My bad, I didn't read that it was OpenBSD. I would try to set 'foreground = no' in the stunnel client, because it doesn't make sense if you use it as a connect script.
Regards,
Flo

On Mon, Apr 15, 2019 at 10:31 PM Martin Got <[email protected]> wrote:

> No luck, unfortunately.
>
> The pppd option is not needed for the OpenBSD pppd implementation (no such
> option is available for pppd).
>
> It seems to be a client-side problem, after all. The server side replies to
> a test telnet connection.
>
> Any ideas?
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, April 12, 2019 7:58 AM, Flo Rance <[email protected]> wrote:
>
> Hi,
>
> I never did it, but from what I've read, it seems that there's an argument
> missing on the server side.
>
> [ppp]
> exec = /usr/sbin/pppd
> execargs = 10.0.1.1: local debug noauth
>
> should be
>
> [ppp]
> exec = /usr/sbin/pppd
> execargs = pppd local debug noauth 10.0.1.1:
>
>
> Flo
>
> On Thu, Apr 11, 2019 at 9:53 PM Martin Got <[email protected]> wrote:
>
>> Trying to set up a pppd link wrapped in stunnel between two OpenBSD
>> 6.4 amd64 machines.
>> I use this reference article as an idea:
>> http://bremford.org/tips/QuickStunnelVPN.html
>>
>> While connecting from the client's side with the command:
>> /usr/sbin/pppd ptypA 10.0.1.2: local debug noauth passive noccp novj
>> novjccomp nopcomp noaccomp name ppp-clnt connect 'stunnel
>> /etc/stunnel/stunnel-client.conf'
>>
>> stunnel-client starts, and pppd starts on the client's end according to
>> stunnel-clnt.log, but has LCP timeouts:
>>
>> # tail stunnel-clnt.log
>> stunnel: LOG5[ui]: Configuration successful
>> pppd[5421]: Connect: ppp2 <--> /dev/ptypA
>> pppd[5421]: LCP: timeout sending Config-Requests
>> pppd[5421]: Connection terminated.
>> pppd[5421]: Connect script failed
>>
>> It seems there is no pppd pty client connection to the local stunnel nor
>> to the remote stunnel-server afterwards. But when I tried to connect to
>> the stunnel-client port 1723 using telnet:
>> telnet localhost 1723
>> I received pppd advertisements from the remote stunnel-server. It seems
>> exec = /usr/sbin/pppd on stunnel-server is running when the client's
>> stunnel-client connection appears.
>>
>> Can it be a problem with pppd and stunnel-client using a pty?
>>
>> Please advise.
>>
>> # cat /etc/stunnel/stunnel-server.conf
>>
>> ;chroot = /var/stunnel # chroot is disabled for testing
>> ;setuid = _stunnel # stunnel started by root for testing currently
>> ;setgid = _stunnel
>> ; PID file is created inside the chroot jail (if enabled)
>> ;pid = /stunnel.pid
>> foreground = yes
>> debug = 7
>> ;output = log/stunnel.log # disabled
>> sslVersion = TLSv1.2
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> ; Enable support for the insecure SSLv3 protocol
>> ;options = NO_SSLv3
>> options = NO_TLSv1
>> options = NO_TLSv1.1
>> ; Fix for Eudora "error reading network" can be useful for changing packet length
>> options = DONT_INSERT_EMPTY_FRAGMENTS
>> ; These options provide additional security at some performance degradation
>> ;options = SINGLE_ECDH_USE
>> ;options = SINGLE_DH_USE
>>
>> ; *** TLS server mode services
>> [ppp]
>> accept = 723
>> exec = /usr/sbin/pppd
>> execargs = 10.0.1.1: local debug noauth
>> pty = yes
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/srv.crt
>> key = /etc/stunnel/private/srv.key
>> verifyChain = yes
>> TIMEOUTclose = 45
>>
>> [default]
>> ; HTTP connections
>> ;ciphers = ALL
>> ;options = CIPHER_SERVER_PREFERENCE
>> accept = 1111
>> connect = 127.0.0.1:80
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/srv.crt
>> key = /etc/stunnel/private/srv.key
>> verifyChain = yes
>> TIMEOUTclose = 0
>>
>> [ntp]
>> connect = 127.0.0.1:123
>> sni = default:ntp
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/srv.crt
>> key = /etc/stunnel/private/srv.key
>> verifyChain = yes
>> TIMEOUTclose = 0
>> --------------------
>>
>> # cat /etc/stunnel/stunnel-client.conf
>>
>> chroot = /var/stunnel
>> setuid = _stunnel
>> setgid = _stunnel
>> pid = /stunnel-clnt.pid
>> foreground = yes
>> debug = 7
>> ;output = log/stunnel-clnt.log
>> sslVersion = TLSv1.2
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> ; Enable support for the insecure SSLv3 protocol
>> ;options = NO_SSLv3
>> options = NO_TLSv1
>> options = NO_TLSv1.1
>> ; Fix for Eudora "error reading network" can be useful for changing packet length
>> options = DONT_INSERT_EMPTY_FRAGMENTS
>> ; These options provide additional security at some performance degradation
>> ;options = SINGLE_ECDH_USE
>> ;options = SINGLE_DH_USE
>>
>> [ppp]
>> client = yes
>> accept = 127.0.0.1:1723 # 'accept' is absent in the client's configuration
>> at http://bremford.org/tips/QuickStunnelVPN.html but stunnel reports:
>> [!] Service [ppp]: Each service must define two endpoints on stunnel-5.44
>> connect = STUNNEL-SERVER-IP:723
>> CAfile = /etc/stunnel/ca.crt
>> cert = /etc/stunnel/client.crt
>> key = /etc/stunnel/client.key
>> verifyChain = yes
>> checkHost = hostna.me
>> ;checkIP = 1.2.3.4
>> --------------------
>>
>>
>>
>> _______________________________________________
>> stunnel-users mailing list
>> [email protected]
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>
>
>
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
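The configuration mistakes raised in this thread, as an added example that is not part of the original messages or of stunnel itself: a small Python linter that parses stunnel.conf syntax and checks each service for the two-endpoint rule, for an execargs that omits $0 (Flo's point), for a client-side verifyChain with no checkHost/checkIP, and, when the client is meant to be started from a pppd connect script, for daemon versus inetd mode. The sample configs are constructed from the ones posted above, trimmed to the [ppp] services, with the server address replaced by the documentation placeholder 192.0.2.10; the lint rules and the inetd-mode caveat are the editor's reading of stunnel(8), not something the thread concluded.

```python
import os
import re

# Constructed sample configs, trimmed from the ones posted in the thread.
# 192.0.2.10 is a placeholder for the stunnel server address.
SERVER_CONF = """
; global options
foreground = yes
debug = 7
sslVersion = TLSv1.2
options = NO_TLSv1
options = NO_TLSv1.1

[ppp]
accept = 723
exec = /usr/sbin/pppd
execargs = 10.0.1.1: local debug noauth
pty = yes
CAfile = /etc/stunnel/ca.crt
cert = /etc/stunnel/srv.crt
key = /etc/stunnel/private/srv.key
verifyChain = yes
"""

CLIENT_CONF = """
foreground = yes
debug = 7
sslVersion = TLSv1.2

[ppp]
client = yes
accept = 127.0.0.1:1723
connect = 192.0.2.10:723
CAfile = /etc/stunnel/ca.crt
cert = /etc/stunnel/client.crt
key = /etc/stunnel/client.key
verifyChain = yes
checkHost = hostna.me
"""


def parse_stunnel_conf(text):
    """Parse stunnel.conf syntax: whole-line ';' or '#' comments, [service]
    headers and 'key = value' pairs.  Keys may repeat (several 'options ='
    lines), so every value is stored as a list.  Returns (global_opts, services)."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = services.setdefault(header.group(1), {})
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def _first(opts, key):
    return opts[key][0] if key in opts else None


def lint(global_opts, services, run_from_connect_script=False):
    """Return a list of (service, message) findings.  Rule 1 mirrors stunnel's
    own startup error; rules 2-5 are the editor's checks based on stunnel(8)."""
    findings = []
    for name, opts in services.items():
        accept, connect, exe = _first(opts, "accept"), _first(opts, "connect"), _first(opts, "exec")
        client = (_first(opts, "client") or "no").lower() == "yes"

        # 1. daemon mode needs a local endpoint (accept) and a remote one (connect or exec)
        if not accept or not (connect or exe):
            findings.append((name, "Each service must define two endpoints"))

        # 2. execargs is the complete argv for exec, so it starts with $0 (the program name);
        #    a leading '10.0.1.1:' means pppd sees a shifted argument list
        if exe:
            args = (_first(opts, "execargs") or "").split()
            prog = os.path.basename(exe)
            if not args or args[0] != prog:
                findings.append((name, "execargs must start with $0 '%s'; suggested: execargs = %s"
                                 % (prog, " ".join([prog] + args))))

        # 3. pty only matters for a program started with exec
        if _first(opts, "pty") and not exe:
            findings.append((name, "pty = yes has no effect without exec"))

        # 4. verifyChain validates the chain against CAfile only; without checkHost or
        #    checkIP a client accepts any certificate that CA issued, for any name
        if client and (_first(opts, "verifyChain") or "no").lower() == "yes" \
                and not ("checkHost" in opts or "checkIP" in opts):
            findings.append((name, "verifyChain = yes without checkHost/checkIP does not pin the server identity"))

    # 5. pppd runs its connect script with the pty on stdin/stdout; stunnel only uses
    #    stdin/stdout in inetd mode, which stunnel(8) defines as a config with no
    #    [service] sections (connect and the TLS options go in the global section)
    if run_from_connect_script and services:
        findings.append(("*", "[service] sections start stunnel as a daemon listening on accept; "
                              "a pppd connect script needs inetd mode (connect in the global "
                              "section, no [service] sections) so the pty is the local end"))
    return findings


if __name__ == "__main__":
    for label, conf, as_script in (("server", SERVER_CONF, False), ("client", CLIENT_CONF, True)):
        for service, msg in lint(*parse_stunnel_conf(conf), run_from_connect_script=as_script):
            print("%s [%s]: %s" % (label, service, msg))
```

Run as is, the server config yields a single finding, the execargs with no $0, and the suggested line `execargs = pppd 10.0.1.1: local debug noauth`; the client config passes the daemon-mode checks but is flagged once it is treated as a pppd connect script, which is consistent with the symptom reported above: pppd's pty never reaches stunnel, while a telnet to 127.0.0.1:1723 does.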
