Views: 5365 | Replies: 2

Please fix the OpenVPN server fault


Posted 2021-3-1 23:15:38
Last edited by xffer on 2021-3-3 17:47

The firmware version is SX1200, 5.2.0.19646, which has problems 1 and 2; upgrading to 19862 produced a serious disconnect/reconnect problem, shown as fault 3; after downgrading to 19646, problem 3 appears intermittently.
1. Are the Diffie-Hellman parameters mandatory? Can they be dropped?
2. The log reports an error every minute, as follows:
Fri Feb 26 08:47:56 2021 OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May  9 2020
Fri Feb 26 08:47:56 2021 library versions: OpenSSL 1.0.2 22 Jan 2015, LZO 2.08
Fri Feb 26 08:47:56 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:2616
Fri Feb 26 08:47:56 2021 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Feb 26 08:47:56 2021 Diffie-Hellman initialized with 1024 bit key
Fri Feb 26 08:47:56 2021 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Fri Feb 26 08:47:56 2021 WARNING: file '/tmp/openvpnserver/openvpnserver.key' is group or others accessible
Fri Feb 26 08:47:56 2021 Socket Buffers: R=[180224->131072] S=[180224->131072]
Fri Feb 26 08:47:56 2021 TUN/TAP device tun0 opened
Fri Feb 26 08:47:56 2021 TUN/TAP TX queue length set to 100
Fri Feb 26 08:47:56 2021 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Feb 26 08:47:56 2021 /sbin/ifconfig tun0 172.16.123.1 netmask 255.255.255.0 mtu 1500 broadcast 172.16.123.255
Fri Feb 26 08:47:56 2021 UDPv4 link local (bound): [undef]
Fri Feb 26 08:47:56 2021 UDPv4 link remote: [undef]
Fri Feb 26 08:47:56 2021 MULTI: multi_init called, r=256 v=256
Fri Feb 26 08:47:56 2021 IFCONFIG POOL: base=172.16.123.2 size=252, ipv6=0
Fri Feb 26 08:47:56 2021 IFCONFIG POOL LIST
Fri Feb 26 08:47:56 2021 Initialization Sequence Completed
Fri Feb 26 08:48:42 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:49:42 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:50:42 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:51:43 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:52:43 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:53:43 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:54:43 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:55:43 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:56:43 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:57:44 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:58:44 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:59:44 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:00:44 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:01:44 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:02:44 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:03:44 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:04:45 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:05:45 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:06:45 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:07:45 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:08:45 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:09:45 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:10:46 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:11:46 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:12:46 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:13:46 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:14:46 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:15:46 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:16:47 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:17:47 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:18:47 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:19:47 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:20:47 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:21:47 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:22:48 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:23:48 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:24:48 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 09:25:48 2021 IP packet with unknown IP version=15 seen

3. Disconnections, for no apparent reason; the server log is as follows:
Mon Mar  1 16:17:25 2021 p750tm/X.X.X.X:16513 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar  1 16:17:25 2021 p750tm/X.X.X.X:16513 TLS Error: TLS handshake failed
Mon Mar  1 16:17:25 2021 p750tm/X.X.X.X:16513 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
4.

Tue Mar  2 12:12:34 2021 IP packet with unknown IP version=15 seen
Tue Mar  2 12:13:34 2021 IP packet with unknown IP version=15 seen
Tue Mar  2 12:13:38 2021 p750tm/X.X.X.X:13938 [p750tm] Inactivity timeout (--ping-restart), restarting
Tue Mar  2 12:13:38 2021 p750tm/X.X.X.X.:13938 SIGUSR1[soft,ping-restart] received, client-instance restarting
Tue Mar  2 12:14:34 2021 IP packet with unknown IP version=15 seen
Tue Mar  2 12:15:34 2021 IP packet with unknown IP version=15 seen


Wed Mar  3 15:38:56 2021 IP packet with unknown IP version=15 seen
Wed Mar  3 15:39:57 2021 IP packet with unknown IP version=15 seen
Wed Mar  3 15:40:57 2021 IP packet with unknown IP version=15 seen
Wed Mar  3 15:41:03 2021 p750tm/X.X.X.X:54297 TLS: tls_process: killed expiring key
Wed Mar  3 15:41:57 2021 IP packet with unknown IP version=15 seen
Wed Mar  3 15:42:09 2021 p750tm/X.X.X.X:54297 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar  3 15:42:09 2021 p750tm/X.X.X.X:54297 TLS Error: TLS handshake failed
Wed Mar  3 15:42:09 2021 p750tm/X.X.X.X:54297 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
Wed Mar  3 15:42:24 2021 p750tm/X.X.X.X:54297 TLS: Initial packet from [AF_INET]X.X.X.X:54297, sid=cd125d95 9c94052f
Wed Mar  3 15:42:31 2021 p750tm/X.X.X.X:54297 TLS: Username/Password authentication succeeded for username 'p750tm' [CN SET]
Wed Mar  3 15:42:31 2021 p750tm/X.X.X.X:54297 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Mar  3 15:42:31 2021 p750tm/X.X.X.X:54297 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar  3 15:42:31 2021 p750tm/X.X.X.X:54297 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Mar  3 15:42:31 2021 p750tm/X.X.X.X:54297 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar  3 15:42:31 2021 p750tm/X.X.X.X:54297 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA

The client log is as follows:
2021-03-03 16:45:42 Validating certificate extended key usage
2021-03-03 16:45:42 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-03-03 16:45:42 VERIFY EKU OK
2021-03-03 16:45:42 VERIFY OK: depth=0, C=CN, ST=Shanghai, L=Shanghai, O=Gocloud, OU=gocloud, CN=server, name=server, emailAddress=info@gocloud.cn
2021-03-03 16:45:42 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2021-03-03 16:45:42 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-03-03 16:45:42 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2021-03-03 16:45:42 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-03-03 16:45:42 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2021-03-03 17:45:37 TLS: tls_process: killed expiring key
2021-03-03 17:45:42 TLS: soft reset sec=3600/3600 bytes=4051661/-1 pkts=9842/0
2021-03-03 17:45:48 MANAGEMENT: CMD 'username "Auth" "p750tm"'
2021-03-03 17:45:48 MANAGEMENT: CMD 'password [...]'
2021-03-03 17:45:48 VERIFY OK: depth=1, C=CN, ST=Shanghai, L=Shanghai, O=Gocloud, OU=gocloud, CN=gocloud, name=gocloud, emailAddress=info@gocloud.cn
2021-03-03 17:45:48 VERIFY KU OK
2021-03-03 17:45:48 Validating certificate extended key usage
2021-03-03 17:45:48 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-03-03 17:45:48 VERIFY EKU OK
2021-03-03 17:45:48 VERIFY OK: depth=0, C=CN, ST=Shanghai, L=Shanghai, O=Gocloud, OU=gocloud, CN=server, name=server, emailAddress=info@gocloud.cn
2021-03-03 17:45:48 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2021-03-03 17:45:48 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-03-03 17:45:48 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2021-03-03 17:45:48 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-03-03 17:45:48 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

Also, the WAN-port firewall feature is weak and simply has no effect; I hope it gets developed.

Original poster | Posted 2021-3-16 22:25:56
May I ask the moderator how progress is going?
Original poster | Posted 2021-4-15 22:02:11
Last edited by xffer on 2021-4-15 22:06

It looks like 高恪 does not intend to improve this module, so let me analyze the logs myself. I have already rolled the version back to 19366; the OpenVPN server version is still OpenVPN 2.3.6 i486-openwrt-linux-gnu, so the fault is the same. So why use the i486-openwrt build? Can't the i386 version be used, and why use a version compiled for openwrt? As for "IP packet with unknown IP version=15 seen", I believe this error that appears every minute is closely related to the version. Also, the unexplained disconnects come from script-security: in the config file exported by default it is 2, and after changing it to 3, the TLS handshake failed and subsequent disconnect/reconnect problem no longer occurs. This makes me suspect it is deliberate...........
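As an added triage example, which is not code from this thread or from the router vendor's firmware: a Python script that reads the server log quoted in the first post and the renegotiation sequence discussed in this post. It flags the startup messages that weaken the server (1024-bit DH parameters, `--client-cert-not-required`, a key file readable by other users, a raised `--script-security` level), counts the "unknown IP version" lines by version value, and pairs each "killed expiring key" with a following "TLS key negotiation failed" for the same client to measure how long the renegotiation hung. The sample log below is constructed from lines in the thread (with the poster's own `X.X.X.X` masking kept); the 2048-bit DH threshold, the advice strings and the function names are my assumptions.

```python
"""Triage an OpenVPN 2.3 server log for weak-setting warnings and renegotiation failures.
Added example; not part of the forum thread or the vendor firmware."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a handful of lines taken from the server log quoted in the thread.
SAMPLE_LOG = """\
Fri Feb 26 08:47:56 2021 Diffie-Hellman initialized with 1024 bit key
Fri Feb 26 08:47:56 2021 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Fri Feb 26 08:47:56 2021 WARNING: file '/tmp/openvpnserver/openvpnserver.key' is group or others accessible
Fri Feb 26 08:47:56 2021 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Feb 26 08:48:42 2021 IP packet with unknown IP version=15 seen
Fri Feb 26 08:49:42 2021 IP packet with unknown IP version=15 seen
Wed Mar  3 15:41:03 2021 p750tm/X.X.X.X:54297 TLS: tls_process: killed expiring key
Wed Mar  3 15:42:09 2021 p750tm/X.X.X.X:54297 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar  3 15:42:31 2021 p750tm/X.X.X.X:54297 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
"""

# "Fri Feb 26 08:47:56 2021 <message>"; the day may be padded with an extra space ("Mar  3").
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")
# Per-client messages are prefixed "commonname/ip:port ".
CLIENT_RE = re.compile(r"^(?P<client>\S+/\S+:\d+) (?P<rest>.*)$")
DH_RE = re.compile(r"Diffie-Hellman initialized with (\d+) bit key")
UNKNOWN_IP_RE = re.compile(r"unknown IP version=(\d+)")

# Startup messages that indicate a weakened configuration, with the fix a reviewer would ask for
# (advice strings are this example's assumptions, not OpenVPN output).
STATIC_CHECKS = [
    ("--client-cert-not-required", "server accepts clients without a certificate; require client certificates"),
    ("is group or others accessible", "private key is readable by other users; restrict it to the OpenVPN user (mode 600)"),
    ("--script-security", "script-security is 2 or higher; keep it at the lowest level the setup needs"),
]


def parse_line(line):
    """Split one log line into (datetime, client-or-None, message); None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    msg = m.group("msg")
    c = CLIENT_RE.match(msg)
    if c:
        return ts, c.group("client"), c.group("rest")
    return ts, None, msg


def triage(log_text, min_dh_bits=2048):
    """Return weak-setting findings, unknown-IP-version counts and hung renegotiations per client."""
    findings = []
    unknown_ip = Counter()   # IP version value -> number of "unknown IP version" lines
    pending_renegs = {}      # client -> time its old key was killed (renegotiation started)
    reneg_failures = []      # (client, seconds between key kill and the negotiation-failed error)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, msg = parsed
        dh = DH_RE.search(msg)
        if dh and int(dh.group(1)) < min_dh_bits:
            findings.append(f"weak DH parameters: {dh.group(1)} bits (want >= {min_dh_bits})")
        for needle, advice in STATIC_CHECKS:
            if needle in msg:
                findings.append(f"{needle}: {advice}")
        v = UNKNOWN_IP_RE.search(msg)
        if v:
            unknown_ip[int(v.group(1))] += 1
        if client is None:
            continue
        if "killed expiring key" in msg:
            pending_renegs[client] = ts
        elif "TLS key negotiation failed" in msg and client in pending_renegs:
            delay = (ts - pending_renegs.pop(client)).total_seconds()
            reneg_failures.append((client, delay))
        elif "Control Channel:" in msg:
            pending_renegs.pop(client, None)  # a new control channel means the renegotiation completed
    return {"findings": findings, "unknown_ip_versions": dict(unknown_ip), "reneg_failures": reneg_failures}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, `triage` reports four weak settings, two "unknown IP version=15" lines and one renegotiation that hung for 66 seconds before the server gave up, which is the sequence the poster sees as a drop: the hourly soft reset starts a fresh TLS handshake, and if that handshake does not complete within 60 seconds the client instance is torn down.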