[stunnel-users] SSL VPN configuration confusion
TJ
stunnel at iam.tj
Thu Mar 28 05:47:21 CET 2013
I'm using stunnel v4.56 on Linux (Ubuntu) and trying to configure a routed tunnel in conjunction with pppd. I could do with some help to figure it out - my biggest problem is not knowing what a good
connection configuration or log looks like.
I've read lots of (old) patchy articles on how it is done but the instructions are either hopelessly out of date, or plain wrong.
During extensive trial and error I found what appeared to be bugs in the Ubuntu distro-packaged v4.42 but as I don't yet know what a successful connection log looks like they may have been red
herrings. The main issue I was trying to build out of was (on the server):
SSL accepted: new session negotiated
Negotiated ciphers: ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
TTY=/dev/pts/4 allocated
Local mode child started (PID=17247)
Remote FD=1 initialized
TCP_NODELAY: Socket operation on non-socket (88)
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
linger (remote): Socket operation on non-socket (88)
Service vpn finished (0 left)
At this point there would be no pppX interfaces.
I created an up-to-date Debian/Ubuntu package for v4.56 which has been more successful. Both ends of the link have the same x86 (i386) package installed. On the server again:
stunnel: LOG6[23986:3073268544]: SSL accepted: new session negotiated
stunnel: LOG6[23986:3073268544]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-RC4-SHA (128-bit encryption)
stunnel: LOG6[23986:3073268544]: Compression: null, expansion: null
stunnel: LOG7[23986:3073268544]: TTY=/dev/pts/5 allocated
stunnel: LOG6[23986:3073268544]: Local mode child started (PID=23989)
stunnel: LOG7[23986:3073268544]: Remote socket (FD=14) initialized
stunnel: LOG3[23986:3073268544]: TCP_NODELAY: Socket operation on non-socket (88)
stunnel: LOG4[23986:3073268544]: Failed to set remote socket options
pppd[23989]: pppd options in effect:
pppd[23989]: debug^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: updetach^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: linkname pella^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: ktune^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: unit 3^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: dump^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: nomp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noauth^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: ^I^I# (from /etc/ppp/options)
pppd[23989]: notty^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: crtscts^I^I# (from /etc/ppp/options)
pppd[23989]: local^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noaccomp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: asyncmap 0^I^I# (from /etc/ppp/options)
pppd[23989]: nopcomp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: silent^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: lcp-echo-failure 4^I^I# (from /etc/ppp/options)
pppd[23989]: lcp-echo-interval 30^I^I# (from /etc/ppp/options)
pppd[23989]: hide-password^I^I# (from /etc/ppp/options)
pppd[23989]: novj^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noipdefault^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noccp^I^I# (from /etc/ppp/peers/pella-vpn)
pppd[23989]: noipx^I^I# (from /etc/ppp/options)
pppd[23989]: pppd 2.4.5 started by root, uid 0
pppd[23989]: using channel 19
udevd[2122]: device 0xb7b0a6e8 has devpath '/devices/virtual/net/ppp3'
udevd[2122]: created empty file '/run/udev/data/n27' for '/devices/virtual/net/ppp3'
pppd[23989]: Using interface ppp3
pppd[23989]: Connect: ppp3 <--> /dev/pts/6
Both ends of the link have ppp interfaces but neither have IP addresses.
The server configuration is:
----- /etc/stunnel/pella-vpn.conf -----
CAfile = /etc/stunnel/vpn.pem
cert = /etc/stunnel/vpn.pem
key = /etc/stunnel/vpn.pem
output = /var/log/stunnel-vpn.log
#verify = 2
debug = 7
client = no
foreground = no
[vpn]
accept = 109.74.x.y:9876
exec = /usr/sbin/pppd
execargs = pppd call pella-vpn 10.254.241.1:10.254.241.2
pty = yes
----------
----- /etc/ppp/peers/pella-vpn -----
unit 3
notty
ktune
local
noipdefault
noccp
noauth
novj
nomp
nopcomp
noaccomp
silent
updetach
linkname pella
debug
dump
----------
# ifconfig ppp3
ppp3 Link encap:Point-to-Point Protocol
POINTOPOINT NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
The client configuration is:
---- /etc/network/interfaces -----
# SSL VPN to Pella
iface ppp3 inet ppp
unit 3
provider pella-vpn
pre-up /sbin/ifconfig ppp0 up
----------
----- /etc/ppp/peers/pella-vpn -----
# ensure we use ppp3 (ppp0-2 are already in use)
unit 3
ktune
local
noipdefault
noccp
noauth
novj
nomp
nopcomp
noaccomp
silent
updetach
logfd 2
linkname pella
pty "/usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn"
user "tj"
# debugging
debug
dump
----------
----- /etc/stunnel/pella.conf.vpn -----
pid = /var/run/stunnel4/pella.pid
debug = debug
output = /var/log/stunnel-pella.log
foreground = no
client=yes
connect = 109.74.x.y:9876
CAfile = /etc/stunnel/vpn.pem
# verify the peer's certificate
verify = 2
----------
# ifup ppp3
pppd options in effect:
debug # (from /etc/ppp/peers/pella-vpn)
updetach # (from command line)
logfd 2 # (from /etc/ppp/peers/pella-vpn)
linkname pella # (from /etc/ppp/peers/pella-vpn)
ktune # (from /etc/ppp/peers/pella-vpn)
unit 3 # (from command line)
dump # (from /etc/ppp/peers/pella-vpn)
nomp # (from /etc/ppp/peers/pella-vpn)
noauth # (from /etc/ppp/peers/pella-vpn)
user tj # (from /etc/ppp/peers/pella-vpn)
# (from /etc/ppp/options)
pty /usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn # (from /etc/ppp/peers/pella-vpn)
crtscts # (from /etc/ppp/options)
local # (from /etc/ppp/peers/pella-vpn)
noaccomp # (from /etc/ppp/peers/pella-vpn)
asyncmap 0 # (from /etc/ppp/options)
nopcomp # (from /etc/ppp/peers/pella-vpn)
silent # (from /etc/ppp/peers/pella-vpn)
lcp-echo-failure 4 # (from /etc/ppp/options)
lcp-echo-interval 30 # (from /etc/ppp/options)
hide-password # (from /etc/ppp/options)
novj # (from /etc/ppp/peers/pella-vpn)
noipdefault # (from /etc/ppp/peers/pella-vpn)
noccp # (from /etc/ppp/peers/pella-vpn)
noipx # (from /etc/ppp/options)
using channel 43
Using interface ppp3
Connect: ppp3 <--> /dev/pts/5
# ifconfig ppp3
ppp3 Link encap:Point-to-Point Protocol
POINTOPOINT NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
# netstat -natp | grep stun
tcp 0 0 82.71.a.b:34437 109.74.x.y:9876 ESTABLISHED 24105/stunnel4
More information about the stunnel-users
mailing list