Início / computer / Perguntas / 1454580
Accepted
LucG
Asked: 2019-07-01 01:41:22 +0800 CST

O arquivo de configuração Openvpn funciona com CLI, mas não com o gerenciador de rede

  • 772

Eu instalei meu próprio servidor openvpn em um VPS remoto usando o utilitário openvpn-install e tomando todos os parâmetros padrão.

Depois de baixar o arquivo .ovpn de saída para minha máquina cliente, testei o servidor openvpn da CLI e funcionou bem:

sudo openvpn vpnperso.ovpn

Mas quando tento importar este arquivo no gerenciador de rede, a conexão com a vpn atinge o tempo limite.

Registros do lado do cliente:

$cat /var/log/syslog | grep vpn

juin 30 10:58:09 sainte-victoire NetworkManager[774]: <info>  [1561885089.8474] audit: op="connection-activate" uuid="1c4eaa3c-a511-4e0d-b115-ced19c047574" name="vpnperso" pid=1281 uid=1000 result="success"
juin 30 10:58:09 sainte-victoire NetworkManager[774]: <info>  [1561885089.8538] vpn-connection[0x562bf20367c0,1c4eaa3c-a511-4e0d-b115-ced19c047574,"vpnperso",0]: Started the VPN service, PID 31822
juin 30 10:58:09 sainte-victoire NetworkManager[774]: <info>  [1561885089.8634] vpn-connection[0x562bf20367c0,1c4eaa3c-a511-4e0d-b115-ced19c047574,"vpnperso",0]: Saw the service appear; activating connection
juin 30 10:58:09 sainte-victoire NetworkManager[774]: <info>  [1561885089.8698] vpn-connection[0x562bf20367c0,1c4eaa3c-a511-4e0d-b115-ced19c047574,"vpnperso",0]: VPN plugin: state changed: starting (3)
juin 30 10:58:09 sainte-victoire nm-openvpn[31825]: WARNING: file '/home/luc/.local/share/networkmanagement/certificates/vpnperso/private.key' is group or others accessible
juin 30 10:58:09 sainte-victoire nm-openvpn[31825]: OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
juin 30 10:58:09 sainte-victoire nm-openvpn[31825]: library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
juin 30 10:58:09 sainte-victoire nm-openvpn[31825]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
juin 30 10:58:09 sainte-victoire nm-openvpn[31825]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
juin 30 10:58:09 sainte-victoire nm-openvpn[31825]: TCP/UDP: Preserving recently used remote address: [AF_INET]ip.ip.ip.ip:1194
juin 30 10:58:09 sainte-victoire nm-openvpn[31825]: UDP link local: (not bound)
juin 30 10:58:09 sainte-victoire nm-openvpn[31825]: UDP link remote: [AF_INET]ip.ip.ip.ip:1194
juin 30 10:58:09 sainte-victoire nm-openvpn[31825]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
juin 30 10:58:09 sainte-victoire nm-openvpn[31825]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
juin 30 10:59:09 sainte-victoire NetworkManager[774]: <warn>  [1561885149.6776] vpn-connection[0x562bf20367c0,1c4eaa3c-a511-4e0d-b115-ced19c047574,"vpnperso",0]: VPN connection: connect timeout exceeded.
juin 30 10:59:09 sainte-victoire nm-openvpn-serv[31822]: Connect timer expired, disconnecting.
juin 30 10:59:09 sainte-victoire nm-openvpn[31825]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
juin 30 10:59:09 sainte-victoire nm-openvpn[31825]: TLS Error: TLS handshake failed
juin 30 10:59:09 sainte-victoire nm-openvpn[31825]: SIGTERM[hard,tls-error] received, process exiting
juin 30 10:59:09 sainte-victoire NetworkManager[774]: <warn>  [1561885149.6875] vpn-connection[0x562bf20367c0,1c4eaa3c-a511-4e0d-b115-ced19c047574,"vpnperso",0]: VPN plugin: failed: connect-failed (1)
juin 30 10:59:09 sainte-victoire NetworkManager[774]: <info>  [1561885149.6884] vpn-connection[0x562bf20367c0,1c4eaa3c-a511-4e0d-b115-ced19c047574,"vpnperso",0]: VPN plugin: state changed: stopping (5)
juin 30 10:59:09 sainte-victoire NetworkManager[774]: <info>  [1561885149.6892] vpn-connection[0x562bf20367c0,1c4eaa3c-a511-4e0d-b115-ced19c047574,"vpnperso",0]: VPN plugin: state changed: stopped (6)

Registros do lado do servidor

$cat /var/log/syslog | grep vpn

Jun 30 10:59:09 vps704584 ovpn-server[12227]: TLS Error: tls-crypt unwrapping failed from [AF_INET]ip:ip:ip:ip:53903
Jun 30 10:59:09 vps704584 ovpn-server[12227]: tls-crypt unwrap error: packet too short

Como faço para o NetworkManager funcionar?

openvpn networkmanager

1 respostas

  1. Best Answer

    O problema é que o NetworkManager não suporta atualmente o tls-cryptrecurso do openvpn versão 2.4+.

    https://github.com/angristan/openvpn-install/issues/312

    Por padrão, o openvpn-install aplica as melhores configurações de segurança durante a instalação, que estão tls-crypthabilitadas. Se você deseja que o gerenciador de rede funcione com seu servidor openvpn, desative esse recurso ao instalar o openvpn em seu servidor. Você pode desinstalar o openvpn usando o mesmo openvpn-install.shscript, reinstalá-lo e, durante o procedimento de instalação, usar configurações personalizadas para criptografia. Em algum momento, você será solicitado a usar tls-authou tls-crypt, selecione tls-auth.

    Diferenças entre tls-auth vs tls-crypt

    • 0

relate perguntas