I'm troubleshooting a connection delay with my OpenVPN server that occurs when my client connects and disconnects a few times (2 to 3 times usually produce the behaviour described). Server/client names and IP addresses have been changed for this post.
The client simply hangs while connecting; see the log below:
Fri Mar 3 14:39:34 2017 OpenVPN 2.4.0 [git:master/f5bf296bacce76a8+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 29 2016
Fri Mar 3 14:39:34 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.08
Fri Mar 3 14:39:34 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.2:443
Fri Mar 3 14:39:34 2017 UDP link local (bound): [AF_INET][undef]:443
Fri Mar 3 14:39:34 2017 UDP link remote: [AF_INET]127.0.0.2:443
Fri Mar 3 14:39:34 2017 [SERVERNAME] Peer Connection Initiated with [AF_INET]127.0.0.2:443
The server logs show the following during this delay:
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 TLS: new session incoming connection from [AF_INET]127.0.0.2:443
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 VERIFY OK: ~redacted
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 VERIFY OK: ~redacted
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_VER=2.4.0
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_PLAT=linux
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_PROTO=2
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_NCP=2
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_LZ4=1
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_LZ4v2=1
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_LZO=1
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_COMP_STUB=1
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_COMP_STUBv2=1
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 peer info: IV_TCPNL=1
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4069 bit RSA
Fri Mar 3 15:05:03 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:05:08 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:05:13 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:05:18 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:05:23 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:05:28 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
The server configuration file is as follows:
port 443
proto udp
dev tun
server 172.16.0.0 255.255.255.0
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh4096.pem
tls-crypt /etc/openvpn/server/tls-crypt.key
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth SHA512
verb 3
comp-lzo
duplicate-cn
Both sides use OpenVPN 2.4.0 and OpenSSL 1.0.2k on Debian.
What causes this delay, and how can it be avoided or reduced?
Tags: configuration, vpn, debian, openvpn, delay
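As an added example, not part of the question or of any answer on this page, the following Python script scans OpenVPN server log lines like the ones posted above, groups PUSH_REQUEST messages per client session and reports sessions where the request keeps repeating without the server sending a PUSH_REPLY, together with how long the stall lasted. The sample log is built from the lines in the question plus a constructed healthy session; the `SENT CONTROL ...: 'PUSH_REPLY,...'` line shape used to detect a reply, and the `HEALTHYCLIENT/192.0.2.10:51000` peer, are assumptions, not taken from the page.

```python
"""Find OpenVPN server sessions whose PUSH_REQUEST keeps repeating unanswered.

Added example, not code from the original question. Assumes the verb 3 server
log format "<weekday> <month> <day> <time> <year> <client>/<ip>:<port> <msg>"
and that an answered push is logged with a line containing 'PUSH_REPLY'.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<peer>\S+/\S+) (?P<msg>.*)$"
)
PUSH_REQUEST_MSG = "PUSH: Received control message: 'PUSH_REQUEST'"
# Assumption: the server logs a served push as "SENT CONTROL [...]: 'PUSH_REPLY,...'"
PUSH_REPLY_MARKER = "'PUSH_REPLY"


def parse_ts(ts_text):
    """'Fri Mar 3 15:05:02 2017' (one or two spaces before the day) -> datetime."""
    return datetime.strptime(" ".join(ts_text.split()), "%a %b %d %H:%M:%S %Y")


def analyze_push_stalls(lines, min_requests=3):
    """Return one record per client session whose PUSH_REQUEST was repeated at
    least min_requests times before a PUSH_REPLY (answered=True) or before the
    log ended (answered=False). stall_seconds spans the first to the last
    repeated request of that run."""
    pending = defaultdict(list)  # peer -> timestamps of not-yet-answered requests
    results = []

    def close(peer, answered):
        stamps = pending.pop(peer, [])
        if len(stamps) >= min_requests:
            results.append({
                "peer": peer,
                "requests": len(stamps),
                "stall_seconds": int((stamps[-1] - stamps[0]).total_seconds()),
                "answered": answered,
            })

    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # server-wide lines without a client prefix are ignored
        peer, msg = m.group("peer"), m.group("msg")
        if msg == PUSH_REQUEST_MSG:
            pending[peer].append(parse_ts(m.group("ts")))
        elif PUSH_REPLY_MARKER in msg:
            close(peer, answered=True)
    for peer in list(pending):  # sessions still waiting when the log ends
        close(peer, answered=False)
    return results


# Sample input: the server log lines posted in the question (first session),
# plus a constructed healthy session whose single PUSH_REQUEST is answered.
SAMPLE_SERVER_LOG = """
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 TLS: new session incoming connection from [AF_INET]127.0.0.2:443
Fri Mar 3 15:05:02 2017 CLIENTNAME/127.0.0.2:443 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4069 bit RSA
Fri Mar 3 15:05:03 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:05:08 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:05:13 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:05:18 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:05:23 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:05:28 2017 CLIENTNAME/127.0.0.2:443 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:06:00 2017 HEALTHYCLIENT/192.0.2.10:51000 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 15:06:00 2017 HEALTHYCLIENT/192.0.2.10:51000 SENT CONTROL [HEALTHYCLIENT]: 'PUSH_REPLY,route 172.16.0.0 255.255.255.0' (status=1)
"""

if __name__ == "__main__":
    for r in analyze_push_stalls(SAMPLE_SERVER_LOG.splitlines()):
        state = "eventually answered" if r["answered"] else "still unanswered"
        print(f"{r['peer']}: {r['requests']} PUSH_REQUESTs over "
              f"{r['stall_seconds']}s, {state}")
```

Run against a full server log (`python3 push_stalls.py < /var/log/openvpn.log` after swapping `SAMPLE_SERVER_LOG.splitlines()` for `sys.stdin`) this separates sessions that were merely slow from ones that never got a PUSH_REPLY, and the per-session stall length makes it easy to correlate the delay with the reconnect count the question describes. The evenly spaced requests in the question's log are the client re-sending its request; what the script measures is how long the server left them unanswered.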