[stunnel-users] Linux pppd VPN network notwork very well

Colin McKinnon colin at mms3.com
Thu Jul 21 16:50:21 CEST 2005


Hi all,

I've got two LANs behind masquerading routers that I've linked via a 
stunnel + pppd vpn. When it works, it works, but I've got a couple of 
problems - has anybody out there in Stunnel Land managed to fix / workaround 
these?

1) The connection goes down fairly regularly.

I've set up a cron job to move a few packets back and forth to make sure that 
the ADSL connection at both ends stays up (pppd set not to do demand stuff). 
There's nothing in the logs to suggest that the ADSL *is* going down, but I 
thought it would eliminate a lot of possibilities. (see log entries below). 
Currently the link is going down at least once per day. Uptime varies 
greatly.

I can't see any way of asking stunnel to try again if the pppd exits (see conf 
below) other than manually restarting it.

I'm hoping to scale the VPN up to multiple sites - with one connection, I can 
just do /etc/rc.d/stunnel restart - but if I've got multiple instances of 
stunnel running with different configs it gets a bit messy to reset a single 
connection. I did think about having multiple hard links to the stunnel 
binary, so each VPN will have a different process name attached to it, but 
this strikes me as a bit of a hack.

2) bandwidth on the link is poor.
I consistently get 1/4 of the bandwidth (measured using scp to copy largish 
files) compared with bypassing the stunnel/pppd pair (same route between 
LANs). While I expected some overhead, this seems rather a lot.

3) latency is a lot higher too

4) The VPN seems to stutter more regularly than the direct connection
...I mean that I don't seem to be getting any traffic for 5-10 seconds then it 
resumes without any loss of data (e.g. when using ssh).

The routers at either end are relatively dumb so (as I understand it) there 
aren't many options for using IPIP or GRE tunnelling.

Anybody got any suggestions as to how I can make it (particularly) more 
reliable and (also) a bit faster?

TIA,

Colin McKinnon

pppd
--------
pppd local nodeflate nobsdcomp nodefaultroute 10.1.17.208:10.1.20.202

log entries:
----------------
Stunnel started manually:

Jul 19 08:25:59 serv8 stunnel[740]: stunnel 4.05 on i686-suse-linux-gnu PTHREAD with OpenSSL 0.9.7d 17 Mar 2004
Jul 19 08:25:59 serv8 stunnel[740]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
Jul 19 08:25:59 serv8 pppd[743]: pppd 2.4.2 started by stunnel, uid 100
Jul 19 08:25:59 serv8 pppd[743]: Using interface ppp0
Jul 19 08:25:59 serv8 pppd[743]: Connect: ppp0 <--> /dev/pts/1

Everything works fine (although a little slow) then...

Jul 19 10:36:32 serv8 pppd[743]: No response to 4 echo-requests
Jul 19 10:36:32 serv8 pppd[743]: Serial link appears to be disconnected.
Jul 19 10:36:34 serv8 pppd[743]: Script /etc/ppp/ip-down finished (pid 1668), status = 0x0
Jul 19 10:36:34 serv8 ip-down: SIOCDELRT: No such process
Jul 19 10:36:36 serv8 pppd[743]: Connection terminated.
Jul 19 10:36:36 serv8 pppd[743]: Connect time 130.6 minutes.
Jul 19 10:36:36 serv8 pppd[743]: Sent 58200 bytes, received 57227 bytes.
Jul 19 10:36:36 serv8 pppd[743]: Connect time 130.6 minutes.
Jul 19 10:36:36 serv8 pppd[743]: Sent 58200 bytes, received 57227 bytes.
Jul 19 10:36:36 serv8 pppd[743]: Exit.
Jul 19 10:36:36 serv8 stunnel[741]: readsocket: Input/output error (5)
Jul 19 10:36:36 serv8 stunnel[741]: Connection reset: 68626 bytes sent to SSL, 66280 bytes sent to socket

Stunnel config
---------------------
foreground = no
client = yes
setuid = stunnel
setgid = dialout
CAfile = /etc/stunnel/3bCArootCert.pem
cert = /etc/stunnel/system.pem
verify = 2
session = 3600
[ppp]
connect = remotehost:2020
exec = /usr/sbin/pppd
execargs = pppd local nodeflate nobsdcomp nodefaultroute 10.1.17.208:10.1.20.202
pty = yes

(converse at other end)

Routing at 'client' end
---------------------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.20.202     *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
10.1.20.0       *               255.255.255.0   U     0      0        0 ppp0
10.1.17.0       *               255.255.255.0   U     0      0        0 eth2
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

(eth1 connects to the ADSL router, eth2 to the LAN)
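The following is an added example, not code from the original post or from the stunnel project, showing one way to handle problem 1) and the multi-site restart question without the hard-link trick: run one stunnel process per site config in the foreground under a small POSIX sh supervisor, give each site its own pid file, and restart with a capped backoff when either stunnel exits (as in the log above, where pppd's exit takes the stunnel connection with it) or pppd disappears while stunnel idles. It reuses the posted stunnel section and pppd options, and adds pppd's `linkname <site>` option so pppd writes /var/run/ppp-<site>.pid, which gives the health check a per-site handle. The directory layout (/etc/stunnel/vpn, /var/run/stunnel-vpn, /var/log/stunnel-vpn), the script name vpn.sh and the site names are assumptions. Later stunnel releases added a `retry` option for connect+exec sections that covers the simple restart case; 4.05 does not have it, so the restart logic lives outside stunnel here.

```shell
#!/bin/sh
# Added example, not from the original post: supervise one stunnel+pppd VPN
# per site config and restart it when stunnel or pppd dies, so a single site
# can be reset by name instead of restarting every stunnel instance.
# All paths and site names below are hypothetical; adjust to your layout.

VPN_CONF_DIR="${VPN_CONF_DIR:-/etc/stunnel/vpn}"    # one <site>.conf per VPN
VPN_RUN_DIR="${VPN_RUN_DIR:-/var/run/stunnel-vpn}"   # <site>.pid written here
VPN_LOG_DIR="${VPN_LOG_DIR:-/var/log/stunnel-vpn}"   # <site>.log (stunnel stderr)

vpn_conf() { printf '%s/%s.conf\n' "$VPN_CONF_DIR" "$1"; }
vpn_pid()  { printf '%s/%s.pid\n'  "$VPN_RUN_DIR"  "$1"; }

# Render a per-site stunnel config from the section in the post.  Differences:
# foreground = yes so the supervisor can wait on the real stunnel process (and
# stunnel 4 then logs to stderr, which supervise() captures per site), and pppd
# gets "linkname <site>" so it writes /var/run/ppp-<site>.pid for link_alive().
render_conf() {  # site remotehost port local_ip remote_ip
  cat <<EOF
foreground = yes
client = yes
setuid = stunnel
setgid = dialout
CAfile = /etc/stunnel/3bCArootCert.pem
cert = /etc/stunnel/system.pem
verify = 2
session = 3600
[ppp-$1]
connect = $2:$3
exec = /usr/sbin/pppd
execargs = pppd local nodeflate nobsdcomp nodefaultroute linkname $1 $4:$5
pty = yes
EOF
}

# Is pppd for this site alive?  With "linkname <site>" pppd writes its pid on
# the first line of /var/run/ppp-<site>.pid and removes the file on exit.
link_alive() {
  f="/var/run/ppp-$1.pid"
  [ -r "$f" ] && kill -0 "$(sed -n 1p "$f")" 2>/dev/null
}

# Restart delay in seconds: 5, 10, 20, ... capped at 300, so a peer that is
# down for hours is not hammered while a brief blip is recovered quickly.
backoff_delay() {  # number of consecutive short-lived runs
  d=5; i=0
  while [ "$i" -lt "$1" ] && [ "$d" -lt 300 ]; do d=$((d * 2)); i=$((i + 1)); done
  if [ "$d" -gt 300 ]; then d=300; fi
  echo "$d"
}

supervise() {  # site
  site=$1; conf=$(vpn_conf "$site"); pidf=$(vpn_pid "$site"); fails=0
  mkdir -p "$VPN_RUN_DIR" "$VPN_LOG_DIR"
  while :; do
    stunnel "$conf" >>"$VPN_LOG_DIR/$site.log" 2>&1 &
    spid=$!
    echo "$spid" >"$pidf"
    started=$(date +%s)
    # Watchdog: after a 30 s grace period for pppd/LCP to come up, a missing
    # pppd means the link is dead even if stunnel is still idling, so kill
    # stunnel and let the outer loop restart the pair.
    ( sleep 30; while sleep 10; do link_alive "$site" || { kill "$spid" 2>/dev/null; exit 0; }; done ) &
    wpid=$!
    wait "$spid" 2>/dev/null
    kill "$wpid" 2>/dev/null
    rm -f "$pidf"
    # A run that lasted at least two minutes resets the backoff counter.
    if [ $(( $(date +%s) - started )) -ge 120 ]; then fails=0; else fails=$((fails + 1)); fi
    sleep "$(backoff_delay "$fails")"
  done
}

# Reset one site only: kill its stunnel; its supervisor restarts the pair.
reset_site() { kill "$(cat "$(vpn_pid "$1")")"; }

case "${1:-}" in
  run)   supervise "$2" ;;
  reset) reset_site "$2" ;;
  conf)  shift; render_conf "$@" ;;  # e.g. vpn.sh conf siteA remotehost 2020 10.1.17.208 10.1.20.202 > /etc/stunnel/vpn/siteA.conf
esac
```

Start one supervisor per site from the boot scripts (`vpn.sh run siteA &`), and reset a single link with `vpn.sh reset siteA`; the other sites' stunnel processes are untouched. Note that this only addresses reliability of the restart: the throughput, latency and 5-10 second stalls in points 2)-4) are what TCP carried inside a TCP-based tunnel (SSL over TCP, carrying PPP, carrying the inner TCP) tends to produce when the inner and outer retransmission timers interact under loss, and a supervisor cannot fix that.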
