amires

ANSWERED openvpn via stunnel help needed

Hi all,

I am trying to configure openvpn via stunnel. I need to have openvpn client and stunnel client on different machines on my local network. What I am trying to do is
install and configure stunnel client on a raspberry pi 4 which I have on my home network and have openvpn client on my phone to connect to this stunnel client.
Simply changing the 127.0.0.1 lines in ssl and ovpn config files to the local ip of raspberry pi doesn't work. What do I need to do to achieve this? Thank you in advance.

2 hours ago, amires said:

What do I need to do to achieve this?


I'm sorry, are you looking for help to set this up, or are you struggling with a particular step of the setup process? If the latter, outline what you did and where you're stuck, maybe post the guide you're following.

If the former, please consult the internet for guides on how to set this up. Manual setup requires things like generating certificates and keys and configuring stunnel to use them.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

1 hour ago, OpenSourcerer said:

I'm sorry, are you looking for help to set this up, or are you struggling with a particular step of the setup process? If the latter, outline what you did and where you're stuck, maybe post the guide you're following.

If the former, please consult the internet for guides on how to set this up. Manual setup requires things like generating certificates and keys and configure stunnel to use them.


Many thanks for your reply. I have already set this up on my Windows PC using configs generated by the config generator, and it is working as it should when both the openvpn client and the stunnel client are running on the same machine. For testing purposes I installed another Windows in VMware Workstation, moved the stunnel client there and modified the ssl config file to reference the local IP address of the virtual machine instead of 127.0.0.1. I also changed the openvpn client config file on my Windows machine to reference this IP as well. Now when I run both the stunnel client on the virtual machine and the openvpn client on my Windows machine I get the following outputs:

stunnel output on virtual machine:
2022.10.17 23:48:42 LOG5[ui]: stunnel 5.56 on x86-pc-mingw32-gnu platform
2022.10.17 23:48:42 LOG5[ui]: Compiled/running with OpenSSL 1.1.1g  21 Apr 2020
2022.10.17 23:48:42 LOG5[ui]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2022.10.17 23:48:42 LOG5[ui]: Reading configuration from file AirVPN_DE-Berlin_Cujam_SSL-28439.ssl
2022.10.17 23:48:42 LOG5[ui]: UTF-8 byte order mark not detected
2022.10.17 23:48:42 LOG6[ui]: Initializing service [openvpn]
2022.10.17 23:48:42 LOG5[ui]: Configuration successful
2022.10.17 23:48:42 LOG6[ui]: Service [openvpn] (FD=256) bound to 192.168.2.49:1413
2022.10.17 23:48:42 LOG6[cron]: Executing cron jobs
2022.10.17 23:48:42 LOG6[cron]: Cron jobs completed in 0 seconds
2022.10.17 23:49:40 LOG5[0]: Service [openvpn] accepted connection from 192.168.2.20:58346
2022.10.17 23:49:40 LOG6[0]: s_connect: connecting 37.120.217.242:28439
2022.10.17 23:49:40 LOG5[0]: s_connect: connected 37.120.217.242:28439
2022.10.17 23:49:40 LOG5[0]: Service [openvpn] connected remote server from 192.168.2.49:55169
2022.10.17 23:49:40 LOG6[0]: SNI: sending servername: 37.120.217.242
2022.10.17 23:49:40 LOG6[0]: Peer certificate required
2022.10.17 23:49:40 LOG6[0]: CERT: No subject checks configured
2022.10.17 23:49:40 LOG6[0]: CERT: Locally installed certificate matched
2022.10.17 23:49:40 LOG5[0]: Certificate accepted at depth=0: C=IT, ST=Italy, L=Perugia, O=AirVPN, OU=stunnel, CN=stunnel.airvpn.org, emailAddress=info@airvpn.org
2022.10.17 23:49:40 LOG6[0]: Client certificate not requested
2022.10.17 23:49:40 LOG6[0]: Session id: DD623EC91C672A716BCC23585FE02339E3457573A4443B75B6535F0F9DF99CCA
2022.10.17 23:49:40 LOG6[0]: TLS connected: new session negotiated
2022.10.17 23:49:40 LOG6[0]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2022.10.17 23:49:50 LOG5[1]: Service [openvpn] accepted connection from 192.168.2.20:58365
2022.10.17 23:49:50 LOG6[1]: s_connect: connecting 37.120.217.242:28439
2022.10.17 23:49:50 LOG5[1]: s_connect: connected 37.120.217.242:28439
2022.10.17 23:49:50 LOG5[1]: Service [openvpn] connected remote server from 192.168.2.49:55170
2022.10.17 23:49:50 LOG6[1]: SNI: sending servername: 37.120.217.242
2022.10.17 23:49:50 LOG6[1]: Peer certificate required
2022.10.17 23:49:50 LOG6[1]: TLS connected: previous session reused
2022.10.17 23:49:50 LOG6[1]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2022.10.17 23:49:50 LOG6[1]: Session id: DD623EC91C672A716BCC23585FE02339E3457573A4443B75B6535F0F9DF99CCA
2022.10.17 23:49:51 LOG6[0]: TLS closed (SSL_read)
2022.10.17 23:50:00 LOG3[1]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2022.10.17 23:50:00 LOG5[1]: Connection reset: 18615 byte(s) sent to TLS, 20816 byte(s) sent to socket

OpenVPN output on Windows machine:
2022-10-17 23:49:40 OpenVPN 2.5.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 27 2022
2022-10-17 23:49:40 Windows version 10.0 (Windows 10 or greater) 64bit
2022-10-17 23:49:40 library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
2022-10-17 23:49:40 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-17 23:49:40 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-17 23:49:40 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.2.49:1413
2022-10-17 23:49:40 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-10-17 23:49:40 Attempting to establish TCP connection with [AF_INET]192.168.2.49:1413 [nonblock]
2022-10-17 23:49:40 TCP connection established with [AF_INET]192.168.2.49:1413
2022-10-17 23:49:40 TCP_CLIENT link local: (not bound)
2022-10-17 23:49:40 TCP_CLIENT link remote: [AF_INET]192.168.2.49:1413
2022-10-17 23:49:41 TLS: Initial packet from [AF_INET]192.168.2.49:1413, sid=448dd50c 91cf5224
2022-10-17 23:49:41 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
2022-10-17 23:49:41 VERIFY KU OK
2022-10-17 23:49:41 Validating certificate extended key usage
2022-10-17 23:49:41 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-17 23:49:41 VERIFY EKU OK
2022-10-17 23:49:41 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Cujam, emailAddress=info@airvpn.org
2022-10-17 23:49:41 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-10-17 23:49:41 [Cujam] Peer Connection Initiated with [AF_INET]192.168.2.49:1413
2022-10-17 23:49:41 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway  def1 bypass-dhcp,dhcp-option DNS 10.11.113.1,route-gateway 10.11.113.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.11.113.222 255.255.255.0,peer-id 0,cipher CHACHA20-POLY1305'
2022-10-17 23:49:41 OPTIONS IMPORT: timers and/or timeouts modified
2022-10-17 23:49:41 OPTIONS IMPORT: compression parms modified
2022-10-17 23:49:41 OPTIONS IMPORT: --ifconfig/up options modified
2022-10-17 23:49:41 OPTIONS IMPORT: route options modified
2022-10-17 23:49:41 OPTIONS IMPORT: route-related options modified
2022-10-17 23:49:41 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-10-17 23:49:41 OPTIONS IMPORT: peer-id set
2022-10-17 23:49:41 OPTIONS IMPORT: adjusting link_mtu to 1627
2022-10-17 23:49:41 OPTIONS IMPORT: data channel crypto options modified
2022-10-17 23:49:41 Data Channel: using negotiated cipher 'CHACHA20-POLY1305'
2022-10-17 23:49:41 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-10-17 23:49:41 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-10-17 23:49:41 interactive service msg_channel=0
2022-10-17 23:49:41 open_tun
2022-10-17 23:49:41 tap-windows6 device [Local Area Connection] opened
2022-10-17 23:49:41 TAP-Windows Driver Version 9.24
2022-10-17 23:49:41 Set TAP-Windows TUN subnet mode network/local/netmask = 10.11.113.0/10.11.113.222/255.255.255.0 [SUCCEEDED]
2022-10-17 23:49:41 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.11.113.222/255.255.255.0 on interface {94E2293C-799E-478C-847D-F07866B297E6} [DHCP-serv: 10.11.113.0, lease-time: 31536000]
2022-10-17 23:49:41 Successful ARP Flush on interface [56] {94E2293C-799E-478C-847D-F07866B297E6}
2022-10-17 23:49:41 IPv4 MTU set to 1500 on interface 56 using SetIpInterfaceEntry()
2022-10-17 23:49:46 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2022-10-17 23:49:46 C:\WINDOWS\system32\route.exe ADD 192.168.2.49 MASK 255.255.255.255 192.168.2.1 IF 13
2022-10-17 23:49:46 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
2022-10-17 23:49:46 Route addition via IPAPI succeeded [adaptive]
2022-10-17 23:49:46 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-17 23:49:46 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
2022-10-17 23:49:46 Route addition via IPAPI succeeded [adaptive]
2022-10-17 23:49:46 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-17 23:49:46 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
2022-10-17 23:49:46 Route addition via IPAPI succeeded [adaptive]
2022-10-17 23:49:46 Initialization Sequence Completed
2022-10-17 23:49:46 Connection reset, restarting [-1]
2022-10-17 23:49:46 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-17 23:49:46 Restart pause, 5 second(s)
2022-10-17 23:49:51 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-17 23:49:51 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-17 23:49:51 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.2.49:1413
2022-10-17 23:49:51 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-10-17 23:49:51 Attempting to establish TCP connection with [AF_INET]192.168.2.49:1413 [nonblock]
2022-10-17 23:49:51 TCP connection established with [AF_INET]192.168.2.49:1413
2022-10-17 23:49:51 TCP_CLIENT link local: (not bound)
2022-10-17 23:49:51 TCP_CLIENT link remote: [AF_INET]192.168.2.49:1413
2022-10-17 23:49:51 TLS: Initial packet from [AF_INET]192.168.2.49:1413, sid=8122fdd2 193d9f92
2022-10-17 23:49:51 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
2022-10-17 23:49:51 VERIFY KU OK
2022-10-17 23:49:51 Validating certificate extended key usage
2022-10-17 23:49:51 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-17 23:49:51 VERIFY EKU OK
2022-10-17 23:49:51 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Cujam, emailAddress=info@airvpn.org
2022-10-17 23:49:51 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-10-17 23:49:51 [Cujam] Peer Connection Initiated with [AF_INET]192.168.2.49:1413
2022-10-17 23:49:52 SENT CONTROL [Cujam]: 'PUSH_REQUEST' (status=1)
2022-10-17 23:49:52 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway  def1 bypass-dhcp,dhcp-option DNS 10.11.113.1,route-gateway 10.11.113.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.11.113.222 255.255.255.0,peer-id 0,cipher CHACHA20-POLY1305'
2022-10-17 23:49:52 OPTIONS IMPORT: timers and/or timeouts modified
2022-10-17 23:49:52 OPTIONS IMPORT: compression parms modified
2022-10-17 23:49:52 OPTIONS IMPORT: --ifconfig/up options modified
2022-10-17 23:49:52 OPTIONS IMPORT: route options modified
2022-10-17 23:49:52 OPTIONS IMPORT: route-related options modified
2022-10-17 23:49:52 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-10-17 23:49:52 OPTIONS IMPORT: peer-id set
2022-10-17 23:49:52 OPTIONS IMPORT: adjusting link_mtu to 1627
2022-10-17 23:49:52 OPTIONS IMPORT: data channel crypto options modified
2022-10-17 23:49:52 Data Channel: using negotiated cipher 'CHACHA20-POLY1305'
2022-10-17 23:49:52 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-10-17 23:49:52 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-10-17 23:49:52 Preserving previous TUN/TAP instance: Local Area Connection
2022-10-17 23:49:52 Initialization Sequence Completed

At this point the tunnel wouldn't work and every 10 seconds or so OpenVPN disconnects and reconnects with connection reset error messages and I could see connection reset error messages in stunnel logs as well.

10 hours ago, Flx said:
13 hours ago, amires said:

tap-windows6 device [Local Area Connection] opened

Switch to Wintun.

Thank you for your suggestion. I tried it however it didn't make any difference.

I think I found the problem. It has something to do with the way openvpn adds routes. I added the option route-nopull to my openvpn config file to prevent openvpn from modifying my routing table
and now the connection seems to proceed without errors and any disconnections.

Here are the openvpn log lines for the route commands when both stunnel and openvpn are on the same machine:
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 127.0.0.1 MASK 255.255.255.255 192.168.2.1
2022-10-18 13:36:01 Route addition via service succeeded
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-18 13:36:01 Route addition via service succeeded
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-18 13:36:01 Route addition via service succeeded
2022-10-18 13:36:01 MANAGEMENT: >STATE:1666087561,ADD_ROUTES,,,,,,
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 37.120.217.242 MASK 255.255.255.255 192.168.2.1
2022-10-18 13:36:01 Route addition via service succeeded

However, when they are on different machines I have:
2022-10-18 13:40:45 C:\WINDOWS\system32\route.exe ADD 192.168.2.49 MASK 255.255.255.255 192.168.2.1 IF 13
2022-10-18 13:40:45 Route addition via service succeeded
2022-10-18 13:40:45 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-18 13:40:45 Route addition via service succeeded
2022-10-18 13:40:45 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-18 13:40:45 Route addition via service succeeded

It looks like OpenVPN is adding a route for 192.168.2.49, which is the machine stunnel is running on. It is not necessary, since it is on the same network openvpn is running on.
If I could just find a way to prevent openvpn from adding this route, I think the issue will be fixed. Any suggestions?


UPDATE: Finally I was able to fix it. I added the following line to my openvpn config file:

redirect-gateway local

This prevented openvpn from adding a static route for the machine stunnel was running on. Now I can have the openvpn client and the stunnel client on different machines on the same network.
The connection from my iPhone to stunnel was successful as well.
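Added example (not part of the thread, and not AirVPN's or OpenVPN's code): a small Python model of the routes OpenVPN installs for redirect-gateway def1, with and without the local flag from the fix above, plus a log check that flags the /32 route to the on-link stunnel host that amires spotted. It assumes the client's LAN is 192.168.2.0/24, as in the posted logs, and the sample log lines are constructed from them.

```python
"""Added example (not AirVPN's or OpenVPN's code): model which routes
OpenVPN's 'redirect-gateway def1' adds, and scan a Windows OpenVPN log for
a /32 host route to an on-link address (the stunnel box) sent via the router."""
import ipaddress
import re

ROUTE_ADD = re.compile(r"route\.exe ADD (?P<dst>[\d.]+) MASK (?P<mask>[\d.]+) (?P<gw>[\d.]+)")


def redirect_gateway_routes(remote, default_gw, vpn_gw, local_flag=False):
    """Routes OpenVPN installs for 'redirect-gateway def1'.

    Step 1: a /32 host route to the VPN endpoint via the old default gateway,
    so tunnel packets never loop into the tunnel. 'redirect-gateway local'
    skips step 1 because the endpoint is already reachable on the LAN.
    Steps 2-3: the two def1 half routes that override the default route."""
    routes = []
    if not local_flag:
        routes.append((f"{remote}/32", default_gw))
    routes.append(("0.0.0.0/1", vpn_gw))
    routes.append(("128.0.0.0/1", vpn_gw))
    return routes


def find_onlink_host_routes(log_lines, lan_cidr):
    """Return (destination, gateway) for every 'route.exe ADD X MASK /32 GW'
    whose X lies inside the client's own LAN: such a route forces on-link
    traffic through the router, which is what reset the tunnel in the thread."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    flagged = []
    for line in log_lines:
        m = ROUTE_ADD.search(line)
        if m and m["mask"] == "255.255.255.255":
            if ipaddress.ip_address(m["dst"]) in lan:
                flagged.append((m["dst"], m["gw"]))
    return flagged


# Constructed sample lines, modelled on the two route logs posted above.
SAME_MACHINE_LOG = r"""
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 127.0.0.1 MASK 255.255.255.255 192.168.2.1
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.11.113.1
2022-10-18 13:36:01 C:\WINDOWS\system32\route.exe ADD 37.120.217.242 MASK 255.255.255.255 192.168.2.1
""".strip().splitlines()
SPLIT_MACHINE_LOG = r"""
2022-10-18 13:40:45 C:\WINDOWS\system32\route.exe ADD 192.168.2.49 MASK 255.255.255.255 192.168.2.1 IF 13
2022-10-18 13:40:45 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.11.113.1
""".strip().splitlines()
```

Running find_onlink_host_routes over the split-machine log returns the 192.168.2.49 route via 192.168.2.1; the same-machine log returns nothing, because 127.0.0.1 and the public VPN server are outside the LAN.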
