OpenVPN上的连接故障(Ubuntu18.04)

Question

我多次尝试通过VPN连接到我的办公室，但没有成功。我从公司收到：

1. client.ovpn #OpenVPN服务器conf tls-客户端dev tun proto udp tun-mtu 1400远程server.net 1194 pkcs12 client.p12密码BF-CBC comp-lzo谓词3 ns-cert-type服务器
2. 12把钥匙。我使用openssl提取
3. ca证书
4. 用户证书
5. 用户密钥

该公司通过IPcop运行openvpn

在ubuntu16.04中，我在我的家庭目录中创建了名为"Clesopenvpn“的文件，Connexion 100%很好，没有中断。

实际上，我使用的是Ubuntu18.04，我已经安装了OpenVPN和网络管理器gnome。我执行了相同的步骤，但当我尝试启动openvpn时，我无法连接到VPN，我收到了以下消息：

“连接失败启用网络连接失败”

请帮我解决这个问题。

这是syslog错误

Jun  5 22:05:53 dusty-Lenovo-B50-30 systemd-resolved[819]: Grace period over, resuming full feature set (UDP+EDNS0) for DNS server 192.168.3.1.
Jun  5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info>  [1528229406.2474] audit: op="connection-activate" uuid="e1671165-1347-48cc-ab1e-0f5dd841f1fb" name="MUSTAPHA-TO-IPCop" pid=2093 uid=1000 result="success"
Jun  5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info>  [1528229406.2573] vpn-connection[0x55ca9c864560,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: Started the VPN service, PID 4605
Jun  5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info>  [1528229406.2597] vpn-connection[0x55ca9c864560,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: Saw the service appear; activating connection
Jun  5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: WARNING: file '/home/dusty/Clesopenvpn/MUSTAPHA.key' is group or others accessible
Jun  5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Jun  5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Jun  5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Jun  5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun  5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Jun  5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: Cannot load certificate file /home/dusty/Clesopenvpn/MUSTAPHA.crt
Jun  5 22:10:06 dusty-Lenovo-B50-30 nm-openvpn[4611]: Exiting due to fatal error
Jun  5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info>  [1528229406.3673] vpn-connection[0x55ca9c864560,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN plugin: state changed: starting (3)
Jun  5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info>  [1528229406.3675] vpn-connection[0x55ca9c864560,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN connection: (ConnectInteractive) reply received
Jun  5 22:10:06 dusty-Lenovo-B50-30 NetworkManager[1007]: <info>  [1528229406.3699] vpn-connection[0x55ca9c864560,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN service disappeared

这是来自syslog的消息

Jun  5 21:26:24 dusty-Lenovo-B50-30 NetworkManager[1007]: <info>   [1528226784.5443] vpn-connection[0x55ca9c864360,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN connection: (ConnectInteractive) reply received
Jun  5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Jun  5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Jun  5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun  5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Jun  5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: Cannot load certificate file /home/dusty/Clesopenvpn/MUSTAPHA.crt
Jun  5 21:26:24 dusty-Lenovo-B50-30 nm-openvpn[4222]: Exiting due to fatal error
Jun  5 21:26:24 dusty-Lenovo-B50-30 NetworkManager[1007]: <warn>  [1528226784.5458] vpn-connection[0x55ca9c864360,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN plugin: failed: connect-failed (1)
Jun  5 21:26:24 dusty-Lenovo-B50-30 NetworkManager[1007]: <warn>  [1528226784.5459] vpn-connection[0x55ca9c864360,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN plugin: failed: connect-failed (1)
Jun  5 21:26:24 dusty-Lenovo-B50-30 NetworkManager[1007]: <info>  [1528226784.5468] vpn-connection[0x55ca9c864360,e1671165-1347-48cc-ab1e-0f5dd841f1fb,"MUSTAPHA-TO-IPCop",0]: VPN service disappeared

Answer 1

我按照来自OpenVPN的指令在远程服务器上安装了自己的https://openvpn.net/index.php/open-source/documentation/howto.html，并且能够将运行Ubuntu18.04的机器连接到远程服务器。

我构建的.ovpn配置包括客户机配置，后面是ca、cert、key和tls部分。VPN设置允许我导入文件并自动设置所有内容。

你能检查一下你的client.ovpn看看哪些部分在那里吗？如果只有配置，我建议您在文件末尾添加以下内容，尝试在VPN设置中导入整个文件。

(client.ovpn settings)
<ca>
(ca file content)
</ca>
<cert>
(certificate file content)
</cert>
<key>
(key file content)
</key>

调用此combine.ovpn或其他什么，并尝试将其导入到VPN设置中。

(编辑)还确保安装了openvpn包。

dpkg -l |grep openvpn
ii  network-manager-openvpn                    1.8.2-1                                     amd64        network management framework (OpenVPN plugin core)
ii  network-manager-openvpn-gnome              1.8.2-1                                     amd64        network management framework (OpenVPN plugin GNOME GUI)
ii  openvpn                                    2.4.4-2ubuntu1                              amd64        virtual private network daemon

由于日志显示证书使用的是旧的md5，而openssl拒绝使用它，因此这个线程提供了一种传递方式，即https://forums.openvpn.net/viewtopic.php?t=23979，您讨论的解决方案来自于mavron。我在此引用他的话：

• 查找您的NetworkManager配置文件(我的配置文件位于/etc/NetworkManager/system-连接；如果您有很多连接，而且文件名对找到正确的文件没有多大帮助，请使用grep -i "id=yourmnemonicname“*)
• 在vpn部分下添加行：tls-cipher=DEFAULT:@SECLEVEL=0
• 使用命令重新加载配置: nmcli连接重新加载

我自己还没有尝试过这一点，但是它应该禁用openssl检查，以便在允许使用旧证书的证书中使用过时的散列使用。