Hi all,
I've got two two LANs behind masquerading routers that I've linked via a stunnel + pppd vpn. When it works, it works, but I've got a couple of problems - has anybody out there in Stunnel Land managed to fix / workaround these?
1) The connection goes down fairly regluarly.
I've setup a cron job to move a few packets back and forth to make sure that the ADSL connection at both ends stays up (pppd set not do demand stuff). There's nothing in the logs to suggest that the ADSL *is* going down, but I thought it would eliminate a lot of possibilities. (see log entries below). Currently the link is going down at lesat once per day. Uptime varies greatly.
I can't see anyway of asking stunnel to try again if the pppd exits (see conf below) other than manually restarting it.
I'm hoping to scale the VPN up to multiple sites - with one connection, I can just do /etc/rc.d/stunnel restart - but if I've got multiple instances of stunnel running with different configs it gets a bit messy to reset a single connection. I did think about having multiple hard links to the stunnel binary, so each VPN will have a different process name attached to it, but this strikes me as a bit of a hack.
2) bandwidth on the link is poor. I consistently get 1/4 of the bandwidth (measured using scp to copy largish files) compared with bypassing the stunnel/pppd pair (same route between LANs). While I expected some overhead, this seems rather a lot.
3) latency is a lot higher too
4) The VPN seems to stutter more regularly than the direct connection ...I mean that I don't seem to be getting any traffic for 5-10 seconds then it resumes without any loss of data (e.g. when using ssh).
The routers at either end are relatively dumb so (as I understand it) there's not many options for using IPIP or GRE tunnelling).
Anybody got any suggestions as to how I can make it (particularly) more reliable and (also) a bit faster?
TIA,
Colin McKinnon
pppd -------- pppd local nodeflate nobsdcomp nodefaultroute 10.1.17.208:10.1.20.202
log entries: ---------------- Stunnel started manually:
Jul 19 08:25:59 serv8 stunnel[740]: stunnel 4.05 on i686-suse-linux-gnu PTHREAD with OpenSSL 0.9.7d 17 Mar 2004 Jul 19 08:25:59 serv8 stunnel[740]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed Jul 19 08:25:59 serv8 pppd[743]: pppd 2.4.2 started by stunnel, uid 100 Jul 19 08:25:59 serv8 pppd[743]: Using interface ppp0 Jul 19 08:25:59 serv8 pppd[743]: Connect: ppp0 <--> /dev/pts/1
Everything works fine (although a little slow) then...
Jul 19 10:36:32 serv8 pppd[743]: No response to 4 echo-requests Jul 19 10:36:32 serv8 pppd[743]: Serial link appears to be disconnected. Jul 19 10:36:34 serv8 pppd[743]: Script /etc/ppp/ip-down finished (pid 1668), status = 0x0 Jul 19 10:36:34 serv8 ip-down: SIOCDELRT: No such process Jul 19 10:36:36 serv8 pppd[743]: Connection terminated. Jul 19 10:36:36 serv8 pppd[743]: Connect time 130.6 minutes. Jul 19 10:36:36 serv8 pppd[743]: Sent 58200 bytes, received 57227 bytes. Jul 19 10:36:36 serv8 pppd[743]: Connect time 130.6 minutes. Jul 19 10:36:36 serv8 pppd[743]: Sent 58200 bytes, received 57227 bytes. Jul 19 10:36:36 serv8 pppd[743]: Exit. Jul 19 10:36:36 serv8 stunnel[741]: readsocket: Input/output error (5) Jul 19 10:36:36 serv8 stunnel[741]: Connection reset: 68626 bytes sent to SSL, 66280 bytes sent to socket
Stunnel config --------------------- foreground = no client = yes setuid = stunnel setgid = dialout CAfile = /etc/stunnel/3bCArootCert.pem cert = /etc/stunnel/system.pem verify = 2 session = 3600 [ppp] connect = remotehost:2020 exec = /usr/sbin/pppd execargs = pppd local nodeflate nobsdcomp nodefaultroute 10.1.17.208:10.1.20.202 pty = yes
(converse at other end)
Routing at 'cleint' end --------------------------------- Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.1.20.202 * 255.255.255.255 UH 0 0 0 ppp0 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1 10.1.20.0 * 255.255.255.0 U 0 0 0 ppp0 10.1.17.0 * 255.255.255.0 U 0 0 0 eth2 loopback * 255.0.0.0 U 0 0 0 lo default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
(eth1 conects to the ADSL router, eth2 to the LAN)