OpenVPN Authenticate/Decrypt packet error

Server Fault user
Asked on 2017-04-06 17:06:25
2 answers, 10.7K views, 0 followers, 0 votes

I am trying to connect a laptop running Windows 10 to an Ubuntu 16.04 server running OpenVPN.

The client keeps getting the following error:

```
MANAGEMENT: >STATE:1491498025,WAIT,,,,,,
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1491498025,RECONNECTING,connection-reset,,
```

I followed this guide to install OpenVPN. Everything is default except that I changed to port 443 and tcp.

On the server, I see this error from `systemctl status openvpn@server`:

```
ovpn-server[4627]: [IP ADDR] Fatal TLS error (check_tls_errors_co), restarting
ovpn-server[4627]: [IP ADDR] SIGUSR1[soft,tls-error] received, client-instance restarting
ovpn-server[4627]: TCP connection established with [AF_INET][IP ADDR]
ovpn-server[4627]: [IP ADDR] TLS: Initial packet from [AF_INET][IP ADDR], sid=5bf6806d 9c9b6639
ovpn-server[4627]:[IP ADDR] Authenticate/Decrypt packet error: packet HMAC authentication failed
ovpn-server[4627]: [IP ADDR] TLS Error: incoming packet authentication failed from [AF_INET][IP ADDR]
ovpn-server[4627]: [IP ADDR] Fatal TLS error (check_tls_errors_co), restarting
ovpn-server[4627]: [IP ADDR] SIGUSR1[soft,tls-error] received, client-instance restarting
```

server.conf

```
port 443
proto tcp
dev tun
ca ca.crt
cert KICLAB-HV-01.crt
key KICLAB-HV-01.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0
key-direction 0
mode server
tls-server
cipher AES-128-CBC    # AES
auth SHA256           # SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
```

base.conf:

```
client
dev tun
proto tcp
remote [Internal LAN IP for testing] 443
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
```

Client log

```
Attempting to establish TCP connection with [AF_INET][IP:443} [nonblock]
MANAGEMENT: >STATE:1491826387,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET][IP:443}
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET][IP:443}
MANAGEMENT: >STATE:1491826388,WAIT,,,,,,
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1491826388,RECONNECTING,connection-reset,,,,,
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET][IP:443}
Socket Buffers: R=[65536->65536] S=[65536->65536]
Attempting to establish TCP connection with [AF_INET][IP:443} [nonblock]
MANAGEMENT: >STATE:1491826393,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET][IP:443}
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET][IP:443}
MANAGEMENT: >STATE:1491826394,WAIT,,,,,,
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1491826394,RECONNECTING,connection-reset,,,,,
Restart pause, 5 second(s)
```

Current output of `systemctl status openvpn@server` (note that the IP address is actually not the correct IP of the client. Is that a problem?):

```
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
IFCONFIG POOL LIST
MULTI: TCP INIT maxclients=1024 maxevents=1028
Initialization Sequence Completed
TCP connection established with [AF_INET][IP]:48758
[IP]:48758 TLS: Initial packet from [AF_INET][IP]:48758, sid=9ab50ac0 a37efe04
[IP]:48758 TLS Error: reading acknowledgement record from packet
[IP]:48758 Fatal TLS error (check_tls_errors_co), restarting
Apr 10 08:36:24 [host] ovpn-server[2191]: [IP]:48758 SIGUSR1[soft,tls-error] received, client-instance restarting
```

Thanks!


2 answers

Server Fault user

Accepted answer

Posted on 2017-04-10 13:40:16

You have no client certificate in your trust. You should generate a certificate signed by the same CA that you use on the server, and add it to client.conf like so:

```
ca "ca.crt"
cert "client.crt"
key "client.key"
```
Votes: 1

Server Fault user

Posted on 2017-04-07 15:11:23

From the OpenVPN website:

The --tls-auth option uses a static pre-shared key (PSK) that must be generated in advance and shared among all peers.

You have it on the server like this:

```
tls-auth ta.key 0 # This file is secret
key-direction 0
```

But on the client you have it commented out:

```
;tls-auth ta.key 1
...
key-direction 1
```

The second argument to tls-auth is the key direction, so there is no need to repeat it with a key-direction stanza.

On your server, just remove the key-direction 0 line, and on your client, remove both the comment delimiter (;) and the key-direction 1 line.

Of course, ta.key also needs to be on the client machine before this will actually work; copy it there securely with scp or similar.

Votes: 1
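The two answers above point at the same client-side gaps: no client certificate, and a `tls-auth` line that is commented out, so the server's HMAC check on the first packet fails. As an added example that is not part of either answer or of OpenVPN itself, the Python script below parses a server/client config pair and reports exactly those mismatches; the config texts are constructed here to mirror the question, with placeholder file names and a documentation IP.

```python
import shlex

def parse_ovpn(text):
    """Parse OpenVPN config into {directive: [[args...], ...]}. Lines starting
    with ';' or '#' are comments, so ';tls-auth ta.key 1' is inactive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = shlex.split(line, comments=True)  # also drops a trailing '# AES'
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def tls_auth_direction(opts):
    """Effective tls-auth direction: the second tls-auth argument wins, else a
    key-direction line, else bidirectional. None when tls-auth is not active."""
    ta = opts.get("tls-auth")
    if not ta:
        return None
    if len(ta[-1]) >= 2:
        return ta[-1][1]
    kd = opts.get("key-direction")
    return kd[-1][0] if kd else "bidirectional"

def check_pair(server_text, client_text):
    """Return findings that explain a failing handshake between this pair."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = [f"client: missing '{d}' (no client certificate to present)"
                for d in ("ca", "cert", "key") if d not in c]
    sd, cd = tls_auth_direction(s), tls_auth_direction(c)
    if sd is not None and cd is None:
        findings.append("client: server requires tls-auth but client has no active tls-auth "
                        "line; server logs 'packet HMAC authentication failed'")
    elif sd is not None and (sd, cd) not in {("0", "1"), ("1", "0"), ("bidirectional",) * 2}:
        findings.append(f"tls-auth directions not complementary: server={sd} client={cd}")
    for name, o in (("server", s), ("client", c)):
        if "tls-auth" in o and len(o["tls-auth"][-1]) >= 2 and "key-direction" in o:
            findings.append(f"{name}: key-direction is redundant, tls-auth already sets it")
    return findings

# Constructed configs mirroring the question (placeholder file names and IP).
SERVER_BROKEN = ("port 443\nproto tcp\nca ca.crt\ncert server.crt\nkey server.key\n"
                 "tls-auth ta.key 0\nkey-direction 0\ncipher AES-128-CBC    # AES\nauth SHA256\n")
CLIENT_BROKEN = ("client\nproto tcp\nremote 192.0.2.10 443\nremote-cert-tls server\n"
                 ";tls-auth ta.key 1\nkey-direction 1\ncipher AES-128-CBC\nauth SHA256\n")
SERVER_FIXED = SERVER_BROKEN.replace("key-direction 0\n", "")
CLIENT_FIXED = CLIENT_BROKEN.replace(";tls-auth ta.key 1\nkey-direction 1\n",
    "ca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key 1\n")
```

`check_pair(SERVER_BROKEN, CLIENT_BROKEN)` returns five findings (three missing certificate directives, the inactive client `tls-auth`, and the redundant server `key-direction`), while the fixed pair returns none.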
Page content provided by Server Fault; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://serverfault.com/questions/843078