How do I connect to OpenVPN from a Chromebook when using tls-crypt?

Question

Hello!

I am very new to Chromebooks and ONC files, so I apologize if this has already been asked and answered.

I am running an OpenVPN v2.4.9 server, and with client configuration files in .ovpn format everything works fine on Mac / Linux / Windows. On the server side I use tls-crypt (instead of tls-auth), as is now recommended, and that appears to be where it fails when connecting from the CB with an ONC file.

Here is my server config:

auth SHA256
auth-nocache
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
cipher AES-256-GCM
client-config-dir /etc/openvpn/client
compress lz4-v2
dev tun
dh /etc/openvpn/server/dh2048.pem
explicit-exit-notify 1
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
keepalive 10 120
key /etc/openvpn/server/server.key
log         /var/log/openvpn/connection.log
log-append  /var/log/openvpn/connection.log
max-clients 10
ncp-ciphers AES-256-GCM
persist-key
persist-tun
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
port 1194
proto udp4
push "compress lz4-v2"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.0.0"
remote-cert-eku "TLS Web Client Authentication"
server 192.168.10.0 255.255.255.0
sndbuf 2097152
status /var/log/openvpn/status.log
tls-crypt /etc/openvpn/server/ta.key
tls-version-min 1.2
verb 3

Here is my client ONC config:

{
  "Type": "UnencryptedConfiguration",
  "Certificates": [
    {
      "GUID": "Bootstrap-Server-CA",
      "Type": "Authority",
      "X509": "MIIGITCCBAmgAw.....MAYsw8ZLPlmJNN/wA=="
    },
    {
      "GUID": "Bootstrap-Root-CA",
      "Type": "Authority",
      "X509": "MIIGDDCCA/SgAf.....TbtcIBMrAiSlsOwHg=="
    },
    {
      "GUID": "Bootstrap-User-Cert",
      "Type": "Client",
      "PKCS12": "MIILvQIBAzCC.....srrOGmHY3h7MPauIlD3"
    }
  ],
  "NetworkConfigurations": [
    {
      "GUID": "BOOTSTRAP_CONN_1",
      "Name": "bootstrap_vpn",
      "Type": "VPN",
      "VPN": {
        "Type": "OpenVPN",
        "Host": "xx.xxx.xx.xxx",
        "OpenVPN": {
          "Auth": "SHA256",
          "Cipher": "AES-256-GCM",
          "ClientCertRef": "Bootstrap-User-Cert",
          "ClientCertType": "Ref",
          "IgnoreDefaultRoute": true,
          "KeyDirection": "1",
          "Port": 1194,
          "Proto": "udp4",
          "RemoteCertEKU": "TLS Web Client Authentication",
          "RemoteCertTLS": "server",
          "UseSystemCAs": true,
          "ServerCARefs": [
            "Bootstrap-Server-CA",
            "Bootstrap-Root-CA"
          ],
          "TLSAuthContents": "-----BEGIN OpenVPN Static key V1-----\n....\n.....\n-----END OpenVPN Static key V1-----\n",
          "UserAuthenticationType": "Password"
        }
      }
    }
  ]
}

It fails with no useful message on the client (other than: Unable to connect to network..), but on the server it is reported as:

Wed Sep 23 17:44:15 2020 us=591576 tls-crypt unwrap error: packet authentication Failed 
Wed Sep 23 17:44:15 2020 us=591631 TLS Error: tls-crypt unwrapping Failed from [AF_INET]xx.xx.xx.xx:64762 
Wed Sep 23 17:44:44 2020 us=359795 tls-crypt unwrap error: packet authentication Failed 
Wed Sep 23 17:44:44 2020 us=359858 TLS Error: tls-crypt unwrapping Failed from [AF_INET]xx.xx.xx.xx:19733

Any idea what I'm doing wrong or missing? I would be grateful if someone could point me in the right direction.

-S

Answer

As far as I know, the ONC format does not accept tls-crypt. If your Chromebook accepts Android apps, you can use the unofficial OpenVPN Android app (blinkt.de), which does.
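The mismatch described above (server wraps the control channel with tls-crypt, the ONC file can only carry a tls-auth key via TLSAuthContents) can be caught before deploying a profile. The following is an added example, not code from the question or answer; the trimmed server config and ONC document are constructed from the ones posted, and the host name is a placeholder.

```python
import json

# Constructed sample inputs, trimmed from the configs in the question.
SERVER_CONF = """\
auth SHA256
cipher AES-256-GCM
# server wraps the control channel with tls-crypt, not tls-auth
tls-crypt /etc/openvpn/server/ta.key
tls-version-min 1.2
"""

ONC_CLIENT = json.dumps({
    "Type": "UnencryptedConfiguration",
    "NetworkConfigurations": [{
        "GUID": "BOOTSTRAP_CONN_1", "Type": "VPN",
        "VPN": {"Type": "OpenVPN", "Host": "vpn.example.invalid",  # placeholder
                "OpenVPN": {"KeyDirection": "1",
                            "TLSAuthContents": "-----BEGIN OpenVPN Static key V1-----\n"
                                               "...\n-----END OpenVPN Static key V1-----\n"}}}]})

CONTROL_CHANNEL_DIRECTIVES = ("tls-crypt-v2", "tls-crypt", "tls-auth")


def server_control_channel(conf_text):
    """Return the control-channel wrapping directive the server config uses, or None."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        directive = line.split()[0]
        if directive in CONTROL_CHANNEL_DIRECTIVES:
            return directive
    return None


def onc_control_channel(onc_text):
    """ONC only exposes TLSAuthContents, which ChromeOS applies as tls-auth."""
    for net in json.loads(onc_text).get("NetworkConfigurations", []):
        ovpn = net.get("VPN", {}).get("OpenVPN", {})
        if ovpn.get("TLSAuthContents"):
            return "tls-auth"
    return None


def check_compat(conf_text, onc_text):
    """Return (ok, reason): the static key only works when both sides agree on tls-auth."""
    srv, cli = server_control_channel(conf_text), onc_control_channel(onc_text)
    if srv == cli:
        return True, "server and ONC profile agree on %s" % (srv or "no control-channel wrapping")
    return False, ("server uses %s but the ONC profile supplies %s; the server will reject the "
                   "handshake with 'tls-crypt unwrap error'" % (srv, cli or "nothing"))
```

Run check_compat() on a profile before pushing it to a Chromebook; a False result with a tls-crypt server means the ONC route cannot work regardless of key contents or KeyDirection.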