I'm using stunnel v4.56 on Linux (Ubuntu) and trying to configure a routed tunnel in conjunction with pppd. I could do with some help to figure it out - my biggest problem is not knowing what a good connection configuration or log looks like.
I've read lots of (old) patchy articles on how it is done but the instructions are either hopelessly out of date, or plain wrong.
During extensive trial and error I found what appeared to be bugs in the Ubuntu distro-packaged v4.42 but as I don't yet know what a successful connection log looks like they may have been red herrings. The main issue I was trying to build out of was (on the server):
SSL accepted: new session negotiated
Negotiated ciphers: ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
TTY=/dev/pts/4 allocated
Local mode child started (PID=17247)
Remote FD=1 initialized
TCP_NODELAY: Socket operation on non-socket (88)
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
linger (remote): Socket operation on non-socket (88)
Service vpn finished (0 left)
At this point there would be no pppX interfaces.
I created an up-to-date Debian/Ubuntu package for v4.56 which has been more successful. Both ends of the link have the same x86 (i386) package installed. On the server again:
stunnel: LOG6[23986:3073268544]: SSL accepted: new session negotiated
stunnel: LOG6[23986:3073268544]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-RC4-SHA (128-bit encryption)
stunnel: LOG6[23986:3073268544]: Compression: null, expansion: null
stunnel: LOG7[23986:3073268544]: TTY=/dev/pts/5 allocated
stunnel: LOG6[23986:3073268544]: Local mode child started (PID=23989)
stunnel: LOG7[23986:3073268544]: Remote socket (FD=14) initialized
stunnel: LOG3[23986:3073268544]: TCP_NODELAY: Socket operation on non-socket (88)
stunnel: LOG4[23986:3073268544]: Failed to set remote socket options
pppd[23989]: pppd options in effect:
pppd[23989]: debug^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: updetach^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: linkname pella^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: ktune^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: unit 3^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: dump^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: nomp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noauth^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: ^I^I# (from /etc/ppp/options)
pppd[23989]: notty^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: crtscts^I^I# (from /etc/ppp/options)
pppd[23989]: local^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noaccomp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: asyncmap 0^I^I# (from /etc/ppp/options)
pppd[23989]: nopcomp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: silent^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: lcp-echo-failure 4^I^I# (from /etc/ppp/options)
pppd[23989]: lcp-echo-interval 30^I^I# (from /etc/ppp/options)
pppd[23989]: hide-password^I^I# (from /etc/ppp/options)
pppd[23989]: novj^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noipdefault^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noccp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noipx^I^I# (from /etc/ppp/options)
pppd[23989]: pppd 2.4.5 started by root, uid 0
pppd[23989]: using channel 19
udevd[2122]: device 0xb7b0a6e8 has devpath '/devices/virtual/net/ppp3'
udevd[2122]: created empty file '/run/udev/data/n27' for '/devices/virtual/net/ppp3'
pppd[23989]: Using interface ppp3
pppd[23989]: Connect: ppp3 <--> /dev/pts/6
Both ends of the link have ppp interfaces but neither have IP addresses.
The server configuration is:
----- /etc/stunnel/pella-vpn.conf -----
CAfile = /etc/stunnel/vpn.pem
cert = /etc/stunnel/vpn.pem
key = /etc/stunnel/vpn.pem
output = /var/log/stunnel-vpn.log
#verify = 2
debug = 7
client = no
foreground = no

[vpn]
accept = 109.74.x.y:9876
exec = /usr/sbin/pppd
execargs = pppd call pella-vpn 10.254.241.1:10.254.241.2
pty = yes
----------

----- /etc/ppp/peers/pella-vpn -----
unit 3
notty
ktune
local
noipdefault
noccp
noauth
novj
nomp
nopcomp
noaccomp
silent
updetach
linkname pella
debug
dump
----------
# ifconfig ppp3
ppp3      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
The client configuration is:
----- /etc/network/interfaces -----
# SSL VPN to Pella
iface ppp3 inet ppp
    unit 3
    provider pella-vpn
    pre-up /sbin/ifconfig ppp0 up
----------

----- /etc/ppp/peers/pella-vpn -----
# ensure we use ppp3 (ppp0-2 are already in use)
unit 3
ktune
local
noipdefault
noccp
noauth
novj
nomp
nopcomp
noaccomp
silent
updetach
logfd 2
linkname pella
pty "/usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn"
user "tj"

# debugging
debug
dump
----------

----- /etc/stunnel/pella.conf.vpn -----
pid = /var/run/stunnel4/pella.pid
debug = debug
output = /var/log/stunnel-pella.log
foreground = no
client=yes
connect = 109.74.x.y:9876
CAfile = /etc/stunnel/vpn.pem
# verify the peer's certificate
verify = 2
----------
# ifup ppp3
pppd options in effect:
debug # (from /etc/ppp/peers/pella-vpn)
updetach # (from command line)
logfd 2 # (from /etc/ppp/peers/pella-vpn)
linkname pella # (from /etc/ppp/peers/pella-vpn)
ktune # (from /etc/ppp/peers/pella-vpn)
unit 3 # (from command line)
dump # (from /etc/ppp/peers/pella-vpn)
nomp # (from /etc/ppp/peers/pella-vpn)
noauth # (from /etc/ppp/peers/pella-vpn)
user tj # (from /etc/ppp/peers/pella-vpn)
# (from /etc/ppp/options)
pty /usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn # (from /etc/ppp/peers/pella-vpn)
crtscts # (from /etc/ppp/options)
local # (from /etc/ppp/peers/pella-vpn)
noaccomp # (from /etc/ppp/peers/pella-vpn)
asyncmap 0 # (from /etc/ppp/options)
nopcomp # (from /etc/ppp/peers/pella-vpn)
silent # (from /etc/ppp/peers/pella-vpn)
lcp-echo-failure 4 # (from /etc/ppp/options)
lcp-echo-interval 30 # (from /etc/ppp/options)
hide-password # (from /etc/ppp/options)
novj # (from /etc/ppp/peers/pella-vpn)
noipdefault # (from /etc/ppp/peers/pella-vpn)
noccp # (from /etc/ppp/peers/pella-vpn)
noipx # (from /etc/ppp/options)
using channel 43
Using interface ppp3
Connect: ppp3 <--> /dev/pts/5
# ifconfig ppp3
ppp3      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# netstat -natp | grep stun
tcp        0      0 82.71.a.b:34437      109.74.x.y:9876      ESTABLISHED 24105/stunnel4
On 28/03/13 04:47, TJ wrote:
> I'm using stunnel v4.56 on Linux (Ubuntu) and trying to configure a routed tunnel in conjunction with pppd. I could do with some help to figure it out - my biggest problem is not knowing what a good connection configuration or log looks like.
A quick follow-up on some progress. I realised on reading my own message that both ends of the PPP connection had the "silent" a.k.a. 'passive' option set. I removed it from the client end and there is now LCP negotiation, but the interface fails to come up.
On the server:
stunnel: LOG6[26011:3074280256]: SSL accepted: new session negotiated
stunnel: LOG6[26011:3074280256]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-RC4-SHA (128-bit encryption)
stunnel: LOG6[26011:3074280256]: Compression: null, expansion: null
stunnel: LOG7[26011:3074280256]: TTY=/dev/pts/5 allocated
stunnel: LOG6[26011:3074280256]: Local mode child started (PID=27203)
stunnel: LOG7[26011:3074280256]: Remote socket (FD=14) initialized
stunnel: LOG3[26011:3074280256]: TCP_NODELAY: Socket operation on non-socket (88)
stunnel: LOG4[26011:3074280256]: Failed to set remote socket options
pppd[27203]: pppd options in effect:
pppd[27203]: debug^I^I# (from /etc/ppp/peers/pella-vpn)
...
pppd[27203]: pppd 2.4.5 started by root, uid 0
pppd[27203]: using channel 22
udevd[2122]: device 0xb7b02610 has devpath '/devices/virtual/net/ppp3'
udevd[2122]: created empty file '/run/udev/data/n30' for '/devices/virtual/net/ppp3'
pppd[27203]: Using interface ppp3
pppd[27203]: Connect: ppp3 <--> /dev/pts/6
stunnel: LOG5[26011:3074280256]: SSL socket error: Connection reset by peer (104)
stunnel: LOG5[26011:3074280256]: Connection reset: 693 byte(s) sent to SSL, 693 byte(s) sent to socket
stunnel: LOG7[26011:3074280256]: linger (remote): Socket operation on non-socket (88)
stunnel: LOG7[26011:3074280256]: Remote socket (FD=14) closed
stunnel: LOG7[26011:3074280256]: Local socket (FD=3) closed
stunnel: LOG7[26011:3074280256]: Service [vpn] finished (0 left)
pppd[27203]: Modem hangup
pppd[27203]: Connection terminated.
pppd[27203]: Script pppd (charshunt) finished (pid 27204), status = 0x0
pppd[27203]: Exit.
And on the client:
# ifup ppp3
pppd options in effect:
debug # (from /etc/ppp/peers/pella-vpn)
updetach # (from command line)
logfd 2 # (from /etc/ppp/peers/pella-vpn)
linkname pella # (from /etc/ppp/peers/pella-vpn)
ktune # (from /etc/ppp/peers/pella-vpn)
unit 3 # (from command line)
dump # (from /etc/ppp/peers/pella-vpn)
nomp # (from /etc/ppp/peers/pella-vpn)
noauth # (from /etc/ppp/peers/pella-vpn)
user tj # (from /etc/ppp/peers/pella-vpn)
# (from /etc/ppp/options)
pty /usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn # (from /etc/ppp/peers/pella-vpn)
crtscts # (from /etc/ppp/options)
local # (from /etc/ppp/peers/pella-vpn)
noaccomp # (from /etc/ppp/peers/pella-vpn)
asyncmap 0 # (from /etc/ppp/options)
nopcomp # (from /etc/ppp/peers/pella-vpn)
lcp-echo-failure 4 # (from /etc/ppp/options)
lcp-echo-interval 30 # (from /etc/ppp/options)
hide-password # (from /etc/ppp/options)
novj # (from /etc/ppp/peers/pella-vpn)
noipdefault # (from /etc/ppp/peers/pella-vpn)
noccp # (from /etc/ppp/peers/pella-vpn)
noipx # (from /etc/ppp/options)
using channel 45
Using interface ppp3
Connect: ppp3 <--> /dev/pts/5
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x60a28ad7>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x60a28ad7>]
sent [LCP ConfNak id=0x1 <magic 0xe61c63b3>]
rcvd [LCP ConfNak id=0x1 <magic 0xe61c63b3>]
sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x960d9d68>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x960d9d68>]
sent [LCP ConfNak id=0x2 <magic 0xaffae16f>]
rcvd [LCP ConfNak id=0x2 <magic 0xaffae16f>]
sent [LCP ConfReq id=0x3 <asyncmap 0x0> <magic 0xa4f37a9b>]
rcvd [LCP ConfReq id=0x3 <asyncmap 0x0> <magic 0xa4f37a9b>]
sent [LCP ConfNak id=0x3 <magic 0xed9d1251>]
rcvd [LCP ConfNak id=0x3 <magic 0xed9d1251>]
sent [LCP ConfReq id=0x4 <asyncmap 0x0> <magic 0xdd9f2403>]
rcvd [LCP ConfReq id=0x4 <asyncmap 0x0> <magic 0xdd9f2403>]
sent [LCP ConfNak id=0x4 <magic 0x2c91d423>]
rcvd [LCP ConfNak id=0x4 <magic 0x2c91d423>]
sent [LCP ConfReq id=0x5 <asyncmap 0x0> <magic 0x8f92d97e>]
rcvd [LCP ConfReq id=0x5 <asyncmap 0x0> <magic 0x8f92d97e>]
sent [LCP ConfNak id=0x5 <magic 0x513839ee>]
rcvd [LCP ConfNak id=0x5 <magic 0x513839ee>]
sent [LCP ConfReq id=0x6 <asyncmap 0x0> <magic 0x4cd9ff7d>]
rcvd [LCP ConfReq id=0x6 <asyncmap 0x0> <magic 0x4cd9ff7d>]
sent [LCP ConfNak id=0x6 <magic 0x22bd0ba5>]
rcvd [LCP ConfNak id=0x6 <magic 0x22bd0ba5>]
sent [LCP ConfReq id=0x7 <asyncmap 0x0> <magic 0x36bb202e>]
rcvd [LCP ConfReq id=0x7 <asyncmap 0x0> <magic 0x36bb202e>]
sent [LCP ConfNak id=0x7 <magic 0x9fd1112>]
rcvd [LCP ConfNak id=0x7 <magic 0x9fd1112>]
sent [LCP ConfReq id=0x8 <asyncmap 0x0> <magic 0xcf421032>]
rcvd [LCP ConfReq id=0x8 <asyncmap 0x0> <magic 0xcf421032>]
sent [LCP ConfNak id=0x8 <magic 0x180ec775>]
rcvd [LCP ConfNak id=0x8 <magic 0x180ec775>]
sent [LCP ConfReq id=0x9 <asyncmap 0x0> <magic 0x33453d8>]
rcvd [LCP ConfReq id=0x9 <asyncmap 0x0> <magic 0x33453d8>]
sent [LCP ConfNak id=0x9 <magic 0xe58240af>]
rcvd [LCP ConfNak id=0x9 <magic 0xe58240af>]
sent [LCP ConfReq id=0xa <asyncmap 0x0> <magic 0xbf7eaff0>]
rcvd [LCP ConfReq id=0xa <asyncmap 0x0> <magic 0xbf7eaff0>]
sent [LCP ConfNak id=0xa <magic 0x87d73bf2>]
rcvd [LCP ConfNak id=0xa <magic 0x87d73bf2>]
Serial line is looped back.
sent [LCP TermReq id=0xb "Loopback detected"]
rcvd [LCP TermReq id=0xb "Loopback detected"]
sent [LCP TermAck id=0xb]
rcvd [LCP TermAck id=0xb]
Connection terminated.
Waiting for 1 child processes...
  script /usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn, pid 25558
Script /usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn finished (pid 25558), status = 0x0
Failed to bring up ppp3.
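The client log above is the signature of a looped-back line: every LCP ConfReq the client sends comes straight back with the client's own magic number, and pppd eventually gives up with "Serial line is looped back". The following is an added example, not part of TJ's post or of stunnel or pppd, that parses pppd debug output of this shape and classifies the negotiation as looped back, negotiated, or unanswered (the last being what both ends having `silent` set produces, since with `silent` pppd sends no LCP packets until the peer does). The sample lines are constructed from the values in the thread; the verdict names and the rule "any received ConfReq carrying a magic we sent ourselves means loopback" are this example's own, not pppd's exact internal threshold.

```python
import re

# One pppd "debug" log line, e.g.
#   sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x60a28ad7>]
LCP_RE = re.compile(
    r'^(?P<dir>sent|rcvd) \[LCP (?P<code>\w+) id=0x(?P<id>[0-9a-fA-F]+)(?P<rest>.*)\]$'
)
MAGIC_RE = re.compile(r'<magic 0x([0-9a-fA-F]+)>')


def parse_lcp_line(line):
    """Return a dict for an LCP log line, or None for any other line."""
    m = LCP_RE.match(line.strip())
    if m is None:
        return None
    magic = MAGIC_RE.search(m.group('rest'))
    return {
        'dir': m.group('dir'),
        'code': m.group('code'),
        'id': int(m.group('id'), 16),
        'magic': int(magic.group(1), 16) if magic else None,
    }


def analyse_lcp(lines):
    """Classify an LCP negotiation from pppd debug output.

    A peer never presents a magic number we generated; if a received
    ConfReq carries a magic we sent earlier, our own frames are being
    reflected back (looped-back line).  A received ConfAck means the peer
    is genuinely answering.  No LCP traffic at all means nobody started.
    """
    sent_magics = set()
    echoed = []            # our magics seen coming back in a peer ConfReq
    acked = False
    for line in lines:
        f = parse_lcp_line(line)
        if f is None:
            continue
        if f['code'] == 'ConfReq' and f['magic'] is not None:
            if f['dir'] == 'sent':
                sent_magics.add(f['magic'])
            elif f['magic'] in sent_magics:
                echoed.append(f['magic'])
        elif f['code'] == 'ConfAck' and f['dir'] == 'rcvd':
            acked = True
    if echoed:
        verdict = 'looped back'
    elif acked:
        verdict = 'negotiated'
    else:
        verdict = 'no reply from peer'
    return {'verdict': verdict, 'echoed': echoed, 'acked': acked}


# Constructed samples.  LOOPED reuses the first exchanges quoted in the
# thread; HEALTHY and NO_LCP are made up to show the other two outcomes.
LOOPED = """\
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x60a28ad7>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x60a28ad7>]
sent [LCP ConfNak id=0x1 <magic 0xe61c63b3>]
rcvd [LCP ConfNak id=0x1 <magic 0xe61c63b3>]
sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x960d9d68>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x960d9d68>]
Serial line is looped back.
sent [LCP TermReq id=0xb "Loopback detected"]
""".splitlines()

HEALTHY = """\
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x11111111>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x22222222>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x22222222>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x11111111>]
""".splitlines()

NO_LCP = ["Using interface ppp3", "Connect: ppp3 <--> /dev/pts/5"]

if __name__ == '__main__':
    for name, sample in (('LOOPED', LOOPED), ('HEALTHY', HEALTHY), ('NO_LCP', NO_LCP)):
        r = analyse_lcp(sample)
        print(f"{name}: {r['verdict']} (echoed magics: {[hex(m) for m in r['echoed']]})")
```

Feed it the client's `logfd 2` output (or the `pppd[...]:` lines from syslog with the prefix stripped) to tell the three failure modes in this thread apart without reading the whole exchange by hand.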
On 28/03/13 05:03, TJ wrote:
> A quick follow-up on some progress. I realised on reading my own message that both ends of the PPP connection had the "silent" a.k.a. 'passive' option set. I removed it from the client end and there is now LCP negotiation but the interface fails to come up.
Insight is snowballing. During the trials of the 'buggy' version 4.46 I had found that the "notty" option seemed to get the connection further along. After reading the last messages on the client that I just posted to the list:
Serial line is looped back.
I took a closer look at the server's configuration and tried removing the "notty" option. That solved the issue of no IP address assignment.
Both ends of the link now come up and have the expected IP addresses.
My next task is to open the shorewall policy rules up to allow traffic through. I'll tackle that tomorrow.
Here is the working configuration, server first:
----- /etc/stunnel/pella-vpn.conf -----
CAfile = /etc/stunnel/vpn.pem
cert = /etc/stunnel/vpn.pem
key = /etc/stunnel/vpn.pem
output = /var/log/stunnel-vpn.log
debug = 7
client = no
foreground = no

[vpn]
accept = 109.74.x.y:9876
exec = /usr/sbin/pppd
execargs = pppd call pella-vpn 10.254.241.1:10.254.241.2
pty = yes
----------

----- /etc/ppp/peers/pella-vpn -----
# ensure we use ppp3 (ppp0-2 are already in use)
unit 3
#notty
ktune
local
noipdefault
noccp
noauth
novj
nomp
nopcomp
noaccomp
updetach
linkname pella
debug
dump
----------
And on the client (note the name ends .vpn to prevent the stunnel4 daemon loading this profile automatically):
----- /etc/stunnel/pella.conf.vpn -----
pid = /var/run/stunnel4/pella.pid
debug = debug
output = /var/log/stunnel-pella.log
foreground = no
client=yes
connect = 109.74.x.y:9876
CAfile = /etc/stunnel/vpn.pem
# verify the peer's certificate
verify = 2
----------

----- /etc/ppp/peers/pella-vpn -----
# ensure we use ppp3 (ppp0-2 are already in use)
unit 3
ktune
local
noipdefault
noccp
noauth
novj
nomp
nopcomp
noaccomp
updetach
logfd 2
linkname pella
pty "/usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn"
debug
dump
----------
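The two fixes in this thread (drop `silent` from one end, drop `notty` from the end stunnel spawns with `pty = yes`) are easy to re-introduce when editing four files across two hosts. Below is an added example, written for this page and not part of TJ's configuration or of stunnel/pppd, that parses both ends' stunnel and pppd peers files and reports those two pitfalls. It also reports one thing the thread shows but does not discuss: the server's `verify = 2` was commented out in the first message and is absent from the working config, and pppd runs with `noauth`, so the TLS handshake is the only thing standing between any client that can reach the `accept` port and a pppd session. The config samples are trimmed copies of the ones posted in the first and last messages; the finding names and the check that `verify` is at least 2 are this example's own.

```python
def parse_pppd_options(text):
    """Parse a pppd options/peers file: one option per line, '#' comments.
    Returns {option: value-or-True}; quotes around values are stripped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition(' ')
        opts[name] = value.strip().strip('"') or True
    return opts


def parse_stunnel_conf(text):
    """Parse stunnel's INI-style file into {section: {key: value}}.
    Options before the first [service] header go under 'global'."""
    conf = {'global': {}}
    section = 'global'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # commented-out lines vanish
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif '=' in line:
            key, value = line.split('=', 1)
            conf[section][key.strip()] = value.strip()
    return conf


def verify_level(conf):
    """Effective stunnel 'verify' level: a service-section value overrides
    the global one; absent means 0 (peer certificate not required)."""
    level = int(conf['global'].get('verify', 0))
    for name, section in conf.items():
        if name != 'global' and 'verify' in section:
            level = int(section['verify'])
    return level


def audit_tunnel(server_stunnel, server_ppp, client_stunnel, client_ppp):
    """Return a list of finding names for the stunnel+pppd pair."""
    findings = []
    s_conf, c_conf = parse_stunnel_conf(server_stunnel), parse_stunnel_conf(client_stunnel)
    s_ppp, c_ppp = parse_pppd_options(server_ppp), parse_pppd_options(client_ppp)

    # 1. 'silent' on both ends: neither pppd sends the first LCP ConfReq,
    #    so both ppp interfaces appear but never get addresses.
    if 'silent' in s_ppp and 'silent' in c_ppp:
        findings.append('both-silent')

    # 2. 'notty' on the end stunnel spawns via exec with pty = yes: the
    #    thread reports this produced "Serial line is looped back".
    uses_pty = any(sec.get('pty', '').lower() == 'yes' for sec in s_conf.values())
    if 'notty' in s_ppp and uses_pty:
        findings.append('server-notty-with-pty')

    # 3. With 'noauth' in pppd, TLS is the only gate: the accepting side
    #    should require a client certificate (verify = 2), not leave
    #    verify unset or commented out.
    if 'noauth' in s_ppp and verify_level(s_conf) < 2:
        findings.append('server-accepts-any-client')

    # 4. The client should refuse an unverified server.
    if verify_level(c_conf) < 2:
        findings.append('client-skips-server-verify')
    return findings


# Constructed samples trimmed from the thread's configs (placeholder IPs kept).
SERVER_STUNNEL = """\
CAfile = /etc/stunnel/vpn.pem
cert = /etc/stunnel/vpn.pem
key = /etc/stunnel/vpn.pem
#verify = 2
client = no

[vpn]
accept = 109.74.x.y:9876
exec = /usr/sbin/pppd
execargs = pppd call pella-vpn 10.254.241.1:10.254.241.2
pty = yes
"""
CLIENT_STUNNEL = """\
client=yes
connect = 109.74.x.y:9876
CAfile = /etc/stunnel/vpn.pem
# verify the peer's certificate
verify = 2
"""
SERVER_PPP_FIRST = "unit 3\nnotty\nlocal\nnoauth\nsilent\nupdetach\nlinkname pella\n"
SERVER_PPP_WORKING = "unit 3\n#notty\nlocal\nnoauth\nupdetach\nlinkname pella\n"
CLIENT_PPP_FIRST = ('unit 3\nlocal\nnoauth\nsilent\nupdetach\n'
                    'pty "/usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn"\n')
CLIENT_PPP_WORKING = CLIENT_PPP_FIRST.replace('silent\n', '')

if __name__ == '__main__':
    print('first attempt :', audit_tunnel(SERVER_STUNNEL, SERVER_PPP_FIRST, CLIENT_STUNNEL, CLIENT_PPP_FIRST))
    print('working config:', audit_tunnel(SERVER_STUNNEL, SERVER_PPP_WORKING, CLIENT_STUNNEL, CLIENT_PPP_WORKING))
```

Run against the first-message configs it reports all three of `both-silent`, `server-notty-with-pty` and `server-accepts-any-client`; against the working configs only the last remains, which is the one worth fixing before opening the shorewall rules.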