Hei,
jeg har skaffet en VPS hos digitalocean, og har problemer med å koble til serveren fra min macbook.
Konfigurasjonsfilen (<navn>.ovpn) ser slik ut:
Vet ikke helt hvordan jeg skal tolke resultatene. Det skal sies at jeg har tillatt tilkoblinger med kommandoen
og
og jeg har i tillegg deaktivert brannmuren på min klientmaskin.
Hva er det jeg har gjort galt? Si bare i fra om det mangler dokumentasjon for å kunne finne ut av hva som er problemet.
Takk!
jeg har skaffet en VPS hos digitalocean, og har problemer med å koble til serveren fra min macbook.
Konfigurasjonsfilen (<navn>.ovpn) ser slik ut:
Kode
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 107.170.1.14 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
# ca ca.crt
# cert client.crt
# key client.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
<ca>
-----BEGIN CERTIFICATE-----
Sertifikat her.
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=NY, L=NewYork, O=HSL, OU=HSL, CN=HSL/name=Navn/emailAddress=mail@domain.com
Validity
Not Before: Apr 18 14:15:35 2016 GMT
Not After : Apr 16 14:15:35 2026 GMT
Subject: C=US, ST=NY, L=NewYork, O=HSL, OU=HSL, CN=client1/name=Navn/emailAddress=mail@domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:1b:ed:ee:7b:78:9e:22:7f:0a:ed:e7:31:40:
99:5b:26:cf:6b:17:b7:96:31:ef:69:40:47:ff:5e:
e8:90:b5:61:0c:fe:80:78:df:5b:1f:44:36:93:ba:
b4:65:2a:49:23:e6:e3:bb:23:e9:bc:b8:a5:82:b5:
3b:ff:00:f5:b1:18:e0:e5:f1:13:d2:36:e5:43:49:
dd:fa:76:fa:4c:c5:5d:f3:cc:0f:bb:30:fb:0c:77:
7f:cc:ac:0b:4d:0e:90:88:5b:ca:9a:87:64:80:c3:
2e:35:15:d7:be:cf:9e:91:79:85:c0:b1:15:00:04:
fc:91:b9:91:49:5a:89:17:c1:c1:14:9c:57:f7:72:
7a:bf:8e:1a:fb:6c:93:b4:ef:2b:53:2d:7c:99:f9:
1b:67:51:25:72:90:6b:18:7a:68:d9:6a:b3:39:af:
ff:2b:06:a8:9c:2a:b4:99:ff:c1:ec:62:94:2e:76:
8e:eb:00:d8:bc:c4:f4:f9:df:ec:b6:bf:c2:6f:48:
68:73:67:2e:b7:20:ef:65:72:6d:81:54:91:c4:d0:
e9:b0:de:cd:fa:56:ce:81:ce:3e:b7:1d:63:3a:f6:
ef:05:e9:5a:5b:6b:8f:50:47:f0:2f:f5:1b:e7:bb:
11:9a:a1:f7:58:ba:32:8f:75:f1:be:f2:8d:f6:7b:
79:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
82:97:86:CB:FC:2F:DC:15:FF:E8:0B:DA:73:15:65:11:0C:8B:42:25
X509v3 Authority Key Identifier:
keyid:83:DD:69:F5:FE:97:24:72:E8:5A:61:BF:78:EA:DC:31:2A:93:D5:8E
DirName:/C=US/ST=NY/L=NewYork/O=HSL/OU=HSL/CN=HSL/name=Navn/emailAddress=mail@domain.com
serial:85:63:0D:21:58:94:74:C9
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:client1
Signature Algorithm: sha256WithRSAEncryption
bd:af:70:2d:d2:75:b3:f3:58:f0:d1:84:58:9a:d4:14:49:2a:
cc:47:2a:26:ca:ee:40:8b:98:29:e3:f0:83:0e:57:2b:47:5a:
68:94:b8:be:e5:2d:47:3f:6e:cb:c0:df:43:bb:20:5a:1f:b2:
da:2a:7d:f5:18:eb:67:8a:f8:93:c4:07:9a:d4:25:39:ad:16:
48:da:26:8e:1a:96:2b:03:a0:45:f7:5f:a4:2c:08:5e:a4:0f:
e6:20:de:d1:04:75:19:d9:08:b0:e6:73:f9:dc:91:1a:3e:d5:
cf:15:69:11:c6:23:aa:86:8d:2a:e9:53:f9:60:e3:d9:51:b3:
f3:a5:9e:b8:85:2c:46:ff:ff:4a:3a:d1:48:a5:88:7c:ba:f6:
fc:86:d6:9a:3f:74:d2:96:88:c7:1c:ef:59:7c:31:2f:61:43:
f1:e5:72:fb:54:cc:49:9c:dc:8a:22:c3:5d:81:96:f5:97:2a:
1b:ec:9c:35:0e:5a:ab:a6:f3:9d:07:c7:6b:88:86:96:15:c1:
92:4e:77:6a:69:0d:ae:7f:7b:cb:f5:f7:d5:8f:18:ec:67:7c:
4d:65:58:65:1a:e4:03:f4:24:62:32:68:af:c2:36:b2:93:3a:
6c:a2:5e:d4:36:36:8a:5d:62:d5:ab:75:32:65:f9:e7:48:0e:
1f:0b:b6:5c
-----BEGIN CERTIFICATE-----
Sertifikat her.
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Nøkkel her.
-----END PRIVATE KEY-----
</key>
Kode
2016-04-18 16:34:04 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=NY, L=NewYork, O=HSL, OU=HSL, CN=SLA CA, name=server, emailAddress=mail@domain.com 2016-04-18 16:34:04 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 2016-04-18 16:34:04 TLS Error: TLS object -> incoming plaintext read error 2016-04-18 16:34:04 TLS Error: TLS handshake failed 2016-04-18 16:34:04 SIGUSR1[soft,tls-error] received, process restarting 2016-04-18 16:34:04 MANAGEMENT: >STATE:1460990044,RECONNECTING,tls-error,, 2016-04-18 16:34:04 MANAGEMENT: CMD 'hold release' 2016-04-18 16:34:04 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2016-04-18 16:34:04 Socket Buffers: R=[196724->196724] S=[9216->9216] 2016-04-18 16:34:04 UDPv4 link local: [undef] 2016-04-18 16:34:04 UDPv4 link remote: [AF_INET]107.170.1.14:1194 2016-04-18 16:34:04 MANAGEMENT: >STATE:1460990044,WAIT,,, 2016-04-18 16:34:04 MANAGEMENT: >STATE:1460990044,AUTH,,, 2016-04-18 16:34:04 TLS: Initial packet from [AF_INET]107.170.1.14:1194, sid=d5cd9678 8fd3f598 2016-04-18 16:34:05 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed 2016-04-18 16:34:05 *Tunnelblick: No 'pre-disconnect.sh' script to execute 2016-04-18 16:34:05 *Tunnelblick: Disconnecting using 'kill' 2016-04-18 16:34:05 event_wait : Interrupted system call (code=4) 2016-04-18 16:34:05 PLUGIN_CLOSE: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.10/openvpn-down-root.so 2016-04-18 16:34:05 SIGTERM[hard,] received, process exiting 2016-04-18 16:34:05 MANAGEMENT: >STATE:1460990045,EXITING,SIGTERM,, 2016-04-18 16:34:06 *Tunnelblick: No 'post-disconnect.sh' script to execute 2016-04-18 16:34:06 *Tunnelblick: Expected disconnection occurred.
Kode
ufw allow 1194/tcp
Kode
ufw allow 1194/udp
Hva er det jeg har gjort galt? Si bare i fra om det mangler dokumentasjon for å kunne finne ut av hva som er problemet.
Takk!
