<div dir="ltr"><div>Hi,</div><div><br></div><div>I never did it, but from what I've read, it seems that there's an argument missing on the server side.</div><div><br></div><div>[ppp]</div><div><div>exec = /usr/sbin/pppd<br></div><div>execargs = <a href="http://10.0.1.1" target="_blank">10.0.1.1</a>: local debug noauth</div><div><br></div><div>should be <br></div><div><br></div><div>[ppp]</div><div><div>exec = /usr/sbin/pppd<br></div><div>execargs = pppd local debug noauth <a href="http://10.0.1.1" target="_blank">10.0.1.1</a>:</div></div></div><div><br></div><div><br></div><div>Flo</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 11, 2019 at 9:53 PM Martin Got <<a href="mailto:martingot@protonmail.com">martingot@protonmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Trying to set up pppd link with stunnel wrapped between two OpenBSD 6.4amd64 machines.<br></div><div>I use this reference article as an idea: <a href="http://bremford.org/tips/QuickStunnelVPN.html" target="_blank">http://bremford.org/tips/QuickStunnelVPN.html</a><br></div><div><br></div><div>While connecting from client's side by command:<br></div><div>/usr/sbin/pppd ptypA <a href="http://10.0.1.2" target="_blank">10.0.1.2</a>: local debug noauth passive noccp novj novjccomp nopcomp noaccomp name ppp-clnt connect 'stunnel /etc/stunnel/stunnel-client.conf<br></div><div><div> <br></div></div><div>stunnel-client starts, pppd starts on client's end according to stunnel-clnt.log, but has LCP timeouts:<br></div><div><br></div><div># tail stunnel-clnt.log<br></div><div>stunnel: LOG5[ui]: Configuration successful<br></div><div>pppd[5421]: Connect: ppp2 <--> /dev/ptypA<br></div><div>pppd[5421]: LCP: timeout sending Config-Requests<br></div><div>pppd[5421]: Connection terminated.<br></div><div>pppd[5421]: Connect script failed<br></div><div><br></div><div>It seems no pppd 
pty client connection to stunnel-local nor remote stunnel-server afterwards. But when I tried to connect to stunnel-client port 1723 using telnet:<br></div><div>telnet localhost 1723<br></div><div>I received pppd advertisements from remote stunnel-server. It seems exec = /usr/sbin/pppd on stunnel-server is running when client's stunnel-client connection appeared.<br></div><div><br></div><div>Can it be a problem with pppd and stunnel-client using pty?<br></div><div><br></div><div> Please advise. <br></div><div><br></div><div># cat /etc/stunnel/stunnel-server.conf<br></div><div><br></div><div>;chroot = /var/stunnel # chroot is disabled for testing<br></div><div>;setuid = _stunnel # stunnel started by root for testing currently<br></div><div>;setgid = _stunnel<br></div><div>; PID file is created inside the chroot jail (if enabled)<br></div><div>;pid = /stunnel.pid<br></div><div>foreground = yes<br></div><div>debug = 7<br></div><div>;output = log/stunnel.log # disabled<br></div><div>sslVersion = TLSv1.2<br></div><div>socket = l:TCP_NODELAY=1<br></div><div>socket = r:TCP_NODELAY=1<br></div><div>; Enable support for the insecure SSLv3 protocol<br></div><div>;options = NO_SSLv3<br></div><div>options = NO_TLSv1<br></div><div>options = NO_TLSv1.1<br></div><div>; Fix for Eudora "error reading network" can be useful for changing packet length<br></div><div>options = DONT_INSERT_EMPTY_FRAGMENTS<br></div><div>; These options provide additional security at some performance degradation<br></div><div>;options = SINGLE_ECDH_USE<br></div><div>;options = SINGLE_DH_USE<br></div><div><br></div><div>; *** TLS server mode services<br></div><div>[ppp]<br></div><div>accept = 723<br></div><div>exec = /usr/sbin/pppd<br></div><div>execargs = <a href="http://10.0.1.1" target="_blank">10.0.1.1</a>: local debug noauth<br></div><div>pty = yes<br></div><div>CAfile = /etc/stunnel/ca.crt<br></div><div>cert = /etc/stunnel/srv.crt<br></div><div>key = 
/etc/stunnel/private/srv.key<br></div><div>verifyChain = yes<br></div><div>TIMEOUTclose = 45<br></div><div><br></div><div>[default]<br></div><div>; HTTP connections <br></div><div>;ciphers = ALL<br></div><div>;options = CIPHER_SERVER_PREFERENCE<br></div><div>accept = 1111<br></div><div>connect = <a href="http://127.0.0.1:80" target="_blank">127.0.0.1:80</a><br></div><div>CAfile = /etc/stunnel/ca.crt<br></div><div>cert = /etc/stunnel/srv.crt<br></div><div>key = /etc/stunnel/private/srv.key<br></div><div>verifyChain = yes<br></div><div>TIMEOUTclose = 0<br></div><div><br></div><div>[ntp]<br></div><div>connect = <a href="http://127.0.0.1:123" target="_blank">127.0.0.1:123</a><br></div><div>sni = default:ntp<br></div><div>CAfile = /etc/stunnel/ca.crt<br></div><div>cert = /etc/stunnel/srv.crt<br></div><div>key = /etc/stunnel/private/srv.key<br></div><div>verifyChain = yes<br></div><div>TIMEOUTclose = 0<br></div><div>--------------------<br></div><div><br></div><div># cat /etc/stunnel/stunnel-client.conf<br></div><div><br></div><div>chroot = /var/stunnel<br></div><div>setuid = _stunnel<br></div><div>setgid = _stunnel<br></div><div>pid = /stunnel-clnt.pid<br></div><div>foreground = yes<br></div><div>debug = 7<br></div><div>;output = log/stunnel-clnt.log<br></div><div>sslVersion = TLSv1.2<br></div><div>socket = l:TCP_NODELAY=1<br></div><div>socket = r:TCP_NODELAY=1<br></div><div>; Enable support for the insecure SSLv3 protocol<br></div><div>;options = NO_SSLv3<br></div><div>options = NO_TLSv1<br></div><div>options = NO_TLSv1.1<br></div><div>; Fix for Eudora "error reading network" can be useful for changing packet length<br></div><div>options = DONT_INSERT_EMPTY_FRAGMENTS<br></div><div>; These options provide additional security at some performance degradation<br></div><div>;options = SINGLE_ECDH_USE<br></div><div>;options = SINGLE_DH_USE<br></div><div><br></div><div>[ppp]<br></div><div>client = yes<br></div><div>accept = <a href="http://127.0.0.1:1723" 
target="_blank">127.0.0.1:1723</a> # 'accept' is absent in client's configuration <a href="http://bremford.org/tips/QuickStunnelVPN.html" target="_blank">http://bremford.org/tips/QuickStunnelVPN.html </a>but stunnel reports: [!] Service [ppp]: Each service must define two endpoints on stunnel-5.44<br></div><div>connect = STUNNEL-SERVER-IP:723<br></div><div>CAfile = /etc/stunnel/ca.crt<br></div><div>cert = /etc/stunnel/client.crt<br></div><div>key = /etc/stunnel/client.key<br></div><div>verifyChain = yes<br></div><div>checkHost = <a href="http://hostna.me" target="_blank">hostna.me</a><br></div><div>;checkIP = 1.2.3.4<br></div><div>--------------------<br></div><div><br></div><div><br></div><div><br></div>_______________________________________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br>
<a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" rel="noreferrer" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br>
</blockquote></div>
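As an added example (not code from either poster or from the stunnel project), a small Python linter that reads stunnel service sections and flags the two problems raised in this thread: an execargs line whose first token is not the program name (stunnel passes execargs as the child's argv, so the first token is argv[0]) and a service that does not define exactly two of accept/connect/exec. The sample sections are constructed from the posted [ppp] service; case-insensitive option matching is assumed.

```python
"""Lint stunnel service sections for the two configuration errors seen in this thread:
an execargs line that omits argv[0], and a service without exactly two endpoints."""
import os
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
ENDPOINT_KEYS = ("accept", "connect", "exec")  # a service needs two of these


def parse_stunnel_conf(text):
    """Minimal stunnel.conf reader: ';' starts a comment, '[name]' opens a service, 'key = value'
    assigns. Option names are lower-cased (assumed case-insensitive); repeated keys keep the last value."""
    sections = {"": {}}  # '' holds global options
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def lint_services(text):
    """Return one finding string per problem; an empty list means the config passed."""
    findings = []
    for name, opts in parse_stunnel_conf(text).items():
        if not name:
            continue  # global options are not a service
        present = [k for k in ENDPOINT_KEYS if k in opts]
        if len(present) != 2:
            findings.append(f"[{name}]: each service must define two endpoints, found {present}")
        if "exec" in opts:
            # stunnel hands execargs to the child verbatim, so its first token is argv[0]
            argv = opts.get("execargs", "").split()
            prog = os.path.basename(opts["exec"])
            if not argv or os.path.basename(argv[0]) != prog:
                findings.append(f"[{name}]: execargs must start with argv[0] '{prog}', got {argv[:1]}")
    return findings


# Constructed samples: the [ppp] section as posted, and with the corrected execargs line.
SERVER_AS_POSTED = "[ppp]\naccept = 723\nexec = /usr/sbin/pppd\nexecargs = 10.0.1.1: local debug noauth\npty = yes\n"
SERVER_FIXED = "[ppp]\naccept = 723\nexec = /usr/sbin/pppd\nexecargs = pppd local debug noauth 10.0.1.1:\npty = yes\n"
```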