Search the Community
Showing results for tags 'stunnel'.
Found 14 results
-
Goal We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. We will use the Termux Terminal Emulator to install and run stunnel and OpenVPN for Android to manage the OpenVPN connection. Requirements Android 6.0 or newer (5.0 and derivatives thereof such as FireOS should work too)the Android device does not have to be rootedGoogle PlayStore or the free & open source F-Droid market (recommended)OpenVPN for Android (FOSS) – or Air's official Eddie Android Edition Please stay tuned for future Eddie releases as they may include native SSL tunnel support (which would make this cumbersome guide unnecessary)Termux Terminal Emulator (FOSS)stunnel (FOSS), via Termux repositorya separate computer to download/edit the config files (entirely optional, but recommended) Setup instructions Part 1: generate AirVPN config files 1/7: open AirVPN's config generator. When asked for your operating system, pick Linux: 2/7: Choose servers: Pick a single server. Do not select more than one. Do not select a whole region. 3/7: Protocols: First, enable Advanced Mode: Now select the SSL mode, port 443: 4/7: Accept Terms of Service and generate the config files: 5/7: Download the generated zip archive: 6/7: unzip AirVPN.zip and open the *.ssl file in a text editor. find this line: pid = /tmp/stunnel4.pid replace it with: pid = /data/data/com.termux/files/home/stunnel4.pid 7/7: Now transfer the AirVPN folder to your phone's sdcard / main storage directory. For ease of use, don't put it into any subdirectories. Instead, put it into your "root" storage directory, meaning on the same level as your other default Android folders such as Documents, Download and Movies. Part 2: Install and prepare Android software 1/3: Install OpenVPN for Android, via F-Droid or Play Store. Don't configure anything just yet. 2/3: Install Termux Terminal Emulator, via F-Droid or PlayStore open Termux and run: termux-setup-storageAllow Termux to access files on your device. (Android 8.0 Oreo users, please read the note at the end of this tutorial).The pkg command is used to install und update software packages. Make sure your base packages are all up to date: pkg upgradenow install stunnel: pkg install stunnel 3/3: Still in Termux, jump to the AirVPN folder you copied to your phone: cd storage/shared/AirVPNThe command lsshould list 3 files: AirVPN*.ovpn (the OpenVPN config file)AirVPN*.ssl (the stunnel config file)stunnel.crt (stunnel certificate)Now start stunnel: stunnel AirVPN*.ssl press the Home button to get out of Termux.Start OpenVPN and import the AirVPN*.ovpn config fileEdit your new OpenVPN connection (tap the "pencil button")in the ALLOWED APPS tab, tick the box next to Termuxreturn to OpenVPN's connection listyour VPN connection is now configured. A tap on its name will establish the connection.verify that a connection has been established by looking for the log entry Initialization Sequence Completedbrowse to ipleak.net (or any similar site) to verify that your traffic is indeed routed through the VPN tunnelHere's a short video, demonstrating the steps above: https://vimeo.com/246306477 Part 3: Usage instructions Now that everything is configured, future usage will be much easier: open Termuxnavigate to your AirVPN folder: cd storage/shared/AirVPNnow run stunnel: stunnel AirVPN*.sslPress the Home button and open the OpenVPN appConnect to your VPN profile Addendum: Tips as an alternative to OpenVPN for Android, you can also use Air's official Eddie Android edition. Don't forget to dive into Eddie's settings to exclude ("blacklist") Termux from the VPN tunnel.don't forget to periodically run pkg upgradeto keep all of Termux' packages, including stunnel, up-to-date.To prevent leaks, it's recommended to let OpenVPN set the default route for both IPv4 and IPv6; as well disabling the LAN bypass: you may want to take a look at Termux:Widget (via F-Droid or Play Store. It's an extension to Termux. If you put your stunnel commands into shell scripts, stored in ~/.shortcuts/ , you can launch them via Home screen widgets.enable Termux' extended keyboard by sliding out the left-side menu and long-pressing the KEYBOARD button. This will enable a row of additional keys, such as CTRL, ALT and TAB which are very useful in a terminal environment -- especially the TAB key, allowing you to autocomplete command and path names. Here's a short video on Vimeo demonstrating the extended keyboard.you may generate config files for as many servers as you like, put them into your AirVPN folder on your phone and add the *.ovpn profiles to OpenVPN.you may want to consider AFWall+ for additional firewalling (root required)it is recommended to move the *.ssl and stunnel.crt files out of Android's shared storage and into Termux' private data directory, while also deleting the no longer needed *.ovpn file: cd ~ mkdir st cd storage/shared/AirVPN cp *.ssl stunnel.crt ~/st rm *.ssl stunnel.crt *.ovpn Moving those files obviously changes the paths of your Termux commands. Instead of running: cd storage/shared/AirVPN stunnel AirVPN*.ssl You'd now need to run: cd ~/st stunnel AirVPN*.ssl Addendum: Caveats Following this tutorial will add the Termux app to OpenVPN's exclusion list, allowing it connect to the VPN server. But this also means that anything else you may do via Termux will also bypass the VPN tunnel. If you need a VPN-tunneled terminal app, I recommend using Termux only to run stunnel; using another terminal emulator app for your other tasks. Addendum: Testing and bugs This tutorial has been tested on: Stock Android 6.0Stock Android 7.0Stock Android 8.0LineageOS 14.1 (~ Android 7.1.x)Fire OS 5.6.0.0 (~ Android 5.x), testing done by user steve74it Important Notice for Android 8.0+ (Oreo) users: The command termux-setup-storage does not work (yet). Instead, follow this workaround to access storage: https://github.com/termux/termux-app/issues/157#issuecomment-246659496 The workaround will no longer be necessary once this bug is resolved: https://github.com/termux/termux-packages/issues/1578 EDIT LOG Thu Dec 7 20:24 UTC 2017: initial releaseThu Dec 7 20:40 UTC 2017: formatting correctionsThu Dec 7 20:58 UTC 2017: spellingFri Dec 8 18:47 UTC 2017: add recommended route settings. credit and thanks to Darkspace-HarbingerFri Jan 5 17:30 UTC 2018: add note that this guide is functional on FireOS 5.6 (Android 5.x). testing done by user steve74it, thank you!Mon Jan 22 18:34 UTC 2018: add mikevvl's security tip to move files out of shared storage. thank you!Sun Jul 15 12:16 UTC 2018: recommend against alternative VPN apps (thanks steve74it)Tue Jul 17 12:20 UTC 2018: mention Eddie compatibility (thanks steve74it) Any corrections, further testing, as well as general suggestions for improvement would be much appreciated.
-
So I am travelling to Egypt soon and they block all OpenVPN connections from what I've read, but stunnel is supposed to be working. How do I set this up through Eddie on Ubuntu? I read the guide and it just said Select AirVPN menu -> Preferences -> Protocols. Select one of the SSL Tunnel options. Click Save. I went into protocols and I don't see anything about SSL tunnels. I only see ports I can choose, I know SSL works over port 443. Will simply selecting port 443 work in circumventing the VPN block? Or is there something else I need to do?
-
Since it is not very easy to use a VPN from countries like Iran a recorded a tutorial on how to use airvpn from these countries: https://usefulvid.com/bypass-the-persian-and-chinese-firewall-by-using-airvpn-with-ssl/ The videos are hosted on my website and on youtube. The reason is that it is not possible to access youtube from Iran. https://youtu.be/jl8I2-GQF94 It would be nice if you could share this with your friends in Iran, China, Turkey, Russia, UAE, Saudi Arabia and provide feedback if this method works. You can also download this video from my website to make it easier to share and spread the word. A video on how to use stunnel on android will follow and also published on this site. Update on 6.1.2018: The Video for Android is finally published: https://www.youtube.com/watch?v=zwf5JI6t0TI For all who suffer from youtube censorship this is the link for you: https://usefulvid.com/bypass-the-persian-and-chinese-firewall-by-using-airvpn-with-ssl/ Second Video on the page
-
I am currently in China and like to share my experience with airvpn. Findings Every Hotel Wifi blocks VPN differently Tor (orbot) always works fine Airvpn is a pain on Android stunnel is complicated to install the own android app does not come with predefined profiles the config generator is not mobile friendly I tried to use stunnel on Windows -> eddie has a problem with usernames with a vowel mutation and fails to establish a connection Protocols and IPs Some IPs from AirVPN Servers seem to be completely blocked. E.g. Zuben: IP1 fails completly (tested on UDP 443 / SSH 22) IP2 on UDP 443 works fine IP2 on UDP 1194 works fine Ping to Zuben IP1 fails Ping to IP2 works fine The weired thing is that I am running 2 VPN servers in my home network. In the actual hotel both are blocked entirely. What I do not get is why zuben on 1194 works but my VPN in the home network (on 1194 and also on 1195) fails. I can't even ping my IP (dyndns). The DNS resolution works fine but no connection is possible. It can only be explained if all private network IPs are blocked. I tried a second private IP to connect to and this also failed. For the second ip a ping was possible but VPN on tcp/443 failed. There is no real consistent image I get.... The second IP was never used in china before. Some thoughts about Eddie A feature which detects blocked servers (by a ping test?) would be great. Eddie should be capable of choosing the best IP and protocol by itself. The chinese Firewall is able to detect openVPN connections it would be a could idea to reserve one IP (nr. 4?) only for stunnel and ssh connections. In the actual situation I am able to connect via 1194/udp to IP4. If the chinese firewall can detect a VPN it will block the whole IP4 and also stunnel and ssh is not possible any more. It is a very good idea to develop eddie for android. it should be able to use ssl/ssh connections and all possible IPs and protocols should be available without manual download
-
airvpn ssl tunnel not working on ddwrt router
yrahman posted a topic in Troubleshooting and Problems
Dear Team, I have installed stunnel on my linksys1900acs ddwrt router. now i am using the airvpn configurations to connect with i am getting following error daemon.err openvpn[28841]: Connection reset, restarting [0] Logs: Jun 11 00:47:08 DD-WRT daemon.notice stunnel: LOG5[ui]: stunnel 5.20 on arm-openwrt-linux-gnueabi platform Jun 11 00:47:08 DD-WRT daemon.notice stunnel: LOG5[ui]: Compiled/running with OpenSSL 1.0.2d 9 Jul 2015 Jun 11 00:47:08 DD-WRT daemon.notice stunnel: LOG5[ui]: Threading:FORK Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Jun 11 00:47:08 DD-WRT daemon.notice stunnel: LOG5[ui]: Reading configuration from file /opt/etc/stunnel/stunnel.conf Jun 11 00:47:08 DD-WRT daemon.notice stunnel: LOG5[ui]: UTF-8 byte order mark detected Jun 11 00:47:08 DD-WRT daemon.notice stunnel: LOG5[ui]: FIPS mode disabled Jun 11 00:47:08 DD-WRT daemon.info stunnel: LOG6[ui]: Initializing service [openvpn] Jun 11 00:47:08 DD-WRT daemon.notice stunnel: LOG5[ui]: Configuration successful Jun 10 20:48:18 DD-WRT daemon.warn openvpn[28841]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jun 10 20:48:18 DD-WRT daemon.notice openvpn[28841]: Re-using SSL/TLS context Jun 10 20:48:18 DD-WRT daemon.notice openvpn[28841]: Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ] Jun 10 20:48:18 DD-WRT daemon.notice openvpn[28841]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ] Jun 10 20:48:18 DD-WRT daemon.notice openvpn[28841]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client' Jun 10 20:48:18 DD-WRT daemon.notice openvpn[28841]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server' Jun 10 20:48:18 DD-WRT daemon.notice openvpn[28841]: TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1413 Jun 10 20:48:18 DD-WRT daemon.notice openvpn[28841]: Socket Buffers: R=[87380->87380] S=[16384->16384] Jun 10 20:48:18 DD-WRT daemon.notice openvpn[28841]: Attempting to establish TCP connection with [AF_INET]127.0.0.1:1413 [nonblock] Jun 11 00:48:18 DD-WRT daemon.notice stunnel: LOG5[0]: Service [openvpn] accepted connection from 127.0.0.1:48232 Jun 11 00:48:18 DD-WRT daemon.info stunnel: LOG6[0]: failover: round-robin Jun 11 00:48:18 DD-WRT daemon.info stunnel: LOG6[0]: s_connect: connecting 62.102.148.190:443 Jun 11 00:48:18 DD-WRT daemon.notice stunnel: LOG5[0]: s_connect: connected 62.102.148.190:443 Jun 11 00:48:18 DD-WRT daemon.info stunnel: LOG6[0]: SNI: sending servername: 62.102.148.190 Jun 11 00:48:18 DD-WRT daemon.info stunnel: LOG6[0]: CERT: Locally installed certificate matched Jun 11 00:48:18 DD-WRT daemon.notice stunnel: LOG5[0]: Certificate accepted at depth=0: C=IT, ST=Italy, L=Perugia, O=AirVPN, OU=stunnel, CN=stunnel.airvpn.org, emailAddress=info@airvpn.org Jun 11 00:48:18 DD-WRT daemon.info stunnel: LOG6[0]: SSL connected: new session negotiated Jun 11 00:48:18 DD-WRT daemon.info stunnel: LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption) Jun 10 20:48:19 DD-WRT daemon.notice openvpn[28841]: TCP connection established with [AF_INET]127.0.0.1:1413 Jun 10 20:48:19 DD-WRT daemon.notice openvpn[28841]: TCPv4_CLIENT link local: (not bound) Jun 10 20:48:19 DD-WRT daemon.notice openvpn[28841]: TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:1413 Jun 11 00:48:19 DD-WRT daemon.info stunnel: LOG6[0]: SSL closed (SSL_read) Jun 10 20:48:19 DD-WRT daemon.err openvpn[28841]: Connection reset, restarting [0] Jun 10 20:48:19 DD-WRT daemon.notice openvpn[28841]: TCP/UDP: Closing socket Jun 10 20:48:19 DD-WRT daemon.notice openvpn[28841]: SIGUSR1[soft,connection-reset] received, process restarting Jun 10 20:48:19 DD-WRT daemon.notice openvpn[28841]: Restart pause, 160 second(s) Jun 11 00:48:19 DD-WRT daemon.info stunnel: LOG6[0]: Read socket closed (readsocket) Jun 11 00:48:19 DD-WRT daemon.info stunnel: LOG6[0]: SSL_shutdown successfully sent close_notify alert Jun 11 00:48:19 DD-WRT daemon.notice stunnel: LOG5[0]: Connection closed: 16 byte(s) sent to SSL, 0 byte(s) sent to socket My OpenVpn config ca /tmp/openvpncl/ca.crtcert /tmp/openvpncl/client.crtkey /tmp/openvpncl/client.keymanagement 127.0.0.1 16management-log-cache 100verb 3mute 3syslogwritepid /var/run/openvpncl.pidclientresolv-retry infinitenobindpersist-keypersist-tunscript-security 2dev tun1proto tcp4-clientcipher aes-256-cbcauth sha256remote 127.0.0.1 1413comp-lzo notun-mtu 1500mtu-disc yesresolv-retry infinitenobindpersist-keypersist-tunauth-nocacheverb 5route 62.102.148.190 255.255.255.255 net_gatewayremote-cert-tls servercipher AES-256-CBCkey-direction 1 My Stunnel Configclient = yesdebug = 6 [openvpn];ciphers = DHE-RSA-AES128-SHA256accept = 127.0.0.1:1413connect = 62.102.148.190:443TIMEOUTclose = 0verify = 3CAfile = /opt/etc/stunnel/stunnel.crt -
I've managed to get a pfSense VM working with AirVPN's Serpentis server via Stunnel. Given the importance of using the latest versions of Stunnel and OpenSSL, I used pfSense 2.2-BETA x64, which is based on FreeBSD 10.1-RELEASE x64. Working in a FreeBSD 10.1 x64 VM, I made the stunnel-5.07 package and its dependencies from ports. See <http://www.freshports.org/security/stunnel/>. Also see <https://forums.freebsd.org/threads/howto-setting-up-stunnel-in-freebsd.1717/>. pfSense 2.2-BETA x64 VM: 512 MB RAM 7 MB video RAM 2 GB dynamic VDI PAE/NX, VT-x/AMD-V, Nested Paging Adapter 1: Intel PRO/1000 MT Desktop (NAT) Adapter 2: Intel PRO/1000 MT Desktop (Internal Network, 'AV') audio and USB disabled otherwise defaults FreeBSD 10.1 x64 VM 1024 MB RAM 7 MB video RAM 10 GB dynamic VDI PAE/NX, VT-x/AMD-V, Nested Paging Adapter 1: Intel PRO/1000 MT Desktop (Internal Network, 'AV') audio and USB disabled otherwise defaults Debian 7.6 x64 workspace VM 1024 MB RAM 128 MB video RAM 20 GB dynamic VDI PAE/NX, VT-x/AMD-V, Nested Paging Adapter 1: Intel PRO/1000 MT Desktop (Internal Network, 'AV') audio and USB disabled otherwise defaults legacy Gnome desktop installed openssh-server Working in FreeBSD VM: # portsnap fetch extract # mkdir /usr/ports/packages # cd /usr/ports/security/stunnel # make config [x] DOCS [x] EXAMPLES [ ] FIPS [ ] IPV6 [ ] LIBWRAP [x] SSL_PORT [ ] FORK [x] PTHREAD [ ] UCONTEXT # make package-recursive [use default openssl-1.0.1_16 settings] [use default perl5-5.18.4_10 settings] # cd /usr/ports/packages/All # ls openssl-1.0.1_16.txz pkg-1.3.8_3.txz perl5-5.18.4_10.txz stunnel-5.07.txz # sftp user@192.168.10.11 [Debian VM] # put * # exit # shutdown -p now Working in Debian VM: login pfSense webGUI browse "Diagnostics: Command Prompt" upload openssl-1.0.1_16.txz and move to /root/ upload pkg-1.3.8_3.txz and move to /root/ upload perl5-5.18.4_10.txz and move to /root/ upload stunnel-5.07.txz and move to /root/ Working in pfSense VM console: : pkg install *.txz The package management tool is not yet installed on your system. Do you want to fetch and install it now? [y/N]: y ... New packages to be INSTALLED: openssl-1.0.1_16 perl5-5.18.4_10 stunnel: 5.07 The process will require 61 MB more space. Proceed with this action? [y/N]: y [1/3] Installing openssl-1.0.1_16: 100% [2/3] Installing perl5-5.18.4_10: 100% makewhatis: not found makewhatis: not found pkg: POST-INSTALL script failed ===> Creating users and/or groups. Creating group 'stunnel' with gid '341'. Creating user 'stunnel' with uid '341'. [3/3] Installing stunnel-5.07: 100% Message for openssl-1.0.1_16: Copy /usr/local/openssl/openssl.cnf.sample to /usr/local/openssl/openssl.cnf and edit it to fit your needs. [DON'T DO THAT. USE EXISTING openssl.cnf] Message for stunnel-5.07: *************************************************************************** To create and install a new certificate, type "make cert" And don't forget to check out the FAQ at http://www.stunnel.org/ *************************************************************************** : mkdir /usr/local/etc/stunnel/run : chown stunnel:stunnel /usr/local/etc/stunnel/run : chmod 0622 /usr/local/etc/stunnel/run Working in Debian VM: login pfSense webGUI browse "Diagnostics: Edit File" browse "/usr/local/etc/stunnel/stunnel.conf-sample" and open to edit save as "/usr/local/etc/stunnel/stunnel.conf" replace content with this and save: ................................... ; create local jail chroot = /usr/local/etc/stunnel/run ; set own UID and GID setuid = stunnel setgid = stunnel client = yes foreground = no options = NO_SSLv2 [openvpn] accept = 1413 connect = 178.248.30.133:443 TIMEOUTclose = 0 ................................... browse "/etc/defaults/rc.conf" and open to edit add this at end and save: ......................................................... stunnel_enable="YES" stunnel_pid_file="/usr/local/etc/stunnel/run/stunnel.pid" ......................................................... browse "Diagnostics: Command Prompt" run "mv /usr/local/etc/rc.d/stunnel /usr/local/etc/rc.d/stunnel.sh" Working in pfSense VM console: hit "5" and "y" to reboot Working in Debian VM: login pfSense webGUI browse "Status: System logs: General" should see: ................................................................................................... ... ... php-fpm[243]: /rc.start_packages: Restarting/Starting all packages. ... kernel: done. ... stunnel: LOG5[34393318400]: stunnel 5.07 on amd64-portbld-freebsd10.1 platform ... stunnel: LOG5[34393318400]: Compiled/running with OpenSSL 1.0.1j 15 Oct 2014 ... stunnel: LOG5[34393318400]: Threading:PTHREAD Sockets:POLL,IPv4 SSL:ENGINE,OCSP ... stunnel: LOG5[34393318400]: Reading configuration from file /usr/local/etc/stunnel/stunnel.conf ... stunnel: LOG5[34393318400]: UTF-8 byte order mark not detected ... stunnel: LOG5[34393318400]: Configuration successful ... ................................................................................................... browse "System: General Setup" specify desired third-party DNS servers on WAN_DHCP [x] Do not use the DNS Forwarder as a DNS server for the firewall browse "Services: DNS Forwarder" [ ] Enable DNS forwarder browse "System: Advanced: Networking" [ ] Allow IPv6 [x] Prefer to use IPv4 even if IPv6 is available browse "System: Advanced: Miscellaneous" [x] Skip rules when gateway is down [x] Enable gateway monitoring debug logging browse "System: Certificate Authority Manager" add ca.crt browse "System: Certificate Manager" add client.crt|client.key browse "VPN: OpenVPN: Client" Protocol: TCP Interface: Localhost Server host or address: 127.0.0.1 Server port: 1413 Server host name resolution: don't "Infinitely resolve server" Encryption algorithm: AES-256-CBC Compression: Disabled - No Compression Disable IPv6: Don't forward IPv6 traffic Advanced: persist-key;persist-tun;remote-cert-tls server; route 178.248.30.133 255.255.255.255 net_gateway Verbosity level: 5 browse "Status: System logs: General" should see: ................................................................................................... ... ... openvpn[86987]: [server] Peer Connection Initiated with [AF_INET]127.0.0.1:1413 ... openvpn[86987]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) ... openvpn[86987]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1, dhcp-option DNS 10.50.0.1,comp-lzo no,route 10.50.0.1,topology net30,ping 10, ping-restart 60,ifconfig 10.50.2.74 10.50.2.73' ... ... openvpn[86987]: /sbin/ifconfig ovpnc1 10.50.2.74 10.50.2.73 mtu 1500 netmask 255.255.255.255 up ... openvpn[86987]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1560 10.50.2.74 10.50.2.73 init ... openvpn[86987]: /sbin/route add -net 127.0.0.1 10.0.2.2 255.255.255.255 ... openvpn[86987]: /sbin/route add -net 0.0.0.0 10.50.2.73 128.0.0.0 ... openvpn[86987]: /sbin/route add -net 128.0.0.0 10.50.2.73 128.0.0.0 ... openvpn[86987]: /sbin/route add -net 178.248.30.133 10.0.2.2 255.255.255.255 ... openvpn[86987]: /sbin/route add -net 10.50.0.1 10.50.2.73 255.255.255.255 ... openvpn[86987]: Initialization Sequence Completed ................................................................................................... browse "Services: DHCP Server" set 10.50.0.1 as DNS server browse "Interfaces: Assign Network Ports" add OPT1 browse "Interfaces: OPT1" enable and rename "AIRVPN" browse "Firewall: NAT: Outbound" select "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" save and apply changes leave localhost rules alone "Auto created rule for ISAKMP - localhost to WAN" "Auto created rule - localhost to WAN" change interface for LAN rules from WAN to AIRVPN "Rule for ISAKMP - LAN to AIRVPN" "Rule - LAN to AIRVPN" apply changes browse "Firewall: Rules: LAN" delete IPv6 rule edit IPv4 rule specify AIRVPN_VPNV4 as Gateway\ rename as "Allow LAN to any rule via AIRVPN_VPNV4" apply changes Working in pfSense VM console: hit "5" and "y" to reboot Working in Debian VM: login pfSense webGUI browse "Status: OpenVPN" should see that Client TCP is up Done Edit: I've added rules on WAN, and required aliases. Aliases are needed for three types of outbound traffic: 1) the DNS server IPs specified in “System: General Setup”; 2) the pfSense NTP server hostname specified in “System: General Setup”; and 3) the connect server IP specified in the Stunnel configuration. In Firewall: Aliases: IP, create three aliases, using the + button to add the values: Name Values Description dnssvr 208.67.220.220 208.67.222.222 DNS server IP addresses ntpsvr 0.pfsense.pool.ntp.org default pfSense NTP server sslsvr 178.248.30.133 Stunnel server Using these aliases, you then add rules for the WAN interface to pass necessary outbound traffic, and then a final rule to block everything else. In "Firewall: Rules: WAN", create these rules, specifying “Single host or address” for the pass rules: Action TCP/IP Proto Source Port Dest Port Gateway Queue Description pass IPv4 TCP/UDP WAN address * dnssvr * * none Allow to DNS servers pass IPv4 UDP WAN address * ntpsvr * * none Allow to NTP server pass IPv4 TCP/UDP WAN address * sslsvr * * none Allow to SSL server block IPv4 * WAN address * * * * none Block all other IPv4 block IPv6 * WAN address * * * * none Block all IPv6 Then reboot from the console window, by entering 5 and then y to confirm.
-
Hello everyone, I am TheDarkOnyx. That aside, I am facing problems with connecting with SSL to any server, for that matter. In my case, my school has a hefty firewall that has DPI recently, and it has been effective. I have since been using STunnel and I am using SSL port 28439, and oddly enough, it has been resetting connection by peer by almost every single server available except the Dheneb server. Is there something I should fix? Thanks.
-
I am having an issue configuring AirVPN SSL to work with Tunnelblick and Stunnel on my macbook. I got it to work about a month ago, but I can't remember how I did it. I am pretty sure the issue is stunnel, but I can't figure out how to configure the proper files. 1. I have imported the .ovpn into tunnelblick 2. moved the .ssl and .crt into stunnel file 3. changed the .ssl in stunnel to .conf when I try to connect to the server via tunnelblick i receive this error: TCP: connect to [AF_INET]127.0.0.1:1413 failed, will try again in 5 seconds: Connection refused If you need any further information or files, please let me know. Thank you in advance for your assistance. connection_error.txt
-
Hi, On the experimental client (2.10.3) mono required, the binary stunnel is build with openssl .1.0.1f, which, have if i'm not making a mistake, multiples vulnerability Any reason why the stunnel binary is outdated ? Thanks !
-
I am consistently running into this problem on all my PCs (laptops). Over a period of time, I notice that AirVPN is disconnected and is constantly trying to reconnect. Checking the Windows Task Manager, I discover that multiple instances of stunnel.exe are running: the longer AirVPN is running, the more instances of stunnel (at time 2 or 3 dozens). Initially this behaviour can be reproduced by putting the PC to sleep while AirVPN is still connected. Upon waking, it starts the re-connection and fails, creating more and more stunnel.exe in the memory. Now however, I notice that AirVPN would spontaneously disconnect (I've set my PCs to stay awake constantly), and get into this rut. Other than manually ending all the instances of stunnel.exe (as well as the 1 instance of openvpn.exe), I'd have to do a full reboot. Does anyone notice this and know a fix? Thanks all!
-
I installed stunnel (32-bit) on Windows 7 w/ SP1, 64-bit. OpenVPN client is also 64-bit. For testing purposes, I used the Config Generator to produce the following two files AirVPN_CA-Hoedus_SSL-443.ovpn AirVPN_CA-Hoedus_SSL-443.ssl which I moved to C:\Program Files\OpenVPN\config In a command prompt window, I typed the following: C:\Program Files\OpenVPN\config>stunnel "AirVPN_CA-Hoedus_SSL-443.ssl" The following error message appeared: [ ] No limit detected for the number of clients [.] stunnel 5.02 on x86-pc-msvc-1500 platform [.] Compiled/running with OpenSSL 1.0.1h-fips 5 Jun 2014 [.] Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS [ ] errno: (*_errno()) [.] Reading configuration from file AirVPN_CA-Hoedus_SSL-443.ssl [!] Cannot open configuration file [.] [.] Syntax: [.] stunnel [ [-install | -uninstall] [-quiet] [<filename>] ] | -help | -version | -sockets [.] <filename> - use specified config file [.] -install - install NT service [.] -uninstall - uninstall NT service [.] -quiet - don't display a message box on success [.] -help - get config file help [.] -version - display version and defaults [.] -sockets - display default socket options [!] Server is down How do I fix the above problem? Is stunnel attempting to use IPv6? (I always disable IPv6 on the advice of friends who say that IPv6 leaks DNS and other data packets)
-
I've been using the Eddie client for a while now but I can not get it to work over ssh or ssl. I keeps disconnecting and reconnect repeating a cycle that creates a bunch of processes. 6/11/2014 - 9:55 PM AirVPN client version: 2.1, System: Linux, Architecture: x64 6/11/2014 - 9:55 PM Reading options from /home/klepto/AIR/AirVPN.xml 6/11/2014 - 9:55 PM Data Path: /home/klepto/AIR 6/11/2014 - 9:55 PM App Path: /home/klepto/AIR 6/11/2014 - 9:55 PM Executable Path: /home/klepto/AIR/airvpn 6/11/2014 - 9:55 PM Command line arguments: 6/11/2014 - 9:55 PM Operating System: Unix 3.14.6.1 - Linux LUNASYLUM 3.14.6-1-ARCH #1 SMP PREEMPT Sun Jun 8 10:08:38 CEST 2014 x86_64 GNU/Linux 6/11/2014 - 9:55 PM OpenVPN Driver - Found 6/11/2014 - 9:55 PM OpenVPN - Version: OpenVPN 2.3.3 (/home/klepto/AIR/openvpn) 6/11/2014 - 9:55 PM SSH - Version: OpenSSH_6.6.1p1, OpenSSL 1.0.1h 5 Jun 2014 (/usr/bin/ssh) 6/11/2014 - 9:55 PM SSL - Version: stunnel 5.01 (/home/klepto/AIR/stunnel) 6/11/2014 - 9:55 PM IPV6: Available 6/11/2014 - 9:55 PM Session starting. 6/11/2014 - 9:55 PM Checking environment 6/11/2014 - 9:55 PM Waiting for latency tests 6/11/2014 - 9:55 PM Checking authorization 6/11/2014 - 9:55 PM Connecting to Pavonis (us) 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG5[26060]: stunnel 5.01 on x86_64-unknown-linux-gnu platform 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG5[26060]: Compiled/running with OpenSSL 1.0.1g 7 Apr 2014 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG5[26060]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG5[26060]: Reading configuration from file /home/klepto/AIR/a6a54b9427fd348ef37fea2ec7f05b91b6ba82fec6e24e851b036484588e613f.tmp.ssl 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG6[26060]: Initializing service [openvpn] 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG5[26060]: Configuration successful 6/11/2014 - 9:55 PM OpenVPN > OpenVPN 2.3.3 x86_64-unknown-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [MH] [iPv6] built on Apr 14 2014 6/11/2014 - 9:55 PM OpenVPN > MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:3100 6/11/2014 - 9:55 PM OpenVPN > Control Channel Authentication: tls-auth using INLINE static key file 6/11/2014 - 9:55 PM OpenVPN > Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 6/11/2014 - 9:55 PM OpenVPN > Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication /* Removed IP info */ 6/11/2014 - 9:55 PM OpenVPN > Validating certificate key usage 6/11/2014 - 9:55 PM OpenVPN > ++ Certificate has key usage 00a0, expects 00a0 6/11/2014 - 9:55 PM OpenVPN > VERIFY KU OK 6/11/2014 - 9:55 PM OpenVPN > Validating certificate extended key usage 6/11/2014 - 9:55 PM OpenVPN > ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 6/11/2014 - 9:55 PM OpenVPN > VERIFY EKU OK 6/11/2014 - 9:55 PM OpenVPN > VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org 6/11/2014 - 9:55 PM OpenVPN > Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 6/11/2014 - 9:55 PM OpenVPN > Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 6/11/2014 - 9:55 PM OpenVPN > Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 6/11/2014 - 9:55 PM OpenVPN > Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 6/11/2014 - 9:55 PM OpenVPN > Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA 6/11/2014 - 9:55 PM OpenVPN > [server] Peer Connection Initiated with [AF_INET]127.0.0.1:53314 6/11/2014 - 9:55 PM OpenVPN > SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) 6/11/2014 - 9:55 PM OpenVPN > OPTIONS IMPORT: timers and/or timeouts modified 6/11/2014 - 9:55 PM OpenVPN > OPTIONS IMPORT: LZO parms modified 6/11/2014 - 9:55 PM OpenVPN > OPTIONS IMPORT: --ifconfig/up options modified 6/11/2014 - 9:55 PM OpenVPN > OPTIONS IMPORT: route options modified 6/11/2014 - 9:55 PM OpenVPN > OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified 6/11/2014 - 9:55 PM Flushing DNS 6/11/2014 - 9:55 PM Checking route 6/11/2014 - 9:55 PM Connected. 6/11/2014 - 9:55 PM OpenVPN > MANAGEMENT: Client connected from [AF_INET]127.0.0.1:3100 6/11/2014 - 9:55 PM OpenVpn Management > >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info 6/11/2014 - 9:55 PM Disconnecting 6/11/2014 - 9:55 PM Management - Send 'signal SIGTERM' 6/11/2014 - 9:55 PM OpenVPN > MANAGEMENT: CMD 'signal SIGTERM' 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:42 LOG6[26063]: Read socket closed (readsocket) 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:42 LOG6[26063]: SSL_shutdown successfully sent close_notify alert 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:42 LOG3[26063]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:42 LOG5[26063]: Connection closed: 12137 byte(s) sent to SSL, 15169 byte(s) sent to socket 6/11/2014 - 9:55 PM Connecting to Pavonis (us) 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG5[26081]: stunnel 5.01 on x86_64-unknown-linux-gnu platform 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG5[26081]: Compiled/running with OpenSSL 1.0.1g 7 Apr 2014 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG5[26081]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG5[26081]: Reading configuration from file /home/klepto/AIR/232ecf01d2847609b6f741c518067d5a8012298972f180adcaed1ec52264c4dc.tmp.ssl 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG6[26081]: Initializing service [openvpn] 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG5[26081]: Configuration successful 6/11/2014 - 9:55 PM OpenVPN > OpenVPN 2.3.3 x86_64-unknown-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [MH] [iPv6] built on Apr 14 2014 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG6[26084]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES256-SHA (256-bit encryption) 6/11/2014 - 9:55 PM OpenVPN > Socket Buffers: R=[87380->131072] S=[16384->131072] 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG6[26084]: Compression: null, expansion: null 6/11/2014 - 9:55 PM OpenVPN > Attempting to establish TCP connection with [AF_INET]127.0.0.1:34604 [nonblock] 6/11/2014 - 9:55 PM OpenVPN > TCP connection established with [AF_INET]127.0.0.1:34604 6/11/2014 - 9:55 PM OpenVPN > TCPv4_CLIENT link local: [undef] 6/11/2014 - 9:55 PM OpenVPN > TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:34604 6/11/2014 - 9:55 PM OpenVPN > TLS: Initial packet from [AF_INET]127.0.0.1:34604, sid=0eb09504 ef87f7e3 6/11/2014 - 9:55 PM OpenVPN > VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org 6/11/2014 - 9:55 PM OpenVPN > Validating certificate key usage 6/11/2014 - 9:55 PM OpenVPN > ++ Certificate has key usage 00a0, expects 00a0 6/11/2014 - 9:55 PM OpenVPN > VERIFY KU OK 6/11/2014 - 9:55 PM OpenVPN > Validating certificate extended key usage 6/11/2014 - 9:55 PM OpenVPN > ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 6/11/2014 - 9:55 PM OpenVPN > VERIFY EKU OK 6/11/2014 - 9:55 PM OpenVPN > VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
-
Hello! These instructions describe how to build Stunnel on OS X. Go to https://www.stunnel.org/downloads.html and download stunnel-4.54.tar.gz and stunnel-4.54.tar.gz.sha256. Open a terminal from Utilities => Terminal. Terminal is case sensitive, before you do something think twice before you press RETURN - there is no undo or redo in terminal. Each line is one line in terminal and you need to press RETURN at the end of the line. cd $HOME/Downloads openssl dgst -sha256 stunnel-4.54.tar.gz more stunnel-4.54.tar.gz.sha256 Compare the output of the last 2 lines - if it matches all is fine, if not you had a security problem during download. tar -xzvf stunnel-4.54.tar.gz cd stunnel-4.54 ./configure && make && make check && sudo make install The configure script uses autoconf, so put your fingers away from other options because if all is there and supported it will build a fine 64 bit app for you. make check is optional. "sudo make install" requires your root (administrator) password. During this step you have to input some basic informations (self explaining). The && is used to run commands after each other ONLY if the previous was successful. Once everything is done your stunnel app will be installed in /usr/local/bin. Note: - To avoid /usr/lib/libwrap.7.dylib dependencies (not available on fresh Mountain Lion), use ./configure --disable-libwrap Kind regards AirVPN Support Team --- Thanks to NaWi at Mac, guide from this topic on stackexchange.com
-
Ubuntu 12.04 LTS stunnel and ssl configs not working
Guest posted a topic in Troubleshooting and Problems
Hi Guys, I am running Ubuntu 12.04 lts x86_64 and I have installed everything correctly and vpn works on all other configurations except for openvpn over ssl. when I use the command stunnel (see below) it gives me an openvpn error failed to initialize SSL I'm pretty frustrated trying to get this to work with gnome network manager or openvpn directly. can someone help? Thank you. stunnel AirVPN_US-Librae_SSL-443.ssl Clients allowed=500 stunnel 4.56 on x86_64-unknown-linux-gnu platform Compiled/running with OpenSSL 1.0.1 14 Mar 2012 Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Reading configuration from file AirVPN_US-Librae_SSL-443.ssl FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported Line 13: "[openvpn]": Failed to initialize SSL str_stats: 4 block(s), 57 data byte(s), 232 control byte(s)