Trying to set up a pppd link wrapped in stunnel between two OpenBSD 6.4 amd64 machines.
When connecting from the client side with the command:
/usr/sbin/pppd ptypA 10.0.1.2: local debug noauth passive noccp novj novjccomp nopcomp noaccomp name ppp-clnt connect 'stunnel /etc/stunnel/stunnel-client.conf'
the stunnel client starts, and pppd starts on the client end according to stunnel-clnt.log, but then hits LCP timeouts:
# tail stunnel-clnt.log
stunnel: LOG5[ui]: Configuration successful
pppd[5421]: Connect: ppp2 <--> /dev/ptypA
pppd[5421]: LCP: timeout sending Config-Requests
pppd[5421]: Connection terminated.
pppd[5421]: Connect script failed
It seems pppd's pty never gets connected to the local stunnel client, nor through it to the remote stunnel server. But when I tried connecting to the stunnel client port 1723 with telnet:
telnet localhost 1723
I received pppd advertisements from the remote stunnel server. So it seems exec = /usr/sbin/pppd on the stunnel server does run once the client's stunnel connection appears.
Could this be a problem with pppd and the stunnel client sharing the pty?
Please advise.
# cat /etc/stunnel/stunnel-server.conf
; --- Global options (apply to every service section below) ---
; Privilege separation is switched off here: with chroot/setuid/setgid
; commented out, stunnel - and the pppd it exec's in [ppp] - keep root.
; Re-enable these once the link works; pppd may need adjustments to run
; unprivileged (TODO confirm before turning setuid back on).
;chroot = /var/stunnel # chroot is disabled for testing
;setuid = _stunnel # stunnel started by root for testing currently
;setgid = _stunnel
; PID file is created inside the chroot jail (if enabled)
;pid = /stunnel.pid
; Stay in the foreground; with no 'output' file set, log lines go to stderr
foreground = yes
; Log level 7 = debug, the most verbose; lower it once troubleshooting is done
debug = 7
;output = log/stunnel.log # disabled
; Pins the protocol to TLS 1.2; the NO_TLSv1 / NO_TLSv1.1 options below
; should then be redundant (harmless, but confusing to keep)
sslVersion = TLSv1.2
; Disable Nagle on the local (l:) and remote (r:) sockets - sensible for an
; interactive PPP link
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Leaving NO_SSLv3 commented out would, on its own, permit the insecure
; SSLv3 protocol; sslVersion above already rules it out
;options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
; Fix for Eudora "error reading network" can be useful for changing packet length
; NOTE(review): this disables OpenSSL's empty-fragment CBC countermeasure,
; which only matters for SSLv3/TLS 1.0; it serves no purpose on a
; TLS 1.2-only link - consider dropping it
options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; *** TLS server mode services
; PPP-over-TLS service: accept TLS on 723, hand the plaintext side to pppd
[ppp]
; Port the stunnel client's TLS connection arrives on
accept = 723
; pppd is started with no arguments here, so its behaviour presumably comes
; from /etc/ppp/options on this host (TODO confirm). It inherits stunnel's
; privileges - root while setuid is disabled in the global section
exec = /usr/sbin/pppd
; Give pppd a pseudo-terminal instead of a socket pair, which pppd
; generally needs for its link device
pty = yes
; Mutual TLS: the client must present a certificate that chains to ca.crt
CAfile = /etc/stunnel/ca.crt
cert = /etc/stunnel/srv.crt
key = /etc/stunnel/private/srv.key
; verifyChain only checks that the chain validates - any certificate issued
; by this CA is accepted. Add checkHost/checkIP (or verifyPeer) if the CA
; also signs certificates that should not open a PPP session
verifyChain = yes
; Seconds to wait for the peer's close_notify before dropping the connection
TIMEOUTclose = 45
; TLS service on 1111; also the SNI master that [ntp] below attaches to
[default]
; HTTP connections
;ciphers = ALL
;options = CIPHER_SERVER_PREFERENCE
accept = 1111
; NOTE(review): no connect/exec target is shown for this service; if this
; listing is complete, stunnel has nowhere to forward accepted connections
; Mutual TLS against the same CA as [ppp]
CAfile = /etc/stunnel/ca.crt
cert = /etc/stunnel/srv.crt
key = /etc/stunnel/private/srv.key
; Chain validation only - see the note on [ppp]
verifyChain = yes
; 0 = do not wait for the peer's close_notify
TIMEOUTclose = 0
; SNI sub-service: connections accepted by [default] (port 1111) whose TLS
; server name matches "ntp" are handled by this section instead
[ntp]
sni = default:ntp
; NOTE(review): as with [default], no connect/exec target is shown - verify
CAfile = /etc/stunnel/ca.crt
cert = /etc/stunnel/srv.crt
key = /etc/stunnel/private/srv.key
verifyChain = yes
TIMEOUTclose = 0
--------------------
# cat /etc/stunnel/stunnel-client.conf
; --- Global options ---
; Unlike the server listing, privilege separation is on here: stunnel
; chroots into /var/stunnel and drops to _stunnel after start-up. pppd runs
; this stunnel as its connect script (see the pppd command above), so it
; starts as root; the pty descriptors already open at that point presumably
; survive the setuid - TODO confirm
chroot = /var/stunnel
setuid = _stunnel
setgid = _stunnel
; Path is relative to the chroot, i.e. /var/stunnel/stunnel-clnt.pid
pid = /stunnel-clnt.pid
; Foreground with no 'output' file: log lines go to stderr
foreground = yes
; 7 = debug, the most verbose level
debug = 7
;output = log/stunnel-clnt.log
; Pins the protocol to TLS 1.2; NO_TLSv1 / NO_TLSv1.1 below should then be
; redundant
sslVersion = TLSv1.2
; Disable Nagle on the local (l:) and remote (r:) sockets
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Leaving NO_SSLv3 commented out would, on its own, permit the insecure
; SSLv3 protocol; sslVersion above already rules it out
;options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
; Fix for Eudora "error reading network" can be useful for changing packet length
; NOTE(review): disables OpenSSL's empty-fragment CBC countermeasure, which
; only matters for SSLv3/TLS 1.0; pointless on a TLS 1.2-only link
options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; TLS client side of the PPP link
[ppp]
; Initiate the TLS handshake outward (client mode)
client = yes
; Placeholder - the real stunnel server address goes here
connect = STUNNEL-SERVER-IP:723
; NOTE(review): this service has no accept, exec or pty, so it is presumably
; meant to run on the pty that pppd hands stunnel as its connect script
; (stdin/stdout). The stunnel manual describes that inetd-style mode as
; having the service-level options in the global section with no [service]
; header; worth checking for the installed version, since the LCP timeouts
; in the log are consistent with nothing reaching the tunnel
; Trust anchor for the server certificate
CAfile = /etc/stunnel/ca.crt
; Client certificate and key presented to the server (the server requires
; one via verifyChain). Keep client.key readable only by the user that
; starts stunnel
cert = /etc/stunnel/client.crt
key = /etc/stunnel/client.key
; Validates the server's chain against ca.crt but not its identity; enabling
; checkIP (below) or checkHost restricts which certificate is accepted
verifyChain = yes
;checkIP = 1.2.3.4
--------------------