Sudden OpenVPN TLS handshake failure, can't connect to the server: asking for help
Hi everyone. A few months ago, after a lot of fiddling, I finally got an OpenVPN server and client set up on Ubuntu 20 so I could remotely connect to my first self-built PC. It used to connect fine from various remote locations; I originally followed a tutorial to configure it. But now I've suddenly run into a TLS handshake failure and have no idea how to troubleshoot it, so I'm asking for help here!
I haven't touched any OpenVPN-related settings, and no large software has been installed on the server, but now the laptop client can't connect at all. I tried reconfiguring the client on another laptop and it still fails; I even uninstalled and reinstalled OpenVPN on both ends and regenerated all keys and certificates, and I still get the same TLS handshake error.
Troubleshooting clues
- Clue 1: The server log shows no connection attempts from the client at all (previously I could see connection records). I ran tcpdump on the server and on the client (though I'm not very familiar with the tool); listening on the tun0 interface on the server captured no packets at all:
~$ sudo tcpdump -D
[sudo] password for adnan:
1.enp5s0 [Up, Running]
2.tun0 [Up, Running]
3.lo [Up, Running, Loopback]
4.any (Pseudo-device that captures on all interfaces) [Up, Running]
5.wlo1 [Up]
6.docker0 [Up]
7.br-d2c78a773ae5 [Up]
8.br-4b07fa21428c [Up]
9.bluetooth-monitor (Bluetooth Linux Monitor) [none]
10.nflog (Linux netfilter log (NFLOG) interface) [none]
11.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
12.bluetooth0 (Bluetooth adapter number 0) [none]
~$ sudo tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
Client's tcpdump device list:
~$ sudo tcpdump -D
1.wlo1 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.docker0 [Up]
5.br-4fe775d77579 [Up]
6.bluetooth-monitor (Bluetooth Linux Monitor) [none]
7.nflog (Linux netfilter log (NFLOG) interface) [none]
8.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
9.bluetooth0 (Bluetooth adapter number 0) [none]
- Clue 2: While re-reading the tutorial I noticed that in the output of ip route list default the default NIC has changed from enp4s0 to enp5s0. I don't know whether this change could affect the VPN connection.
- Clue 3: The tutorial says the client can run systemd-resolve --status tun0, but when I run it, it returns Failed to resolve interface "tun0", ignoring: No such device. However, I haven't configured all traffic to go through the VPN, so maybe this error is unrelated?
Client log output
client$ openvpn laptop_client.conf
Sun Jan 29 08:12:29 2023 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Sun Jan 29 08:12:29 2023 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Sun Jan 29 08:12:29 2023 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan 29 08:12:29 2023 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jan 29 08:12:29 2023 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 29 08:12:29 2023 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jan 29 08:12:29 2023 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 29 08:12:29 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:12:29 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 29 08:12:29 2023 UDP link local: (not bound)
Sun Jan 29 08:12:29 2023 UDP link remote: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:12:29 2023 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sun Jan 29 08:13:29 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 29 08:13:29 2023 TLS Error: TLS handshake failed
Sun Jan 29 08:13:29 2023 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 29 08:13:29 2023 Restart pause, 5 second(s)
Sun Jan 29 08:13:34 2023 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan 29 08:13:34 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:13:34 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 29 08:13:34 2023 UDP link local: (not bound)
Sun Jan 29 08:13:34 2023 UDP link remote: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:14:34 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 29 08:14:34 2023 TLS Error: TLS handshake failed
Sun Jan 29 08:14:34 2023 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 29 08:14:34 2023 Restart pause, 5 second(s)
Sun Jan 29 08:14:39 2023 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan 29 08:14:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]140.141.196.45:11111
Sun Jan 29 08:14:39 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 29 08:14:39 2023 UDP link local: (not bound)
Sun Jan 29 08:14:39 2023 UDP link remote: [AF_INET]140.141.196.45:11111
Server log output
root@build1:/etc/openvpn/server# openvpn server_build1.conf
Sat Jan 28 21:48:58 2023 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Sat Jan 28 21:48:58 2023 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Sat Jan 28 21:48:58 2023 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jan 28 21:48:58 2023 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jan 28 21:48:58 2023 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jan 28 21:48:58 2023 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jan 28 21:48:58 2023 ROUTE_GATEWAY 10.1.2.1/255.255.255.0 IFACE=enp5s0 HWADDR=d8:bb:c1:d9:d3:33
Sat Jan 28 21:48:58 2023 TUN/TAP device tun0 opened
Sat Jan 28 21:48:58 2023 TUN/TAP TX queue length set to 100
Sat Jan 28 21:48:58 2023 /sbin/ip link set dev tun0 up mtu 1500
Sat Jan 28 21:48:58 2023 /sbin/ip addr add dev tun0 local 10.8.1.1 peer 10.8.1.2
Sat Jan 28 21:48:58 2023 /sbin/ip route add 10.8.1.0/24 via 10.8.1.2
Sat Jan 28 21:48:58 2023 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Jan 28 21:48:58 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jan 28 21:48:58 2023 UDPv4 link local (bound): [AF_INET][undef]:11111
Sat Jan 28 21:48:58 2023 UDPv4 link remote: [AF_UNSPEC]
Sat Jan 28 21:48:58 2023 GID set to nogroup
Sat Jan 28 21:48:58 2023 UID set to nobody
Sat Jan 28 21:48:58 2023 MULTI: multi_init called, r=256 v=256
Sat Jan 28 21:48:58 2023 IFCONFIG POOL: base=10.8.1.4 size=62, ipv6=0
Sat Jan 28 21:48:58 2023 IFCONFIG POOL LIST
Sat Jan 28 21:48:58 2023 Initialization Sequence Completed
Client configuration file (laptop_client.conf)
client
dev tun
proto udp
remote REDACTED 11111
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
key-direction 1
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .
<ca>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        REDACTED
...
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
REDACTED
-----END OpenVPN Static key V1-----
</tls-crypt>
Server configuration file (server_build1.conf)
port 11111
proto udp
dev tun
ca ca.crt
cert server_build1.crt
key server_build1.key  # This file should be kept secret
dh none
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.1.2.0 255.255.255.0"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
Server firewall status
root@build1:/etc/openvpn/server# ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
11111/udp                  ALLOW       Anywhere
5900/tcp                   ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
11111/udp (v6)             ALLOW       Anywhere (v6)
5900/tcp (v6)              ALLOW       Anywhere (v6)
Note: content sourced from Stack Exchange; question asked by MaanDoabeDa
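As an added diagnostic helper (not part of the original post or of OpenVPN itself), the Python script below encodes the check that matters for this symptom: tun0 only carries traffic once the handshake has succeeded, so a silent tun0 is expected, and the useful capture is on the interface that holds the default route, filtered on the OpenVPN UDP port. It parses `ip route list default` and `tcpdump -D` output and triages the client log; the sample inputs are constructed from the outputs quoted in the post, and the `VERIFY ERROR` string is OpenVPN's certificate-rejection message as I recall it, not something shown on this page.

```python
import re
from typing import List, Optional

OPENVPN_PORT = 11111  # UDP port from the server config in the post


def default_iface(ip_route_output: str) -> Optional[str]:
    """Interface carrying the default route, parsed from `ip route list default`."""
    m = re.search(r"^default\s+via\s+\S+\s+dev\s+(\S+)", ip_route_output, re.M)
    return m.group(1) if m else None


def iface_running(tcpdump_list: str, iface: str) -> bool:
    """True if `tcpdump -D` lists iface with the Running flag (Up alone is not enough)."""
    m = re.search(r"^\d+\.%s\s+\[([^\]]*)\]" % re.escape(iface), tcpdump_list, re.M)
    return m is not None and "Running" in m.group(1)


def capture_command(iface: str, port: int = OPENVPN_PORT) -> List[str]:
    """tcpdump invocation on the physical interface. tun0 stays silent until the
    handshake completes, so a capture there cannot show whether packets arrive."""
    return ["tcpdump", "-ni", iface, "udp", "port", str(port)]


def classify_client_log(log: str) -> str:
    """Coarse triage of an OpenVPN client log."""
    if "Initialization Sequence Completed" in log:
        return "ok"
    if "VERIFY ERROR" in log:  # assumed OpenVPN message text: the server did answer
        return "cert"
    if "TLS key negotiation failed to occur within" in log:
        return "no-reply"  # nothing came back: filtered path, wrong remote/port, or server not listening
    return "unknown"


# Constructed sample inputs modelled on the outputs quoted in the post.
ROUTE = "default via 10.1.2.1 dev enp5s0 proto dhcp metric 100\n"
DEVICES = ("1.enp5s0 [Up, Running]\n2.tun0 [Up, Running]\n"
           "3.lo [Up, Running, Loopback]\n4.wlo1 [Up]\n")
LOG = ("Sun Jan 29 08:13:29 2023 TLS Error: TLS key negotiation failed to occur "
       "within 60 seconds (check your network connectivity)\n")

if __name__ == "__main__":
    iface = default_iface(ROUTE)
    print("capture on:", iface, "running:", iface_running(DEVICES, iface))
    print(" ".join(capture_command(iface)))
    print("client log says:", classify_client_log(LOG))
```

If the capture on the default-route interface shows no inbound UDP on the port while the client is retrying, the problem is upstream of OpenVPN (NAT, port forward, ISP address change); if packets arrive but no replies leave, look at the server side.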