TLS Error: handshake failed. OpenVPN server behind NAT on a dynamic IP

This is a common problem and easy to find in a search; it seems to be firewall-related, but I can't seem to figure out how to solve it. I actually asked about it before, but this time I'm back with more information about the problem and a better understanding of it.

The problem appears when my OpenVPN server (which sits behind a NAT) has its external IP change, because my internet connection has a dynamic IP.

So, whenever my external IP changes, my VPN clients can no longer connect to the server. This is a headache, because after a restart (of the OpenVPN server, and maybe the firewall too) things usually don't get fixed. After a few restarts, though, things will work for a few days, until my IP changes again.

The following logs were obtained from 2 (server and client) Slackware Linux systems.

My server configuration is as follows:

    cd /etc/openvpn
    proto udp
    port 32456
    comp-lzo
    verb 1
    log-append /var/log/openvpn/server.log
    status /var/log/openvpn/server-status.log
    daemon
    dev tun
    persist-tun
    persist-key
    server 192.168.26.0 255.255.255.0
    ifconfig-pool-persist /var/log/openvpn/ipp.txt
    client-to-client
    client-config-dir ccd
    route-gateway 'dhcp'
    route 192.168.114.0 255.255.255.0
    route 192.168.18.0 255.255.255.0
    push "route 192.168.112.0 255.255.255.0 vpn_gateway"
    push "route 192.168.114.0 255.255.255.0"
    push "route 192.168.18.0 255.255.255.0"
    cipher BF-CBC
    ca keys/ca.crt
    dh keys/dh1024.pem
    cert keys/stardust.crt
    key keys/stardust.key
    crl-verify certs/crl.pem
    keepalive 20 120
    user openvpn
    group openvpn
    max-clients 15

And the client configuration is as follows (identical on all clients):

    client
    dev tun
    proto udp
    remote my.dyndns1.site 32456
    remote mydyndns2.site 32456
    float
    resolv-retry infinite
    nobind
    user nobody
    group nobody
    persist-key
    persist-tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/forge.crt
    key /etc/openvpn/keys/forge.key
    ns-cert-type server
    cipher BF-CBC
    comp-lzo
    verb 3
    mute 10
    keepalive 10 60
    log-append /var/log/openvpn/client.log

On the server, the log file says the following:

    Mon Jul 13 17:27:43 2015 us=15365 xxxx:39397 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Jul 13 17:27:43 2015 us=15406 xxxx:39397 TLS Error: TLS handshake failed
    ....
    ....(a few seconds pass by)
    ....
    Mon Jul 13 17:29:43 2015 us=15492 xxxx:39397 SIGUSR1[soft,tls-error] received, client-instance restarting
    Mon Jul 13 17:29:44 2015 us=718669 MULTI: multi_create_instance called
    Mon Jul 13 17:29:44 2015 us=718735 xxxx:47092 Re-using SSL/TLS context
    Mon Jul 13 17:29:44 2015 us=718770 xxxx:47092 LZO compression initialized
    Mon Jul 13 17:29:44 2015 us=718856 xxxx:47092 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mon Jul 13 17:29:44 2015 us=718888 xxxx:47092 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mon Jul 13 17:29:44 2015 us=718932 xxxx:47092 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Mon Jul 13 17:29:44 2015 us=718948 xxxx:47092 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Mon Jul 13 17:29:44 2015 us=718974 xxxx:47092 Local Options hash (VER=V4): '530fdded'
    Mon Jul 13 17:29:44 2015 us=718994 xxxx:47092 Expected Remote Options hash (VER=V4): '41690919'
    Mon Jul 13 17:29:44 2015 us=719028 xxxx:47092 TLS: Initial packet from xxxx:47092, sid=a439532b 854729a0

On the client, the log file says:

    Mon Jul 13 17:32:51 2015 us=341010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Jul 13 17:32:51 2015 us=341263 Re-using SSL/TLS context
    Mon Jul 13 17:32:51 2015 us=341309 LZO compression initialized
    Mon Jul 13 17:32:51 2015 us=341451 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mon Jul 13 17:32:51 2015 us=341526 Socket Buffers: R=[229376->131072] S=[229376->131072]
    Mon Jul 13 17:32:51 2015 us=510459 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mon Jul 13 17:32:51 2015 us=510614 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Mon Jul 13 17:32:51 2015 us=510642 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Mon Jul 13 17:32:51 2015 us=510692 Local Options hash (VER=V4): '41690919'
    Mon Jul 13 17:32:51 2015 us=510733 Expected Remote Options hash (VER=V4): '530fdded'
    Mon Jul 13 17:32:51 2015 us=510771 UDPv4 link local: [undef]
    Mon Jul 13 17:32:51 2015 us=510806 UDPv4 link remote: [AF_INET]xxxx:32456
    ....
    ....(a few secs pass by)
    ....
    Mon Jul 13 17:32:49 2015 us=340411 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Mon Jul 13 17:32:49 2015 us=340678 TCP/UDP: Closing socket
    Mon Jul 13 17:32:49 2015 us=340752 SIGUSR1[soft,ping-restart] received, process restarting
    Mon Jul 13 17:32:49 2015 us=340792 Restart pause, 2 second(s)

Do you see anything wrong with my configuration? My guess is that the clients' firewall no longer lets the ping responses reach them once the server's IP has changed (all the stateful ESTABLISHED,RELATED connections no longer apply to the new server IP).

So, looking into it, I started checking the firewall logs and logging packets between the client and the OpenVPN server.

With tcpdump -i eth1 host <server_ip> and udp on the client I checked the incoming packets…

    17:31:22.467092 IP 192.168.233.165.36312 > <server_ip>.32456: UDP, length 14
    17:31:22.510463 IP <server_ip>.13519 > 192.168.233.165.36312: UDP, length 26
    17:31:24.553394 IP 192.168.233.165.36312 > <server_ip>.32456: UDP, length 14
    17:31:24.595869 IP <server_ip>.13519 > 192.168.233.165.36312: UDP, length 26

…while watching the firewall log at the same time:

    Jul 15 17:31:22 zeus INPUT packet died: IN=eth1 OUT= MAC=00:50:bf:2b:5f:f8:20:89:86:9a:f1:10:08:00 SRC=<server_ip> DST=192.168.233.165 LEN=54 TOS=00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=13519 DPT=36312 LEN=34
    Jul 15 17:31:24 zeus INPUT packet died: IN=eth1 OUT= MAC=00:50:bf:2b:5f:f8:20:89:86:9a:f1:10:08:00 SRC=<server_ip> DST=192.168.233.165 LEN=54 TOS=00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=13519 DPT=36312 LEN=34

Indeed, because the client firewall's INPUT chain intercepts the server's response, the connection is not established the way it should be. The client firewall looks like this:

    iptables -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

So I expected this line to let the packets through. I do have stateful packet inspection enabled:

    zcat /proc/config.gz | grep CONFIG_NF_CONNTRACK
    CONFIG_NF_CONNTRACK=m
    CONFIG_NF_CONNTRACK_MARK=y
    # CONFIG_NF_CONNTRACK_EVENTS is not set
    CONFIG_NF_CONNTRACK_IPV4=m
    CONFIG_NF_CONNTRACK_IPV6=m
    CONFIG_NETFILTER_NETLINK=m
    CONFIG_NETFILTER_NETLINK_QUEUE=m
    CONFIG_NETFILTER_NETLINK_LOG=m

Just to verify, I also checked:

    cat /proc/net/ip_conntrack | <server_ip>
    udp 17 24 src=192.168.233.165 dst=<server_ip> sport=36312 dport=32456 [UNREPLIED] src=<server_ip> dst=192.168.233.165 sport=32456 dport=36312 mark=0 use=2

So, reading the first 2 lines of the tcpdump (taken on the client), the client sends packets from port 36312 to the port specified in the OpenVPN server configuration, 32456.

The client firewall then sets up a conntrack entry (to establish the connection). It is not yet established; I assume the server has to reply on the same channel.

But (reading the tcpdump again, second line) the OpenVPN server replies from port 13519, so this can never pass the "ESTABLISHED,RELATED" line.

Am I right to draw this conclusion? What can I do about it? There doesn't seem to be anything available on the OpenVPN server to fix the port the server responds from. And I'm not clear about other possible solutions to this problem…

Not a real answer, I know; I'm just pasting my configuration as the OP requested.

Client configuration:

    remote xxxx.no-ip.info
    port 1195
    float
    # network
    dev tun0
    ifconfig 192.168.7.98 192.168.7.97
    route 192.168.7.64 255.255.255.224 192.168.7.97
    route 192.168.7.128 255.255.255.224 192.168.7.97
    # symmetrical key
    secret /etc/openvpn/scalpel/static.key
    # compression
    comp-lzo
    # Security
    user nobody
    group nogroup
    # high availability options
    keepalive 10 30
    persist-tun
    persist-key
    verb 1
    mute 2
    # Logging
    log-append /var/log/openvpn_scalpel.log

Server configuration:

    # Scalpel - OpenVPN Server (for connectivity between branch offices)
    # Last modified 2011.05.22
    port 1195
    # network
    dev tun0
    ifconfig 192.168.7.97 192.168.7.98
    route 192.168.7.0 255.255.255.192 192.168.7.98
    # symmetrical key
    secret /etc/openvpn/scalpel/static.key
    # compression
    comp-lzo
    # Security
    user nobody
    group nogroup
    max-clients 1 # maximum number of clients allowed to connect
    # high availability options
    keepalive 10 30
    persist-tun
    persist-key
    verb 1
    mute 2
    # Logging
    log-append /var/log/openvpn_scalpel.log

Packet trace, server side:

    0.000000 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195
    3.834972 192.168.7.66 -> 79.184.15.251 UDP 158 Source port: 1195 Destination port: 5117
    3.927502 79.184.15.251 -> 192.168.7.66 UDP 166 Source port: 5117 Destination port: 1195
    3.930257 192.168.7.66 -> 79.184.15.251 UDP 158 Source port: 1195 Destination port: 5117
    4.022063 79.184.15.251 -> 192.168.7.66 UDP 166 Source port: 5117 Destination port: 1195
    8.223466 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195
    14.436576 192.168.7.66 -> 79.184.15.251 UDP 102 Source port: 1195 Destination port: 5117
    17.929467 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195
    17.929594 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195
    17.929685 192.168.7.66 -> 79.184.15.251 UDP 238 Source port: 1195 Destination port: 5117
    27.989889 192.168.7.66 -> 79.184.15.251 UDP 102 Source port: 1195 Destination port: 5117
    28.081743 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195
    38.104471 192.168.7.66 -> 79.184.15.251 UDP 102 Source port: 1195 Destination port: 5117
    38.207144 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195
    44.063394 79.184.15.251 -> 192.168.7.66 UDP 254 Source port: 5117 Destination port: 1195
    44.063662 79.184.15.251 -> 192.168.7.66 UDP 214 Source port: 5117 Destination port: 1195
    48.249463 192.168.7.66 -> 79.184.15.251 UDP 102 Source port: 1195 Destination port: 5117
    54.440786 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195
    58.703483 192.168.7.66 -> 79.184.15.251 UDP 102 Source port: 1195 Destination port: 5117
    Wed Jul 29 14:40:02 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    68.715974 192.168.7.66 -> 79.184.15.251 UDP 102 Source port: 1195 Destination port: 5117
    Wed Jul 29 14:40:12 2015 NOTE: --mute triggered...
    78.984871 192.168.7.66 -> 79.184.15.251 UDP 102 Source port: 1195 Destination port: 5117
    Wed Jul 29 14:40:17 2015 1 variation(s) on previous 2 message(s) suppressed by --mute
    Wed Jul 29 14:40:17 2015 Inactivity timeout (--ping-restart), restarting
    Wed Jul 29 14:40:17 2015 SIGUSR1[soft,ping-restart] received, process restarting
    Wed Jul 29 14:40:19 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Jul 29 14:40:19 2015 Re-using pre-shared static key
    Wed Jul 29 14:40:19 2015 LZO compression initialized
    Wed Jul 29 14:40:19 2015 Preserving previous TUN/TAP instance: tun0
    Wed Jul 29 14:40:19 2015 UDPv4 link local (bound): [undef]:1195
    Wed Jul 29 14:40:19 2015 UDPv4 link remote: [undef]
    Wed Jul 29 14:40:32 2015 Peer Connection Initiated with 79.184.15.251:5117
    99.482520 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195
    Wed Jul 29 14:40:33 2015 Initialization Sequence Completed
    106.579960 192.168.7.66 -> 79.184.15.251 UDP 102 Source port: 1195 Destination port: 5117
    106.579994 192.168.7.66 -> 79.184.15.251 UDP 102 Source port: 1195 Destination port: 5117
    106.671790 79.184.15.251 -> 192.168.7.66 UDP 238 Source port: 5117 Destination port: 1195
    110.199108 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195
    110.199228 192.168.7.66 -> 79.184.15.251 UDP 238 Source port: 1195 Destination port: 5117
    119.683353 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195
    120.784617 192.168.7.66 -> 79.184.15.251 UDP 102 Source port: 1195 Destination port: 5117

Packet trace, client side:

    0.000000 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    2.227622 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    2.227651 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    3.566194 89.69.145.76 -> 192.168.7.2 UDP Source port: 1195 Destination port: 1195
    11.640422 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    13.809216 89.69.145.76 -> 192.168.7.2 UDP Source port: 1195 Destination port: 1195
    Wed Jul 29 14:43:02 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    21.876795 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    Wed Jul 29 14:43:12 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    32.116168 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    Wed Jul 29 14:43:22 2015 NOTE: --mute triggered...
    42.283532 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    42.283564 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    Wed Jul 29 14:43:24 2015 2 variation(s) on previous 2 message(s) suppressed by --mute
    Wed Jul 29 14:43:24 2015 Inactivity timeout (--ping-restart), restarting
    Wed Jul 29 14:43:24 2015 SIGUSR1[soft,ping-restart] received, process restarting
    Wed Jul 29 14:43:26 2015 Re-using pre-shared static key
    Wed Jul 29 14:43:26 2015 LZO compression initialized
    Wed Jul 29 14:43:27 2015 Preserving previous TUN/TAP instance: tun0
    Wed Jul 29 14:43:27 2015 UDPv4 link local (bound): [undef]:1195
    Wed Jul 29 14:43:27 2015 UDPv4 link remote: 89.69.145.76:1195
    Wed Jul 29 14:43:27 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Wed Jul 29 14:43:27 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    46.575799 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    46.575822 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    Wed Jul 29 14:43:31 2015 NOTE: --mute triggered...
    51.283850 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    57.386083 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    66.606426 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    66.606450 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    Wed Jul 29 14:43:58 2015 4 variation(s) on previous 2 message(s) suppressed by --mute
    Wed Jul 29 14:43:58 2015 Inactivity timeout (--ping-restart), restarting
    Wed Jul 29 14:43:58 2015 SIGUSR1[soft,ping-restart] received, process restarting
    79.480353 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    Wed Jul 29 14:44:00 2015 Re-using pre-shared static key
    Wed Jul 29 14:44:00 2015 LZO compression initialized
    Wed Jul 29 14:44:00 2015 Preserving previous TUN/TAP instance: tun0
    Wed Jul 29 14:44:00 2015 UDPv4 link local (bound): [undef]:1195
    Wed Jul 29 14:44:00 2015 UDPv4 link remote: 89.69.145.76:1195
    Wed Jul 29 14:44:00 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Wed Jul 29 14:44:10 2015 Peer Connection Initiated with 89.69.145.76:1195
    89.588295 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    89.588321 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    89.680566 89.69.145.76 -> 192.168.7.2 UDP Source port: 1195 Destination port: 1195
    Wed Jul 29 14:44:11 2015 Initialization Sequence Completed
    92.180902 89.69.145.76 -> 192.168.7.2 UDP Source port: 1195 Destination port: 1195
    92.181072 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    92.405420 89.69.145.76 -> 192.168.7.2 UDP Source port: 1195 Destination port: 1195
    92.405643 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    92.409120 89.69.145.76 -> 192.168.7.2 UDP Source port: 1195 Destination port: 1195
    92.409194 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    92.501167 89.69.145.76 -> 192.168.7.2 UDP Source port: 1195 Destination port: 1195
    92.501909 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195
    92.504901 89.69.145.76 -> 192.168.7.2 UDP Source port: 1195 Destination port: 1195
    92.505027 192.168.7.2 -> 89.69.145.76 UDP Source port: 1195 Destination port: 1195

Both the client and the server are behind NAT, both with dynamic public IP addresses. There is also a port forward (1195) on the router connecting the server to the "world".

Router configuration, server side:

    (image: router configuration)

Router configuration, port forwarding, server side:

    (image: forwarded ports)

Router configuration, client side:

    (image: client router)

Conntrack, client side:

    udp 17 179 src=192.168.7.2 dst=89.69.145.76 sport=1195 dport=1195 packets=852493 bytes=480026440 src=89.69.145.76 dst=192.168.7.2 sport=1195 dport=1195 packets=1093350 bytes=1226684584 [ASSURED] mark=0 use=1
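Added example, not code from either post above: a small Python model of the conntrack reasoning in the question (an accepted UDP packet creates an entry; a later packet is ESTABLISHED only if it matches that entry or its exact reverse tuple, otherwise INPUT drops it, as in the "packet died" lines), run over capture lines constructed from the question's client-side tcpdump and from the server-side trace in the second post. The modelled ruleset (ESTABLISHED,RELATED accept plus an explicit accept for the forwarded server port, everything else on INPUT dropped) is an assumption, not either poster's full firewall; <server_ip> is kept as the question's placeholder; the conntrack state transitions are simplified.

```python
"""Model how a conntrack-based firewall classifies UDP packets (added example)."""
import re
from dataclasses import dataclass

# tcpdump style, e.g. "IP 192.168.233.165.36312 > <server_ip>.32456: UDP, length 14"
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): UDP")
# tshark style, e.g. "192.168.7.66 -> 79.184.15.251 UDP 158 Source port: 1195 Destination port: 5117"
TSHARK_RE = re.compile(
    r"(?P<src>\S+) -> (?P<dst>\S+) UDP (?:\d+ )?Source port: (?P<sport>\d+) "
    r"Destination port: (?P<dport>\d+)")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The tuple conntrack expects the peer's reply to carry."""
        return Flow(self.dst, self.dport, self.src, self.sport)

    def __str__(self):
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}"


def parse_packet(line):
    """Return the UDP 4-tuple of a tcpdump or tshark line, or None for log noise."""
    m = TCPDUMP_RE.search(line) or TSHARK_RE.search(line)
    if m is None:
        return None
    return Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def simulate(lines, local_ip, allowed_dports=frozenset()):
    """Classify packets as the assumed ruleset would:
         OUTPUT: accepted; INPUT: ESTABLISHED,RELATED accepted,
         then allowed_dports accepted, then dropped.
       Returns (list of (flow, verdict), conntrack table)."""
    table = {}  # original-direction Flow -> "UNREPLIED" | "ASSURED"
    verdicts = []
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:  # OpenVPN log lines interleaved with the capture
            continue
        if pkt in table:
            verdicts.append((pkt, "ACCEPT ESTABLISHED"))
        elif pkt.reverse() in table:
            table[pkt.reverse()] = "ASSURED"  # simplified: first reply assures it
            verdicts.append((pkt, "ACCEPT ESTABLISHED"))
        elif pkt.src == local_ip or pkt.dport in allowed_dports:
            table[pkt] = "UNREPLIED"
            verdicts.append((pkt, "ACCEPT NEW"))
        else:
            verdicts.append((pkt, "DROP"))
    return verdicts, table


def diagnose(verdicts, table):
    """Explain drops that differ from an existing entry only in the peer's
    source port, i.e. the peer answered from a port other than the one it was
    contacted on, which is exactly what the question's tcpdump shows."""
    findings = []
    for pkt, verdict in verdicts:
        if verdict != "DROP":
            continue
        for entry in table:
            if (entry.dst == pkt.src and entry.src == pkt.dst
                    and entry.sport == pkt.dport and entry.dport != pkt.sport):
                msg = (f"reply from {pkt.src}:{pkt.sport} dropped; conntrack "
                       f"expects replies from {entry.dst}:{entry.dport}")
                if msg not in findings:
                    findings.append(msg)
    return findings


# Constructed from the question's client-side tcpdump excerpt.
QUESTION_CLIENT_CAPTURE = [
    "17:31:22.467092 IP 192.168.233.165.36312 > <server_ip>.32456: UDP, length 14",
    "17:31:22.510463 IP <server_ip>.13519 > 192.168.233.165.36312: UDP, length 26",
    "17:31:24.553394 IP 192.168.233.165.36312 > <server_ip>.32456: UDP, length 14",
    "17:31:24.595869 IP <server_ip>.13519 > 192.168.233.165.36312: UDP, length 26",
]
# Constructed from the second post's server-side trace (port 1195 forwarded in).
SECOND_POST_SERVER_CAPTURE = [
    "0.000000 79.184.15.251 -> 192.168.7.66 UDP 102 Source port: 5117 Destination port: 1195",
    "3.834972 192.168.7.66 -> 79.184.15.251 UDP 158 Source port: 1195 Destination port: 5117",
]

if __name__ == "__main__":
    runs = [("question, client firewall", QUESTION_CLIENT_CAPTURE, "192.168.233.165", set()),
            ("second post, server firewall", SECOND_POST_SERVER_CAPTURE, "192.168.7.66", {1195})]
    for name, lines, ip, ports in runs:
        verdicts, table = simulate(lines, ip, ports)
        print(f"== {name}")
        for flow, verdict in verdicts:
            print(f"  {verdict:<20} {flow}")
        for finding in diagnose(verdicts, table):
            print("  !!", finding)
```

On the question's capture the two server replies from port 13519 are dropped and the entry stays [UNREPLIED], matching the "packet died" log lines and the ip_conntrack output shown there; on the second post's trace the server answers from the same port it was contacted on, so the reply is ESTABLISHED and the entry becomes ASSURED, as in that poster's conntrack line.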