local (bound): [AF_INET]XX.XXX.XXX.XXX:1194
    Dec 21 13:50:55 Firewall openvpn[6222]: UDPv4 link remote: [undef]
    Dec 21 13:50:55 Firewall openvpn[6222]: Initialization Sequence Completed

You can see a warning, but I don't understand what it means to me. The other log file, filter.log, shows a lot of information, but when I grep it for VPN or 1194 I get nothing. What am I looking for? Sorry, but this is my first time trying a VPN and I don't know what to do.

After trying:

    tcpdump -n -e -ttt -i pflog0

for 15 minutes I got nothing while trying the OpenVPN client:

    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

But if I do a port scan with nmap, I get this:

    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
    00:00:00.000000 rule 5..16777216/0(match): block in on vmx0: IP8 bad-len 0
    00:00:00.002001 rule 5..16777216/0(match): block in on vmx0: IP1 bad-len 0
    00:01:09.092480 rule 5..16777216/0(match): block in on vmx0: IP10 bad-len 0
    00:00:00.001754 rule 5..16777216/0(match): block in on vmx0: IP12 bad-len 0
    8 packets captured
    8 packets received by filter
    0 packets dropped by kernel

The firewall is not receiving any packets on port 1194, where the OpenVPN server is listening. Is there some way to test the port? Or some way to send packets to port 1194 and see whether it works?

Well, I checked the configuration and I think it is fine. Here it is:

    dev ovpns1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local XXX.XXX.XXX.XXX #public ip
    tls-server
    server 10.0.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Server_CRT' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 2
    push "route 192.168.0.0 255.255.255.0"
    push "redirect-gateway def1"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float
    topology subnet

If I run sockstat | grep 1194 it looks like it is working:

    root openvpn 84783 6 udp4 XXX.XXX.XXX.XXX:1194 *:*

I think we are getting somewhere. Now in the OpenVPN log, when I try to connect with a client, I see this:

    Jan 14 22:30:16 Firewall openvpn[73374]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jan 14 22:30:16 Firewall openvpn[73374]: MANAGEMENT: CMD 'status 2'
    Jan 14 22:30:17 Firewall openvpn[73374]: MULTI: REAP range 176 -> 192
    Jan 14 22:30:17 Firewall openvpn[73374]: MANAGEMENT: CMD 'quit'
    Jan 14 22:30:17 Firewall openvpn[73374]: MANAGEMENT: Client disconnected

And on the client I see this:

    Jan 14 22:31:14: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
    Jan 14 22:32:14: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jan 14 22:32:14: TLS Error: TLS handshake failed
    Jan 14 22:32:14: SIGUSR1[soft,tls-error] received, process restarting
    Jan 14 22:32:15: UDPv4 link local (bound): [undef]
    Jan 14 22:32:15: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194

The best way to find out whether it is the firewall is to look at its logs.

Edit: I mean you should look at the pf log. pf should log any rejections it makes, which would confirm or refute your suspicion that it is the firewall. I have not used pfSense, but on FreeBSD looking at the pf log goes like this: tcpdump -n -e -ttt -r /var/log/pflog, or you can watch it in real time with tcpdump -n -e -ttt -i pflog0
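As an added example, not part of the question or this answer, the following Python script applies the advice above to the pflog format that `tcpdump -n -e -ttt -i pflog0` prints: it parses each pf decision line, counts block and pass verdicts for inbound UDP 1194, and combines that with the client's 60-second TLS timeout to say where the packets are being lost. The capture and client log lines are constructed samples in the same shape as the ones in the question; the 203.0.113.0/24 and 198.51.100.0/24 addresses, the rule number 71 and the decoded 1194 lines are assumptions, since the question's own capture contained no traffic to port 1194 at all.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the four undecoded lines mirror the capture in the question.
CAPTURE_FROM_QUESTION = """\
tcpdump: WARNING: pflog0: no IPv4 address assigned
00:00:00.000000 rule 5..16777216/0(match): block in on vmx0: IP8 bad-len 0
00:00:00.002001 rule 5..16777216/0(match): block in on vmx0: IP1 bad-len 0
00:01:09.092480 rule 5..16777216/0(match): block in on vmx0: IP10 bad-len 0
00:00:00.001754 rule 5..16777216/0(match): block in on vmx0: IP12 bad-len 0
8 packets captured
"""

# Constructed sample of what a blocked and a passed OpenVPN packet would look like
# in the same format (documentation addresses, assumed rule number and interface).
CAPTURE_WITH_1194 = """\
00:00:01.250000 rule 5..16777216/0(match): block in on vmx0: IP 203.0.113.10.51515 > 198.51.100.5.1194: UDP, length 42
00:00:00.010000 rule 71/0(match): pass in on vmx0: IP 203.0.113.10.51516 > 198.51.100.5.1194: UDP, length 42
"""

# Constructed client-side log in the shape of the one in the question.
SAMPLE_CLIENT_LOG = """\
Jan 14 22:31:14: UDPv4 link remote: [AF_INET]198.51.100.5:1194
Jan 14 22:32:14: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 14 22:32:14: TLS Error: TLS handshake failed
"""

# One pflog decision line: delta, rule id, reason, action, direction, interface, packet text.
PFLOG_RE = re.compile(
    r"^(?P<delta>\S+)\s+rule\s+(?P<rule>[\w.]+)/\d+\((?P<reason>\w+)\):\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+(?P<pkt>.*)$"
)
# tcpdump prints IPv4 endpoints as "addr.port"; the non-greedy address group stops
# at the last ".port" before " > ". Lines like "IP8 bad-len 0" do not match.
PKT_RE = re.compile(
    r"^IP6? (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def parse_pflog(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn each pflog decision line into a dict; packet fields are None when
    tcpdump could not decode the packet. Banner and summary lines are skipped."""
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        rec: Dict[str, Optional[str]] = {k: m.group(k) for k in ("delta", "rule", "action", "dir", "iface")}
        p = PKT_RE.match(m.group("pkt"))
        for k in ("src", "sport", "dst", "dport", "proto"):
            rec[k] = p.group(k) if p else None
        records.append(rec)
    return records


def port_decisions(records: List[Dict[str, Optional[str]]], port: int = 1194, proto: str = "UDP") -> Dict[str, int]:
    """Count pf block/pass decisions for inbound traffic to the given port,
    plus the lines whose packet could not be decoded."""
    counts = {"block": 0, "pass": 0, "undecoded": 0}
    for r in records:
        if r["dport"] is None:
            counts["undecoded"] += 1
        elif r["dir"] == "in" and r["proto"] == proto and int(r["dport"]) == port:
            counts[str(r["action"])] += 1
    return counts


def client_saw_timeout(client_log: str) -> bool:
    """True when the client never received a TLS reply (the 60 s negotiation timeout)."""
    return "TLS key negotiation failed to occur within" in client_log


def triage(pflog_text: str, client_log: str, port: int = 1194) -> str:
    """Combine the pf evidence with the client symptom into one verdict."""
    counts = port_decisions(parse_pflog(pflog_text), port)
    if counts["block"]:
        return f"pf blocked {counts['block']} packet(s) to UDP {port}: fix the WAN rule"
    if counts["pass"]:
        return f"pf passed {counts['pass']} packet(s) to UDP {port}: the firewall is not the problem, check openvpn.log and the TLS settings"
    if client_saw_timeout(client_log):
        return f"no packets to UDP {port} reached pf and the client timed out: suspect filtering upstream of the firewall (provider firewall or NAT)"
    return "no evidence either way: capture for longer while the client connects"


if __name__ == "__main__":
    print(triage(CAPTURE_FROM_QUESTION, SAMPLE_CLIENT_LOG))
    print(triage(CAPTURE_WITH_1194, SAMPLE_CLIENT_LOG))
```

Run against a real capture, the "undecoded" count tells you how much of the log tcpdump could not interpret (the "bad-len 0" lines in the question), and a zero block and zero pass count for port 1194 while the client is retrying is the signature of packets being dropped before they ever reach pf.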

Well, after talking with my server provider and checking their network, everything works fine: they were using a firewall in front of my server. Thanks everyone for the help!