Ubuntu 22.10。OpenVPN 无法作为客户端连接

Question

更新到 Ubuntu 22.10 后，openvpn 无法使用 Ubuntu 22.04 LTS 中相同的旧工作 ovpn 配置文件作为客户端连接到服务器。

我不断收到错误：

2022-10-20 20:10:04 TCPv4_CLIENT link remote: [AF_INET]xx.xxx.xxx.xxx:1194
2022-10-20 20:10:04 Connection reset, restarting [0]
2022-10-20 20:10:04 SIGUSR1[soft,connection-reset] received, process restarting

我尝试重新安装 openvpn 但没有帮助。

我的配置：

client
dev tun
proto tcp
remote xx.xxx.xxx.x 1194
user nobody
group nogroup
persist-key
persist-tun
pkcs12 /home/dyedfox/openvpn/opvn-client1.p12
auth-user-pass /home/dyedfox/openvpn/auth.cfg
askpass /home/dyedfox/openvpn/keypass.cfg
remote-cert-tls server
route 10.0.0.0 255.255.0.0 10.8.8.1
route 10.176.64.16 255.255.255.248 10.8.8.1
route 10.210.4.200 255.255.255.248 10.8.8.1
cipher AES-256-CBC

您能帮我解决这个问题吗？

PS完整输出：

2022-10-20 21:36:40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/opvn-client1.p12' is group or others accessible
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/keypass.cfg' is group or others accessible
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/auth.cfg' is group or others accessible
2022-10-20 21:36:40 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2022-10-20 21:36:40 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2022-10-20 21:36:40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-10-20 21:36:40 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:40 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2022-10-20 21:36:41 Connection reset, restarting [0]
2022-10-20 21:36:41 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:46 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:46 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:47 Connection reset, restarting [0]
2022-10-20 21:36:47 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:52 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:52 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:53 Connection reset, restarting [0]
2022-10-20 21:36:53 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:58 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:58 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 Connection reset, restarting [0]
2022-10-20 21:36:58 SIGUSR1[soft,connection-reset] received, process restarting

Answer 1

这是由 中的一个错误引起的 。network-manager-openvpn

Ubuntu 22.10 更新到较新版本的 OpenVPN (2.6)，该版本不支持该cipher选项，忽略它，并期望较新的data-ciphers选项，如此处的输出所示：

2022-10-20 21:36:40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

问题是旧选项被硬编码在 中network-manager-openvpn，因此重写新选项将不起作用，除非您使用命令行传递它。

目前，您应该降级到 OpenVPN 2.5.5。以下是基于此答案的步骤，这也对我有很大帮助：https://askubuntu.com/a/1406472/1589545

1. 卸载当前的 OpenVPN 版本（如果已安装）：sudo apt remove openvpn

2. 安装 OpenVPN 2.5.5

• 转到https://launchpad.net/ubuntu/jammy/amd64/openvpn/2.5.5-1ubuntu3
• openvpn_2.5.5-1ubuntu3_amd64.deb在“可下载文件”部分下载文件
• 双击该文件并使用软件安装 (GUI) 打开

3. 可选：标记 OpenVPN 不更新：sudo apt-mark hold openvpn

4. 重新安装 NetworkManager OpenVPN GUI：sudo apt install network-manager-openvpn-gnome

Answer 2

我刚刚添加了

data-ciphers=AES-128-CBC

在原始的chipher条目下方

/etc/NetworkManager/system-connections/MYVPN.nmconnection

它正在发挥作用。

cipher=AES-128-CBC
data-ciphers=AES-128-CBC

Answer 3

我找到了一种无需降级 OpenVPN 版本即可使用 OpenVPN 2.6 的方法。

看起来 NetworkManager 没有data-ciphers从 ovpn 文件中读取所有选项（如选项）。这个想法是手动将所需的选项直接放入 NetworkManager 配置文件中。

以下是说明：

1. 您的 OpenVPN 连接应该已显示在网络管理器的 VPN 连接列表中。如果 NetworkManager 中未显示您的 OpenVPN 连接，您可以使用“从文件导入...”菜单项 ( Settings-> Network-> VPN-> VPN +-> Import from file...)创建它

2. 运行 gnome-terminal：按Alt-F2您的键盘类型gnome-terminal，然后按Enter

3. 在终端应用程序中，请运行以下命令来编辑 NetworkManager 连接文件：

   sudo nano /etc/NetworkManager/system-connections/*your_connection_name*.nmconnection
   

   当系统要求输入您的 Ubuntu 用户密码并按 Enter 键时，输入您的 Ubuntu 用户密码（密码或星号不会显示在终端中）。

4. 将以下行添加到该[vpn]部分：

   data-ciphers=AES-256-CBC
   

   请AES-256-CBC设置您的 OpenVPN 服务器或 OpenVPN 服务提供商支持的数据密码值。您应该能够在 VPN 服务提供商提供的 ovpn 文件中找到该值。

5. 按F2键盘上的 ，然后按y和Enter保存文件。

6. 通过运行以下命令重新启动 NetworkManager 服务：

   sudo systemctl restart NetworkManager
   

7. 尝试从网络管理器连接 OpenVPN 连接。