stunnel + openvpn some problems encountered

ganhehe · Post by **ganhehe** » Thu Mar 14, 2019 6:56 am

environment
server : centos7+stunnel+openvpn2.4.6
client: win10 pro+stunnel+openvpn-guiv11.12

connect successed

when use chome/ie to access web site: dns query dose not traffic throuth VPN，but http/https traffic throuth VPN
when use WinMTR(traceroute tools)：host:www.example.com and start to traceroute, dns query also not traffic throuth VPN
when use cmd--》nslookup command: dns query traffic throute vpn
other applications only use ip but not domain name also work fine throuth VPN

by the way:
1.use udp mode the same problems
2.on the same server and cilent test ocserv+Cisco AnyConnect client all traffice inclued dns query throuth VPN

server.conf

local 127.0.0.1
port 11194
proto tcp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
dh /etc/openvpn/pki/dh.pem
server 10.8.110.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

client.conf

client
dev tun
proto tcp
remote 127.0.0.1 18080
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
redirect-gateway def1

route print
===========================================================================
接口列表
17...88 51 fb 5d 89 d2 ......Intel(R) 82579LM Gigabit Network Connection
7...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
6...88 51 fb 5d 89 d3 ......Intel(R) 82574L Gigabit Network Connection
11...00 ff b0 12 8f 50 ......TAP-Windows Adapter V9
1...........................Software Loopback Interface 1
===========================================================================

IPv4 路由表
===========================================================================
活动路由:
网络目标网络掩码网关接口跃点数
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.221 291
0.0.0.0 128.0.0.0 10.8.110.5 10.8.110.6 291
10.8.110.1 255.255.255.255 10.8.110.5 10.8.110.6 291
10.8.110.4 255.255.255.252 在链路上 10.8.110.6 291
10.8.110.6 255.255.255.255 在链路上 10.8.110.6 291
10.8.110.7 255.255.255.255 在链路上 10.8.110.6 291
127.0.0.0 255.0.0.0 在链路上 127.0.0.1 331
127.0.0.1 255.255.255.255 在链路上 127.0.0.1 331
127.0.0.1 255.255.255.255 192.168.1.254 192.168.1.221 291
127.255.255.255 255.255.255.255 在链路上 127.0.0.1 331
128.0.0.0 128.0.0.0 10.8.110.5 10.8.110.6 291
169.254.0.0 255.255.0.0 在链路上 169.254.139.40 281
169.254.139.40 255.255.255.255 在链路上 169.254.139.40 281
169.254.255.255 255.255.255.255 在链路上 169.254.139.40 281
192.168.1.0 255.255.255.0 在链路上 192.168.1.221 291
192.168.1.221 255.255.255.255 在链路上 192.168.1.221 291
192.168.1.255 255.255.255.255 在链路上 192.168.1.221 291
224.0.0.0 240.0.0.0 在链路上 127.0.0.1 331
224.0.0.0 240.0.0.0 在链路上 10.8.110.6 291
224.0.0.0 240.0.0.0 在链路上 169.254.139.40 281
224.0.0.0 240.0.0.0 在链路上 192.168.1.221 291
255.255.255.255 255.255.255.255 在链路上 127.0.0.1 331
255.255.255.255 255.255.255.255 在链路上 10.8.110.6 291
255.255.255.255 255.255.255.255 在链路上 169.254.139.40 281
255.255.255.255 255.255.255.255 在链路上 192.168.1.221 291
===========================================================================
永久路由:
网络地址网络掩码网关地址跃点数
0.0.0.0 0.0.0.0 192.168.1.254 默认
===========================================================================

TinCanTech · Post by **TinCanTech** » Thu Mar 14, 2019 3:24 pm

ganhehe wrote: ↑
Thu Mar 14, 2019 6:56 am
client: win10

ganhehe wrote: ↑
Thu Mar 14, 2019 6:56 am
dns query dose not traffic throuth VPN

Use --block-outside-dns

ganhehe · Post by **ganhehe** » Fri Mar 15, 2019 2:22 am

Thanks @TinCanTech

I use push "block-outside-dns" on server.conf
Use tcpdump tools i can see dns query throuth vpn server, but the source ip is my cilent virtual tun ip(10.8.110.6)
and the query results can`t route to my cilent,still can`t access any web site

tcpdump -nn port 53:

18:20:54.993546 IP 10.8.110.6.55566 > 1.1.1.1.53: 6+ A? www.google.com. (32)
18:20:57.015337 IP 10.8.110.6.55567 > 1.1.1.1.53: 7+ AAAA? www.google.com. (32)
18:20:59.030747 IP 10.8.110.6.55568 > 1.1.1.1.53: 8+ A? www.google.com. (32)
18:21:01.046823 IP 10.8.110.6.55569 > 1.1.1.1.53: 9+ AAAA? www.google.com. (32)

TinCanTech · Post by **TinCanTech** » Fri Mar 15, 2019 4:32 am

--block-outside-dns is a client directive.

santer · Post by **santer** » Sun Feb 02, 2025 3:17 pm

Hi there,

Unfortunately I cannot start a new topic so I found similar subject and would write here.

I have a problem with my Asus RT-AC68U (Firmware:386.14_2) when trying to use OpenVPN through stunnel.
I use the same configuration separately on my MacBook, VM on Linux, Windows. It works fine (openvpn to 127.0.0.1 + stunnel to external vpn server).
When I'm trying to repeat this configuration on my router (without need to do it on each client) I see this working only from router console (ssh) but not for connected clients.
OpenVPN

client

client
dev tun
proto tcp
remote 127.0.0.1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun

remote-cert-tls server
cipher AES-256-GCM
verb 3

Stunnel

client

foreground = yes
[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = 83.10.10.10:1111
verifyPeer = yes

My steps:
1. Check internet connection
- from router console (working)

Code: Select all

curl api.myip.com
{"ip":"my_ISP_ip","country":"my_country","cc":"XX"}

- from client (working)

Code: Select all

curl api.myip.com
{"ip":"my_ISP_ip","country":"my_country","cc":"XX"}

2. Turn OpenVPN client ON.

Code: Select all

ip route show table ovpnc1
8.8.4.4 via 100.88.0.1 dev vlan2  metric 1
10.8.8.5 dev tun0  proto kernel  scope link  src 10.8.8.6
10.8.8.1 via 10.8.8.5 dev tun0
100.88.0.1 dev vlan2  proto kernel  scope link
8.8.8.8 via 100.88.0.1 dev vlan2  metric 1
127.0.0.1 via 100.88.0.1 dev vlan2
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
100.88.0.0/16 dev vlan2  proto kernel  scope link  src 100.88.25.57
127.0.0.0/8 dev lo  scope link
default via 10.8.8.5 dev tun0

3. Check internet connection
- from router console (not working)

Code: Select all

curl api.myip.com
curl: (28) Failed to connect to api.myip.com port 80 after 150026 ms: Operation timed out

4. Manually add route which was in the log but actually wasn't in the route table

Code: Select all

ip route add 83.10.10.10 via 10.8.8.5 table ovpnc1 #where 83.10.10.10 e.g. my external VPN server ip

5. Check internet connection
- from router console (working)

Code: Select all

curl api.myip.com
{"ip":"my_VPN_ip","country":"VPN_country","cc":"YY"}

- from client (not working)

Code: Select all

curl api.myip.com
curl: (28) Failed to connect to api.myip.com port 80 after 150026 ms: Operation timed out

So, there are 2 problems:
1. VPN external ip is not added to the ovpnc1 table
2. When it was fixed manually internet vpn connection works from router itself but doesn't from clients.

Please advice.

additional info
ip rule

Code: Select all

0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default

ip rule (VPN ON)

Code: Select all

0:  from all lookup local
10001:  from all lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

OpenVPN Support Forum

stunnel + openvpn some problems encountered

stunnel + openvpn some problems encountered

Re: stunnel + openvpn some problems encountered

Re: stunnel + openvpn some problems encountered

Re: stunnel + openvpn some problems encountered

Re: stunnel + openvpn some problems encountered