Hei,
jeg har skaffet en VPS hos digitalocean, og har problemer med å koble til serveren fra min macbook.
Konfigurasjonsfilen (<navn>.ovpn) ser slik ut:
Vet ikke helt hvordan jeg skal tolke resultatene. Det skal sies at jeg har tillatt tilkoblinger med kommandoen
og
og jeg har i tillegg deaktivert brannmuren på min klientmaskin.
Hva er det jeg har gjort galt? Si bare i fra om det mangler dokumentasjon for å kunne finne ut av hva som er problemet.
Takk!
jeg har skaffet en VPS hos digitalocean, og har problemer med å koble til serveren fra min macbook.
Konfigurasjonsfilen (<navn>.ovpn) ser slik ut:
Kode
############################################## # Sample client-side OpenVPN 2.0 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # # clients, however each client should have # # its own cert and key files. # # # # On Windows, you might want to rename this # # file so it has a .ovpn extension # ############################################## # Specify that we are a client and that we # will be pulling certain config file directives # from the server. client # Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel # if you have more than one. On XP SP2, # you may need to disable the firewall # for the TAP adapter. ;dev-node MyTap # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. ;proto tcp proto udp # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote 107.170.1.14 1194 ;remote my-server-2 1194 # Choose a random host from the remote # list for load-balancing. Otherwise # try hosts in the order specified. ;remote-random # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite # Most clients don't need to bind to # a specific local port number. nobind # Downgrade privileges after initialization (non-Windows only) user nobody group nogroup # Try to preserve some state across restarts. persist-key persist-tun # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. # ca ca.crt # cert client.crt # key client.key # Verify server certificate by checking # that the certicate has the nsCertType # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build-key-server # script in the easy-rsa folder will do this. ns-cert-type server # If a tls-auth key is used on the server # then every client must also have the key. ;tls-auth ta.key 1 # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. ;cipher x # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. comp-lzo # Set log file verbosity. verb 3 # Silence repeating messages ;mute 20 <ca> -----BEGIN CERTIFICATE----- Sertifikat her. -----END CERTIFICATE----- </ca> <cert> Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=NY, L=NewYork, O=HSL, OU=HSL, CN=HSL/name=Navn/emailAddress=mail@domain.com Validity Not Before: Apr 18 14:15:35 2016 GMT Not After : Apr 16 14:15:35 2026 GMT Subject: C=US, ST=NY, L=NewYork, O=HSL, OU=HSL, CN=client1/name=Navn/emailAddress=mail@domain.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e8:1b:ed:ee:7b:78:9e:22:7f:0a:ed:e7:31:40: 99:5b:26:cf:6b:17:b7:96:31:ef:69:40:47:ff:5e: e8:90:b5:61:0c:fe:80:78:df:5b:1f:44:36:93:ba: b4:65:2a:49:23:e6:e3:bb:23:e9:bc:b8:a5:82:b5: 3b:ff:00:f5:b1:18:e0:e5:f1:13:d2:36:e5:43:49: dd:fa:76:fa:4c:c5:5d:f3:cc:0f:bb:30:fb:0c:77: 7f:cc:ac:0b:4d:0e:90:88:5b:ca:9a:87:64:80:c3: 2e:35:15:d7:be:cf:9e:91:79:85:c0:b1:15:00:04: fc:91:b9:91:49:5a:89:17:c1:c1:14:9c:57:f7:72: 7a:bf:8e:1a:fb:6c:93:b4:ef:2b:53:2d:7c:99:f9: 1b:67:51:25:72:90:6b:18:7a:68:d9:6a:b3:39:af: ff:2b:06:a8:9c:2a:b4:99:ff:c1:ec:62:94:2e:76: 8e:eb:00:d8:bc:c4:f4:f9:df:ec:b6:bf:c2:6f:48: 68:73:67:2e:b7:20:ef:65:72:6d:81:54:91:c4:d0: e9:b0:de:cd:fa:56:ce:81:ce:3e:b7:1d:63:3a:f6: ef:05:e9:5a:5b:6b:8f:50:47:f0:2f:f5:1b:e7:bb: 11:9a:a1:f7:58:ba:32:8f:75:f1:be:f2:8d:f6:7b: 79:25 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: Easy-RSA Generated Certificate X509v3 Subject Key Identifier: 82:97:86:CB:FC:2F:DC:15:FF:E8:0B:DA:73:15:65:11:0C:8B:42:25 X509v3 Authority Key Identifier: keyid:83:DD:69:F5:FE:97:24:72:E8:5A:61:BF:78:EA:DC:31:2A:93:D5:8E DirName:/C=US/ST=NY/L=NewYork/O=HSL/OU=HSL/CN=HSL/name=Navn/emailAddress=mail@domain.com serial:85:63:0D:21:58:94:74:C9 X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Key Usage: Digital Signature X509v3 Subject Alternative Name: DNS:client1 Signature Algorithm: sha256WithRSAEncryption bd:af:70:2d:d2:75:b3:f3:58:f0:d1:84:58:9a:d4:14:49:2a: cc:47:2a:26:ca:ee:40:8b:98:29:e3:f0:83:0e:57:2b:47:5a: 68:94:b8:be:e5:2d:47:3f:6e:cb:c0:df:43:bb:20:5a:1f:b2: da:2a:7d:f5:18:eb:67:8a:f8:93:c4:07:9a:d4:25:39:ad:16: 48:da:26:8e:1a:96:2b:03:a0:45:f7:5f:a4:2c:08:5e:a4:0f: e6:20:de:d1:04:75:19:d9:08:b0:e6:73:f9:dc:91:1a:3e:d5: cf:15:69:11:c6:23:aa:86:8d:2a:e9:53:f9:60:e3:d9:51:b3: f3:a5:9e:b8:85:2c:46:ff:ff:4a:3a:d1:48:a5:88:7c:ba:f6: fc:86:d6:9a:3f:74:d2:96:88:c7:1c:ef:59:7c:31:2f:61:43: f1:e5:72:fb:54:cc:49:9c:dc:8a:22:c3:5d:81:96:f5:97:2a: 1b:ec:9c:35:0e:5a:ab:a6:f3:9d:07:c7:6b:88:86:96:15:c1: 92:4e:77:6a:69:0d:ae:7f:7b:cb:f5:f7:d5:8f:18:ec:67:7c: 4d:65:58:65:1a:e4:03:f4:24:62:32:68:af:c2:36:b2:93:3a: 6c:a2:5e:d4:36:36:8a:5d:62:d5:ab:75:32:65:f9:e7:48:0e: 1f:0b:b6:5c -----BEGIN CERTIFICATE----- Sertifikat her. -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- Nøkkel her. -----END PRIVATE KEY----- </key>
Kode
2016-04-18 16:34:04 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=NY, L=NewYork, O=HSL, OU=HSL, CN=SLA CA, name=server, emailAddress=mail@domain.com 2016-04-18 16:34:04 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 2016-04-18 16:34:04 TLS Error: TLS object -> incoming plaintext read error 2016-04-18 16:34:04 TLS Error: TLS handshake failed 2016-04-18 16:34:04 SIGUSR1[soft,tls-error] received, process restarting 2016-04-18 16:34:04 MANAGEMENT: >STATE:1460990044,RECONNECTING,tls-error,, 2016-04-18 16:34:04 MANAGEMENT: CMD 'hold release' 2016-04-18 16:34:04 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2016-04-18 16:34:04 Socket Buffers: R=[196724->196724] S=[9216->9216] 2016-04-18 16:34:04 UDPv4 link local: [undef] 2016-04-18 16:34:04 UDPv4 link remote: [AF_INET]107.170.1.14:1194 2016-04-18 16:34:04 MANAGEMENT: >STATE:1460990044,WAIT,,, 2016-04-18 16:34:04 MANAGEMENT: >STATE:1460990044,AUTH,,, 2016-04-18 16:34:04 TLS: Initial packet from [AF_INET]107.170.1.14:1194, sid=d5cd9678 8fd3f598 2016-04-18 16:34:05 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed 2016-04-18 16:34:05 *Tunnelblick: No 'pre-disconnect.sh' script to execute 2016-04-18 16:34:05 *Tunnelblick: Disconnecting using 'kill' 2016-04-18 16:34:05 event_wait : Interrupted system call (code=4) 2016-04-18 16:34:05 PLUGIN_CLOSE: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.10/openvpn-down-root.so 2016-04-18 16:34:05 SIGTERM[hard,] received, process exiting 2016-04-18 16:34:05 MANAGEMENT: >STATE:1460990045,EXITING,SIGTERM,, 2016-04-18 16:34:06 *Tunnelblick: No 'post-disconnect.sh' script to execute 2016-04-18 16:34:06 *Tunnelblick: Expected disconnection occurred.
Kode
ufw allow 1194/tcp
Kode
ufw allow 1194/udp
Hva er det jeg har gjort galt? Si bare i fra om det mangler dokumentasjon for å kunne finne ut av hva som er problemet.
Takk!