张微波的BLOG: OpenVPN 2.0 HOWTO-初始化测试篇(翻译)

August 18, 2006

OpenVPN 2.0 HOWTO-初始化测试篇(翻译)

原文:http://openvpn.net/howto.html
翻译水平有限,许多地方都可能翻译的不当,请大家指教

Starting up the VPN and testing for initial connectivity

Starting the server

First, make sure the OpenVPN server will be accessible from the internet. That means:

opening up UDP port 1194 on the firewall (or whatever TCP/UDP port you've configured), or
setting up a port forward rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server.
Next, make sure that the TUN/TAP interface is not firewalled.

To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line (or right-click on the .ovpn file on Windows), rather than start it as a daemon or service:

openvpn [server config file]

A normal server startup should look like this (output will vary across platforms):

Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed

Starting the client
As in the server configuration, it's best to initially start the OpenVPN server from the command line (or on Windows, by right-clicking on the client.ovpn file), rather than start it as a daemon or service:

openvpn [client config file]

A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message.

Now, try a ping across the VPN from the client. If you are using routing (i.e. dev tun in the server config file), try:

ping 10.8.0.1

If you are using bridging (i.e. dev tap in the server config file), try to ping the IP address of a machine on the server's ethernet subnet.

If the ping succeeds, congratulations! You now have a functioning VPN.

Troubleshooting

If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:

You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.

Solutions:

Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).

You get the error message: Initialization Sequence Completed with errors -- This error can occur on Windows if (a) You don't have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2.

Solution: Start the DHCP client server and make sure that you are using a personal firewall which is known to work correctly on XP SP2.

You get the Initialization Sequence Completed message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.

Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Win32 adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).

The connection stalls on startup when using a proto udp configuration, the server log file shows this line:

TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxxhowever the client log does not show an equivalent line.

Solution: You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.

See the FAQ for additional troubleshooting information.

启动VPN服务并初始化测试

启动服务器

首先.得确认OpenVPN能通过internet被访问,意思是:

1.在防火墙上已经打开UDP端口(或者无论是UDP还是TCP都已经被配置打开),
2.或者防火墙上已经设置了一个专门的端口forward指向OpenVPN服务器的UDP1194端口.

下一步, 确信你的TUN/TAP没被防火墙禁止.

为了简单调试，启动OpenVPN的最好的办法是用命令方式（或者右肩单击server.ovpn文件启动），这样就作为一个服务启动了:

openvpn [server config file]

正常服务启动，我们会看到如下信息:

启动客户端

跟服务器端得配置一样，启动客户端最好的方式是命令方式（或者在windows下右键单击client.ovpn文件启动）:

openvpn [client config file]

客户端正常启动，应该能看到跟服务器类似的信息，最后以显示“Initialization Sequence Completed”结束.

现在，我们可以通过VPN尝试ping命令，假如你使用路由模式（也就是说在服务器的配置文件中使用“dev tun”），运行下列命令:

ping 10.8.0.1

如果你使用以太网桥模式（也就是说在服务器配置文件中配置使用“dev tap”）, 你可以尝试ping服务器所在局域网的ip地址.

如果ping显示正常，恭喜你，你已经拥有一个正常功能的VPN.

排错

如果遇到OpenVPN初始化失败，或者ping失败，下面有一些共同的问题症状和解决办法:

1.你得到如下错误信息: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). 这个错误指出客户端不能跟服务器建立网络链接.

解决办法：

a.请确认客户端访问的服务器的机器名/IP和端口是正确的.
b.如果你的OpenVPN服务器是单网卡，并处在受保护的局域网中，请确认你你的网关防火墙使用了正确的端口转发规则。比如：你的OpenVPN机器的地址是192.168.4.4，但处在防火墙保护下，时刻监听着UDP协议1194的连接请求，那么负责维护192.168.4.x子网的网关就会有一个端口转发策略，即所有访问UDP协议1194端口的请求都被转发到192.168.4.4 。
c.打开服务器的防火墙允许UDP协议1194端口连接进来，（或者不管是TCP还是UDP协议在服务器的配置文件中配置了）。

2.你得到如下错误信息: Initialization Sequence Completed with errors – 这个错误可能发生在windows下（a）你没有启用DHCP客户端服务（b）你的XP SP2使用了某个第三方的个人防火墙。

解决办法: 启动DHCP客户端服务或者你确认你的XP SP2正确使用了个人防火墙.

3.你虽然获得了Initialization Sequence Completed 的信息，但ping测试还是失败了，那就通常是在服务器或者客户端的防火墙阻止过滤了在TUN/TAP设备结构上的网络流量。

解决办法: 关闭客户端的防火墙，如果防火墙过滤了TUN/TAP设备端口的流量。比如在Windows XP SP2系统，你可以到Windows 安全中心 -> Windows 防火墙 -> 高级然后不要选择TAP-Win32 adapter设备 (即禁止TUN/TAP设备使用防火墙过滤，实质上就是告诉防火墙不要阻止VPN认证信息)。同样在服务器端也要确认TUN/TAP设备不实用防火墙过滤 (也就是说在TUN/TAP接口上选择过滤是有一定的安全保障的. 具体请看下面一节的访问策略).

4.当以udp协议的配置文件启动的时候连接停止，服务器的日志文件显示如下一行信息：