1. topology net30 support for server configs with IPv4
+ openvpn --config /etc/openvpn/openvpn.conf
2023-12-06 01:50:07 WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
2023-12-06 01:50:07 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
2023-12-06 01:50:07 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Field testing on the current version: this one can be left unfixed and basic functionality still works. The warning already names the fix, which is to add topology subnet to the server config so each client gets a single address instead of a /30; net30 for IPv4 pools is slated for removal, so do this before moving past 2.5.
2. you should also set --tun-mtu 1500
WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1179)
Field testing on the current version: this one can also be left unfixed and basic functionality still works. The 1179 is consistent with the tun-mtu OpenVPN derives from the link-mtu 1300 in the server config after subtracting its own per-packet overhead, and mssfix is on by default, which is why the warning fires. If the path MTU really has to be capped, keep tun-mtu 1500 and lower mssfix (for example mssfix 1300) rather than forcing link-mtu.
3. TLS handshake between client and server fails
2023-12-06 10:22:48 SIGUSR1[soft,tls-error] received, process restarting
2023-12-06 10:25:28 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-12-06 10:25:28 TCP/UDP: Preserving recently used remote address: [AF_INET]172.19.0.17:1194
2023-12-06 10:25:28 UDP link local: (not bound)
2023-12-06 10:25:28 UDP link remote: [AF_INET]172.19.0.17:1194
2023-12-06 10:25:28 TCP/UDP: Incoming packet rejected from [AF_INET]10.1.0.13:1194[2], expected peer address: [AF_INET]172.19.0.17:1194 (allow this incoming source address/port by removing --remote or adding --float)
2023-12-06 10:25:30 TCP/UDP: Incoming packet rejected from [AF_INET]10.1.0.13:1194[2], expected peer address: [AF_INET]172.19.0.17:1194 (allow this incoming source address/port by removing --remote or adding --float)
2023-12-06 10:25:34 TCP/UDP: Incoming packet rejected from [AF_INET]10.1.0.13:1194[2], expected peer address: [AF_INET]172.19.0.17:1194 (allow this incoming source address/port by removing --remote or adding --float)
2023-12-06 10:25:34 TCP/UDP: Incoming packet rejected from [AF_INET]10.1.0.13:1194[2], expected peer address: [AF_INET]172.19.0.17:1194 (allow this incoming source address/port by removing --remote or adding --float)
2023-12-06 10:25:42 TCP/UDP: Incoming packet rejected from [AF_INET]10.1.0.13:1194[2], expected peer address: [AF_INET]172.19.0.17:1194 (allow this incoming source address/port by removing --remote or adding --float)
2023-12-06 10:25:58 TCP/UDP: Incoming packet rejected from [AF_INET]10.1.0.13:1194[2], expected peer address: [AF_INET]172.19.0.17:1194 (allow this incoming source address/port by removing --remote or adding --float)
2023-12-06 10:25:58 TCP/UDP: Incoming packet rejected from [AF_INET]10.1.0.13:1194[2], expected peer address: [AF_INET]172.19.0.17:1194 (allow this incoming source address/port by removing --remote or adding --float)
2023-12-06 10:26:28 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-12-06 10:26:28 TLS Error: TLS handshake failed
2023-12-06 10:26:28 SIGUSR1[soft,tls-error] received, process restarting
The hint the log gives for the fix is:
allow this incoming source address/port by removing --remote or adding --float
The current server config is:
root@keepalived01-0:/# cat /etc/openvpn/openvpn.conf
server 10.240.0.0 255.255.0.0
verb 3
key /etc/openvpn/certs/pki/private/server.key
ca /etc/openvpn/certs/pki/ca.crt
cert /etc/openvpn/certs/pki/issued/server.crt
dh /etc/openvpn/certs/pki/dh.pem
cipher AES-256-GCM
key-direction 0
keepalive 10 600
persist-key
persist-tun
link-mtu 1300
auth SHA1
proto udp
port 1194
dev tun0
status /openvpn-status.log
user nobody
group nogroup
push "route 10.1.0.0 255.255.255.0"
push "dhcp-option DOMAIN-SEARCH ns1.svc.cluster.local"
push "dhcp-option DOMAIN-SEARCH svc.cluster.local"
push "dhcp-option DOMAIN-SEARCH cluster.local"
The client config is:
root@empty:~# cat /tmp/ovpncli1.ovpn
client
nobind
dev tun
# remote-cert-tls server # mitigate mitm
# Note: the server certificate issued by cert-manager has no Key Usage extension, so this check had to be commented out for now
# https://superuser.com/questions/1446201/openvpn-certificate-does-not-have-key-usage-extension
remote 172.19.0.17 1194 udp # keep this line; the fix is to add float next to it, not to replace remote
# default udp 1194
# default tcp 443
redirect-gateway def1
...
The fix is to add float. Keep the remote line: float does not replace it, it tells OpenVPN to also accept packets from a source address other than the one it dialled, which is exactly what the log shows (replies arrive from 10.1.0.13 while the client dialled 172.19.0.17). Packets still have to pass OpenVPN's authentication before the peer address is allowed to move, so float is safe to add; the cleaner fix on the server side is to make replies leave from the address the client dialled so the mismatch never occurs.
float # adding this fixes it
remote 172.19.0.17 1194 udp # keep this line
Reference: forum.netgate.com/topic/13137…
Reference client config:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 192.168.2.15 1195 udp
lport 0
verify-x509-name "VPN Server Cert" name
auth-user-pass
pkcs12 OPNsense-udp-1195-vpnuser01.p12
tls-auth OPNsense-udp-1195-vpnuser01-tls.key 1
remote-cert-tls server
comp-lzo no
float
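The diagnosis above can be automated: the script below walks a client log, counts the "Incoming packet rejected" lines per (actual, expected) address pair, notes whether the TLS handshake timed out as a result, and prints the same conclusion reached in item 3. This is an added example, not OpenVPN project code; SAMPLE_LOG is constructed from the log lines shown on this page (shortened to three rejections), and every address and count in the result comes only from the text passed in.

```python
"""Triage an OpenVPN client log for the failure pattern in item 3:
'Incoming packet rejected from X, expected peer address: Y' repeated until
'TLS key negotiation failed to occur within N seconds'.

Added example, not OpenVPN project code.  SAMPLE_LOG is constructed from
the lines shown on this page (shortened)."""
import re
from collections import Counter

REJECTED = re.compile(
    r"Incoming packet rejected from \[AF_INET\](?P<actual>[\d.]+:\d+)\[\d+\], "
    r"expected peer address: \[AF_INET\](?P<expected>[\d.]+:\d+)"
)
TLS_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")


def triage(log_text):
    """Return {'rejected': {(actual, expected): count}, 'tls_timeout': bool,
    'verdict': str or None} for one connection attempt."""
    pairs = Counter()
    timed_out = False
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if m:
            pairs[(m["actual"], m["expected"])] += 1
        elif TLS_TIMEOUT.search(line):
            timed_out = True

    verdict = None
    if pairs:
        (actual, expected), n = pairs.most_common(1)[0]
        actual_ip, expected_ip = actual.rsplit(":", 1)[0], expected.rsplit(":", 1)[0]
        where = ("a different host" if actual_ip != expected_ip
                 else "the same host on a different port")
        verdict = (
            f"{n} packet(s) from {actual} dropped because the client dialled {expected} "
            f"(replies arrive from {where}). Add 'float' to the client so authenticated "
            f"packets from {actual} are accepted, or make the server answer from "
            f"{expected} so the source address never changes."
        )
        if timed_out:
            verdict += " The TLS handshake timed out as a result."
    elif timed_out:
        verdict = ("TLS handshake timed out with no rejected packets: the peer address is "
                   "fine, so check reachability/firewalling of the UDP port and the "
                   "server-side log for the other half of the exchange.")
    return {"rejected": dict(pairs), "tls_timeout": timed_out, "verdict": verdict}


# Constructed from the page's log, three of the repeated rejections kept.
SAMPLE_LOG = """\
2023-12-06 10:25:28 UDP link remote: [AF_INET]172.19.0.17:1194
2023-12-06 10:25:28 TCP/UDP: Incoming packet rejected from [AF_INET]10.1.0.13:1194[2], expected peer address: [AF_INET]172.19.0.17:1194 (allow this incoming source address/port by removing --remote or adding --float)
2023-12-06 10:25:30 TCP/UDP: Incoming packet rejected from [AF_INET]10.1.0.13:1194[2], expected peer address: [AF_INET]172.19.0.17:1194 (allow this incoming source address/port by removing --remote or adding --float)
2023-12-06 10:25:34 TCP/UDP: Incoming packet rejected from [AF_INET]10.1.0.13:1194[2], expected peer address: [AF_INET]172.19.0.17:1194 (allow this incoming source address/port by removing --remote or adding --float)
2023-12-06 10:26:28 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-12-06 10:26:28 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["verdict"])
```

Feed it the full client log (openvpn --config ... 2>&1 | tee client.log) and it distinguishes the item 3 case, where float is the answer, from a plain timeout like the one in item 5, where the peer address is not the problem.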
4. cipher is not set
root@empty:/tmp# openvpn --config /tmp/ovpncli1.ovpn
2023-12-06 10:52:32 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Add cipher AES-256-GCM to the client config to match the server. On 2.5 the preferred spelling is data-ciphers AES-256-GCM, since cipher is deprecated for the data channel; do not take the message's other suggestion of re-adding BF-CBC, a 64-bit block cipher that the fallback was removed to get rid of.
5. WARNING: No server certificate verification method has been enabled
root@empty:/tmp# openvpn --config /tmp/ovpncli1.ovpn
2023-12-06 11:06:07 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
2023-12-06 11:06:07 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-12-06 11:06:07 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-12-06 11:06:07 TCP/UDP: Preserving recently used remote address: [AF_INET]172.19.0.17:1194
2023-12-06 11:06:07 UDP link local: (not bound)
2023-12-06 11:06:07 UDP link remote: [AF_INET]172.19.0.17:1194
2023-12-06 11:07:07 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-12-06 11:07:07 TLS Error: TLS handshake failed
2023-12-06 11:07:07 SIGUSR1[soft,tls-error] received, process restarting
2023-12-06 11:07:12 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-12-06 11:07:12 TCP/UDP: Preserving recently used remote address: [AF_INET]172.19.0.17:1194
2023-12-06 11:07:12 UDP link local: (not bound)
2023-12-06 11:07:12 UDP link remote: [AF_INET]172.19.0.17:1194
2023-12-06 11:08:12 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-12-06 11:08:12 TLS Error: TLS handshake failed
2023-12-06 11:08:12 SIGUSR1[soft,tls-error] received, process restarting
This warning is the direct consequence of commenting out remote-cert-tls server in the client config (item 3): the client now accepts any certificate signed by the CA, including another client's, so any holder of a client certificate could impersonate the server. Two ways to satisfy the check are already on this page: reissue the server certificate with the usages cert-manager left out (the serverAuth extended key usage plus digitalSignature and keyEncipherment key usage, set through the usages field of the cert-manager Certificate) and re-enable remote-cert-tls server, or pin the server's CN with verify-x509-name "<server CN>" name as the reference client config does, where <server CN> is the CN of the issued server certificate.
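All five warnings in these notes are conditions visible in the config before openvpn is started, so they can be checked up front. The linter below parses an .ovpn file the way openvpn does (comments stripped, so a commented-out remote-cert-tls server counts as absent) and reports the net30 topology (item 1), a link-mtu or tun-mtu that conflicts with mssfix (item 2), a missing cipher or data-ciphers and any BF-CBC fallback (item 4), and a client with no server certificate verification (item 5). This is an added example, not OpenVPN project code; the rules re-implement the conditions the warning messages on this page describe, and SERVER_CONF and CLIENT_CONF are constructed from the snippets in item 3 (pushes omitted, float added as in the fix).

```python
"""Lint an OpenVPN 2.5 config for the conditions behind the warnings in
these notes.  Added example, not OpenVPN project code; the sample configs
are constructed from the snippets on this page."""
import re

# Options that satisfy OpenVPN 2.5's server-certificate verification check.
VERIFY_OPTIONS = {"remote-cert-tls", "remote-cert-eku", "remote-cert-ku",
                  "verify-x509-name", "ns-cert-type"}


def parse_config(text):
    """Map option name -> list of argument lists, in file order.
    '#' and ';' comments are stripped, so a commented-out option is absent
    exactly as openvpn sees it; inline <ca>..</ca> blocks are skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts


def first_arg(opts, name, default=None):
    """First argument of the first occurrence of `name`, else default."""
    args = opts.get(name)
    return args[0][0] if args and args[0] else default


def lint(opts):
    """Return [(severity, option, message)] for the parsed config."""
    findings = []
    # 1. --server defaults to topology net30, which 2.5 warns is going away.
    if "server" in opts and first_arg(opts, "topology", "net30") != "subnet":
        findings.append(("warn", "topology",
                         "server uses the default net30 topology; add 'topology subnet'"))
    # 2. mssfix is on by default (1450); with mssfix/fragment active openvpn
    #    wants tun-mtu 1500, and a link-mtu pins a derived tun-mtu instead.
    if first_arg(opts, "mssfix", "1450") != "0" or "fragment" in opts:
        if "link-mtu" in opts:
            findings.append(("warn", "link-mtu",
                             f"link-mtu {first_arg(opts, 'link-mtu')} derives a tun-mtu "
                             "below 1500; keep tun-mtu 1500 and lower mssfix instead"))
        elif first_arg(opts, "tun-mtu", "1500") != "1500":
            findings.append(("warn", "tun-mtu",
                             f"tun-mtu {first_arg(opts, 'tun-mtu')} with mssfix/fragment "
                             "active; openvpn expects 1500"))
    # 4. no data-channel cipher: 2.5 no longer silently falls back to BF-CBC.
    if not {"cipher", "data-ciphers", "ncp-ciphers"} & opts.keys():
        findings.append(("warn", "cipher",
                         "no cipher/data-ciphers; add 'data-ciphers AES-256-GCM' to match the server"))
    if (first_arg(opts, "data-ciphers-fallback") or "").upper() == "BF-CBC":
        findings.append(("error", "data-ciphers-fallback",
                         "BF-CBC is a 64-bit block cipher (SWEET32); do not re-enable it"))
    # 5. a client with no server-certificate check accepts any certificate
    #    the CA signed, including another client's.
    if ("client" in opts or "tls-client" in opts) and not VERIFY_OPTIONS & opts.keys():
        findings.append(("error", "remote-cert-tls",
                         "no server certificate verification; re-enable 'remote-cert-tls server' "
                         "(issue the server cert with the serverAuth EKU) or use verify-x509-name"))
    # With an AEAD data cipher 'auth' only selects the tls-auth/tls-crypt HMAC;
    # the reference client config on this page uses SHA256 there.
    if (first_arg(opts, "auth") or "").upper() == "SHA1":
        findings.append(("info", "auth", "auth SHA1; the reference config uses SHA256"))
    return findings


def lint_text(text):
    return lint(parse_config(text))


# Constructed from the server config in item 3 (pushes and paths trimmed).
SERVER_CONF = """\
server 10.240.0.0 255.255.0.0
ca /etc/openvpn/certs/pki/ca.crt
cipher AES-256-GCM
key-direction 0
keepalive 10 600
link-mtu 1300
auth SHA1
proto udp
port 1194
dev tun0
"""

# Constructed from the client config in item 3, float added as in the fix.
CLIENT_CONF = """\
client
nobind
dev tun
# remote-cert-tls server # mitigate mitm
float
remote 172.19.0.17 1194 udp
redirect-gateway def1
"""

if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for severity, option, message in lint_text(conf):
            print(f"{label}: [{severity}] {option}: {message}")
```

Run it against both files before the first connection attempt; once remote-cert-tls server is back and data-ciphers AES-256-GCM is set, the client side reports nothing, which is the state the reference client config above is in.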