Problem description
Hello!
I'm very new to Chromebooks and ONC files, so my apologies if this has already been asked and answered.
I'm running an OpenVPN v2.4.9 server and use client config files in .ovpn format; everything works fine on Mac / Linux / Windows. On the server side I follow the newer recommendation and use tls-crypt (rather than tls-auth), and that appears to be where connecting from a CB with an ONC file fails.
Here is my server config:
auth SHA256
auth-nocache
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
cipher AES-256-GCM
client-config-dir /etc/openvpn/client
compress lz4-v2
dev tun
dh /etc/openvpn/server/dh2048.pem
explicit-exit-notify 1
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
keepalive 10 120
key /etc/openvpn/server/server.key
log /var/log/openvpn/connection.log
log-append /var/log/openvpn/connection.log
max-clients 10
ncp-ciphers AES-256-GCM
persist-key
persist-tun
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
port 1194
proto udp4
push "compress lz4-v2"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.0.0"
remote-cert-eku "TLS Web Client Authentication"
server 192.168.10.0 255.255.255.0
sndbuf 2097152
status /var/log/openvpn/status.log
tls-crypt /etc/openvpn/server/ta.key
tls-version-min 1.2
verb 3
Here is my client ONC config:
{
  "Type": "UnencryptedConfiguration",
  "Certificates": [
    {
      "GUID": "Bootstrap-Server-CA",
      "Type": "Authority",
      "X509": "MIIGITCCBAmgAw.....MAYsw8ZLPlmJNN/wA=="
    },
    {
      "GUID": "Bootstrap-Root-CA",
      "X509": "MIIGDDCCA/SgAf.....TbtcIBMrAiSlsOwHg=="
    },
    {
      "GUID": "Bootstrap-User-Cert",
      "Type": "Client",
      "PKCS12": "MIILvQIBAzCC.....srrOGmHY3h7MPauIlD3"
    }
  ],
  "NetworkConfigurations": [
    {
      "GUID": "BOOTSTRAP_CONN_1",
      "Name": "bootstrap_vpn",
      "Type": "VPN",
      "VPN": {
        "Type": "OpenVPN",
        "Host": "xx.xxx.xx.xxx",
        "OpenVPN": {
          "Auth": "SHA256",
          "Cipher": "AES-256-GCM",
          "ClientCertRef": "Bootstrap-User-Cert",
          "ClientCertType": "Ref",
          "IgnoreDefaultRoute": true,
          "KeyDirection": "1",
          "Port": 1194,
          "Proto": "udp4",
          "RemoteCertEKU": "TLS Web Client Authentication",
          "RemoteCertTLS": "server",
          "UseSystemCAs": true,
          "ServerCARefs": [
            "Bootstrap-Server-CA",
            "Bootstrap-Root-CA"
          ],
          "TLSAuthContents": "-----BEGIN OpenVPN Static key V1-----\n....\n.....\n-----END OpenVPN Static key V1-----\n",
          "UserAuthenticationType": "Password"
        }
      }
    }
  ]
}
It fails with no useful message on the client (other than saying: failed to connect to the network..), but on the server it reports:
Wed Sep 23 17:44:15 2020 us=591576 tls-crypt unwrap error: packet authentication Failed
Wed Sep 23 17:44:15 2020 us=591631 TLS Error: tls-crypt unwrapping Failed from [AF_INET]xx.xx.xx.xx:64762
Wed Sep 23 17:44:44 2020 us=359795 tls-crypt unwrap error: packet authentication Failed
Wed Sep 23 17:44:44 2020 us=359858 TLS Error: tls-crypt unwrapping Failed from [AF_INET]xx.xx.xx.xx:19733
Any idea what I'm doing wrong or what I'm missing? I'd be grateful if someone could point me in the right direction.
-S
Solution
As far as I know, the ONC format does not accept tls-crypt. If your Chromebook accepts Android apps, you can use the unofficial OpenVPN Android app (blinkt.de), which does.
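The mismatch in this thread is easy to miss by eye: the ONC fields TLSAuthContents and KeyDirection describe a tls-auth key, while the server wraps its control channel with tls-crypt, and the only symptom is the server-side "tls-crypt unwrap error". The following checker is an added example written for this page (it is not the poster's code and not part of Chrome OS or OpenVPN); it parses a server.conf and an ONC profile and reports the incompatibilities a Chrome OS client would hit before anyone tries to connect. The sample server config and ONC are constructed from the values quoted in the thread, with key material replaced by placeholders; the interpretation of the ONC field names follows the ONC specification.

```python
"""Consistency check between an OpenVPN server config and a Chrome OS ONC
profile. Added example for this thread, not the poster's code. Sample inputs
are constructed from the thread with PLACEHOLDER instead of key material."""
import json

# Constructed sample input: the relevant lines of the poster's server.conf.
SERVER_CONF = """\
auth SHA256
cipher AES-256-GCM
port 1194
proto udp4
tls-crypt /etc/openvpn/server/ta.key
tls-version-min 1.2
"""

# Constructed sample input: the poster's ONC with certificates elided.
ONC_TEXT = """{
  "Type": "UnencryptedConfiguration",
  "Certificates": [
    {"GUID": "Bootstrap-Server-CA", "Type": "Authority", "X509": "PLACEHOLDER"},
    {"GUID": "Bootstrap-Root-CA", "X509": "PLACEHOLDER"},
    {"GUID": "Bootstrap-User-Cert", "Type": "Client", "PKCS12": "PLACEHOLDER"}
  ],
  "NetworkConfigurations": [{
    "GUID": "BOOTSTRAP_CONN_1", "Name": "bootstrap_vpn", "Type": "VPN",
    "VPN": {"Type": "OpenVPN", "Host": "xx.xxx.xx.xxx", "OpenVPN": {
      "Auth": "SHA256", "Cipher": "AES-256-GCM",
      "ClientCertRef": "Bootstrap-User-Cert", "ClientCertType": "Ref",
      "KeyDirection": "1", "Port": 1194, "Proto": "udp4",
      "ServerCARefs": ["Bootstrap-Server-CA", "Bootstrap-Root-CA"],
      "TLSAuthContents": "-----BEGIN OpenVPN Static key V1-----\\nPLACEHOLDER\\n-----END OpenVPN Static key V1-----\\n",
      "UserAuthenticationType": "Password"
    }}
  }]
}"""


def parse_server_conf(text):
    """Return {directive: [list of argument lists]} for an OpenVPN config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def check_compat(server_conf_text, onc_text):
    """Return human-readable findings; an empty list means no mismatch found."""
    findings = []
    try:
        onc = json.loads(onc_text)  # strict JSON: trailing commas are rejected
    except json.JSONDecodeError as e:
        return [f"ONC is not valid JSON: {e}"]
    conf = parse_server_conf(server_conf_text)
    certs = {c.get("GUID"): c for c in onc.get("Certificates", [])}

    def first_arg(directive):
        args = conf.get(directive)
        return args[0][0] if args and args[0] else None

    for net in onc.get("NetworkConfigurations", []):
        vpn = net.get("VPN", {})
        if vpn.get("Type") != "OpenVPN":
            continue
        ovpn = vpn.get("OpenVPN", {})
        name = net.get("Name", net.get("GUID", "?"))

        # TLSAuthContents/KeyDirection are ONC's tls-auth settings. A tls-crypt
        # server expects encrypted+authenticated control packets, so a tls-auth
        # client produces "tls-crypt unwrap error: packet authentication failed".
        if "tls-crypt" in conf and "TLSAuthContents" in ovpn:
            findings.append(f"{name}: server uses tls-crypt but ONC only carries "
                            "TLSAuthContents/KeyDirection (tls-auth); the ONC "
                            "format has no tls-crypt equivalent")
        elif "tls-auth" in conf and "TLSAuthContents" not in ovpn:
            findings.append(f"{name}: server requires tls-auth but ONC has no "
                            "TLSAuthContents")

        # Parameters that must agree on both ends.
        for onc_key, directive in (("Auth", "auth"), ("Cipher", "cipher"),
                                   ("Port", "port"), ("Proto", "proto")):
            want, have = first_arg(directive), ovpn.get(onc_key)
            if want is not None and have is not None and str(have) != want:
                findings.append(f"{name}: {onc_key}={have!r} does not match "
                                f"server '{directive} {want}'")

        # Every referenced certificate must exist and have the right Type.
        for ref in ovpn.get("ServerCARefs", []):
            cert = certs.get(ref)
            if cert is None:
                findings.append(f"{name}: ServerCARefs entry {ref!r} has no "
                                "matching certificate")
            elif cert.get("Type") != "Authority":
                findings.append(f"{name}: certificate {ref!r} is used as a CA "
                                "but is not Type 'Authority'")
        ref = ovpn.get("ClientCertRef")
        if ref is not None and certs.get(ref, {}).get("Type") != "Client":
            findings.append(f"{name}: ClientCertRef {ref!r} does not point at a "
                            "Type 'Client' certificate")
    return findings


if __name__ == "__main__":
    for finding in check_compat(SERVER_CONF, ONC_TEXT):
        print("-", finding)
```

Run against the thread's configuration it reports two findings: the tls-crypt/tls-auth mismatch that explains the server log, and that Bootstrap-Root-CA is listed in ServerCARefs without "Type": "Authority". Because it uses strict JSON parsing, a stray trailing comma in the ONC is also caught up front instead of surfacing as a vague "failed to connect" on the device.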