VPNGate connection – OpenVPN certificate error

I have been puzzling over this for the past few days but haven't found anything concrete. It doesn't look complicated, but I don't know how to solve it either.

VPNGate provides free VPN access over the internet connections of other good-Samaritan users. I connect to these servers exclusively with OpenVPN, not with their ad-supported software.

Here is a log from when everything goes fine and I can connect without problems:

    Tue May 09 16:33:20 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
    Tue May 09 16:33:20 2017 Windows version 6.1 (Windows 7) 64bit
    Tue May 09 16:33:20 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
    Tue May 09 16:33:20 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
    Tue May 09 16:33:20 2017 Need hold release from management interface, waiting...
    Tue May 09 16:33:21 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
    Tue May 09 16:33:21 2017 MANAGEMENT: CMD 'state on'
    Tue May 09 16:33:21 2017 MANAGEMENT: CMD 'log all on'
    Tue May 09 16:33:21 2017 MANAGEMENT: CMD 'echo all on'
    Tue May 09 16:33:21 2017 MANAGEMENT: CMD 'hold off'
    Tue May 09 16:33:21 2017 MANAGEMENT: CMD 'hold release'
    Tue May 09 16:33:21 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Tue May 09 16:33:21 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]***:1426
    Tue May 09 16:33:21 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue May 09 16:33:21 2017 UDP link local: (not bound)
    Tue May 09 16:33:21 2017 UDP link remote: [AF_INET]***:1426
    Tue May 09 16:33:21 2017 MANAGEMENT: >STATE:1494344001,WAIT,,,,,,
    Tue May 09 16:33:21 2017 MANAGEMENT: >STATE:1494344001,AUTH,,,,,,
    Tue May 09 16:33:21 2017 TLS: Initial packet from [AF_INET]***:1426, sid=fcf3759f 64e4b082
    Tue May 09 16:33:21 2017 VERIFY OK: depth=2, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
    Tue May 09 16:33:21 2017 VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
    Tue May 09 16:33:21 2017 VERIFY OK: depth=0, OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.opengw.net
    Tue May 09 16:33:21 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Tue May 09 16:33:21 2017 [*.opengw.net] Peer Connection Initiated with [AF_INET]***:1426
    Tue May 09 16:33:23 2017 MANAGEMENT: >STATE:1494344003,GET_CONFIG,,,,,,
    Tue May 09 16:33:23 2017 SENT CONTROL [*.opengw.net]: 'PUSH_REQUEST' (status=1)
    Tue May 09 16:33:23 2017 Key [AF_INET]***:1426 [0] not initialized (yet), dropping packet.
    Tue May 09 16:33:23 2017 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.5 10.211.1.6,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.6,redirect-gateway def1'
    Tue May 09 16:33:23 2017 OPTIONS IMPORT: timers and/or timeouts modified
    Tue May 09 16:33:23 2017 OPTIONS IMPORT: --ifconfig/up options modified
    Tue May 09 16:33:23 2017 OPTIONS IMPORT: route options modified
    Tue May 09 16:33:23 2017 OPTIONS IMPORT: route-related options modified
    Tue May 09 16:33:23 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Tue May 09 16:33:23 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Tue May 09 16:33:23 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 09 16:33:23 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Tue May 09 16:33:23 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 09 16:33:23 2017 interactive service msg_channel=312
    Tue May 09 16:33:23 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=11 HWADDR=***
    Tue May 09 16:33:23 2017 open_tun

Some servers give a certificate error. Here is a log:

    Tue May 09 16:54:53 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
    Tue May 09 16:54:53 2017 Windows version 6.1 (Windows 7) 64bit
    Tue May 09 16:54:53 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
    Tue May 09 16:54:53 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
    Tue May 09 16:54:53 2017 Need hold release from management interface, waiting...
    Tue May 09 16:54:53 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
    Tue May 09 16:54:53 2017 MANAGEMENT: CMD 'state on'
    Tue May 09 16:54:53 2017 MANAGEMENT: CMD 'log all on'
    Tue May 09 16:54:53 2017 MANAGEMENT: CMD 'echo all on'
    Tue May 09 16:54:53 2017 MANAGEMENT: CMD 'hold off'
    Tue May 09 16:54:53 2017 MANAGEMENT: CMD 'hold release'
    Tue May 09 16:54:53 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Tue May 09 16:54:53 2017 MANAGEMENT: >STATE:1494345293,RESOLVE,,,,,,
    Tue May 09 16:54:54 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]***:1777
    Tue May 09 16:54:54 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue May 09 16:54:54 2017 UDP link local: (not bound)
    Tue May 09 16:54:54 2017 UDP link remote: [AF_INET]***:1777
    Tue May 09 16:54:54 2017 MANAGEMENT: >STATE:1494345294,WAIT,,,,,,
    Tue May 09 16:54:54 2017 MANAGEMENT: >STATE:1494345294,AUTH,,,,,,
    Tue May 09 16:54:54 2017 TLS: Initial packet from [AF_INET]***:1777, sid=2bd721a1 2b3738b9
    Tue May 09 16:54:54 2017 VERIFY ERROR: depth=0, error=self signed certificate: CN=Kanes-pc, O=Kanes-pc, OU=Kanes-pc, C=US
    Tue May 09 16:54:54 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Tue May 09 16:54:54 2017 TLS_ERROR: BIO read tls_read_plaintext error
    Tue May 09 16:54:54 2017 TLS Error: TLS object -> incoming plaintext read error
    Tue May 09 16:54:54 2017 TLS Error: TLS handshake failed
    Tue May 09 16:54:54 2017 SIGUSR1[soft,tls-error] received, process restarting
    Tue May 09 16:54:54 2017 MANAGEMENT: >STATE:1494345294,RECONNECTING,tls-error,,,,,
    Tue May 09 16:54:54 2017 Restart pause, 5 second(s)

Both servers are UK-based, so the certificate in log 1 seems accurate. Log #2 is where things don't add up.

Two questions come out of this:

  1. Is there a setting I can use in OpenVPN that would help me prevent MITM attacks when connecting to these servers? (I did read the information at the link provided, but I don't understand which settings are best to use and where to put them.)
  2. Regarding the certificate errors, is there any setting I can use in OpenVPN that skips these errors and connects to the server anyway?

Thanks.
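As an added example, not part of the original post and not a VPNGate-supplied file, here is an OpenVPN 2.4 client configuration fragment that turns on the server-certificate checks whose absence produces the "WARNING: No server certificate verification method has been enabled" line in both logs above. The `remote` host, the CA file name `vpngate-ca.crt` and the `#` comments are placeholders and assumptions; the expected name `*.opengw.net` is taken from the VERIFY OK line in the first log.

```conf
# Added example (not from the original post or from VPNGate): client-side
# OpenVPN 2.4 configuration that verifies the server's identity.
client
dev tun
proto udp
# Placeholder: the real host/port come from the VPNGate-provided .ovpn.
remote vpn.example.invalid 1426
nobind

# --- Weak state (what the posted logs show) -----------------------------
# No 'ca', 'remote-cert-tls' or 'verify-x509-name' directive is present, so
# OpenVPN logs "No server certificate verification method has been enabled"
# and has no way to tell a legitimate server from an interposed one.

# --- Hardened state -----------------------------------------------------
# 1. Trust anchor: only this CA chain may sign the server certificate.
#    For the first log that is the COMODO chain; put its PEM here.
#    (Placeholder file name.)
ca vpngate-ca.crt

# 2. Require a server-type certificate (EKU serverAuth plus KU
#    digitalSignature or keyEncipherment), so a client certificate issued
#    by the same CA cannot be presented as the server.
remote-cert-tls server

# 3. Pin the expected subject name. The 'name' type is an exact string
#    comparison against the CN, so "*.opengw.net" matches the CN in the
#    first log literally; OpenVPN does not expand the wildcard.
verify-x509-name "*.opengw.net" name

# 4. Refuse legacy TLS on the control channel (the first log negotiated
#    TLSv1).
tls-version-min 1.2

# Outcome with this configuration:
#   - first server:  chain VERIFY OK at depth 2/1/0, CN matches -> connects
#   - second server: self-signed CN=Kanes-pc -> VERIFY ERROR, handshake
#     aborted, exactly as in log #2, which is the correct result
```

Usage note: drop these lines into the `.ovpn` you already use (or into a separate file referenced with `config`). The warning disappears once `remote-cert-tls` or `verify-x509-name` is present, and the second server is still rejected: a self-signed certificate named after a PC chains to nothing the client trusts and gives nothing safe to pin, so there is no verification-preserving way to "skip" that error; the reject is the protection working.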

Why use a public certificate on the server and a self-signed certificate on the client? Almost every guide you will find for OpenVPN describes setting up an internal CA.

Connecting clients need to be signed by the CA specified with the --ca or --capath option on the server, at least by default.