OpenVPN fails on self-signed certificate over UDP, works over TCP

Asked by myc*_*oes (score 6). Tags: openvpn, udp, ssl-certificate

I have the following server.conf:

# OpenVPN 2.x config

proto tcp

port 1194
dev tun-vpn
dev-type tun

server 10.8.0.0 255.255.0.0
push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DOMAIN mydom.com"
push "dhcp-option DNS 172.16.1.1"

# Certificates
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
tls-server

# Diffie hellman parameters (1024-bit DH is considered weak today; 2048-bit or larger is the usual choice)
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# Connection settings
comp-lzo
ping 10
ping-restart 120

# Server security
persist-key
persist-tun
user nobody
group nogroup

# Logging
status openvpn-status.log
verb 4
mute 10

and the following client config:

# OpenVPN 2.x client config
client

dev tun

proto tcp

remote vpn.mydom.com 1194

resolv-retry infinite

nobind

persist-key
persist-tun

mute-replay-warnings

ca ca.crt
cert michaelc.crt
key michaelc.key

# Disabled below: without "ns-cert-type server" (or "remote-cert-tls server" on newer releases)
# the client does not check that the certificate it is offered was issued for a server,
# so any client certificate signed by the same CA could pose as the server
#ns-cert-type server

comp-lzo
ping 10
ping-restart 60

verb 3

These configs work fine, but if I want to use UDP instead of TCP I get the following log:

Thu May 24 22:30:16 2012 UDPv4 link local: [undef]
Thu May 24 22:30:16 2012 UDPv4 link remote: [AF_INET]x.x.x.x:1194
Thu May 24 22:30:16 2012 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=e63bd705 392de807
Thu May 24 22:30:16 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=NL/ST=Zuid_Holland/L=_s-Gravendeel/O=Visser__s-Gravendeel_Holding_B.V./CN=Visser__s-Gravendeel_Holding_B.V._CA/emailAddress=hostmaster@visser.eu
Thu May 24 22:30:16 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu May 24 22:30:16 2012 TLS Error: TLS object -> incoming plaintext read error
Thu May 24 22:30:16 2012 TLS Error: TLS handshake failed
Thu May 24 22:30:16 2012 TCP/UDP: Closing socket
Thu May 24 22:30:16 2012 SIGUSR1[soft,tls-error] received, process restarting
Thu May 24 22:30:16 2012 Restart pause, 2 second(s)

I have verified the certificates against ca.crt; both server.crt and michaelc.crt are valid certificates signed with ca.crt.

Also, because they work over TCP, my assumption would be that the certificates are perfectly valid. I can imagine the connection being bad (although it's DSL on one end and business fiber on the other end), but is this fixable? I also tried generating new certificates (CA, server and client), but that gives the exact same error. I hope someone can give me some hints.

Answer by myc*_*oes (score 2)

Luckily I found the problem; unfortunately it was my own mistake. A while ago I was testing a UDP-based VPN on another server, so I had redirected UDP connections on port 1194 to that other server. That other server was still running OpenVPN, with a very similar certificate. So in fact the error was correct: it was caused by connecting to a different server when using UDP. Although I feel stupid for making this mistake, I'm glad I actually figured out what went wrong.
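As an added diagnostic (this is not code from the question or the answer): the VERIFY ERROR line in the client log names the CA that the remote side actually presented (depth=1). Comparing that DN with the subject of the ca.crt the client trusts separates the "UDP is reaching a different server" case from a genuinely broken chain, before touching the certificates. The script below parses OpenVPN's one-line DN format, applies the same underscore sanitisation OpenVPN uses when it logs DNs (visible in the log above, where spaces and apostrophes became "_"), and compares. The local CA subject is a made-up placeholder, and OpenVPN's exact safe-character set is approximated by the `normalize` function.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the three relevant lines from the client log quoted in
# the question above. The depth=1 DN is the CA the remote side presented.
SAMPLE_LOG = """\
Thu May 24 22:30:16 2012 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=e63bd705 392de807
Thu May 24 22:30:16 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=NL/ST=Zuid_Holland/L=_s-Gravendeel/O=Visser__s-Gravendeel_Holding_B.V./CN=Visser__s-Gravendeel_Holding_B.V._CA/emailAddress=hostmaster@visser.eu
Thu May 24 22:30:16 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

# Hypothetical subject of the ca.crt the client trusts, in the OpenSSL
# one-line format ("/C=NL/ST=..."), as produced by
#   openssl x509 -in ca.crt -noout -subject   (OpenSSL 1.0), or
#   openssl x509 -in ca.crt -noout -subject -nameopt compat   (1.1 and later)
LOCAL_CA_SUBJECT = "/C=NL/ST=Zuid Holland/O=Example VPN/CN=Example VPN CA"

# "VERIFY ERROR: depth=<n>, error=<text>: <one-line DN>"
VERIFY_LINE = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.*?): (/.*)$")


def parse_dn(oneline: str) -> List[Tuple[str, str]]:
    """Split a one-line DN into ordered (attribute, value) pairs.
    Only a '/' that starts a new 'attr=' component is a separator, so a
    '/' inside a value survives."""
    body = oneline.strip()
    if body.startswith("/"):
        body = body[1:]
    pairs = []
    for comp in re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", body):
        attr, _, value = comp.partition("=")
        pairs.append((attr, value))
    return pairs


def normalize(value: str) -> str:
    """Approximation (assumption) of OpenVPN 2.x's DN sanitisation: every
    character outside a small safe set is replaced by '_' before logging.
    Applying it to our own CA subject makes the two strings comparable."""
    return re.sub(r"[^A-Za-z0-9@.\-_]", "_", value)


def dn_equal(a: List[Tuple[str, str]], b: List[Tuple[str, str]]) -> bool:
    """Compare two DNs attribute by attribute after sanitisation."""
    return [(k, normalize(v)) for k, v in a] == [(k, normalize(v)) for k, v in b]


def check_log(log_text: str, local_ca_subject: str) -> Dict[str, object]:
    """Scan a client log for VERIFY ERROR lines and compare the CA the
    remote presented (depth >= 1) with the subject of the trusted ca.crt."""
    expected = parse_dn(local_ca_subject)
    result: Dict[str, object] = {
        "verify_errors": 0,
        "error": None,
        "remote_ca": None,
        "same_ca": None,
        "diagnosis": "no VERIFY ERROR lines in log",
    }
    for line in log_text.splitlines():
        m = VERIFY_LINE.search(line)
        if not m:
            continue
        result["verify_errors"] = int(result["verify_errors"]) + 1
        depth, error, dn = int(m.group(1)), m.group(2), m.group(3)
        if depth == 0:
            continue  # leaf (server) certificate; the issuer is what we compare
        same = dn_equal(parse_dn(dn), expected)
        result.update(error=error, remote_ca=dn, same_ca=same)
        if same:
            result["diagnosis"] = (
                "remote chain ends in our own CA; verification failed for "
                "another reason (check the ca.crt file the client actually loads)"
            )
        else:
            result["diagnosis"] = (
                "remote chain is signed by a CA other than our ca.crt: the "
                "client is probably reaching a different OpenVPN server on this "
                "protocol/port (check port forwards and firewall redirects)"
            )
    return result


if __name__ == "__main__":
    for key, val in check_log(SAMPLE_LOG, LOCAL_CA_SUBJECT).items():
        print(f"{key}: {val}")
```

Run against the log from the question with the placeholder local CA, the script reports that the remote chain is signed by a different CA, which is exactly the answer's finding (UDP 1194 was being forwarded to another OpenVPN server). If the DNs match, the chain itself is fine and the failure lies in what the client loads as ca.crt.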