I am having trouble connecting to an OpenVPN server using pfSense.
For testing, both the pfSense OpenVPN server and the Windows 10 OpenVPN client have 2 network interfaces.
My pfSense has one network interface on the WAN configured for DHCP:
- WAN 192.168.0.28/24
- LAN interface static 192.168.10.10/24
On my Windows 10 client:
- WAN DHCP 192.168.0.30/24
- LAN interface static 192.168.10.15/24
At first I tried using UDP, but I got the message "TLS key negotiation failed ... TLS handshake failed within 60 seconds", so I tried connecting with TCP, but then I got the following error.
My OpenVPN configuration is as follows.
Server mode Remote Access (SSL/TLS + User Auth)
Backend for authentication Local Database
Protocol TCP
Device mode tun
Interface WAN
Local port 1194
Description VPN
TLS authentication Enable authentication of TLS packets
Key ...
Peer Certificate Authority OpenVPN CA
Server certificate ServerCertificate (Server: Yes, CA: OpenVPN CA, In Use)
DH Parameter length 2048
Encryption Algorithm AES-256-CBC(256 bit key, 128 bit block)
Auth digest algorithm SHA1(160-bit)
Hardware Crypto No Hardware Crypto Acceleration
Certificate Depth One(Client+Server)
IPv4 Tunnel Network 192.168.15.0/24
IPv4 Local network 192.168.10.0/24
Concurrent connections 5
Compression No Preference
Dynamic IP Allow connected client to retain their connections if their IP address changes
Address Pool Provide a virtual adapter IP address to clients
DNS Server enable Provide a DNS server list to clients
DNS Server 1 8.8.8.8
Force DNS cache update Run "net stop dnscache" ...
My client configuration is as follows:
client
dev tun
proto tcp
remote 192.168.0.28 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca OpenVPN+CA.crt
cert UserCertificate.crt
key UserCertificate.key
cipher AES-256-CBC
verb 5
I created the certificate authority and the server/user certificates.
Then I have a few firewall and NAT rules.
I checked the firewall in pfSense and port 1194 seems to be open.
The firewall is also turned off on my Windows client.
Thanks in advance!
Edit 20:42:
I searched the logs of the server and the client, and it seems there is no log on the server after the login fails. Logs only appear when the service is started/restarted.
This is my log from the server.
Apr 7 18:34:54 openvpn 13595 OpenVPN 2.3.14 i386-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
Apr 7 18:34:54 openvpn 13595 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Apr 7 18:34:54 openvpn 13883 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 7 18:34:54 openvpn 13883 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Apr 7 18:34:54 openvpn 13883 TUN/TAP device ovpns1 exists previously, keep at program end
Apr 7 18:34:54 openvpn 13883 TUN/TAP device /dev/tun1 opened
Apr 7 18:34:54 openvpn 13883 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Apr 7 18:34:54 openvpn 13883 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Apr 7 18:34:54 openvpn 13883 /sbin/ifconfig ovpns1 192.168.15.1 192.168.15.2 mtu 1500 netmask 255.255.255.0 up
Apr 7 18:34:54 openvpn 13883 /usr/local/sbin/ovpn-linkup ovpns1 1500 1559 192.168.15.1 255.255.255.0 init
Apr 7 18:34:54 openvpn 13883 Listening for incoming TCP connection on [AF_INET]192.168.0.25:1194
Apr 7 18:34:54 openvpn 13883 TCPv4_SERVER link local (bound): [AF_INET]192.168.0.25:1194
Apr 7 18:34:54 openvpn 13883 TCPv4_SERVER link remote: [undef]
Apr 7 18:34:54 openvpn 13883 Initialization Sequence Completed
Log on the client:
Sat Apr 07 20:31:33 2018 OpenVPN 2.4.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 1 2018
Sat Apr 07 20:31:33 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Apr 07 20:31:33 2018 library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10
Enter Management Password:
Sat Apr 07 20:31:33 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Apr 07 20:31:33 2018 Need hold release from management interface, waiting...
Sat Apr 07 20:31:33 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'state on'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'log all on'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'echo all on'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'bytecount 5'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'hold off'
Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'hold release'
Sat Apr 07 20:31:33 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Apr 07 20:31:33 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.28:1194
Sat Apr 07 20:31:33 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Apr 07 20:31:33 2018 Attempting to establish TCP connection with [AF_INET]192.168.0.28:1194 [nonblock]
Sat Apr 07 20:31:33 2018 MANAGEMENT: >STATE:1523125893,TCP_CONNECT,,,,,,
Sat Apr 07 20:33:34 2018 TCP: connect to [AF_INET]192.168.0.28:1194 failed: Unknown error
Sat Apr 07 20:33:34 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sat Apr 07 20:33:34 2018 MANAGEMENT: >STATE:1523126014,RECONNECTING,init_instance,,,,,
Sat Apr 07 20:33:34 2018 Restart pause, 5 second(s)
Sat Apr 07 20:33:39 2018 SIGTERM[hard,init_instance] received, process exiting
Sat Apr 07 20:33:39 2018 MANAGEMENT: >STATE:1523126019,EXITING,init_instance,,,,,
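As an added illustration (not part of the question or the answer, and not a pfSense or OpenVPN tool), the following Python script parses the client profile posted above and compares it against the server settings listed in the question. It flags the mismatches a reviewer would look for: the server enables TLS packet authentication (the server log confirms a tls-auth static key) while the profile carries no tls-auth directive; the profile has no "remote-cert-tls server" line, which is what the "No server certificate verification method has been enabled" warning in the client log refers to; and the address the profile connects to differs from the address the server log shows OpenVPN bound to. The corrected profile at the end is an assumption-based example: the key file name ta.key is a placeholder, and key direction 1 assumes the server side uses direction 0.

```python
"""Consistency check between an OpenVPN client profile and server settings.

Added example; not code from the question, the answer, pfSense or OpenVPN.
"""
import re

# Client profile exactly as posted in the question (embedded as a string).
CLIENT_CONFIG = """\
client
dev tun
proto tcp
remote 192.168.0.28 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca OpenVPN+CA.crt
cert UserCertificate.crt
key UserCertificate.key
cipher AES-256-CBC
verb 5
"""

# Same profile with the two control-channel/peer-verification directives added.
# "ta.key" and direction 1 are assumptions (pfSense exports its own file name;
# the client direction must be the opposite of the server's).
FIXED_CLIENT_CONFIG = CLIENT_CONFIG.replace(
    "cipher AES-256-CBC\n",
    "tls-auth ta.key 1\nremote-cert-tls server\ncipher AES-256-CBC\n",
)

# Server settings reduced from the question's GUI listing.  bind_addr comes from
# the server log line "Listening for incoming TCP connection on [AF_INET]192.168.0.25:1194".
SERVER_SETTINGS = {
    "proto": "tcp",
    "port": 1194,
    "bind_addr": "192.168.0.25",
    "tls_auth": True,  # "TLS authentication: Enable authentication of TLS packets"
    "cipher": "AES-256-CBC",
}


def parse_client_config(text):
    """Parse an OpenVPN profile into {directive: [args...]}.

    Handles the plain 'directive arg arg' form; an inline block such as
    <ca>...</ca> is recorded under its tag name with an empty argument list.
    """
    directives = {}
    inline = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag = re.match(r"<(/?)([a-z-]+)>$", line)
        if tag:
            if tag.group(1):
                inline = None
            else:
                inline = tag.group(2)
                directives.setdefault(inline, [])
            continue
        if inline:
            continue  # body of an inline block, not a directive
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def check_profile(client, server):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    has_ta = "tls-auth" in client or "tls-crypt" in client
    if server["tls_auth"] and not has_ta:
        findings.append("tls-auth: server authenticates control-channel packets with a "
                        "static key, but the profile has no tls-auth/tls-crypt directive")
    if "tls-auth" in client and len(client["tls-auth"]) < 2 and "key-direction" not in client:
        findings.append("tls-auth: no key direction given (second argument or key-direction)")
    if (client.get("remote-cert-tls") or [None])[0] != "server":
        findings.append("remote-cert-tls: missing, so the client does not verify that the "
                        "peer presents a server certificate")
    cproto = (client.get("proto") or ["udp"])[0]
    if not cproto.startswith(server["proto"]):
        findings.append(f"proto: client uses {cproto}, server listens on {server['proto']}")
    ccipher = (client.get("cipher") or [None])[0]
    if ccipher != server["cipher"]:
        findings.append(f"cipher: client {ccipher} vs server {server['cipher']}")
    remote = client.get("remote") or []
    host = remote[0] if remote else None
    port = int(remote[1]) if len(remote) > 1 else 1194  # OpenVPN default port
    if port != server["port"]:
        findings.append(f"port: client targets {port}, server listens on {server['port']}")
    if host != server["bind_addr"]:
        findings.append(f"remote: profile targets {host} but the server log shows it "
                        f"bound to {server['bind_addr']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted profile", CLIENT_CONFIG), ("corrected profile", FIXED_CLIENT_CONFIG)):
        print(f"== {label} ==")
        for finding in check_profile(parse_client_config(cfg), SERVER_SETTINGS) or ["no findings"]:
            print(" -", finding)
```

Note that the client log above fails at the TCP connect stage ("connect to ... failed"), before any TLS exchange takes place, so a profile check like this one complements rather than replaces confirming that the port is reachable from the client; the profile problems it reports would only surface once the TCP connection succeeds.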
Answer 1
After creating the VPN tunnel, pfSense has an option called the OpenVPN Client Export tool that lets you email the files to the PC you want to connect. It downloads the certificates and the client needed to connect to the VPN. Have you tried this?
Using the export tool makes it easier to connect the PC to the VPN.