[stunnel-users] stunnel 5.44 + pppd client side problem
Martin Got
martingot at protonmail.com
Mon Apr 15 22:31:21 CEST 2019
No luck, unfortunately.
pppd option is not needed for OpenBSD pppd implementation (no this option available for pppd).
It seems a client side problem at all. Server side replies to test telnet connection.
Any ideas?
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, April 12, 2019 7:58 AM, Flo Rance <trourance at gmail.com> wrote:
> Hi,
>
> I never did it, but from what I've read, it seems that there's an argument missing on the server side.
>
> [ppp]
> exec = /usr/sbin/pppd
> execargs = 10.0.1.1: local debug noauth
>
> should be
>
> [ppp]
> exec = /usr/sbin/pppd
> execargs = pppd local debug noauth 10.0.1.1:
>
> Flo
>
> On Thu, Apr 11, 2019 at 9:53 PM Martin Got <martingot at protonmail.com> wrote:
>
>> Trying to set up pppd link with stunnel wrapped between two OpenBSD 6.4amd64 machines.
>> I use this reference article as an idea: http://bremford.org/tips/QuickStunnelVPN.html
>>
>> While connecting from client's side by command:
>> /usr/sbin/pppd ptypA 10.0.1.2: local debug noauth passive noccp novj novjccomp nopcomp noaccomp name ppp-clnt connect 'stunnel /etc/stunnel/stunnel-client.conf
>>
>> stunnel-client starts, pppd starts on client's end according to stunnel-clnt.log, but has LCP timeouts:
>>
>> # tail stunnel-clnt.log
>> stunnel: LOG5[ui]: Configuration successful
>> pppd[5421]: Connect: ppp2 <--> /dev/ptypA
>> pppd[5421]: LCP: timeout sending Config-Requests
>> pppd[5421]: Connection terminated.
>> pppd[5421]: Connect script failed
>>
>> It seems no pppd pty client connection to stunnel-local nor remote stunnel-server afterwards. But when I tried to connect to stunnel-client port 1723 using telnet:
>> telnet localhost 1723
>> I received pppd advertisements from remote stunnel-server. It seems exec = /usr/sbin/pppd on stunnel-server is running when client's stunnel-client connection appeared.
>>
>> Can it be a problem with pppd and stunnel-client using pty?
>>
>> Please advice.
>>
>> # cat /etc/stunnel/stunnel-server.conf
>>
>> ;chroot = /var/stunnel # chroot is disabled for testing
>> ;setuid = _stunnel # stunnel started by root for testing currently
>> ;setgid = _stunnel
>> ; PID file is created inside the chroot jail (if enabled)
>> ;pid = /stunnel.pid
>> foreground = yes
>> debug = 7
>> ;output = log/stunnel.log # disabled
>> sslVersion = TLSv1.2
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> ; Enable support for the insecure SSLv3 protocol
>> ;options = NO_SSLv3
>> options = NO_TLSv1
>> options = NO_TLSv1.1
>> ; Fix for Eudora "error reading network" can be useful for changing packet length
>> options = DONT_INSERT_EMPTY_FRAGMENTS
>> ; These options provide additional security at some performance degradation
>> ;options = SINGLE_ECDH_USE
>> ;options = SINGLE_DH_USE
>>
>> ; *** TLS server mode services
>> [ppp]
>> accept = 723
>> exec = /usr/sbin/pppd
>> execargs = 10.0.1.1: local debug noauth
>> pty = yes
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/srv.crt
>> key = /etc/stunnel/private/srv.key
>> verifyChain = yes
>> TIMEOUTclose = 45
>>
>> [default]
>> ; HTTP connections
>> ;ciphers = ALL
>> ;options = CIPHER_SERVER_PREFERENCE
>> accept = 1111
>> connect = 127.0.0.1:80
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/srv.crt
>> key = /etc/stunnel/private/srv.key
>> verifyChain = yes
>> TIMEOUTclose = 0
>>
>> [ntp]
>> connect = 127.0.0.1:123
>> sni = default:ntp
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/srv.crt
>> key = /etc/stunnel/private/srv.key
>> verifyChain = yes
>> TIMEOUTclose = 0
>> --------------------
>>
>> # cat /etc/stunnel/stunnel-client.conf
>>
>> chroot = /var/stunnel
>> setuid = _stunnel
>> setgid = _stunnel
>> pid = /stunnel-clnt.pid
>> foreground = yes
>> debug = 7
>> ;output = log/stunnel-clnt.log
>> sslVersion = TLSv1.2
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> ; Enable support for the insecure SSLv3 protocol
>> ;options = NO_SSLv3
>> options = NO_TLSv1
>> options = NO_TLSv1.1
>> ; Fix for Eudora "error reading network" can be useful for changing packet length
>> options = DONT_INSERT_EMPTY_FRAGMENTS
>> ; These options provide additional security at some performance degradation
>> ;options = SINGLE_ECDH_USE
>> ;options = SINGLE_DH_USE
>>
>> [ppp]
>> client = yes
>> accept = 127.0.0.1:1723 # 'accept' is absent in client's configuration http://bremford.org/tips/QuickStunnelVPN.htmlbut stunnel reports: [!] Service [ppp]: Each service must define two endpoints on stunnel-5.44
>> connect = STUNNEL-SERVER-IP:723
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/client.crt
>> key = /etc/stunnel/client.key
>> verifyChain = yes
>> checkHost = hostna.me
>> ;checkIP = 1.2.3.4
>> --------------------
>>
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190415/73cfc389/attachment.html>
More information about the stunnel-users
mailing list