[stunnel-users] stunnel 5.44 + pppd client side problem

Flo Rance trourance at gmail.com
Tue Apr 16 13:00:04 CEST 2019


My bad, I didn't read that it was openBSD.

I would try to set 'foreground = no' in stunnel client, because it doesn't
make sense if you use it as a connect script.

Regards,
Flo

On Mon, Apr 15, 2019 at 10:31 PM Martin Got <martingot at protonmail.com>
wrote:

> No luck, unfortunately.
>
> pppd option is not needed for OpenBSD pppd implementation (no this option
> available for pppd).
>
> It seems a client side problem at all. Server side replies to test telnet
> connection.
>
> Any ideas?
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, April 12, 2019 7:58 AM, Flo Rance <trourance at gmail.com> wrote:
>
> Hi,
>
> I never did it, but from what I've read, it seems that there's an argument
> missing on the server side.
>
> [ppp]
> exec = /usr/sbin/pppd
> execargs = 10.0.1.1: local debug noauth
>
> should be
>
> [ppp]
> exec = /usr/sbin/pppd
> execargs = pppd local debug noauth 10.0.1.1:
>
>
> Flo
>
> On Thu, Apr 11, 2019 at 9:53 PM Martin Got <martingot at protonmail.com>
> wrote:
>
>> Trying to set up pppd link with stunnel wrapped between two OpenBSD
>> 6.4amd64 machines.
>> I use this reference article as an idea:
>> http://bremford.org/tips/QuickStunnelVPN.html
>>
>> While connecting from client's side by command:
>> /usr/sbin/pppd ptypA 10.0.1.2: local debug noauth passive noccp novj
>> novjccomp nopcomp noaccomp name ppp-clnt connect 'stunnel
>> /etc/stunnel/stunnel-client.conf
>>
>> stunnel-client starts, pppd starts on client's end according to
>> stunnel-clnt.log, but has LCP timeouts:
>>
>> # tail stunnel-clnt.log
>> stunnel: LOG5[ui]: Configuration successful
>> pppd[5421]: Connect: ppp2 <--> /dev/ptypA
>> pppd[5421]: LCP: timeout sending Config-Requests
>> pppd[5421]: Connection terminated.
>> pppd[5421]: Connect script failed
>>
>> It seems no pppd pty client connection to stunnel-local nor remote
>> stunnel-server afterwards. But when I tried to connect to stunnel-client
>> port 1723 using telnet:
>> telnet localhost 1723
>> I received pppd advertisements from remote stunnel-server. It seems exec
>> = /usr/sbin/pppd on stunnel-server is running when client's stunnel-client
>> connection appeared.
>>
>> Can it be a problem with pppd and stunnel-client using pty?
>>
>> Please advice.
>>
>> # cat /etc/stunnel/stunnel-server.conf
>>
>> ;chroot = /var/stunnel    # chroot is disabled for testing
>> ;setuid = _stunnel    # stunnel started by root for testing currently
>> ;setgid = _stunnel
>> ; PID file is created inside the chroot jail (if enabled)
>> ;pid = /stunnel.pid
>> foreground = yes
>> debug = 7
>> ;output = log/stunnel.log     # disabled
>> sslVersion = TLSv1.2
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> ; Enable support for the insecure SSLv3 protocol
>> ;options = NO_SSLv3
>> options = NO_TLSv1
>> options = NO_TLSv1.1
>> ; Fix for Eudora "error reading network" can be useful for changing
>> packet length
>> options = DONT_INSERT_EMPTY_FRAGMENTS
>> ; These options provide additional security at some performance
>> degradation
>> ;options = SINGLE_ECDH_USE
>> ;options = SINGLE_DH_USE
>>
>> ; *** TLS server mode services
>> [ppp]
>> accept = 723
>> exec = /usr/sbin/pppd
>> execargs = 10.0.1.1: local debug noauth
>> pty = yes
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/srv.crt
>> key = /etc/stunnel/private/srv.key
>> verifyChain = yes
>> TIMEOUTclose = 45
>>
>> [default]
>> ; HTTP connections
>> ;ciphers = ALL
>> ;options = CIPHER_SERVER_PREFERENCE
>> accept = 1111
>> connect = 127.0.0.1:80
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/srv.crt
>> key = /etc/stunnel/private/srv.key
>> verifyChain = yes
>> TIMEOUTclose = 0
>>
>> [ntp]
>> connect = 127.0.0.1:123
>> sni = default:ntp
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/srv.crt
>> key = /etc/stunnel/private/srv.key
>> verifyChain = yes
>> TIMEOUTclose = 0
>> --------------------
>>
>> # cat /etc/stunnel/stunnel-client.conf
>>
>> chroot = /var/stunnel
>> setuid = _stunnel
>> setgid = _stunnel
>> pid = /stunnel-clnt.pid
>> foreground = yes
>> debug = 7
>> ;output = log/stunnel-clnt.log
>> sslVersion = TLSv1.2
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> ; Enable support for the insecure SSLv3 protocol
>> ;options = NO_SSLv3
>> options = NO_TLSv1
>> options = NO_TLSv1.1
>> ; Fix for Eudora "error reading network" can be useful for changing
>> packet length
>> options = DONT_INSERT_EMPTY_FRAGMENTS
>> ; These options provide additional security at some performance
>> degradation
>> ;options = SINGLE_ECDH_USE
>> ;options = SINGLE_DH_USE
>>
>> [ppp]
>> client = yes
>> accept = 127.0.0.1:1723     # 'accept' is absent in client's
>> configuration http://bremford.org/tips/QuickStunnelVPN.html but stunnel
>> reports: [!] Service [ppp]: Each service must define two endpoints on
>> stunnel-5.44
>> connect = STUNNEL-SERVER-IP:723
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/client.crt
>> key = /etc/stunnel/client.key
>> verifyChain = yes
>> checkHost = hostna.me
>> ;checkIP = 1.2.3.4
>> --------------------
>>
>>
>>
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190416/35e616a0/attachment.html>


More information about the stunnel-users mailing list