I am new to OpenVPN and am trying to upgrade OpenVPN from 2.5.6 to 2.6.12. The key-method 2 option was deprecated in version 2.5 (correction: the key-method 2 option was removed), so I removed it from the server.conf file, and now I cannot connect to the VPN from iOS devices, while Android devices can still connect with the configuration below. Please help me find an alternative to key-method 2.

Below is the server.conf file:

dev tun
dev-node VPNT
topology subnet
port 8114
proto udp
persist-key 
persist-tun 
server  10.1.0.224 255.255.255.224
keepalive 60 300
plugin "C:\\tls-plugin.dll"
log-append "C:\\ProgramData\\VPN\\log4c.conf"
status "C:\\ProgramData\\VPN\\vpn-status.log" 47
ca "C:\\ProgramData\\VPN\\ca.crt"
cert "C:\\ProgramData\\VPN\\server.crt"
key "C:\\ProgramData\\VPN\\server.key"
tls-auth "C:\\ProgramData\\VPN\\TA.key"
auth SHA256
dh "C:\\ProgramData\\VPN\\dh2048.pem"
push "redirect-gateway def1 bypass-dhcp "
push "dhcp-option DNS 8.8.8.8"
comp-lzo 
management 127.0.0.1 56834
tls-timeout 3
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256


#BEGIN_CUSTOM_SETTINGS

verb 6

#END_CUSTOM_SETTINGS

The VPN server reports the following errors:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

Update: added the VPN server log

INFO      -  us=126813 Connection Attempt MULTI: multi_create_instance called
INFO      -  us=143839 20.163.82.254:44443 Re-using SSL/TLS context
INFO      -  us=159135 20.163.82.254:44443 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
INFO      -  us=169353 20.163.82.254:44443 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
INFO      -  us=178972 20.163.82.254:44443 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
INFO      -  us=188714 20.163.82.254:44443 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
INFO      -  us=197991 20.163.82.254:44443 UDPv6 READ [414] from [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=2 DATA len=360
ERROR     -  us=207319 20.163.82.254:44443 TLS Error: Unroutable control packet received from [AF_INET6]::ffff:20.163.82.254:44443 (si=3 op=P_CONTROL_V1)
INFO      -  us=216408 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
INFO      -  us=225025 20.163.82.254:44443 UDPv6 READ [62] from [AF_INET6]::ffff:20.163.82.254:44443: P_ACK_V1 kid=0 pid=[ #4 ] [ 0 ] DATA len=0
ERROR     -  us=234432 20.163.82.254:44443 TLS Error: Unroutable control packet received from [AF_INET6]::ffff:20.163.82.254:44443 (si=3 op=P_ACK_V1)
INFO      -  us=243417 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
INFO      -  us=107467 20.163.82.254:44443 UDPv6 READ [66] from [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ 0 ] pid=1 DATA len=0
INFO      -  us=125086 20.163.82.254:44443 TLS: Initial packet from [AF_INET6]::ffff:20.163.82.254:44443, sid=2575aee9 aa84ea47
ERROR     -  us=136820 20.163.82.254:44443 TLS Error: reading acknowledgement record from packet
INFO      -  us=146739 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
INFO      -  us=156332 20.163.82.254:44443 UDPv6 WRITE [54] to [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
INFO      -  us=165324 20.163.82.254:44443 UDPv6 READ [414] from [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=2 DATA len=360
INFO      -  us=174284 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
INFO      -  us=182455 20.163.82.254:44443 UDPv6 WRITE [62] to [AF_INET6]::ffff:20.163.82.254:44443: P_ACK_V1 kid=0 pid=[ #2 ] [ 2 ] DATA len=0
INFO      - us=111245 20.163.82.254:44443 UDPv6 READ [66] from [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ 0 ] pid=1 DATA len=0
INFO      - us=126077 20.163.82.254:44443 PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [22_] 1729584337:3 1729584337:2 t=1729584342[0] r=[-2,64,15,1,1] sl=[61,3,64,528]
INFO      - us=140830 20.163.82.254:44443 PID_ERR replay [1] [TLS_WRAP-0] [22_] 1729584337:3 1729584337:2 t=1729584342[0] r=[-2,64,15,1,1] sl=[61,3,64,528]
ERROR     - us=151114 20.163.82.254:44443 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1729584337) 03:05:37 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
ERROR     - us=161576 20.163.82.254:44443 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:20.163.82.254:44443
INFO      - us=170483 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
INFO      - us=179701 20.163.82.254:44443 UDPv6 READ [414] from [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=2 DATA len=360
INFO      - us=189622 20.163.82.254:44443 PID_ERR replay [0] [TLS_WRAP-0] [22_] 1729584337:3 1729584337:3 t=1729584342[0] r=[-2,64,15,1,1] sl=[61,3,64,528]
ERROR     -  us=302573 20.163.82.254:44443 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:20.163.82.254:44443
INFO      -  us=319106 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
ERROR     -  us=757727 20.163.82.254:44443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ERROR     -  us=778504 20.163.82.254:44443 TLS Error: TLS handshake failed
INFO      - us=796896 20.163.82.254:44443 SIGUSR1[soft,tls-error] received, client-instance restarting


Best answer

Not possible. key-method was removed because it introduced a vulnerability into OpenVPN. It has been removed permanently.

Also, it was only there for compatibility with old versions (pre-2.0), so you most likely do not need it at all. For example, I have never used it and my Apple devices still work fine, so I can guarantee it is definitely not necessary.

Also, it was not deprecated but removed in version 2.5 (at least that is what `man openvpn` for version 2.5.1 says).

Upgrade your clients, or update their configuration so that they do not depend on this option.

Another option you use is comp-lzo, which is deprecated, no longer used, and is going to be removed. Compression makes encryption fragile. I suggest you remove it as well, so you do not end up in a similar situation in the future.


  • Thanks @Nikita for the reply. I have updated the question (key-method 2 was removed, not deprecated). I will check the client configuration and try again. Thanks
  • Added the VPN server log (IP and other details changed). iOS uses OpenVPN client version 3.0 and the OpenVPN server version is 2.6.12; is there any known compatibility issue between the two? I went through the articles available on the internet but could not find anything relevant. Any pointers would be helpful
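As an added illustration (not code from the question, the answer or the OpenVPN project), a small Python check that does what the answer recommends: it scans a server.conf for the two options the thread names, key-method (removed in 2.5) and comp-lzo (deprecated), reports them with line numbers, and comments them out so the reason stays visible in the file. The option table and the sample config are constructed for this example.

```python
"""Audit an OpenVPN server.conf for options this thread says to drop.
Added illustration, not code from the question, the answer or OpenVPN.
OPTION_STATUS holds only what the answer establishes (key-method removed in
2.5, comp-lzo deprecated); extend it from the release notes you upgrade to."""

# option name -> (status, note)
OPTION_STATUS = {
    "key-method": ("removed", "removed in OpenVPN 2.5, no replacement: delete it"),
    "comp-lzo": ("deprecated", "compression is deprecated; drop it on server and clients"),
}

def parse_option(line):
    """Return the option name of a config line, or None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    return stripped.split(None, 1)[0]   # options are whitespace separated

def audit_config(text):
    """Return [(line_no, option, status, note)] for every flagged line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        option = parse_option(line)
        if option in OPTION_STATUS:
            status, note = OPTION_STATUS[option]
            findings.append((no, option, status, note))
    return findings

def comment_out_flagged(text):
    """Return the config with flagged lines commented out rather than deleted,
    so the reason for the change stays visible next to it."""
    out = []
    for line in text.splitlines():
        option = parse_option(line)
        if option in OPTION_STATUS:
            out.append(f"# {line.strip()}   # audit: {OPTION_STATUS[option][1]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample, trimmed from the server.conf in the question.
SAMPLE_CONF = """\
dev tun
port 8114
key-method 2
comp-lzo
cipher AES-256-CBC
"""

if __name__ == "__main__":
    print(comment_out_flagged(SAMPLE_CONF))
```

Run it against the real server.conf by reading the file into `audit_config` first; the client .ovpn files need the same pass, since a client that still sends comp-lzo or key-method will not match the cleaned server.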