[stunnel-users] Linux pppd VPN network notwork very well
Colin McKinnon
colin at mms3.com
Thu Jul 21 16:50:21 CEST 2005
Hi all,
I've got two LANs behind masquerading routers that I've linked via a
stunnel + pppd VPN. When it works, it works, but I've got a couple of
problems - has anybody out there in Stunnel Land managed to fix / work around
these?
1) The connection goes down fairly regularly.
I've set up a cron job to move a few packets back and forth to make sure that
the ADSL connection at both ends stays up (pppd set not to do demand stuff).
There's nothing in the logs to suggest that the ADSL *is* going down, but I
thought it would eliminate a lot of possibilities (see log entries below).
Currently the link is going down at least once per day. Uptime varies
greatly.
I can't see any way of asking stunnel to try again if the pppd exits (see conf
below) other than manually restarting it.
I'm hoping to scale the VPN up to multiple sites - with one connection, I can
just do /etc/rc.d/stunnel restart - but if I've got multiple instances of
stunnel running with different configs it gets a bit messy to reset a single
connection. I did think about having multiple hard links to the stunnel
binary, so each VPN will have a different process name attached to it, but
this strikes me as a bit of a hack.
2) bandwidth on the link is poor.
I consistently get 1/4 of the bandwidth (measured using scp to copy largish
files) compared with bypassing the stunnel/pppd pair (same route between
LANs). While I expected some overhead, this seems rather a lot.
3) latency is a lot higher too
4) The VPN seems to stutter more regularly than the direct connection
...I mean that I don't seem to be getting any traffic for 5-10 seconds then it
resumes without any loss of data (e.g. when using ssh).
The routers at either end are relatively dumb so (as I understand it) there
aren't many options for using IPIP or GRE tunnelling.
Anybody got any suggestions as to how I can make it (particularly) more
reliable and (also) a bit faster?
TIA,
Colin McKinnon
pppd
--------
pppd local nodeflate nobsdcomp nodefaultroute 10.1.17.208:10.1.20.202
log entries:
----------------
Stunnel started manually:
Jul 19 08:25:59 serv8 stunnel[740]: stunnel 4.05 on i686-suse-linux-gnu PTHREAD with OpenSSL 0.9.7d 17 Mar 2004
Jul 19 08:25:59 serv8 stunnel[740]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
Jul 19 08:25:59 serv8 pppd[743]: pppd 2.4.2 started by stunnel, uid 100
Jul 19 08:25:59 serv8 pppd[743]: Using interface ppp0
Jul 19 08:25:59 serv8 pppd[743]: Connect: ppp0 <--> /dev/pts/1
Everything works fine (although a little slow) then...
Jul 19 10:36:32 serv8 pppd[743]: No response to 4 echo-requests
Jul 19 10:36:32 serv8 pppd[743]: Serial link appears to be disconnected.
Jul 19 10:36:34 serv8 pppd[743]: Script /etc/ppp/ip-down finished (pid 1668), status = 0x0
Jul 19 10:36:34 serv8 ip-down: SIOCDELRT: No such process
Jul 19 10:36:36 serv8 pppd[743]: Connection terminated.
Jul 19 10:36:36 serv8 pppd[743]: Connect time 130.6 minutes.
Jul 19 10:36:36 serv8 pppd[743]: Sent 58200 bytes, received 57227 bytes.
Jul 19 10:36:36 serv8 pppd[743]: Connect time 130.6 minutes.
Jul 19 10:36:36 serv8 pppd[743]: Sent 58200 bytes, received 57227 bytes.
Jul 19 10:36:36 serv8 pppd[743]: Exit.
Jul 19 10:36:36 serv8 stunnel[741]: readsocket: Input/output error (5)
Jul 19 10:36:36 serv8 stunnel[741]: Connection reset: 68626 bytes sent to SSL, 66280 bytes sent to socket
Stunnel config
---------------------
foreground = no
client = yes
setuid = stunnel
setgid = dialout
CAfile = /etc/stunnel/3bCArootCert.pem
cert = /etc/stunnel/system.pem
verify = 2
session = 3600
[ppp]
connect = remotehost:2020
exec = /usr/sbin/pppd
execargs = pppd local nodeflate nobsdcomp nodefaultroute 10.1.17.208:10.1.20.202
pty = yes
(converse at other end)
Routing at 'client' end
---------------------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.20.202     *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
10.1.20.0       *               255.255.255.0   U     0      0        0 ppp0
10.1.17.0       *               255.255.255.0   U     0      0        0 eth2
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
(eth1 connects to the ADSL router, eth2 to the LAN)
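A watchdog of the kind a practitioner might run beside this setup, as an added example that is not from the post or from stunnel itself: it parses the pppd syslog lines quoted above, records why and after how long each ppp session died, and names the one stunnel instance to relaunch, so that with several sites only the affected VPN is restarted. The interface-to-site map and the one-config-per-site layout under /etc/stunnel are assumptions.

```python
"""Watchdog for the pppd-over-stunnel VPN: find pppd sessions that dropped and map each
to the single stunnel instance to relaunch (per-site config layout is an assumption)."""
import re
VPN_BY_IFACE = {"ppp0": "site-a"}   # assumed: which ppp interface belongs to which site
CONF_DIR = "/etc/stunnel"           # assumed: one stunnel config per site, <site>.conf

# Constructed sample: the relevant pppd/stunnel lines from the post, in their original order.
SAMPLE_LOG = """\
Jul 19 08:25:59 serv8 pppd[743]: pppd 2.4.2 started by stunnel, uid 100
Jul 19 08:25:59 serv8 pppd[743]: Using interface ppp0
Jul 19 10:36:32 serv8 pppd[743]: No response to 4 echo-requests
Jul 19 10:36:32 serv8 pppd[743]: Serial link appears to be disconnected.
Jul 19 10:36:36 serv8 pppd[743]: Connect time 130.6 minutes.
Jul 19 10:36:36 serv8 pppd[743]: Exit.
Jul 19 10:36:36 serv8 stunnel[741]: readsocket: Input/output error (5)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IFACE_RE = re.compile(r"^Using interface (?P<iface>\S+)$")
MINUTES_RE = re.compile(r"^Connect time (?P<min>[\d.]+) minutes\.$")
DROP_REASONS = ("No response to", "Serial link appears to be disconnected")

def link_drops(lines, vpn_by_iface=VPN_BY_IFACE):
    """One event per pppd session that exited, assembled from that pid's own log lines."""
    sessions, events = {}, []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "pppd":
            continue                  # stunnel's "readsocket" error is only a consequence
        st = sessions.setdefault(m["pid"], {"iface": None, "reason": None, "minutes": None})
        msg = m["msg"]
        if im := IFACE_RE.match(msg):
            st["iface"] = im["iface"]
        elif msg.startswith(DROP_REASONS) and st["reason"] is None:
            st["reason"] = msg        # keep the first symptom (the LCP echo timeout)
        elif mm := MINUTES_RE.match(msg):
            st["minutes"] = float(mm["min"])
        elif msg == "Exit.":
            sessions.pop(m["pid"])
            events.append({"when": m["ts"], "pid": int(m["pid"]), "iface": st["iface"],
                           "vpn": vpn_by_iface.get(st["iface"]), "reason": st["reason"],
                           "connect_minutes": st["minutes"]})
    return events

def restart_command(event):
    """argv that relaunches only the affected instance, or None if the iface is unknown."""
    if event["vpn"] is None:
        return None
    return ["stunnel", f"{CONF_DIR}/{event['vpn']}.conf"]
```

The command only starts a fresh instance; the old stunnel for that site still has to be stopped first, for example via a per-instance pidfile.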