OpenVPN + stunnel, having DNS problems..

JAGaffer
OpenVpn Newbie
Posts: 8
Joined: Wed Apr 05, 2017 7:20 am

OpenVPN + stunnel, having DNS problems..

Post by JAGaffer » Wed Apr 05, 2017 7:53 am

My school insists on using an open network for the campus's wireless, so I've been forced to use a VPN while at school to protect my privacy. That wasn't enough though, because the school's sysadmin has decided to block OpenVPN connections. He claims it is for security reasons, despite my protest that I need to be able to use a VPN for my own security. To get around this I have been using stunnel to encapsulate the OpenVPN connection.

It has been working great until recently when he started proxying DNS requests. I assumed all traffic would go through the VPN but apparently that is not the case. I noticed he started pushing DNS servers through DHCP and my adapter was configured to use auto configured DNS servers. I tried setting the wireless adapter to use Google's DNS servers, but when I do that I just get timeouts on lookups. I tried setting the 'redirect-gateway' and pushing DNS servers to the client, but when I do that I am not able to get a session open. I get connected, but then it instantly drops. The server log shows the connection, then the OpenVPN service restarts and the session fails.

Here are my logs and configs:

Client OpenVPN Configuration:
client
dev tun
proto tcp
#connect to local stunnel service
remote 127.0.0.1 22994
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert tneal.crt
key tneal.key
remote-cert-tls server
comp-lzo
verb 3
route-method exe
route-delay 2
redirect-gateway def1
Client OpenVPN Log:

23:44:01 2017 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
23:44:01 2017 Windows version 6.2 (Windows 8 or greater) 64bit
23:44:01 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
Enter Management Password:
23:44:01 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
23:44:01 2017 Need hold release from management interface, waiting...
23:44:01 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
23:44:01 2017 MANAGEMENT: CMD 'state on'
23:44:01 2017 MANAGEMENT: CMD 'log all on'
23:44:01 2017 MANAGEMENT: CMD 'hold off'
23:44:01 2017 MANAGEMENT: CMD 'hold release'
23:44:01 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
23:44:01 2017 Attempting to establish TCP connection with [AF_INET]127.0.0.1:22994 [nonblock]
23:44:01 2017 MANAGEMENT: >STATE:1491374641,TCP_CONNECT,,,
23:44:01 2017 TCP connection established with [AF_INET]127.0.0.1:22994
23:44:01 2017 TCPv4_CLIENT link local: [undef]
23:44:01 2017 TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:22994
23:44:01 2017 MANAGEMENT: >STATE:1491374641,WAIT,,,
23:44:02 2017 Connection reset, restarting [-1]
23:44:02 2017 SIGUSR1[soft,connection-reset] received, process restarting
23:44:02 2017 MANAGEMENT: >STATE:1491374642,RECONNECTING,connection-reset,,
23:44:02 2017 Restart pause, 5 second(s)
Client stunnel Configuration:

[openvpn]
client = yes  
accept = 127.0.0.1:22994  
connect = [Server IP]:443
PSKsecrets=psks.txt

Server OpenVPN Configuration:
server 10.8.0.0 255.255.255.0
port 11303
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4""
keepalive 10 120
comp-lzo
persist-key
persist-tun
Server OpenVPN Log:

09:33:14 server systemd[1]: Starting OpenVPN connection to server...
09:33:14 server systemd[1]: Stopping OpenVPN service...
09:33:14 server systemd[1]: Starting OpenVPN service...
09:33:14 server systemd[1]: Failed to start OpenVPN connection to server.
09:33:14 server systemd[1]: Started OpenVPN service.
Server stunnel Configuration:

sslVersion = all
options = NO_SSLv2
pid = /stunnel4.pid
debug = 7
output = /var/log/stunnel4/stunnel4.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[openvpn]
accept = [Server IP]:443
connect = [Server IP]:11303
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key
ciphers=PSK
PSKsecrets=/etc/stunnel/psk.txt
verb 10
I know these logs may look a little weird if you're not familiar with stunnel, but trust me it works. I included the stunnel configs just to help clear it up, but all it does is wrap the OpenVPN packets so that they look like regular SSL traffic. That's why I'm running it with tcp and on port 443.

Server is running Debian and the client is Windows as you can see from the log. If I take out the DNS push lines, it connects and I can connect to IP addresses directly, but DNS goes through his servers.

Can anyone see why this is happening and how can I make sure I'm protecting my DNS lookups? Thanks for reading :)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN + stunnel, having DNS problems..

Post by TinCanTech » Wed Apr 05, 2017 12:51 pm

JAGaffer wrote: Server stunnel Configuration:

sslVersion = all
options = NO_SSLv2
pid = /stunnel4.pid
debug = 7
output = /var/log/stunnel4/stunnel4.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[openvpn]
accept = [Server IP]:443
connect = [Server IP]:11303
Try setting up your openvpn server to use HTTPS port.

However, take note:
  • The network administrator has the right and means to block you and there is nothing you can do about it.

JAGaffer
OpenVpn Newbie
Posts: 8
Joined: Wed Apr 05, 2017 7:20 am

Re: OpenVPN + stunnel, having DNS problems..

Post by JAGaffer » Wed Apr 05, 2017 5:57 pm

Stunnel is running on HTTPS port. I don't connect to it directly. I connect to the stunnel service which then connects to the OpenVPN server, wrapping the connection with SSL/TLS.

This makes the traffic look like HTTPS traffic and there's nothing he can do about it (short of blocking HTTPS for everyone). It's been working fine all year. The only problem I'm having is that my DNS requests will not go through the VPN. If I take out the lines in the server config for pushing DNS servers to the client, I can connect just fine. The link works for connecting directly to IP addresses, but DNS requests get proxied.

The OpenVPN server doesn't even accept connections from the outside. The only ports accepting outside connections are stunnel and sshd.

The connection looks something like this, sorry if I'm bad at explaining it:

[Open VPN Client]-->[client stunnel]<-->[server stunnel (port 443)]<--[OpenVPN Server]

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN + stunnel, having DNS problems..

Post by TinCanTech » Wed Apr 05, 2017 6:16 pm

JAGaffer wrote: The only problem I'm having is that my DNS requests will not go through the VPN
Please see:
HOWTO: Request Help !
JAGaffer wrote: This makes the traffic look like HTTPS traffic and there's nothing he can do about it
Google DPI

JAGaffer
OpenVpn Newbie
Posts: 8
Joined: Wed Apr 05, 2017 7:20 am

Re: OpenVPN + stunnel, having DNS problems..

Post by JAGaffer » Wed Apr 05, 2017 6:24 pm

Yes, DPI is what was preventing me from using OpenVPN without the stunnel wrapper. The connection would establish but then was dropped as soon as the first OpenVPN packet was sent. Stunnel perfectly circumvents that.

Thanks for linking me to that HOWTO, I thought I followed it well. Is there some other information I'm missing?

JAGaffer
OpenVpn Newbie
Posts: 8
Joined: Wed Apr 05, 2017 7:20 am

Re: OpenVPN + stunnel, having DNS problems..

Post by JAGaffer » Wed Apr 05, 2017 6:49 pm

Oh I found the problem with the server config lol

push "dhcp-option DNS 8.8.4.4""
Oops, syntax error. Weird that OpenVPN doesn't throw up some kind of message, it just crashes lol

DNS servers are being pushed to the virtual adapter successfully, now I just need to test it on campus.

JAGaffer
OpenVpn Newbie
Posts: 8
Joined: Wed Apr 05, 2017 7:20 am

Re: OpenVPN + stunnel, having DNS problems..

Post by JAGaffer » Wed Apr 05, 2017 7:23 pm

Yeah, that did the trick. Browsing through my VPN on the school's network now. Thanks for trying though!

JAGaffer
OpenVpn Newbie
Posts: 8
Joined: Wed Apr 05, 2017 7:20 am

Re: OpenVPN + stunnel, having DNS problems..

Post by JAGaffer » Thu Apr 06, 2017 12:22 am

Doing some more research about stunnel, apparently this is a solution used by many people to get around the Great Firewall of China. I think if stunnel can beat the Chinese firewall it should be fine to shut down the sysadmin of this little school. You should be on the dev team, you should know this man :lol: :roll:

disqualified
OpenVPN User
Posts: 40
Joined: Fri Jun 03, 2016 7:13 pm

Re: OpenVPN + stunnel, having DNS problems..

Post by disqualified » Thu Apr 06, 2017 12:48 am

What is:
  • The First rule of Fight Club ?

JAGaffer
OpenVpn Newbie
Posts: 8
Joined: Wed Apr 05, 2017 7:20 am

Re: OpenVPN + stunnel, having DNS problems..

Post by JAGaffer » Thu Apr 06, 2017 3:53 am

gatekeepers smh :roll:

JAGaffer
OpenVpn Newbie
Posts: 8
Joined: Wed Apr 05, 2017 7:20 am

Re: OpenVPN + stunnel, having DNS problems..

Post by JAGaffer » Sat Apr 08, 2017 10:41 am

Looks like DNS leaks were discovered on Win 10 back in 2015 and they added a new option for it:

https://community.openvpn.net/openvpn/ticket/605

--block-outside-dns
    Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel. It uses Windows Filtering Platform (WFP) and works on Windows Vista or later.

    This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error. You may want to use --setenv opt or --ignore-unknown-option (not suitable for Windows XP) to ignore said error. Note that pushing unknown options from server does not trigger fatal errors. 
Thanks again for your help!
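
Two things in this thread lend themselves to a pre-flight check before the server is restarted: the stray double quote on the push "dhcp-option DNS 8.8.4.4"" line that was found a few posts up, and the Windows DNS leak that --block-outside-dns closes. The Python script below is an added example, not code from this thread or from the OpenVPN project. It tokenizes each config line with OpenVPN-style quoting (an approximation of OpenVPN's own config-line parser, not its code), reports an unclosed quote with its line number, re-parses every pushed option, checks that pushed dhcp-option DNS values are real IP addresses, and warns when a client config redirects the default gateway, or a server config pushes that redirect, without block-outside-dns. The sample configs are constructed to mirror the ones posted here, with the [Server IP] placeholders left out.

```python
"""OpenVPN config pre-flight lint (added example, not OpenVPN project code): flags an
unclosed quote on a push line, checks pushed DNS addresses, and warns when a
default-route redirect is not paired with block-outside-dns for Windows clients."""
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "line_no level message")   # level: "error" | "warning"


def tokenize(line):
    """Split one config line into parameters with OpenVPN-style quoting; returns
    (tokens, error).  Approximation of OpenVPN's parser: '#'/';' start a comment only
    at the start of a parameter, quotes group a parameter, backslash escapes inside ""."""
    tokens, cur = [], []
    in_token = False                 # inside an unquoted parameter
    quote = None                     # '"' or "'" while inside a quoted parameter
    i = 0
    while i < len(line):
        c = line[i]
        if quote:
            if c == quote:                           # closing quote ends the parameter
                tokens.append("".join(cur))
                cur, quote = [], None
            elif c == "\\" and quote == '"' and i + 1 < len(line):
                i += 1                               # backslash escape inside "..."
                cur.append(line[i])
            else:
                cur.append(c)
        elif c in " \t\r\n":
            if in_token:                             # whitespace ends an unquoted parameter
                tokens.append("".join(cur))
                cur, in_token = [], False
        elif not in_token and c in "#;":
            break                                    # comment: ignore the rest of the line
        elif not in_token and c in "\"'":
            quote = c                                # start of a quoted parameter
        else:
            cur.append(c)
            in_token = True
        i += 1
    if quote:
        return tokens, f"no closing {quote} for quoted parameter"
    if in_token:
        tokens.append("".join(cur))
    return tokens, None


def lint_config(text):
    """Lint a client or server config; returns a list of Finding (empty means clean)."""
    findings, directives, pushed = [], {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        tokens, err = tokenize(raw)
        if err:
            findings.append(Finding(n, "error", f"{err}: {raw.strip()}"))
        elif tokens:
            directives.setdefault(tokens[0], []).append((n, tokens[1:]))

    # A pushed option is itself a config line inside the quotes, so parse it again.
    for n, params in directives.get("push", []):
        inner, err = tokenize(params[0]) if len(params) == 1 else ([], "push takes one quoted option")
        if err or not inner:
            findings.append(Finding(n, "error", f"bad push: {err or 'empty option'}"))
        else:
            pushed.setdefault(inner[0], []).append((n, inner[1:]))

    for n, params in pushed.get("dhcp-option", []):
        if len(params) == 2 and params[0].upper() == "DNS":
            try:
                ipaddress.ip_address(params[1])
            except ValueError:
                findings.append(Finding(n, "error", f"dhcp-option DNS needs an IP address, got {params[1]!r}"))

    # Leak check: once the default route is in the tunnel, port 53 on the physical
    # adapter must be blocked too, or the DHCP-assigned resolvers are still reachable.
    leak = "Windows clients can still send DNS to the adapter's resolvers"
    if "client" in directives and "redirect-gateway" in directives and "block-outside-dns" not in directives:
        findings.append(Finding(directives["redirect-gateway"][0][0], "warning", f"redirect-gateway without block-outside-dns: {leak}"))
    if "server" in directives and "redirect-gateway" in pushed and "block-outside-dns" not in pushed:
        findings.append(Finding(pushed["redirect-gateway"][0][0], "warning", f"pushes redirect-gateway but not block-outside-dns: {leak}"))
    return findings


# Constructed samples modelled on the thread: the server config with its stray quote,
# the same config repaired, and a Windows client that redirects its default gateway.
BROKEN_SERVER = """\
server 10.8.0.0 255.255.255.0
port 11303
proto tcp
dev tun
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4""
keepalive 10 120
"""
FIXED_SERVER = BROKEN_SERVER.replace('8.8.4.4""', '8.8.4.4"') + 'push "block-outside-dns"\n'
WINDOWS_CLIENT = "client\ndev tun\nremote 127.0.0.1 22994   # local stunnel\nredirect-gateway def1\n"
```

Running lint_config(BROKEN_SERVER) reports the unclosed quote on line 7 and, as a warning on line 5, that redirect-gateway is pushed without block-outside-dns; lint_config(FIXED_SERVER) comes back empty, and the client sample gets the same leak warning until a block-outside-dns line is added to it. Pushing block-outside-dns from the server is safe for mixed fleets because, as the man page excerpt above notes, unknown pushed options do not cause a fatal error on non-Windows clients.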
