Trying to set up a pppd link wrapped in stunnel between two OpenBSD 6.4 amd64 machines. I use this reference article as an idea: http://bremford.org/tips/QuickStunnelVPN.html

While connecting from the client's side with the command:

    /usr/sbin/pppd ptypA 10.0.1.2: local debug noauth passive noccp novj novjccomp nopcomp noaccomp name ppp-clnt connect 'stunnel /etc/stunnel/stunnel-client.conf'

stunnel-client starts, and pppd starts on the client's end according to stunnel-clnt.log, but has LCP timeouts:

    # tail stunnel-clnt.log
    stunnel: LOG5[ui]: Configuration successful
    pppd[5421]: Connect: ppp2 <--> /dev/ptypA
    pppd[5421]: LCP: timeout sending Config-Requests
    pppd[5421]: Connection terminated.
    pppd[5421]: Connect script failed

It seems there is no pppd pty client connection to the local stunnel nor to the remote stunnel-server afterwards. But when I tried to connect to the stunnel-client port 1723 using telnet (telnet localhost 1723), I received pppd advertisements from the remote stunnel-server. It seems exec = /usr/sbin/pppd on stunnel-server is running when the client's stunnel-client connection appears.

Can it be a problem with pppd and stunnel-client using a pty?

Please advise.
    # cat /etc/stunnel/stunnel-server.conf
    ;chroot = /var/stunnel   # chroot is disabled for testing
    ;setuid = _stunnel   # stunnel started by root for testing currently
    ;setgid = _stunnel
    ; PID file is created inside the chroot jail (if enabled)
    ;pid = /stunnel.pid
    foreground = yes
    debug = 7
    ;output = log/stunnel.log   # disabled
    sslVersion = TLSv1.2
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ; Enable support for the insecure SSLv3 protocol
    ;options = NO_SSLv3
    options = NO_TLSv1
    options = NO_TLSv1.1
    ; Fix for Eudora "error reading network" can be useful for changing packet length
    options = DONT_INSERT_EMPTY_FRAGMENTS
    ; These options provide additional security at some performance degradation
    ;options = SINGLE_ECDH_USE
    ;options = SINGLE_DH_USE

    ; *** TLS server mode services
    [ppp]
    accept = 723
    exec = /usr/sbin/pppd
    execargs = 10.0.1.1: local debug noauth
    pty = yes
    CAfile = /etc/stunnel/ca.crt
    cert = /etc/stunnel/srv.crt
    key = /etc/stunnel/private/srv.key
    verifyChain = yes
    TIMEOUTclose = 45

    [default]
    ; HTTP connections
    ;ciphers = ALL
    ;options = CIPHER_SERVER_PREFERENCE
    accept = 1111
    connect = 127.0.0.1:80
    CAfile = /etc/stunnel/ca.crt
    cert = /etc/stunnel/srv.crt
    key = /etc/stunnel/private/srv.key
    verifyChain = yes
    TIMEOUTclose = 0

    [ntp]
    connect = 127.0.0.1:123
    sni = default:ntp
    CAfile = /etc/stunnel/ca.crt
    cert = /etc/stunnel/srv.crt
    key = /etc/stunnel/private/srv.key
    verifyChain = yes
    TIMEOUTclose = 0
--------------------
    # cat /etc/stunnel/stunnel-client.conf
    chroot = /var/stunnel
    setuid = _stunnel
    setgid = _stunnel
    pid = /stunnel-clnt.pid
    foreground = yes
    debug = 7
    ;output = log/stunnel-clnt.log
    sslVersion = TLSv1.2
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ; Enable support for the insecure SSLv3 protocol
    ;options = NO_SSLv3
    options = NO_TLSv1
    options = NO_TLSv1.1
    ; Fix for Eudora "error reading network" can be useful for changing packet length
    options = DONT_INSERT_EMPTY_FRAGMENTS
    ; These options provide additional security at some performance degradation
    ;options = SINGLE_ECDH_USE
    ;options = SINGLE_DH_USE

    [ppp]
    client = yes
    accept = 127.0.0.1:1723
    ; 'accept' is absent in the client configuration at http://bremford.org/tips/QuickStunnelVPN.html
    ; but stunnel reports: [!] Service [ppp]: Each service must define two endpoints on stunnel-5.44
    connect = STUNNEL-SERVER-IP:723
    CAfile = /etc/stunnel/ca.crt
    cert = /etc/stunnel/client.crt
    key = /etc/stunnel/client.key
    verifyChain = yes
    checkHost = hostna.me
    ;checkIP = 1.2.3.4
--------------------
Hi,
I never did it, but from what I've read, it seems that there's an argument missing on the server side.
    [ppp]
    exec = /usr/sbin/pppd
    execargs = 10.0.1.1: local debug noauth
should be
    [ppp]
    exec = /usr/sbin/pppd
    execargs = pppd local debug noauth 10.0.1.1:
Flo
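As an added example (not part of this thread and not stunnel's own tooling), a small Python linter that parses an stunnel configuration and flags the two problems raised above: a service that does not define two endpoints (the "Each service must define two endpoints" error stunnel prints when `accept` is omitted in the client configuration) and an `execargs` whose first word is not the program name, since stunnel passes `execargs` verbatim as the child's argv, including argv[0]. It also goes one step beyond the thread and warns when a `client = yes` service sets `verifyChain` but no `checkHost`/`checkIP`/`checkEmail`, because chain verification alone accepts any certificate the CA has issued. The two embedded configurations are constructed from the snippets posted in the thread; the function names and finding texts are mine.

```python
"""Lint an stunnel configuration for the problems discussed in this thread.

Added example, not stunnel's own tooling. Assumptions: stunnel's INI-style
syntax (';' or '#' starts a comment, '[name]' opens a service, 'key = value'
otherwise); a service needs two of accept/connect/exec; execargs is the full
argv, so its first word is argv[0] (the program name)."""
import os

# Constructed from the [ppp] server service posted in the thread (execargs lacks argv[0]).
SERVER_CONF = """\
foreground = yes
debug = 7
sslVersion = TLSv1.2

; *** TLS server mode services
[ppp]
accept = 723
exec = /usr/sbin/pppd
execargs = 10.0.1.1: local debug noauth
pty = yes
CAfile = /etc/stunnel/ca.crt
cert = /etc/stunnel/srv.crt
key = /etc/stunnel/private/srv.key
verifyChain = yes
"""

# Constructed client service in the bremford.org layout, i.e. without 'accept'.
CLIENT_CONF_NO_ACCEPT = """\
[ppp]
client = yes
connect = STUNNEL-SERVER-IP:723
CAfile = /etc/stunnel/ca.crt
cert = /etc/stunnel/client.crt
key = /etc/stunnel/client.key
verifyChain = yes
"""


def parse_stunnel_conf(text):
    """Return (global_opts, services); both hold (key, value) lists because
    keys such as 'options' and 'socket' may legitimately repeat."""
    global_opts = []
    services = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('[') and line.endswith(']'):
            name = line[1:-1].strip()
            services[name] = []
            current = services[name]
            continue
        key, sep, value = line.partition('=')
        if not sep:
            continue  # stunnel itself would reject such a line
        current.append((key.strip(), value.strip()))
    return global_opts, services


def lint_service(name, opts):
    """Return a list of findings (strings) for one [service] section."""
    findings = []
    keys = {k for k, _ in opts}
    last = dict(opts)  # last value wins; only single-valued keys are read below
    # stunnel requires two endpoints per service; 'exec' counts as one of them.
    endpoints = sorted(keys & {'accept', 'connect', 'exec'})
    if len(endpoints) < 2:
        findings.append(f"[{name}]: endpoints {endpoints}; stunnel needs two of accept/connect/exec")
    # execargs is the complete argv, so its first word is argv[0], not the first option.
    if 'exec' in keys and 'execargs' in keys:
        argv = last['execargs'].split()
        prog = os.path.basename(last['exec'])
        first = argv[0] if argv else '<empty>'
        if not argv or os.path.basename(first) != prog:
            findings.append(f"[{name}]: execargs must begin with argv[0] ({prog!r}), got {first!r}; "
                            "the first real option would be consumed as the program name")
    # Extra check beyond the thread: chain verification without identity pinning.
    if last.get('client', 'no').lower() == 'yes' and 'verifyChain' in keys \
            and not keys & {'checkHost', 'checkIP', 'checkEmail'}:
        findings.append(f"[{name}]: verifyChain without checkHost/checkIP/checkEmail "
                        "accepts any certificate the CA signed")
    return findings


def lint_stunnel_conf(text):
    """Lint every service in an stunnel configuration; an empty list means clean."""
    _, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        findings.extend(lint_service(name, opts))
    return findings


if __name__ == '__main__':
    for conf in (SERVER_CONF, CLIENT_CONF_NO_ACCEPT):
        for finding in lint_stunnel_conf(conf) or ['clean']:
            print(finding)
```

Run as a script it prints one finding for the server section (the execargs problem Flo points out) and two for the accept-less client section; feeding it the corrected `execargs = pppd local debug noauth 10.0.1.1:` line, or a client section with `accept` and `checkHost` present as in the poster's working client configuration, yields no findings.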
On Thu, Apr 11, 2019 at 9:53 PM Martin Got martingot@protonmail.com wrote:
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users