I think what you're looking for is the --tls-exit option. From the openvpn man page:
--tls-exit
Exit on TLS negotiation failure.
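As an added illustration (not part of the original answer, and not the poster's own file), here is the client configuration from the question trimmed to the relevant lines, with --tls-exit added so that a failed verification ends the process instead of triggering the restart seen in the log. Paths, the remote address and the syslog tag are the ones shown in the question.

```conf
# Added example, not the poster's file: the client config from the question
# with --tls-exit added. Paths and the remote address are the ones shown above.
client
remote 198.74.60.142 1194
nobind
proto udp
dev tun
persist-key
persist-tun
keepalive 10 120
resolv-retry infinite
mssfix 1400
comp-lzo
ca /etc/config/openvpn/gw1-ca.crt
cert /etc/config/openvpn/gw1-public.crt
key /etc/config/openvpn/gw1-private.key
ns-cert-type server
tls-remote principal
# New: end the process on a TLS negotiation failure instead of the
# "SIGUSR1[soft,tls-error] received, process restarting" / "Restart pause,
# 2 second(s)" cycle in the log. With the clock at 1970 the CA certificate is
# "not yet valid" on every attempt, so retrying cannot succeed until the
# clock is corrected.
tls-exit
verb 3
syslog openvpn-gw
writepid "/var/run/openvpn-gw.pid"
```

Two caveats. First, --tls-exit only makes the openvpn process exit; if an init script or process supervisor on the device restarts it automatically, the reconnect loop just moves there, so that supervisor must treat this exit as final (or back off) for the bandwidth saving to materialise. Second, the man page text above is the whole contract: the option acts on any TLS negotiation failure, not specifically on a rejected CA certificate, so check how your OpenVPN version behaves on other handshake failures before relying on it for always-on devices.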
I have several cellular devices that establish always-on openvpn tunnels to a server that is always listening for incoming openvpn connection requests. Sometimes the cellular devices are delivered to my customers with bad date/time settings (e.g. January 1, 1970), so TLS verification fails because openvpn on the cellular device thinks the CA certificate is not yet valid. That's fine with me, except that openvpn repeatedly tries to reconnect at 2-second intervals, and cellular bandwidth is expensive. Using tcpdump, I'm seeing more than 2KB/s of network traffic between the server and the cellular device. I want openvpn to exit (not restart) on the cellular client if it rejects the server's CA certificate. Is this possible?
Server configuration:
dev tun1
topology subnet
mode server
tls-server
push "topology subnet"
ifconfig 10.0.1.1 255.255.255.0
ifconfig-pool 10.0.1.200 10.0.1.254 255.255.255.0
push "route-gateway 10.0.1.1"
route 10.0.2.0 255.255.255.0 10.0.1.12
push "route 10.0.2.0 255.255.255.0"
port 1194
proto udp
persist-key
persist-tun
comp-lzo
ca /etc/openvpn/ssl/tmvca-cacert.pem
cert /etc/openvpn/ssl/principal-cert.pem
key /etc/openvpn/ssl/principal-key.pem
dh /etc/openvpn/ssl/dh1024.pem
client-config-dir /etc/openvpn/ccd
#client-connect /usr/local/bin/cc.py
client-to-client
user nobody
group nogroup
keepalive 10 120
status /var/log/openvpn/vpn1.log
verb 3
tls-verify /usr/local/bin/tls-verify.py
script-security 2
Cellular client configuration:
client
remote 198.74.60.142 1194
nobind
keepalive 10 120
resolv-retry infinite
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ns-cert-type server
ca /etc/config/openvpn/gw1-ca.crt
cert /etc/config/openvpn/gw1-public.crt
key /etc/config/openvpn/gw1-private.key
dh /etc/config/openvpn/gw1-dh.pem
comp-lzo
verb 3
syslog openvpn-gw
script-security 2
up "echo $script_type $signal"
writepid "/var/run/openvpn-gw.pid"
tls-remote principal
Cellular client output:
<28>Jan 1 18:14:23 openvpn-gw[3202]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
<28>Jan 1 18:14:23 openvpn-gw[3202]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<29>Jan 1 18:14:23 openvpn-gw[3202]: LZO compression initialized
<29>Jan 1 18:14:23 openvpn-gw[3202]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
<29>Jan 1 18:14:23 openvpn-gw[3202]: Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
<29>Jan 1 18:14:23 openvpn-gw[3202]: Local Options hash (VER=V4): '41690919'
<29>Jan 1 18:14:23 openvpn-gw[3202]: Expected Remote Options hash (VER=V4): '530fdded'
<29>Jan 1 18:14:23 openvpn-gw[3202]: Socket Buffers: R=[163840->131072] S=[163840->131072]
<29>Jan 1 18:14:23 openvpn-gw[3202]: UDPv4 link local: [undef]
<29>Jan 1 18:14:23 openvpn-gw[3202]: UDPv4 link remote: 198.74.60.142:1194
<27>Jan 1 18:14:24 openvpn-gw[3202]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
<29>Jan 1 18:14:54 openvpn-gw[3202]: TLS: Initial packet from 198.74.60.142:1194, sid=38c1dcd3 f194273b
<27>Jan 1 18:14:55 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan 1 18:14:55 openvpn-gw[3202]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
<27>Jan 1 18:14:55 openvpn-gw[3202]: TLS Error: TLS object -> incoming plaintext read error
<27>Jan 1 18:14:55 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan 1 18:14:55 openvpn-gw[3202]: TCP/UDP: Closing socket
<29>Jan 1 18:14:55 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan 1 18:14:55 openvpn-gw[3202]: Restart pause, 2 second(s)
<28>Jan 1 18:14:57 openvpn-gw[3202]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
<28>Jan 1 18:14:57 openvpn-gw[3202]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<29>Jan 1 18:14:57 openvpn-gw[3202]: Re-using SSL/TLS context
<29>Jan 1 18:14:57 openvpn-gw[3202]: LZO compression initialized
<29>Jan 1 18:14:57 openvpn-gw[3202]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
<29>Jan 1 18:14:57 openvpn-gw[3202]: Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
<29>Jan 1 18:14:57 openvpn-gw[3202]: Local Options hash (VER=V4): '41690919'
<29>Jan 1 18:14:57 openvpn-gw[3202]: Expected Remote Options hash (VER=V4): '530fdded'
<29>Jan 1 18:14:57 openvpn-gw[3202]: Socket Buffers: R=[163840->131072] S=[163840->131072]
<29>Jan 1 18:14:57 openvpn-gw[3202]: UDPv4 link local: [undef]
<29>Jan 1 18:14:57 openvpn-gw[3202]: UDPv4 link remote: 198.74.60.142:1194
<29>Jan 1 18:14:57 openvpn-gw[3202]: TLS: Initial packet from 198.74.60.142:1194, sid=944e1fb2 c074a030
<27>Jan 1 18:14:58 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan 1 18:14:58 openvpn-gw[3202]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
<27>Jan 1 18:14:58 openvpn-gw[3202]: TLS Error: TLS object -> incoming plaintext read error
<27>Jan 1 18:14:58 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan 1 18:14:58 openvpn-gw[3202]: TCP/UDP: Closing socket
<29>Jan 1 18:14:58 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan 1 18:14:58 openvpn-gw[3202]: Restart pause, 2 second(s)
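The restart loop in the output above can be confirmed from the client's syslog lines rather than from tcpdump. The following shell script is an added example, not part of the question or the answer: it counts the restarts OpenVPN attributed to a TLS error, extracts the announced restart pause and the verification failure reason, and prints a short diagnosis. The embedded log excerpt is constructed from the lines in the post (the "openvpn-gw" tag and pid 3202 come from there); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original question or its answer: detect the
# TLS-failure restart loop in an OpenVPN client's syslog output and recover
# the reason OpenVPN gave. SAMPLE_LOG is a constructed excerpt built from the
# lines shown in the post.

SAMPLE_LOG='<27>Jan 1 18:14:55 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan 1 18:14:55 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan 1 18:14:55 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan 1 18:14:55 openvpn-gw[3202]: Restart pause, 2 second(s)
<27>Jan 1 18:14:58 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan 1 18:14:58 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan 1 18:14:58 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan 1 18:14:58 openvpn-gw[3202]: Restart pause, 2 second(s)'

# Number of process restarts that OpenVPN attributed to a TLS error.
# grep -c exits 1 when the count is 0; "|| true" keeps the "0" usable.
count_tls_restarts() {
    printf '%s\n' "$1" | grep -c 'SIGUSR1\[soft,tls-error\] received, process restarting' || true
}

# Pause OpenVPN announced between attempts, in seconds (first occurrence).
restart_pause_seconds() {
    printf '%s\n' "$1" | sed -n 's/.*Restart pause, \([0-9][0-9]*\) second.*/\1/p' | head -n 1
}

# Failure reason from the first VERIFY ERROR line, e.g.
# "certificate is not yet valid" (device clock before the CA's notBefore).
verify_error_reason() {
    printf '%s\n' "$1" | sed -n 's/.*VERIFY ERROR: depth=[0-9]*, error=\([^:]*\):.*/\1/p' | head -n 1
}

# Exit 0 when the log in $1 holds at least $2 TLS-error restarts.
tls_loop_detected() {
    [ "$(count_tls_restarts "$1")" -ge "$2" ]
}

# Human-readable summary; points at the clock when the reason is a validity
# period problem and at --tls-exit when the restart loop is present.
diagnose() {
    log=$1
    n=$(count_tls_restarts "$log")
    pause=$(restart_pause_seconds "$log")
    reason=$(verify_error_reason "$log")
    echo "tls-error restarts: $n (restart pause: ${pause:-?}s)"
    [ -n "$reason" ] && echo "verify failure: $reason"
    case $reason in
        *"not yet valid"*|*"has expired"*)
            echo "hint: device clock is outside the certificate validity period; fix the clock" ;;
    esac
    if tls_loop_detected "$log" 2; then
        echo "restart loop present: add 'tls-exit' to the client config to stop it"
    fi
}

# Stand-alone run: diagnose the embedded sample.
diagnose "$SAMPLE_LOG"
```

Run it against a real device with `diagnose "$(grep 'openvpn-gw' /var/log/messages)"`, or pipe the syslog tail into a variable; the restart count divided by the log's time span gives the attempt rate that the tcpdump figure in the question reflects.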