amires Posted ...
Hi all, I am trying to configure OpenVPN via stunnel. I need to have the OpenVPN client and the stunnel client on different machines on my local network. What I am trying to do is install and configure the stunnel client on a Raspberry Pi 4 which I have on my home network and have the OpenVPN client on my phone connect to this stunnel client. Simply changing the 127.0.0.1 lines in the ssl and ovpn config files to the local IP of the Raspberry Pi doesn't work. What do I need to do to achieve this? Thank you in advance.
OpenSourcerer Posted ...
2 hours ago, amires said:
What do I need to do to achieve this?
I'm sorry, are you looking for help to set this up, or are you struggling with a particular step of the setup process? If the latter, outline what you did and where you're stuck, maybe post the guide you're following. If the former, please consult the internet for guides on how to set this up. Manual setup requires things like generating certificates and keys and configuring stunnel to use them.
amires Posted ...
1 hour ago, OpenSourcerer said:
I'm sorry, are you looking for help to set this up, or are you struggling with a particular step of the setup process? If the latter, outline what you did and where you're stuck, maybe post the guide you're following. If the former, please consult the internet for guides on how to set this up. Manual setup requires things like generating certificates and keys and configuring stunnel to use them.
Many thanks for your reply. I have already set this up on my Windows PC using configs generated by the config generator, and it is working as it should when both the OpenVPN client and the stunnel client are running on the same machine. For testing purposes I installed another Windows in VMware Workstation, moved the stunnel client there and modified the ssl config file to reference the local IP address of the virtual machine instead of 127.0.0.1. I also changed the OpenVPN client config file on my Windows machine to reference this IP as well. Now when I run both the stunnel client on the virtual machine and the OpenVPN client on my Windows machine I get the following outputs.

stunnel output on the virtual machine:
2022.10.17 23:48:42 LOG5[ui]: stunnel 5.56 on x86-pc-mingw32-gnu platform
2022.10.17 23:48:42 LOG5[ui]: Compiled/running with OpenSSL 1.1.1g 21 Apr 2020
2022.10.17 23:48:42 LOG5[ui]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2022.10.17 23:48:42 LOG5[ui]: Reading configuration from file AirVPN_DE-Berlin_Cujam_SSL-28439.ssl
2022.10.17 23:48:42 LOG5[ui]: UTF-8 byte order mark not detected
2022.10.17 23:48:42 LOG6[ui]: Initializing service [openvpn]
2022.10.17 23:48:42 LOG5[ui]: Configuration successful
2022.10.17 23:48:42 LOG6[ui]: Service [openvpn] (FD=256) bound to 192.168.2.49:1413
2022.10.17 23:48:42 LOG6[cron]: Executing cron jobs
2022.10.17 23:48:42 LOG6[cron]: Cron jobs completed in 0 seconds
2022.10.17 23:49:40 LOG5[0]: Service [openvpn] accepted connection from 192.168.2.20:58346
2022.10.17 23:49:40 LOG6[0]: s_connect: connecting 37.120.217.242:28439
2022.10.17 23:49:40 LOG5[0]: s_connect: connected 37.120.217.242:28439
2022.10.17 23:49:40 LOG5[0]: Service [openvpn] connected remote server from 192.168.2.49:55169
2022.10.17 23:49:40 LOG6[0]: SNI: sending servername: 37.120.217.242
2022.10.17 23:49:40 LOG6[0]: Peer certificate required
2022.10.17 23:49:40 LOG6[0]: CERT: No subject checks configured
2022.10.17 23:49:40 LOG6[0]: CERT: Locally installed certificate matched
2022.10.17 23:49:40 LOG5[0]: Certificate accepted at depth=0: C=IT, ST=Italy, L=Perugia, O=AirVPN, OU=stunnel, CN=stunnel.airvpn.org, emailAddress=info@airvpn.org
2022.10.17 23:49:40 LOG6[0]: Client certificate not requested
2022.10.17 23:49:40 LOG6[0]: Session id: DD623EC91C672A716BCC23585FE02339E3457573A4443B75B6535F0F9DF99CCA
2022.10.17 23:49:40 LOG6[0]: TLS connected: new session negotiated
2022.10.17 23:49:40 LOG6[0]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2022.10.17 23:49:50 LOG5[1]: Service [openvpn] accepted connection from 192.168.2.20:58365
2022.10.17 23:49:50 LOG6[1]: s_connect: connecting 37.120.217.242:28439
2022.10.17 23:49:50 LOG5[1]: s_connect: connected 37.120.217.242:28439
2022.10.17 23:49:50 LOG5[1]: Service [openvpn] connected remote server from 192.168.2.49:55170
2022.10.17 23:49:50 LOG6[1]: SNI: sending servername: 37.120.217.242
2022.10.17 23:49:50 LOG6[1]: Peer certificate required
2022.10.17 23:49:50 LOG6[1]: TLS connected: previous session reused
2022.10.17 23:49:50 LOG6[1]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2022.10.17 23:49:50 LOG6[1]: Session id: DD623EC91C672A716BCC23585FE02339E3457573A4443B75B6535F0F9DF99CCA
2022.10.17 23:49:51 LOG6[0]: TLS closed (SSL_read)
2022.10.17 23:50:00 LOG3[1]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2022.10.17 23:50:00 LOG5[1]: Connection reset: 18615 byte(s) sent to TLS, 20816 byte(s) sent to socket

OpenVPN output on the Windows machine:
2022-10-17 23:49:40 OpenVPN 2.5.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 27 2022
2022-10-17 23:49:40 Windows version 10.0 (Windows 10 or greater) 64bit
2022-10-17 23:49:40 library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
2022-10-17 23:49:40 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-17 23:49:40 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-17 23:49:40 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.2.49:1413
2022-10-17 23:49:40 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-10-17 23:49:40 Attempting to establish TCP connection with [AF_INET]192.168.2.49:1413 [nonblock]
2022-10-17 23:49:40 TCP connection established with [AF_INET]192.168.2.49:1413
2022-10-17 23:49:40 TCP_CLIENT link local: (not bound)
2022-10-17 23:49:40 TCP_CLIENT link remote: [AF_INET]192.168.2.49:1413
2022-10-17 23:49:41 TLS: Initial packet from [AF_INET]192.168.2.49:1413, sid=448dd50c 91cf5224
2022-10-17 23:49:41 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
2022-10-17 23:49:41 VERIFY KU OK
2022-10-17 23:49:41 Validating certificate extended key usage
2022-10-17 23:49:41 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-17 23:49:41 VERIFY EKU OK
2022-10-17 23:49:41 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Cujam, emailAddress=info@airvpn.org
2022-10-17 23:49:41 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-10-17 23:49:41 [Cujam] Peer Connection Initiated with [AF_INET]192.168.2.49:1413
2022-10-17 23:49:41 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.11.113.1,route-gateway 10.11.113.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.11.113.222 255.255.255.0,peer-id 0,cipher CHACHA20-POLY1305'
2022-10-17 23:49:41 OPTIONS IMPORT: timers and/or timeouts modified
2022-10-17 23:49:41 OPTIONS IMPORT: compression parms modified
2022-10-17 23:49:41 OPTIONS IMPORT: --ifconfig/up options modified
2022-10-17 23:49:41 OPTIONS IMPORT: route options modified
2022-10-17 23:49:41 OPTIONS IMPORT: route-related options modified
2022-10-17 23:49:41 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-10-17 23:49:41 OPTIONS IMPORT: peer-id set
2022-10-17 23:49:41 OPTIONS IMPORT: adjusting link_mtu to 1627
2022-10-17 23:49:41 OPTIONS IMPORT: data channel crypto options modified
2022-10-17 23:49:41 Data Channel: using negotiated cipher 'CHACHA20-POLY1305'
2022-10-17 23:49:41 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-10-17 23:49:41 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-10-17 23:49:41 interactive service msg_channel=0
2022-10-17 23:49:41 open_tun
2022-10-17 23:49:41 tap-windows6 device [Local Area Connection] opened
2022-10-17 23:49:41 TAP-Windows Driver Version 9.24
2022-10-17 23:49:41 Set TAP-Windows TUN subnet mode network/local/netmask = 10.11.113.0/10.11.113.222/255.255.255.0 [SUCCEEDED]
2022-10-17 23:49:41 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.11.113.222/255.255.255.0 on interface {94E2293C-799E-478C-847D-F07866B297E6} [DHCP-serv: 10.11.113.0, lease-time: 31536000]
2022-10-17 23:49:41 Successful ARP Flush on interface [56] {94E2293C-799E-478C-847D-F07866B297E6}
2022-10-17 23:49:41 IPv4 MTU set to 1500 on interface 56 using SetIpInterfaceEntry()
2022-10-17 23:49:46 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2022-10-17 23:49:46 C:\WINDOWS\system32\route.exe ADD 192.168.2.49 MASK 255.255.255.255 192.168.2.1 IF 13
2022-10-17 23:49:46 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
2022-10-17 23:49:46 Route addition via IPAPI succeeded [adaptive]
2022-10-17 23:49:46 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-17 23:49:46 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
2022-10-17 23:49:46 Route addition via IPAPI succeeded [adaptive]
2022-10-17 23:49:46 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-17 23:49:46 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
2022-10-17 23:49:46 Route addition via IPAPI succeeded [adaptive]
2022-10-17 23:49:46 Initialization Sequence Completed
2022-10-17 23:49:46 Connection reset, restarting [-1]
2022-10-17 23:49:46 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-17 23:49:46 Restart pause, 5 second(s)
2022-10-17 23:49:51 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-17 23:49:51 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-17 23:49:51 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.2.49:1413
2022-10-17 23:49:51 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-10-17 23:49:51 Attempting to establish TCP connection with [AF_INET]192.168.2.49:1413 [nonblock]
2022-10-17 23:49:51 TCP connection established with [AF_INET]192.168.2.49:1413
2022-10-17 23:49:51 TCP_CLIENT link local: (not bound)
2022-10-17 23:49:51 TCP_CLIENT link remote: [AF_INET]192.168.2.49:1413
2022-10-17 23:49:51 TLS: Initial packet from [AF_INET]192.168.2.49:1413, sid=8122fdd2 193d9f92
2022-10-17 23:49:51 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
2022-10-17 23:49:51 VERIFY KU OK
2022-10-17 23:49:51 Validating certificate extended key usage
2022-10-17 23:49:51 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-17 23:49:51 VERIFY EKU OK
2022-10-17 23:49:51 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Cujam, emailAddress=info@airvpn.org
2022-10-17 23:49:51 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-10-17 23:49:51 [Cujam] Peer Connection Initiated with [AF_INET]192.168.2.49:1413
2022-10-17 23:49:52 SENT CONTROL [Cujam]: 'PUSH_REQUEST' (status=1)
2022-10-17 23:49:52 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.11.113.1,route-gateway 10.11.113.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.11.113.222 255.255.255.0,peer-id 0,cipher CHACHA20-POLY1305'
2022-10-17 23:49:52 OPTIONS IMPORT: timers and/or timeouts modified
2022-10-17 23:49:52 OPTIONS IMPORT: compression parms modified
2022-10-17 23:49:52 OPTIONS IMPORT: --ifconfig/up options modified
2022-10-17 23:49:52 OPTIONS IMPORT: route options modified
2022-10-17 23:49:52 OPTIONS IMPORT: route-related options modified
2022-10-17 23:49:52 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-10-17 23:49:52 OPTIONS IMPORT: peer-id set
2022-10-17 23:49:52 OPTIONS IMPORT: adjusting link_mtu to 1627
2022-10-17 23:49:52 OPTIONS IMPORT: data channel crypto options modified
2022-10-17 23:49:52 Data Channel: using negotiated cipher 'CHACHA20-POLY1305'
2022-10-17 23:49:52 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-10-17 23:49:52 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-10-17 23:49:52 Preserving previous TUN/TAP instance: Local Area Connection
2022-10-17 23:49:52 Initialization Sequence Completed

At this point the tunnel wouldn't work, and every 10 seconds or so OpenVPN disconnects and reconnects with connection reset error messages, and I could see connection reset error messages in the stunnel logs as well.
Flx Posted ...
3 hours ago, amires said:
tap-windows6 device [Local Area Connection] opened
Switch to Wintun.
amires Posted ...
10 hours ago, Flx said:
13 hours ago, amires said:
tap-windows6 device [Local Area Connection] opened
Switch to Wintun.
Thank you for your suggestion. I tried it; however, it didn't make any difference. I think I found the problem. It has something to do with the way OpenVPN adds routes. I added the option route-nopull to my OpenVPN config file to prevent OpenVPN from modifying my routing table, and now the connection seems to proceed without errors or any disconnections. Here are the OpenVPN log lines for the route commands when both stunnel and OpenVPN are on the same machine:
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 127.0.0.1 MASK 255.255.255.255 192.168.2.1
2022-10-18 13:36:01 Route addition via service succeeded
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-18 13:36:01 Route addition via service succeeded
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-18 13:36:01 Route addition via service succeeded
2022-10-18 13:36:01 MANAGEMENT: >STATE:1666087561,ADD_ROUTES,,,,,,
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 37.120.217.242 MASK 255.255.255.255 192.168.2.1
2022-10-18 13:36:01 Route addition via service succeeded

However, when they are on different machines I have:
2022-10-18 13:40:45 C:\WINDOWS\system32\route.exe ADD 192.168.2.49 MASK 255.255.255.255 192.168.2.1 IF 13
2022-10-18 13:40:45 Route addition via service succeeded
2022-10-18 13:40:45 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-18 13:40:45 Route addition via service succeeded
2022-10-18 13:40:45 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-18 13:40:45 Route addition via service succeeded

It looks like OpenVPN is adding a route for 192.168.2.49, which is the machine stunnel is running on. It is not necessary since it is on the same network OpenVPN is running on. If I could just find a way to prevent OpenVPN from adding this route, I think the issue will be fixed. Any suggestions?
amires Posted ...
UPDATE: Finally I was able to fix it. I added the following line to my OpenVPN config file:
redirect-gateway local
This prevented OpenVPN from adding a static route for the machine stunnel was running on. Now I can have the OpenVPN client and the stunnel client on different machines on the same network. The connection from my iPhone to stunnel was successful as well.
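The routing behaviour this thread converged on, written up as an added example (not the poster's files or AirVPN's generated configs): it reads a constructed client config together with the server-pushed PUSH_REPLY options, lists the routes OpenVPN's redirect-gateway adds with and without the local flag (per the OpenVPN manual, which matches the route.exe lines above), and flags the case where the remote is a host on the LAN, as 192.168.2.49 was. The config text, the PUSH_REPLY string, the function names and the 192.168.2.0/24 LAN with gateway 192.168.2.1 are assumptions.

```python
import ipaddress

# Constructed client config for the split setup in this thread: stunnel listens on
# another LAN host (192.168.2.49:1413), so "remote" points there, not at 127.0.0.1.
OVPN_BROKEN = """client
dev tun
proto tcp
remote 192.168.2.49 1413
"""
OVPN_FIXED = OVPN_BROKEN + "redirect-gateway local\n"  # the fix from the last post

# Constructed PUSH_REPLY carrying the server-pushed options seen in the logs above.
PUSH_REPLY = ("PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,"
              "route-gateway 10.11.113.1,topology subnet,ifconfig 10.11.113.222 255.255.255.0")


def parse_options(config_text, push_reply):
    """Collect remote host, route-gateway and redirect-gateway flags from the local
    config plus the pushed options; OpenVPN ORs the flags from every occurrence."""
    remote, vpn_gw, flags = None, None, set()
    for line in config_text.splitlines() + push_reply.split(",")[1:]:
        parts = line.split("#", 1)[0].split() or [""]  # drop comments, skip blanks
        if parts[0] == "remote" and len(parts) > 1:
            remote = parts[1]
        elif parts[0] == "route-gateway" and len(parts) > 1:
            vpn_gw = parts[1]
        elif parts[0] == "redirect-gateway":
            flags.update(parts[1:])
    return remote, vpn_gw, flags


def planned_routes(remote, vpn_gw, flags, lan_gw):
    """Routes redirect-gateway adds, per the OpenVPN manual: a /32 for the remote via the
    old default gateway (omitted with 'local'), then 0/1 + 128/1 (def1) or a new default."""
    routes = [] if "local" in flags else [(f"{remote}/32", lan_gw)]
    if "def1" in flags:
        routes += [("0.0.0.0/1", vpn_gw), ("128.0.0.0/1", vpn_gw)]
    else:
        routes.append(("0.0.0.0/0", vpn_gw))
    return routes


def misroutes_lan_peer(remote, flags, lan_net):
    """True when that /32 would steer traffic for a LAN-local stunnel host to the
    router instead of directly onto the LAN: the failure this thread ran into."""
    if "local" in flags:
        return False
    try:
        ip = ipaddress.ip_address(remote)
    except ValueError:
        return False  # hostname rather than an address: resolve it first
    return ip in ipaddress.ip_network(lan_net, strict=False)
```

Run parse_options on a config plus its PUSH_REPLY, then planned_routes and misroutes_lan_peer on the result; the broken config yields the 192.168.2.49/32 route via 192.168.2.1 and the fixed one does not.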