• Я не могу настроить VPN-сервер на своем хосте, используя OpenVPN, в частности, при подключении к серверу происходит сбой соединения с ошибкой tls-crypt unwrap error: packet authentication failed
. Похоже, TCP-соединение установлено, следовательно, переадресация портов работает должным образом, однако TLS не работает.
• Я настроил OpenVPN, используя PIVPN http://www.pivpn.io/
• firewalld
не работает на хосте, вот запущенные сервисы:
Ï gateway
State: running
Jobs: 0 queued
Failed: 0 units
Since: Thu 1970-01-01 01:00:01 BST; 49 years 1 months ago
CGroup: /
+-user.slice
| +-user-1000.slice
| +-user@1000.service
| | +-init.scope
| | +-790 /lib/systemd/systemd --user
| | +-793 (sd-pam)
| +-session-c1.scope
| +- 785 sshd: pi [priv]
| +- 800 sshd: pi@pts/0
| +- 803 -bash
| +-1053 sudo systemctl status
| +-1057 systemctl status
+-init.scope
| +-1 /sbin/init
+-system.slice
+-systemd-timesyncd.service
| +-256 /lib/systemd/systemd-timesyncd
+-dbus.service
| +-303 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
+-hciuart.service
| +-505 /usr/bin/hciattach /dev/serial1 bcm43xx 3000000 flow - b8:27:eb:30:50:9d
+-ssh.service
| +-647 /usr/sbin/sshd -D
+-dnsmasq.service
| +-658 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49aac11d7b6f6446702e5
4a1607371607a1a41855200fd2ce1cdde32f24e8fb5 --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
+-avahi-daemon.service
| +-301 avahi-daemon: running [gateway.local]
| +-322 avahi-daemon: chroot helper
+-system-getty.slice
| +-getty@tty1.service
| +-644 /sbin/agetty --noclear tty1 linux
+-triggerhappy.service
| +-283 /usr/sbin/thd --triggers /etc/triggerhappy/triggers.d/ --socket /run/thd.socket --user nobody --deviceglob /dev/input/event*
+-system-openvpn.slice
| +-openvpn@server.service
| +-331 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
+-systemd-logind.service
| +-281 /lib/systemd/systemd-logind
+-cron.service
| +-273 /usr/sbin/cron -f
+-apache2.service
| +-724 /usr/sbin/apache2 -k start
| +-726 /usr/sbin/apache2 -k start
| +-727 /usr/sbin/apache2 -k start
+-systemd-udevd.service
| +-131 /lib/systemd/systemd-udevd
+-rsyslog.service
| +-294 /usr/sbin/rsyslogd -n
+-bluetooth.service
| +-510 /usr/lib/bluetooth/bluetoothd
+-networking.service
| +-477 /sbin/wpa_supplicant -s -B -P /run/wpa_supplicant.wlan0.pid -i wlan0 -D nl80211,wext -C /run/wpa_supplicant
| +-576 /sbin/dhclient -4 -v -pf /run/dhclient.wlan0.pid -lf /var/lib/dhcp/dhclient.wlan0.leases -I -df /var/lib/dhcp/dhclient6.wlan0.leases wlan0
+-systemd-journald.service
| +-104 /lib/systemd/systemd-journald
+-ddclient.service
+-723 ddclient - sleeping for 170 seconds
• Вот мой файл /etc/openvpn/server.conf
:
dev tun
proto tcp
port 1803
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_a6v9wsgyDAXuGevE.crt
key /etc/openvpn/easy-rsa/pki/private/server_a6v9wsgyDAXuGevE.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
• Вот файл gateway.ovpn
:
client
dev tun
proto tcp
remote justbeforeyou.site 1803
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_ptHh8tHeqm2l12Ef name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBoDCCAUWgAwIBAgIJAKmvGYkjVQ27MAoGCCqGSM49BAMCMBMxETAPBgNVBAMM
CENoYW5nZU1lMB4XDTE5MDIyNDEzMjQxMVoXDTI5MDIyMTEzMjQxMVowEzERMA8G
A1UEAwwIQ2hhbmdlTWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1hhxgvsi5
BWUByCb6wlZ8KeDfmwzWys+Bi0L5BJZO3MHc4afD/rN/yyewpUFC9DMtk+N16Eua
hQ/uiDXRqdQ4o4GBMH8wHQYDVR0OBBYEFAzB+EbDlPPxkkOyKjbIfyJOHZqRMEMG
A1UdIwQ8MDqAFAzB+EbDlPPxkkOyKjbIfyJOHZqRoRekFTATMREwDwYDVQQDDAhD
aGFuZ2VNZYIJAKmvGYkjVQ27MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
CCqGSM49BAMCA0kAMEYCIQC+6WedweAPFYN2wBvTRwuAgv/GXBfAoA+JfyLFxrJt
JQIhAOjMORWbIhWotZhmmbCUUxY79PqpI1UljP+dkNXGYVJk
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBuDCCAV6gAwIBAgIQJTeTKuJG0J3dNMrLUmdNfzAKBggqhkjOPQQDAjATMREw
DwYDVQQDDAhDaGFuZ2VNZTAeFw0xOTAyMjQxNDA5NDJaFw0yOTAyMjExNDA5NDJa
MBIxEDAOBgNVBAMMB2dhdGV3YXkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASZ
waRXKwlI1QLjddDkR8fNjDkMwIQ3HfpSBaPZ4QUKB3Ao4+7RcFX64qj5850uRcS5
68XhwotUl9MyeACTP9jao4GUMIGRMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMFgXgqG
46bo+2Q9s6t/xMhpKDxgMEMGA1UdIwQ8MDqAFAzB+EbDlPPxkkOyKjbIfyJOHZqR
oRekFTATMREwDwYDVQQDDAhDaGFuZ2VNZYIJAKmvGYkjVQ27MBMGA1UdJQQMMAoG
CCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNIADBFAiBOMRXxpfRZ
h4fLVKJ0UwuBmNz7pVm/enj3Ud/KT5I58AIhAMBK+l6ErDltdAdH9kcDxTd5Hu+u
uudxUvoc3sppC+KI
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAgiscLqF5wpUwICCAAw
DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIuvME5ITiEmQEgZD7qoueBtcl2Zyj
glstxLbrECe1E6vO5lJ+38sMW3z++Hh1l7BFOu19N7jE0g+Zd7KlR3zHKhnGQBeh
/flGhCMHu1AXgpO3FyQt3VWhtZU/3Dn4J/sVCTkAsfkw5urqRTzHXHYYHDKXjNws
jXXRCDmMBmqLx0ItC+1Q8YFzY6OeVpwYalUWy4VgvH1jep15vfE=
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
fa267dd4652e50aab4d956757234f837
3be34b7ebfb068f157dbaf5791a8a5c7
99ba9800054ac411436b085d0279bac9
6766f1dc47fa5703ba0281c32a073fd4
e326caa0bf978e9a1aca071bb378c730
78571fb21038528e7f4de8bd638b0780
76b7203e53fd124b617b0f6a6f080c57
2318d1caab033c32749af7d6efb90d55
2a92ed0c436a52a6b82ba213a19cad62
a1ea0d2619c58b9b8736baf48d43681d
1f0edacf3424f472afe7cd4c51deb948
75bff3d0bad15a1814ea0400d74bf330
ee994d402f47af7ab51686ec05a3b879
521c782a2397a6b32806ad3af023fa73
11f22f53e8e22ebe4cb2c75f32a967ed
5cc8060012f772092e3eda93da3b1a14
-----END OpenVPN Static key V1-----
</tls-crypt>
Графический интерфейс OpenVPN на клиенте показывает следующий журнал:
Sun Feb 24 17:10:14 2019 MANAGEMENT: >STATE:1551024614,RECONNECTING,connection-reset,,,,,
Sun Feb 24 17:10:14 2019 Restart pause, 40 second(s)
Sun Feb 24 17:10:54 2019 MANAGEMENT: >STATE:1551024654,RESOLVE,,,,,,
Sun Feb 24 17:10:55 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:55 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 24 17:10:55 2019 Attempting to establish TCP connection with [AF_INET]83.22.109.39:1803 [nonblock]
Sun Feb 24 17:10:55 2019 MANAGEMENT: >STATE:1551024655,TCP_CONNECT,,,,,,
Sun Feb 24 17:10:56 2019 TCP connection established with [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:56 2019 TCP_CLIENT link local: (not bound)
Sun Feb 24 17:10:56 2019 TCP_CLIENT link remote: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:56 2019 MANAGEMENT: >STATE:1551024656,WAIT,,,,,,
Sun Feb 24 17:10:56 2019 Connection reset, restarting [0]
Sun Feb 24 17:10:56 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sun Feb 24 17:10:56 2019 MANAGEMENT: >STATE:1551024656,RECONNECTING,connection-reset,,,,,
Sun Feb 24 17:10:56 2019 Restart pause, 80 second(s)
Sun Feb 24 17:12:16 2019 MANAGEMENT: >STATE:1551024736,RESOLVE,,,,,,
Sun Feb 24 17:12:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:16 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 24 17:12:16 2019 Attempting to establish TCP connection with [AF_INET]83.22.109.39:1803 [nonblock]
Sun Feb 24 17:12:16 2019 MANAGEMENT: >STATE:1551024736,TCP_CONNECT,,,,,,
Sun Feb 24 17:12:17 2019 TCP connection established with [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:17 2019 TCP_CLIENT link local: (not bound)
Sun Feb 24 17:12:17 2019 TCP_CLIENT link remote: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:17 2019 MANAGEMENT: >STATE:1551024737,WAIT,,,,,,
Sun Feb 24 17:12:17 2019 Connection reset, restarting [0]
Sun Feb 24 17:12:17 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sun Feb 24 17:12:17 2019 MANAGEMENT: >STATE:1551024737,RECONNECTING,connection-reset,,,,,
/var/log/openvpn.log
показывает следующее:
Feb 24 15:56:57 gateway ovpn-server[351]: TCP connection established with [AF_INET]5.173.40.158:18815
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 TLS: Initial packet from [AF_INET]5.173.40.158:18815, sid=6c0e365a 728d1b9d
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 tls-crypt unwrap error: packet authentication failed
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 TLS Error: tls-crypt unwrapping failed from [AF_INET]5.173.40.158:18815
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 Fatal TLS error (check_tls_errors_co), restarting
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 24 16:01:59 gateway ovpn-server[351]: TCP connection established with [AF_INET]5.173.40.158:18788
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 TLS: Initial packet from [AF_INET]5.173.40.158:18788, sid=d05afdfe 0af0a9b9
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 tls-crypt unwrap error: packet authentication failed
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 TLS Error: tls-crypt unwrapping failed from [AF_INET]5.173.40.158:18788
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 Fatal TLS error (check_tls_errors_co), restarting
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 SIGUSR1[soft,tls-error] received, client-instance restarting
Вопросы:
1) Что означает ошибка распаковки tls tls-crypt unwrap error: packet authentication failed
сообщение об ошибке проверки подлинности пакета в openvpn.log? Это связано с тем, что установлены таймауты? Как это исправить, чтобы иметь возможность установить соединение клиента OpenVPN с сервером?