[stunnel-users] stunnel 5.44 + pppd client side problem

Flo Rance trourance at gmail.com
Fri Apr 12 08:58:45 CEST 2019


Hi,

I never did it, but from what I've read, it seems that there's an argument
missing on the server side.

[ppp]
exec = /usr/sbin/pppd
execargs = 10.0.1.1: local debug noauth

should be

[ppp]
exec = /usr/sbin/pppd
execargs = pppd local debug noauth 10.0.1.1:


Flo

On Thu, Apr 11, 2019 at 9:53 PM Martin Got <martingot at protonmail.com> wrote:

> Trying to set up a pppd link with stunnel wrapped between two OpenBSD
> 6.4 amd64 machines.
> I use this reference article as an idea:
> http://bremford.org/tips/QuickStunnelVPN.html
>
> While connecting from the client's side with the command:
> /usr/sbin/pppd ptypA 10.0.1.2: local debug noauth passive noccp novj
> novjccomp nopcomp noaccomp name ppp-clnt connect 'stunnel
> /etc/stunnel/stunnel-client.conf'
>
> stunnel-client starts, and pppd starts on the client's end according to
> stunnel-clnt.log, but has LCP timeouts:
>
> # tail stunnel-clnt.log
> stunnel: LOG5[ui]: Configuration successful
> pppd[5421]: Connect: ppp2 <--> /dev/ptypA
> pppd[5421]: LCP: timeout sending Config-Requests
> pppd[5421]: Connection terminated.
> pppd[5421]: Connect script failed
>
> It seems there is no pppd pty client connection to the local stunnel nor
> to the remote stunnel-server afterwards. But when I tried to connect to
> the stunnel-client port 1723 using telnet:
> telnet localhost 1723
> I received pppd advertisements from the remote stunnel-server. It seems
> exec = /usr/sbin/pppd on stunnel-server is running when the client's
> stunnel-client connection appears.
>
> Can it be a problem with pppd and stunnel-client using a pty?
>
> Please advise.
>
> # cat /etc/stunnel/stunnel-server.conf
>
> ;chroot = /var/stunnel    # chroot is disabled for testing
> ;setuid = _stunnel    # stunnel started by root for testing currently
> ;setgid = _stunnel
> ; PID file is created inside the chroot jail (if enabled)
> ;pid = /stunnel.pid
> foreground = yes
> debug = 7
> ;output = log/stunnel.log     # disabled
> sslVersion = TLSv1.2
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> ; Enable support for the insecure SSLv3 protocol
> ;options = NO_SSLv3
> options = NO_TLSv1
> options = NO_TLSv1.1
> ; Fix for Eudora "error reading network" can be useful for changing packet
> length
> options = DONT_INSERT_EMPTY_FRAGMENTS
> ; These options provide additional security at some performance degradation
> ;options = SINGLE_ECDH_USE
> ;options = SINGLE_DH_USE
>
> ; *** TLS server mode services
> [ppp]
> accept = 723
> exec = /usr/sbin/pppd
> execargs = 10.0.1.1: local debug noauth
> pty = yes
> CAfile = /etc/stunnel/ca.crt
> cert = /etc/stunnel/srv.crt
> key = /etc/stunnel/private/srv.key
> verifyChain = yes
> TIMEOUTclose = 45
>
> [default]
> ; HTTP connections
> ;ciphers = ALL
> ;options = CIPHER_SERVER_PREFERENCE
> accept = 1111
> connect = 127.0.0.1:80
> CAfile = /etc/stunnel/ca.crt
> cert = /etc/stunnel/srv.crt
> key = /etc/stunnel/private/srv.key
> verifyChain = yes
> TIMEOUTclose = 0
>
> [ntp]
> connect = 127.0.0.1:123
> sni = default:ntp
> CAfile = /etc/stunnel/ca.crt
> cert = /etc/stunnel/srv.crt
> key = /etc/stunnel/private/srv.key
> verifyChain = yes
> TIMEOUTclose = 0
> --------------------
>
> # cat /etc/stunnel/stunnel-client.conf
>
> chroot = /var/stunnel
> setuid = _stunnel
> setgid = _stunnel
> pid = /stunnel-clnt.pid
> foreground = yes
> debug = 7
> ;output = log/stunnel-clnt.log
> sslVersion = TLSv1.2
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> ; Enable support for the insecure SSLv3 protocol
> ;options = NO_SSLv3
> options = NO_TLSv1
> options = NO_TLSv1.1
> ; Fix for Eudora "error reading network" can be useful for changing packet
> length
> options = DONT_INSERT_EMPTY_FRAGMENTS
> ; These options provide additional security at some performance degradation
> ;options = SINGLE_ECDH_USE
> ;options = SINGLE_DH_USE
>
> [ppp]
> client = yes
> accept = 127.0.0.1:1723     # 'accept' is absent in client's
> configuration http://bremford.org/tips/QuickStunnelVPN.html but stunnel
> reports: [!] Service [ppp]: Each service must define two endpoints on
> stunnel-5.44
> connect = STUNNEL-SERVER-IP:723
> CAfile = /etc/stunnel/ca.crt
> cert = /etc/stunnel/client.crt
> key = /etc/stunnel/client.key
> verifyChain = yes
> checkHost = hostna.me
> ;checkIP = 1.2.3.4
> --------------------
>
>
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
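The point Flo makes above (the first token of execArgs is argv[0], not an option the program sees) is easy to miss by eye, so here is an added example, not code from this thread, from stunnel or from pppd: a small Python linter that parses stunnel's INI-style config and flags a service whose execArgs does not start with the program name, and a service that lacks the two endpoints stunnel complained about in the client config. The parser is a minimal re-implementation of the syntax stunnel documents (';' and '#' comment lines, [service] headers, key = value, case-insensitive option names), it assumes stunnel splits execArgs on whitespace, and it treats a server-mode `sni = SERVICE:PATTERN` section as a slave service that inherits its accept endpoint from the master. The two sample configs are constructed from the ones quoted in the thread, with 192.0.2.10 standing in for STUNNEL-SERVER-IP.

```python
"""Lint stunnel service sections for the exec/execArgs mistake discussed
in this thread.  Added example, not stunnel's own code.  The parser is a
minimal re-implementation of the config syntax stunnel documents; the
sample configs below are constructed from the ones quoted in the thread."""

import os

# Constructed from the server config quoted above (TLS options omitted).
SERVER_CONF = """
foreground = yes
debug = 7

[ppp]
accept = 723
exec = /usr/sbin/pppd
execargs = 10.0.1.1: local debug noauth
pty = yes
CAfile = /etc/stunnel/ca.crt
verifyChain = yes

[default]
accept = 1111
connect = 127.0.0.1:80

[ntp]
connect = 127.0.0.1:123
sni = default:ntp
"""

# Constructed from the client config quoted above; 192.0.2.10 is a
# placeholder for STUNNEL-SERVER-IP.
CLIENT_CONF = """
[ppp]
client = yes
accept = 127.0.0.1:1723
connect = 192.0.2.10:723
CAfile = /etc/stunnel/ca.crt
verifyChain = yes
checkHost = hostna.me
"""


def parse_stunnel_conf(text):
    """Return (global_options, services).  Each is a list of (key, value)
    with keys lower-cased; repeated keys (e.g. several 'options =') are kept."""
    global_opts, services, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip()
            services[current] = []
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        target = global_opts if current is None else services[current]
        target.append((key.strip().lower(), value.strip()))
    return global_opts, services


def exec_argv(service_opts):
    """(exec path, argv) that the service would hand to the program.
    Assumption: execArgs is split on whitespace and its first token is
    argv[0], as the manual's '$ARG0 $ARG1 ...' description implies."""
    opts = dict(service_opts)
    if 'exec' not in opts:
        return None
    return opts['exec'], opts.get('execargs', '').split()


def lint_service(name, service_opts):
    """Return a list of findings (strings) for one [service] section."""
    opts = {}
    for k, v in service_opts:
        opts.setdefault(k, v)          # first occurrence wins
    findings = []
    is_client = opts.get('client', 'no').lower() == 'yes'
    # Server-mode 'sni = SERVICE:PATTERN' marks a slave service whose accept
    # endpoint comes from the master, so the two-endpoint rule does not apply.
    sni_slave = (not is_client) and ':' in opts.get('sni', '')
    has_accept = 'accept' in opts
    has_target = 'connect' in opts or 'exec' in opts
    if not sni_slave and not (has_accept and has_target):
        findings.append(f"[{name}]: each service must define two endpoints "
                        f"(accept plus connect or exec)")
    if 'exec' in opts:
        path, argv = exec_argv(service_opts)
        prog = os.path.basename(path)
        # Only judge execArgs when it is present; its first token is argv[0].
        if argv and os.path.basename(argv[0]) != prog:
            findings.append(f"[{name}]: execArgs starts with {argv[0]!r}, "
                            f"which becomes argv[0] and is never seen as an "
                            f"option; expected {prog!r} first")
    return findings


def lint_conf(text):
    """Lint every service section of a stunnel config; [] means clean."""
    _, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        findings.extend(lint_service(name, opts))
    return findings


if __name__ == '__main__':
    for label, conf in (('server', SERVER_CONF), ('client', CLIENT_CONF)):
        print(label, lint_conf(conf) or ['ok'])
```

Run against the constructed server config it reports exactly one finding, for [ppp], and `exec_argv` shows why: pppd is started with argv `['10.0.1.1:', 'local', 'debug', 'noauth']`, so the remote address is consumed as the program name and the option list pppd actually parses is `local debug noauth`. With the execArgs Flo suggests the finding disappears; the [ntp] section passes because it is an SNI slave of [default].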