I'm using stunnel v4.56 on Linux (Ubuntu) and trying to configure a routed tunnel in conjunction with pppd. I could do with some help to figure it out - my biggest problem is not knowing what a good connection configuration or log looks like.
I've read lots of (old) patchy articles on how it is done but the instructions are either hopelessly out of date, or plain wrong.
During extensive trial and error I found what appeared to be bugs in the Ubuntu distro-packaged v4.42 but as I don't yet know what a successful connection log looks like they may have been red herrings. The main issue I was trying to build out of was (on the server):
SSL accepted: new session negotiated
Negotiated ciphers: ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
TTY=/dev/pts/4 allocated
Local mode child started (PID=17247)
Remote FD=1 initialized
TCP_NODELAY: Socket operation on non-socket (88)
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
linger (remote): Socket operation on non-socket (88)
Service vpn finished (0 left)
At this point there would be no pppX interfaces.
I created an up-to-date Debian/Ubuntu package for v4.56 which has been more successful. Both ends of the link have the same x86 (i386) package installed. On the server again:
stunnel: LOG6[23986:3073268544]: SSL accepted: new session negotiated
stunnel: LOG6[23986:3073268544]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-RC4-SHA (128-bit encryption)
stunnel: LOG6[23986:3073268544]: Compression: null, expansion: null
stunnel: LOG7[23986:3073268544]: TTY=/dev/pts/5 allocated
stunnel: LOG6[23986:3073268544]: Local mode child started (PID=23989)
stunnel: LOG7[23986:3073268544]: Remote socket (FD=14) initialized
stunnel: LOG3[23986:3073268544]: TCP_NODELAY: Socket operation on non-socket (88)
stunnel: LOG4[23986:3073268544]: Failed to set remote socket options
pppd[23989]: pppd options in effect:
pppd[23989]: debug^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: updetach^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: linkname pella^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: ktune^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: unit 3^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: dump^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: nomp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noauth^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: ^I^I# (from /etc/ppp/options)
pppd[23989]: notty^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: crtscts^I^I# (from /etc/ppp/options)
pppd[23989]: local^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noaccomp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: asyncmap 0^I^I# (from /etc/ppp/options)
pppd[23989]: nopcomp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: silent^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: lcp-echo-failure 4^I^I# (from /etc/ppp/options)
pppd[23989]: lcp-echo-interval 30^I^I# (from /etc/ppp/options)
pppd[23989]: hide-password^I^I# (from /etc/ppp/options)
pppd[23989]: novj^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noipdefault^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noccp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noipx^I^I# (from /etc/ppp/options)
pppd[23989]: pppd 2.4.5 started by root, uid 0
pppd[23989]: using channel 19
udevd[2122]: device 0xb7b0a6e8 has devpath '/devices/virtual/net/ppp3'
udevd[2122]: created empty file '/run/udev/data/n27' for '/devices/virtual/net/ppp3'
pppd[23989]: Using interface ppp3
pppd[23989]: Connect: ppp3 <--> /dev/pts/6
Both ends of the link have ppp interfaces, but neither has an IP address.
The server configuration is:
----- /etc/stunnel/pella-vpn.conf -----
CAfile = /etc/stunnel/vpn.pem
cert = /etc/stunnel/vpn.pem
key = /etc/stunnel/vpn.pem
output = /var/log/stunnel-vpn.log
#verify = 2
debug = 7
client = no
foreground = no

[vpn]
accept = 109.74.x.y:9876
exec = /usr/sbin/pppd
execargs = pppd call pella-vpn 10.254.241.1:10.254.241.2
pty = yes
----------

----- /etc/ppp/peers/pella-vpn -----
unit 3
notty
ktune
local
noipdefault
noccp
noauth
novj
nomp
nopcomp
noaccomp
silent
updetach
linkname pella
debug
dump
----------

# ifconfig ppp3
ppp3      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
The client configuration is:
----- /etc/network/interfaces -----
# SSL VPN to Pella
iface ppp3 inet ppp
  unit 3
  provider pella-vpn
  pre-up /sbin/ifconfig ppp0 up
----------

----- /etc/ppp/peers/pella-vpn -----
# ensure we use ppp3 (ppp0-2 are already in use)
unit 3
ktune
local
noipdefault
noccp
noauth
novj
nomp
nopcomp
noaccomp
silent
updetach
logfd 2
linkname pella
pty "/usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn"
user "tj"

# debugging
debug
dump
----------

----- /etc/stunnel/pella.conf.vpn -----
pid = /var/run/stunnel4/pella.pid
debug = debug
output = /var/log/stunnel-pella.log
foreground = no
client=yes
connect = 109.74.x.y:9876
CAfile = /etc/stunnel/vpn.pem
# verify the peer's certificate
verify = 2
----------

# ifup ppp3
pppd options in effect:
debug                   # (from /etc/ppp/peers/pella-vpn)
updetach                # (from command line)
logfd 2                 # (from /etc/ppp/peers/pella-vpn)
linkname pella          # (from /etc/ppp/peers/pella-vpn)
ktune                   # (from /etc/ppp/peers/pella-vpn)
unit 3                  # (from command line)
dump                    # (from /etc/ppp/peers/pella-vpn)
nomp                    # (from /etc/ppp/peers/pella-vpn)
noauth                  # (from /etc/ppp/peers/pella-vpn)
user tj                 # (from /etc/ppp/peers/pella-vpn)
                        # (from /etc/ppp/options)
pty /usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn   # (from /etc/ppp/peers/pella-vpn)
crtscts                 # (from /etc/ppp/options)
local                   # (from /etc/ppp/peers/pella-vpn)
noaccomp                # (from /etc/ppp/peers/pella-vpn)
asyncmap 0              # (from /etc/ppp/options)
nopcomp                 # (from /etc/ppp/peers/pella-vpn)
silent                  # (from /etc/ppp/peers/pella-vpn)
lcp-echo-failure 4      # (from /etc/ppp/options)
lcp-echo-interval 30    # (from /etc/ppp/options)
hide-password           # (from /etc/ppp/options)
novj                    # (from /etc/ppp/peers/pella-vpn)
noipdefault             # (from /etc/ppp/peers/pella-vpn)
noccp                   # (from /etc/ppp/peers/pella-vpn)
noipx                   # (from /etc/ppp/options)
using channel 43
Using interface ppp3
Connect: ppp3 <--> /dev/pts/5

# ifconfig ppp3
ppp3      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# netstat -natp | grep stun
tcp        0      0 82.71.a.b:34437         109.74.x.y:9876         ESTABLISHED 24105/stunnel4
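Added example, not part of the question or of stunnel's own tooling: a small Python script that pulls the session milestones out of stunnel log lines in the format quoted above and checks a server-side stunnel config for a missing `verify` option (the question's server config has it commented out, so client certificates are not checked). The sample log and config are constructed copies of the post's own; the reading that the ENOTSOCK warning is expected when `pty = yes` makes the remote end a pty rather than a socket is my interpretation, not something the post states.

```python
import re

# Constructed sample: the stunnel 4.56 server-side log lines quoted in the post.
SAMPLE_LOG = """\
stunnel: LOG6[23986:3073268544]: SSL accepted: new session negotiated
stunnel: LOG6[23986:3073268544]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-RC4-SHA (128-bit encryption)
stunnel: LOG7[23986:3073268544]: TTY=/dev/pts/5 allocated
stunnel: LOG6[23986:3073268544]: Local mode child started (PID=23989)
stunnel: LOG3[23986:3073268544]: TCP_NODELAY: Socket operation on non-socket (88)
stunnel: LOG4[23986:3073268544]: Failed to set remote socket options
"""
# Constructed sample: the server stunnel config from the post, with verify commented out.
SAMPLE_CONF = "client = no\n#verify = 2\n[vpn]\naccept = 109.74.x.y:9876\nexec = /usr/sbin/pppd\npty = yes\n"

LOG_RE = re.compile(r"LOG(\d)\[[^\]]*\]: (.*)$")

def summarise_log(text):
    """Pull the milestones of one stunnel session out of its log lines."""
    s = {"ssl_accepted": False, "cipher": None, "child_pid": None, "pty": None, "errors": []}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        level, msg = int(m.group(1)), m.group(2)
        if msg.startswith("SSL accepted"):
            s["ssl_accepted"] = True
        elif "ciphersuite:" in msg:
            s["cipher"] = msg.split("ciphersuite:")[1].split()[0]
        elif msg.startswith("TTY="):
            s["pty"] = msg.split()[0][len("TTY="):]
        elif "child started" in msg:
            s["child_pid"] = int(re.search(r"PID=(\d+)", msg).group(1))
        elif level <= 4:  # LOG3 = error, LOG4 = warning
            s["errors"].append(msg)
    # With pty = yes the "remote" fd is a pty, not a socket, so setsockopt(TCP_NODELAY)
    # failing with ENOTSOCK (errno 88) is expected; treat it as noise, not a tunnel failure.
    s["only_pty_noise"] = bool(s["pty"]) and all(
        "non-socket" in e or e == "Failed to set remote socket options" for e in s["errors"])
    return s

def check_verify(text):
    """Report whether a stunnel config verifies the peer certificate at all."""
    active = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "[")):
            k, _, v = line.partition("=")
            active[k.strip()] = v.strip()
    if "verify" in active:
        return []
    role = "server: client" if active.get("client", "no") == "no" else "client: server"
    return [f"{role} certificate is not verified (no 'verify' option)"]
```

A log with a pty allocated but a different LOG3 message (for example the "Connection reset" line from the v4.42 run) yields `only_pty_noise == False`, which separates the harmless pty warning from a real disconnect.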