OpenVPN keeps reconnecting
-
Good day everyone,
Please help.
There is a pfSense 2.3.3.1 server in Tashkent with several OpenVPN instances running on it. One of them is configured on port 443 over UDP, tun mode, Peer-to-Peer SSL/TLS.
The Beijing branch also has a pfSense 2.3.3.1 client with OpenVPN running.
The client connects to the server successfully and everything seems to work: we can ping and see the machines in the remote networks.
The problem: every N minutes (5, 10, 30, etc., always different) the connection drops and the client restarts the tunnel.
What could the problem be? Also, for some reason I can't ping the tunnel addresses, although on the other OpenVPN instances similar addresses are pingable.
At both sites, the Rules/OpenVPN tab has a rule allowing source = local networks + tunnel network to any destination on any protocol.
Server config /var/etc/openvpn/server5.conf:
```
dev ovpns5
verb 4
dev-type tun
tun-ipv6
dev-node /dev/tun5
writepid /var/run/openvpn_server5.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 195.158.x.x
tls-server
server 10.0.100.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server5
ifconfig 10.0.100.1 10.0.100.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn-server.mfa.uz' 1"
lport 443
management /var/etc/openvpn/server5.sock unix
push "route 172.30.30.176 255.255.255.240"
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
route 192.168.46.0 255.255.255.0
ca /var/etc/openvpn/server5.ca
cert /var/etc/openvpn/server5.cert
key /var/etc/openvpn/server5.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server5.crl-verify
tls-auth /var/etc/openvpn/server5.tls-auth 0
persist-remote-ip
float
topology subnet
```
Client-specific override in /var/etc/openvpn-csc/server5:
```
iroute 192.168.45.0 255.255.255.0
```
Client config /var/etc/openvpn/client1.conf:
```
dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.200.199
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote 195.158.x.x 443
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
resolv-retry infinite
remote-cert-tls server
```
**Client log:**
```
May 3 15:04:56 openvpn 94536 Initialization Sequence Completed
May 3 15:04:56 openvpn 94536 Preserving previous TUN/TAP instance: ovpnc1
May 3 15:04:54 openvpn 94536 [vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.x.x:443
May 3 15:04:38 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 15:04:38 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:04:38 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:04:35 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:04:35 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 15:03:35 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 15:03:35 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:03:35 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:03:33 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:03:33 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 15:02:33 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 15:02:33 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:02:33 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:02:31 openvpn 94536 SIGUSR1[soft,tls-error] received, process restarting
May 3 15:02:31 openvpn 94536 TLS Error: TLS handshake failed
May 3 15:02:31 openvpn 94536 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 3 15:01:37 openvpn 94536 TLS Error: Unroutable control packet received from [AF_INET]195.158.x.x:443 (si=3 op=P_ACK_V1)
May 3 15:01:31 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 15:01:31 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:01:31 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:01:29 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:01:29 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 15:00:29 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 15:00:29 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:00:29 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:00:27 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:00:27 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:59:27 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:59:27 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:59:27 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:59:25 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:59:25 openvpn 94536 [vpn-server.mfa.uz] Inactivity timeout (--ping-restart), restarting
May 3 14:58:25 openvpn 94536 [vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.x.x:443
May 3 14:58:11 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:58:11 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:58:11 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:58:09 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:58:09 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:57:09 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:57:09 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:57:09 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:57:07 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:57:07 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:56:07 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:56:07 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:56:07 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:56:05 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:56:05 openvpn 94536 [vpn-server.mfa.uz] Inactivity timeout (--ping-restart), restarting
May 3 14:34:33 openvpn 94536 Initialization Sequence Completed
May 3 14:34:33 openvpn 94536 Preserving previous TUN/TAP instance: ovpnc1
May 3 14:34:31 openvpn 94536 [vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.x.x:443
May 3 14:34:27 openvpn 94536 TLS Error: Unroutable control packet received from [AF_INET]195.158.x.x:443 (si=3 op=P_ACK_V1)
May 3 14:34:13 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:34:13 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:34:13 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:34:11 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:34:11 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:33:11 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:33:11 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:33:11 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:33:09 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:33:09 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:32:09 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:32:09 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:32:09 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:32:07 openvpn 94536 SIGUSR1[soft,tls-error] received, process restarting
May 3 14:32:07 openvpn 94536 TLS Error: TLS handshake failed
May 3 14:32:07 openvpn 94536 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 3 14:31:07 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:31:07 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:31:07 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:31:05 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:31:05 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:30:05 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:30:05 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:30:05 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:30:03 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:30:03 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:29:03 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:29:03 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:29:03 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:29:01 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:29:01 openvpn 94536 [vpn-server.mfa.uz] Inactivity timeout (--ping-restart), restarting
May 3 14:21:39 openvpn 94536 Initialization Sequence Completed
May 3 14:21:39 openvpn 94536 Preserving previous TUN/TAP instance: ovpnc1
May 3 14:21:36 openvpn 94536 [vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.x.x:443
May 3 14:21:28 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:21:28 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:21:28 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:21:26 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:21:26 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:20:26 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
May 3 14:20:26 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:20:26 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:20:24 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:20:24 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:19:23 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.x.x:443
```
**Server log:**
```
May 3 12:14:21 openvpn 33468 I/O WAIT TR|Tw|SR|Sw [7/9931]
May 3 12:14:21 openvpn 33468 PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:21 openvpn 33468 PO_CTL rwflags=0x0001 ev=7 arg=0x00693594
May 3 12:14:21 openvpn 33468 PO_CTL rwflags=0x0001 ev=6 arg=0x00694740
May 3 12:14:21 openvpn 33468 SCHEDULE: schedule_find_least wakeup=[Wed May 3 12:14:29 2017 us=9926] pri=2071388902
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 SCHEDULE: schedule_add_modify wakeup=[Wed May 3 12:14:29 2017 us=9926] pri=2042523469
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 RANDOM USEC=58507
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=3e08c98b 0f86ddcb, stored-sid=00000000 00000000, stored-ip=[undef]
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_process: timeout set to 1096
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 ACK reliable_send_timeout 604800 [6]
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 ACK reliable_can_send active=0 current=0 : [6]
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 STATE S_NORMAL_OP
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_process: chg=0 ks=S_NORMAL_OP lame=S_NORMAL_OP to_link->len=0 wakeup=1096
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_multi_process: i=0 state=S_NORMAL_OP, mysid=0f678122 b7f33cc8, stored-sid=af61d163 b797e3aa, stored-ip=[AF_INET]84.54.112.26:64383
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TIMER: coarse timer wakeup 7 seconds
May 3 12:14:21 openvpn 33468 MULTI: REAP range 144 -> 160
May 3 12:14:21 openvpn 33468 I/O WAIT status=0x0020
May 3 12:14:21 openvpn 33468 event_wait returned 0
May 3 12:14:18 openvpn 33468 I/O WAIT TR|Tw|SR|Sw [3/104880]
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0001 ev=7 arg=0x00693594
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0001 ev=6 arg=0x00694740
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 UDPv4 write returned 165
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 UDPv4 WRITE [165] to [AF_INET]84.54.112.26:64383: P_DATA_V1 kid=2 DATA 6a49b95a 47d31a9e caa0eb92 df3bd156 c39da98a 884fd3ab 99dd6e71 2af1916[more...]
May 3 12:14:18 openvpn 33468 I/O WAIT status=0x0002
May 3 12:14:18 openvpn 33468 event_wait returned 1
May 3 12:14:18 openvpn 33468 PO_WAIT[0,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x00694740
May 3 12:14:18 openvpn 33468 I/O WAIT Tr|Tw|Sr|SW [3/104880]
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0000 ev=7 arg=0x00693594
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0002 ev=6 arg=0x00694740
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 ENCRYPT TO: 884fd3ab 99dd6e71 2af1916b 62e91d17 50555648 b6a0102c b45f3ca5 4d564e2[more...]
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 ENCRYPT FROM: 0000011a 45000077 bc520000 3f11d545 ac1e1ebe 0a001502 0035edf2 00633e5[more...]
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 ENCRYPT IV: 884fd3ab 99dd6e71 2af1916b 62e91d17
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_pre_encrypt: key_id=2
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TUN READ [119]
May 3 12:14:18 openvpn 33468 GET INST BY VIRT: 10.0.21.2 -> kayumov.mfa.uz/84.54.112.26:64383 via 10.0.21.2
May 3 12:14:18 openvpn 33468 read from TUN/TAP returned 119
May 3 12:14:18 openvpn 33468 MULTI: REAP range 128 -> 144
May 3 12:14:18 openvpn 33468 I/O WAIT status=0x0004
May 3 12:14:18 openvpn 33468 event_wait returned 1
May 3 12:14:18 openvpn 33468 PO_WAIT[1,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x00693594
May 3 12:14:17 openvpn 33468 I/O WAIT TR|Tw|SR|Sw [4/104880]
May 3 12:14:17 openvpn 33468 PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:17 openvpn 33468 PO_CTL rwflags=0x0001 ev=7 arg=0x00693594
May 3 12:14:17 openvpn 33468 PO_CTL rwflags=0x0001 ev=6 arg=0x00694740
May 3 12:14:17 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 write to TUN/TAP returned 72
May 3 12:14:17 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TUN WRITE [72]
May 3 12:14:17 openvpn 33468 I/O WAIT status=0x0008
```
-
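Added example, not part of the original post: a small Python script that turns the client log above into the numbers you actually want when chasing a ping-restart loop, namely how long each tunnel lived before `--ping-restart` fired, what reason each SIGUSR1 carried, and how many restarts failed (the one-minute `[UNDEF]` loop) before a handshake completed again. It works on the client log because the server-log excerpt in the post belongs to a different peer (kayumov.mfa.uz / 84.54.112.26, tunnel address 10.0.21.2) and contains no restart events for the Beijing client. The embedded log is an excerpt of the lines quoted above; the year 2017 is an assumption taken from the server log's `Wed May 3 ... 2017` timestamps, since pfSense's syslog lines carry none.

```python
"""Summarise an OpenVPN client log: how long each tunnel lived before it was
torn down, why, and how many restart attempts failed before it came back up."""
import re
from datetime import datetime

# Excerpt of the client log quoted in the post above (pfSense prints the newest
# line first). The syslog line carries no year; 2017 is assumed from the server
# log's "Wed May 3 ... 2017" timestamps.
SAMPLE_LOG = """\
May 3 15:04:56 openvpn 94536 Initialization Sequence Completed
May 3 15:02:31 openvpn 94536 SIGUSR1[soft,tls-error] received, process restarting
May 3 15:00:27 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:56:05 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:56:05 openvpn 94536 [vpn-server.mfa.uz] Inactivity timeout (--ping-restart), restarting
May 3 14:34:33 openvpn 94536 Initialization Sequence Completed
May 3 14:32:07 openvpn 94536 SIGUSR1[soft,tls-error] received, process restarting
May 3 14:30:03 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:29:01 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:21:39 openvpn 94536 Initialization Sequence Completed
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+openvpn\s+\d+\s+(.*)$")
RESTART_RE = re.compile(r"SIGUSR1\[soft,([a-z-]+)\] received, process restarting")
UP_MSG = "Initialization Sequence Completed"


def parse_events(text, year=2017):
    """Return [(timestamp, kind)] in chronological order.

    kind is "up" once the handshake completed, otherwise the SIGUSR1 reason
    ("ping-restart", "tls-error", ...). Every other line is ignored, including
    the "Inactivity timeout" line that always precedes a ping-restart.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp_text = " ".join(m.group(1).split())  # collapse "May  3" to "May 3"
        stamp = datetime.strptime(f"{year} {stamp_text}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if msg == UP_MSG:
            events.append((stamp, "up"))
        else:
            r = RESTART_RE.search(msg)
            if r:
                events.append((stamp, r.group(1)))
    events.sort(key=lambda e: e[0])  # GUI shows newest first; walk forward in time
    return events


def sessions(events):
    """Pair each "up" with the restart that ended it.

    Returns [(uptime_seconds, reason, failed_attempts)], where failed_attempts
    is the number of restarts between the previous tear-down and this "up",
    i.e. handshakes that never completed (the one-minute [UNDEF] loop in the
    post). A session still running at the end of the log has uptime None.
    """
    result = []
    failed = 0
    current = None  # (time the tunnel came up, failed attempts before it)
    for stamp, kind in events:
        if kind == "up":
            current = (stamp, failed)
            failed = 0
        elif current is not None:
            up_at, attempts = current
            result.append(((stamp - up_at).total_seconds(), kind, attempts))
            current = None
        else:
            failed += 1
    if current is not None:
        result.append((None, None, current[1]))
    return result


def summarize(text, year=2017):
    """Restart counts per reason plus per-session uptime and recovery cost."""
    events = parse_events(text, year)
    by_reason = {}
    for _, kind in events:
        if kind != "up":
            by_reason[kind] = by_reason.get(kind, 0) + 1
    sess = sessions(events)
    return {
        "restarts_by_reason": by_reason,
        "sessions": sess,
        "uptime_seconds": [s[0] for s in sess if s[0] is not None],
        "max_failed_attempts": max((s[2] for s in sess), default=0),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for uptime, reason, attempts in report["sessions"]:
        lived = "(still up)" if uptime is None else f"{uptime:.0f}s"
        print(f"up after {attempts} failed attempt(s), lived {lived}, ended by {reason}")
    print("restarts by reason:", report["restarts_by_reason"])
```

On the excerpt this reports the two complete sessions from the post, 442 s and 1292 s, each ended by a ping-restart and each followed by two failed restarts (one of them a `tls-error`, i.e. a TLS handshake that never finished within 60 s) before the tunnel came back. That shape, a working tunnel that dies after several minutes and then a string of handshakes that time out, is what to compare against when changing port or protocol: if the uptime grows and the failed-attempt count drops to zero, the change helped; if the tunnel still dies on a fixed schedule, look at the path rather than the config.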
The configs look sane at first glance.
Could your problem be related to DPI / the Great Firewall of China? Try other combinations of TCP/UDP and ports.
And yes, if you're hiding the IP, do it more carefully. ;)
-
Thanks, I was thinking about that myself. I read up on the Chinese firewall. I'll try ports from the upper range, above 25000.
People recommend running it through an SSH tunnel, but I don't feel like going to that trouble.
Is there some way to completely hide the presence of OpenVPN traffic, so that the handshake doesn't stand out and looks exactly like regular SSL?
-
> Thanks, I was thinking about that myself. I read up on the Chinese firewall. I'll try ports from the upper range, above 25000.
> People recommend running it through an SSH tunnel, but I don't feel like going to that trouble.
> Is there some way to completely hide the presence of OpenVPN traffic, so that the handshake doesn't stand out and looks exactly like regular SSL?

OpenVPN 2.4 added such an option (I don't remember the directive name, it was discussed here recently). OpenVPN 2.4 is available in the pfSense 2.4 beta.
-
Remembered it:
TLS Encryption (--tls-crypt)
https://forum.pfsense.org/index.php?topic=66442.msg711087#msg711087
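Added example, not from the thread: what the `--tls-crypt` switch looks like against the two configs posted above, with the current `tls-auth` lines beside their replacements. It assumes OpenVPN 2.4 or later on both ends (in pfSense 2.4 this is the "TLS Key Usage Mode" selector next to the TLS Key field); a 2.3 peer cannot talk to a `tls-crypt` server. The key file paths are illustrative; the key itself is the same 2048-bit static-key format that `tls-auth` uses, generated with `openvpn --genkey --secret <file>` and copied to both sides.

```conf
# Server, /var/etc/openvpn/server5.conf
# before: HMAC-authenticates control packets, TLS handshake payload still readable on the wire
tls-auth /var/etc/openvpn/server5.tls-auth 0
# after: control packets are encrypted and authenticated with the shared key;
# no direction parameter, one key for both peers
tls-crypt /var/etc/openvpn/server5.tls-crypt

# Client, /var/etc/openvpn/client1.conf
# before
tls-auth /var/etc/openvpn/client1.tls-auth 1
# after (same key file as the server)
tls-crypt /var/etc/openvpn/client1.tls-crypt
```

Two caveats on the "exactly like regular SSL" question. `tls-crypt` hides the TLS handshake itself (ClientHello, certificates, the CN `vpn-server.mfa.uz`) from a passive observer, so a DPI rule that looks inside the OpenVPN control channel stops matching. It does not make the packets look like HTTPS: the OpenVPN packet header, the one-byte opcode/key-id and the session ID, stays in clear, and the size and timing pattern of a UDP OpenVPN handshake is unchanged, so a classifier keyed on those still has signal. Treat it as cheap hardening of the control channel, not as a guarantee that a filter which already drops this tunnel will stop doing so.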
-
Many thanks for the hint.
Then we'll wait a little; I hope the stable version comes out soon.