OpenVPN and Stunnel problem [SOLVED]

Message

esperto · Post by **esperto** » Sun Oct 22, 2017 11:14 pm

Hi all,

I'm going to china and would like to get to my home VPN, reading over the internet a recommendation was to wrap openVPN connection into SSL to avoid being cut off by the GFW, as openVPN is not pure SSL.
I've followed the instructions (they are quite easy actually) and created a tunnel for openVPN, the issue is I can connect but no packet goes through after that, it is very odd.
OpenVPN log shows the connection starting, I can even authenticate with a local user, but after that, nothing.
To test if there was a problem with the tunnel I used netcat and was able to connected over the tunnel and get messages across both ways in the first try.
Does anyone has experience with this?
I'm putting below my config with some critical parts removed (like certs and keys)

stunnel server config file

Code: Select all

# Sample stunnel configuration file by Michal Trojnara 2002-2005
# Some options used here may not be adequate for your particular configuration
# Please make sure you understand them (especially the effect of chroot jail)

# Certificate/key is needed in server mode and optional in client mode
 cert = /etc/stunnel/stunnel.pem
 key = /etc/stunnel/stunnel.pem

# Some security enhancements for UNIX systems - comment them out on Win32
# chroot = /chroot/stunnel/
setuid = stunnel
setgid = stunnel
# PID is created inside chroot jail
pid = /run/stunnel/stunnel.pid

# Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
#compression = rle

# Workaround for Eudora bug
options = NO_SSLv2

# Some debugging stuff useful for troubleshooting
#debug = 7
output = /var/log/stunnel.log

# Service-level configuration

[openvpn]
accept = 4600
connect = 127.0.0.1:4500

[nc]
accept = 10000
connect = 127.0.0.1:11000

stunnel client config

Code: Select all

#stunnel para openvpn de casa
#pid = /run/stunnel/stunnel.pid
#output = /var/log/stunnel4/stunnel.log

[openvpn]
client = yes
accept = 127.0.0.1:4500
connect = remote_ip:4600

[nc]
client = yes
accept = 127.0.0.1:11000
connect = remote_ip:10000

OpenVPN server config

Code: Select all

plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so system-auth

port 4500
proto tcp
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/cert.crt
key /etc/openvpn/certs/key.key
dh /etc/openvpn/certs/dh2048.pem
tls-auth /etc/openvpn/certs/ta.key 0

server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"

client-to-client
keepalive 1800 4000

cipher AES-256-CBC 
comp-lzo

max-clients 4

user nobody
group nobody

persist-key
persist-tun

log        /var/log/openvpn.log
status     openvpn-status.log
status-version 1
verb 5
mute 20

OpenVPN client config

Code: Select all

client 
remote 127.0.0.1 4500
ca /home/user/OpenVPN/ca.crt
cert /home/user/OpenVPN/cert-client.crt
key /home/user/OpenVPN/key-client.key
cipher AES-256-CBC
comp-lzo yes
dev tun
proto tcp
tls-auth ./ta.key 1
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user user
group user
auth-user-pass

Thanks in advance!

bbgermany · Post by **bbgermany** » Mon Oct 23, 2017 9:59 am

Hi,

please try adding "pull" to your client config.

Greets, bb

esperto · Post by **esperto** » Mon Oct 23, 2017 7:36 pm

bbgermany wrote:Hi,

please try adding "pull" to your client config.

Greets, bb

Just tried, didn't work

bbgermany · Post by **bbgermany** » Tue Oct 24, 2017 4:55 am

Hi,

Please post the output of "netstat -rn" and "ifconfig -a" after you tried to establish the openvpn tunnel.

Thx and greets, bb

esperto · Post by **esperto** » Tue Oct 24, 2017 3:39 pm

Ok, weird thing, I don't have the results asked on the post above right now, but tested using a windows machine and the tunnel + openVPN worked

My android phone and my notebook running Mint both showed the same problem, connects but nothing after that, so this indicates to something at the client side.

The "pull" command at the client config didn't make any difference, any other suggestions?

bbgermany · Post by **bbgermany** » Wed Oct 25, 2017 4:30 am

Hi,

please try posting the output of the commands, this can maybe help us debuggung the issue. You can also post the kernel config, maybe there is an option missing. Additionally you should post the logfile of openvpn (at least client side).

greets, bb

esperto · Post by **esperto** » Wed Oct 25, 2017 11:54 am

BB,

thanks for the support, the problem was a routing issue, found the answer on this reddit thread:
https://www.reddit.com/r/OpenVPN/commen ... sl_tunnel/

I just had to add, before connecting, a route to my server with the gateway from the "normal" connection, or the packets seems to get routed in a loop inside the VPN connection.

Code: Select all

route add -host <VPN-server-public-IP> gw <Gateway-as-defined-by-default-route>

bbgermany · Post by **bbgermany** » Thu Oct 26, 2017 5:08 am

Hi,

good to see it working now, maybe you should consider adding the route at boot via /etc/conf.d/net, if possible

https://wiki.gentoo.org/wiki/Static_Rou ... atic_Route

greets, bb