Background:
OpenVPN version 2.5.4
Windows Server 2019
Problem: caused by the `tls-auth ta.key` line; after commenting out the tls-auth directive the error no longer appears.
Solution:
ta.key had been generated the wrong way.
Following the tutorials that are easy to find, the command given for generating ta.key is:
openvpn --genkey tls-auth ta.key
Checking the official site instead:
How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN
tls-auth
The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
- DoS attacks or port flooding on the OpenVPN UDP port.
- Port scanning to determine which server UDP ports are in a listening state.
- Buffer overflow vulnerabilities in the SSL/TLS implementation.
- SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:
openvpn --genkey --secret ta.key
Actual procedure
Running the command from the official site prints a warning:
WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead.
So, using the syntax the warning recommends:
# openvpn --genkey secret ta.key
With ta.key generated by the command from the official site, OpenVPN connects successfully.
Reading the official documentation first is the way to go.
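As an added example (my own script, not part of the original note and not an OpenVPN tool), here is a POSIX shell check to run before trying to connect: it verifies that ta.key is in the "OpenVPN Static key V1" format that `openvpn --genkey secret ta.key` writes (sixteen lines of 32 lowercase hex characters between the BEGIN/END markers, with `#` comment lines allowed), that the server and client hold byte-identical copies, and that the key-direction arguments on the two `tls-auth` lines are complementary (0 on the server, 1 on the client, or omitted on both). It also strips Windows CRLF line endings, which otherwise make every key line one character too long. The sample key and config lines are constructed for the demo and are not a real secret; the file and function names are my assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for an OpenVPN tls-auth static key and the
# matching tls-auth lines in a server and a client config. Not OpenVPN code.

# ta_key_valid FILE -> exit 0 if FILE is a well-formed "OpenVPN Static key V1"
ta_key_valid() {
    awk '
        { sub(/\r$/, "") }                       # tolerate Windows CRLF
        /^#/ || /^[[:space:]]*$/ { next }        # comment/blank lines from --genkey
        /^-----BEGIN OpenVPN Static key V1-----$/ { inkey = 1; next }
        /^-----END OpenVPN Static key V1-----$/   { inkey = 0; ended = 1; next }
        inkey {
            if (length($0) == 32 && $0 ~ /^[0-9a-f]+$/) hexlines++; else bad = 1
        }
        END { exit !(ended && !bad && hexlines == 16) }   # 16 x 32 hex = 2048 bits
    ' "$1"
}

# tls_auth_direction CONFIG -> prints "0", "1", "bidirectional" or "absent".
# Uses the last field so a quoted Windows path with spaces still parses;
# a separate key-direction directive overrides the inline argument.
tls_auth_direction() {
    awk '
        { sub(/\r$/, "") }
        $1 == "tls-auth"      { found = 1; if ($NF == "0" || $NF == "1") dir = $NF }
        $1 == "key-direction" { dir = $2 }
        END {
            if (!found) print "absent"
            else if (dir == "") print "bidirectional"
            else print dir
        }
    ' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF SERVER_KEY CLIENT_KEY
# -> prints "ok" when everything lines up, otherwise the first problem found
check_pair() {
    ta_key_valid "$3" || { echo "server key malformed"; return 1; }
    ta_key_valid "$4" || { echo "client key malformed"; return 1; }
    cmp -s "$3" "$4"  || { echo "key files differ"; return 1; }
    s=$(tls_auth_direction "$1")
    c=$(tls_auth_direction "$2")
    case "$s/$c" in
        0/1)                         echo "ok"; return 0 ;;
        absent/*|*/absent)           echo "tls-auth missing in a config"; return 1 ;;
        bidirectional/bidirectional) echo "ok"; return 0 ;;
        *) echo "key-direction mismatch: server=$s client=$c"; return 1 ;;
    esac
}

# write_sample_key FILE -> constructed key in --genkey layout (NOT a real secret)
write_sample_key() {
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key'
        echo '#'
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%02x%s\n' "$i" '0123456789abcdef0123456789abcd'
            i=$((i + 1))
        done
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
}

# Demo with constructed files: a correct pair, then a client whose tls-auth
# line repeats the server's direction argument.
demo() {
    d=$(mktemp -d)
    write_sample_key "$d/ta.key"
    cp "$d/ta.key" "$d/ta-client.key"
    printf 'port 1194\nproto udp\ntls-auth ta.key 0\n' > "$d/server.ovpn"
    printf 'client\nremote vpn.example.com 1194\ntls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1\n' \
        > "$d/client.ovpn"
    printf 'client\ntls-auth ta.key 0\n' > "$d/client-bad.ovpn"
    check_pair "$d/server.ovpn" "$d/client.ovpn"     "$d/ta.key" "$d/ta-client.key"
    check_pair "$d/server.ovpn" "$d/client-bad.ovpn" "$d/ta.key" "$d/ta-client.key"
    rm -rf "$d"
}

demo
```

Run it from the EasyRSA shell or any sh; replace the demo paths with the real server and client config and key paths to check a deployment. A real ta.key must come from `openvpn --genkey secret ta.key`; the sample writer above only produces the layout for the format check.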