Hi, I never did it, but from what I've read, it seems that there's an argument missing on the server side.
[ppp]
exec = /usr/sbin/pppd
execargs = 10.0.1.1: local debug noauth

should be

[ppp]
exec = /usr/sbin/pppd
execargs = pppd local debug noauth 10.0.1.1:

Flo

On Thu, Apr 11, 2019 at 9:53 PM Martin Got <[email protected]> wrote:
> Trying to set up pppd link with stunnel wrapped between two OpenBSD
> 6.4 amd64 machines.
> I use this reference article as an idea:
> http://bremford.org/tips/QuickStunnelVPN.html
>
> While connecting from client's side by command:
> /usr/sbin/pppd ptypA 10.0.1.2: local debug noauth passive noccp novj
> novjccomp nopcomp noaccomp name ppp-clnt connect 'stunnel
> /etc/stunnel/stunnel-client.conf
>
> stunnel-client starts, pppd starts on client's end according to
> stunnel-clnt.log, but has LCP timeouts:
>
> # tail stunnel-clnt.log
> stunnel: LOG5[ui]: Configuration successful
> pppd[5421]: Connect: ppp2 <--> /dev/ptypA
> pppd[5421]: LCP: timeout sending Config-Requests
> pppd[5421]: Connection terminated.
> pppd[5421]: Connect script failed
>
> It seems no pppd pty client connection to stunnel-local nor remote
> stunnel-server afterwards. But when I tried to connect to stunnel-client
> port 1723 using telnet:
> telnet localhost 1723
> I received pppd advertisements from remote stunnel-server. It seems exec =
> /usr/sbin/pppd on stunnel-server is running when client's stunnel-client
> connection appeared.
>
> Can it be a problem with pppd and stunnel-client using pty?
>
> Please advise.
>
> # cat /etc/stunnel/stunnel-server.conf
>
> ;chroot = /var/stunnel # chroot is disabled for testing
> ;setuid = _stunnel # stunnel started by root for testing currently
> ;setgid = _stunnel
> ; PID file is created inside the chroot jail (if enabled)
> ;pid = /stunnel.pid
> foreground = yes
> debug = 7
> ;output = log/stunnel.log # disabled
> sslVersion = TLSv1.2
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> ; Enable support for the insecure SSLv3 protocol
> ;options = NO_SSLv3
> options = NO_TLSv1
> options = NO_TLSv1.1
> ; Fix for Eudora "error reading network" can be useful for changing packet length
> options = DONT_INSERT_EMPTY_FRAGMENTS
> ; These options provide additional security at some performance degradation
> ;options = SINGLE_ECDH_USE
> ;options = SINGLE_DH_USE
>
> ; *** TLS server mode services
> [ppp]
> accept = 723
> exec = /usr/sbin/pppd
> execargs = 10.0.1.1: local debug noauth
> pty = yes
> CAfile = /etc/stunnel/ca.crt
> cert = /etc/stunnel/srv.crt
> key = /etc/stunnel/private/srv.key
> verifyChain = yes
> TIMEOUTclose = 45
>
> [default]
> ; HTTP connections
> ;ciphers = ALL
> ;options = CIPHER_SERVER_PREFERENCE
> accept = 1111
> connect = 127.0.0.1:80
> CAfile = /etc/stunnel/ca.crt
> cert = /etc/stunnel/srv.crt
> key = /etc/stunnel/private/srv.key
> verifyChain = yes
> TIMEOUTclose = 0
>
> [ntp]
> connect = 127.0.0.1:123
> sni = default:ntp
> CAfile = /etc/stunnel/ca.crt
> cert = /etc/stunnel/srv.crt
> key = /etc/stunnel/private/srv.key
> verifyChain = yes
> TIMEOUTclose = 0
> --------------------
>
> # cat /etc/stunnel/stunnel-client.conf
>
> chroot = /var/stunnel
> setuid = _stunnel
> setgid = _stunnel
> pid = /stunnel-clnt.pid
> foreground = yes
> debug = 7
> ;output = log/stunnel-clnt.log
> sslVersion = TLSv1.2
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> ; Enable support for the insecure SSLv3 protocol
> ;options = NO_SSLv3
> options = NO_TLSv1
> options = NO_TLSv1.1
> ; Fix for Eudora "error reading network" can be useful for changing packet length
> options = DONT_INSERT_EMPTY_FRAGMENTS
> ; These options provide additional security at some performance degradation
> ;options = SINGLE_ECDH_USE
> ;options = SINGLE_DH_USE
>
> [ppp]
> client = yes
> accept = 127.0.0.1:1723 # 'accept' is absent in client's
> configuration http://bremford.org/tips/QuickStunnelVPN.html but stunnel
> reports: [!] Service [ppp]: Each service must define two endpoints on
> stunnel-5.44
> connect = STUNNEL-SERVER-IP:723
> CAfile = /etc/stunnel/ca.crt
> cert = /etc/stunnel/client.crt
> key = /etc/stunnel/client.key
> verifyChain = yes
> checkHost = hostna.me
> ;checkIP = 1.2.3.4
> --------------------
>
>
>
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
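As an added example (not code from either poster or from the stunnel project), a small Python lint that parses stunnel.conf-style sections and flags the two problems discussed in this thread: an execargs whose first token is not argv[0] (the program name), and a service that does not define two endpoints. The sample configuration inside it is constructed from the server-side [ppp] section above; treating an sni slave service as exempt from the endpoint count is an assumption of this lint.

```python
import os

def parse_stunnel_conf(text):
    """Minimal stunnel.conf parser -> {section: [(key, value), ...]}; duplicate keys
    (options, socket) are kept, ';'/'#' lines are comments, global settings go under ''."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections

def lint_service(name, entries):
    """Findings for one service: endpoint count, and argv[0] in execargs."""
    findings, keys = [], dict(entries)
    endpoints = sum(1 for k in ("accept", "connect", "exec") if k in keys)
    # Assumption: an 'sni' slave service inherits the accept endpoint of its master.
    if endpoints < 2 and "sni" not in keys:
        findings.append(f"[{name}]: needs two endpoints (accept/connect/exec), found {endpoints}")
    if "exec" in keys:
        argv = keys.get("execargs", "").split()
        program = os.path.basename(keys["exec"])
        # execargs becomes argv verbatim: its first token is argv[0] and must name the program.
        if not argv or os.path.basename(argv[0]) != program:
            findings.append(f"[{name}]: execargs must start with '{program}', got {argv[:1]}")
    return findings

def lint(text):
    return [f for name, entries in parse_stunnel_conf(text).items()
            if name for f in lint_service(name, entries)]

# Constructed sample: the posted server-side [ppp] service, a corrected copy, and a
# service that defines only one endpoint (stunnel rejects it with the quoted error).
SAMPLE = """\
[ppp]
accept = 723
exec = /usr/sbin/pppd
execargs = 10.0.1.1: local debug noauth
[ppp-fixed]
accept = 723
exec = /usr/sbin/pppd
execargs = pppd local debug noauth 10.0.1.1:
[broken]
connect = 127.0.0.1:80
"""
```

Running lint(SAMPLE) reports only [ppp] (argv[0] missing) and [broken] (one endpoint); the corrected [ppp-fixed] section passes.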
