stunnel + openvpn some problems encountered

ganhehe
OpenVpn Newbie
Posts: 2
Joined: Thu Mar 14, 2019 1:10 am

stunnel + openvpn some problems encountered

Post by ganhehe » Thu Mar 14, 2019 6:56 am

Environment
server: CentOS 7 + stunnel + OpenVPN 2.4.6
client: Win10 Pro + stunnel + OpenVPN GUI v11.12

Connection succeeded.

When using Chrome/IE to access a web site: the DNS query does not go through the VPN, but HTTP/HTTPS traffic goes through the VPN.
When using WinMTR (a traceroute tool) with host www.example.com and starting a traceroute, the DNS query also does not go through the VPN.
When using the cmd nslookup command: the DNS query goes through the VPN.
Other applications that only use IPs, not domain names, also work fine through the VPN.

By the way:
1. Using UDP mode gives the same problems.
2. On the same server and client, testing ocserv + Cisco AnyConnect client, all traffic including DNS queries goes through the VPN.


server.conf

local 127.0.0.1
port 11194
proto tcp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
dh /etc/openvpn/pki/dh.pem
server 10.8.110.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3




client.conf

client
dev tun
proto tcp
remote 127.0.0.1 18080
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
redirect-gateway def1



route print
===========================================================================
接口列表
17...88 51 fb 5d 89 d2 ......Intel(R) 82579LM Gigabit Network Connection
7...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
6...88 51 fb 5d 89 d3 ......Intel(R) 82574L Gigabit Network Connection
11...00 ff b0 12 8f 50 ......TAP-Windows Adapter V9
1...........................Software Loopback Interface 1
===========================================================================

IPv4 路由表
===========================================================================
活动路由:
网络目标 网络掩码 网关 接口 跃点数
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.221 291
0.0.0.0 128.0.0.0 10.8.110.5 10.8.110.6 291
10.8.110.1 255.255.255.255 10.8.110.5 10.8.110.6 291
10.8.110.4 255.255.255.252 在链路上 10.8.110.6 291
10.8.110.6 255.255.255.255 在链路上 10.8.110.6 291
10.8.110.7 255.255.255.255 在链路上 10.8.110.6 291
127.0.0.0 255.0.0.0 在链路上 127.0.0.1 331
127.0.0.1 255.255.255.255 在链路上 127.0.0.1 331
127.0.0.1 255.255.255.255 192.168.1.254 192.168.1.221 291
127.255.255.255 255.255.255.255 在链路上 127.0.0.1 331
128.0.0.0 128.0.0.0 10.8.110.5 10.8.110.6 291
169.254.0.0 255.255.0.0 在链路上 169.254.139.40 281
169.254.139.40 255.255.255.255 在链路上 169.254.139.40 281
169.254.255.255 255.255.255.255 在链路上 169.254.139.40 281
192.168.1.0 255.255.255.0 在链路上 192.168.1.221 291
192.168.1.221 255.255.255.255 在链路上 192.168.1.221 291
192.168.1.255 255.255.255.255 在链路上 192.168.1.221 291
224.0.0.0 240.0.0.0 在链路上 127.0.0.1 331
224.0.0.0 240.0.0.0 在链路上 10.8.110.6 291
224.0.0.0 240.0.0.0 在链路上 169.254.139.40 281
224.0.0.0 240.0.0.0 在链路上 192.168.1.221 291
255.255.255.255 255.255.255.255 在链路上 127.0.0.1 331
255.255.255.255 255.255.255.255 在链路上 10.8.110.6 291
255.255.255.255 255.255.255.255 在链路上 169.254.139.40 281
255.255.255.255 255.255.255.255 在链路上 192.168.1.221 291
===========================================================================
永久路由:
网络地址 网络掩码 网关地址 跃点数
0.0.0.0 0.0.0.0 192.168.1.254 默认
===========================================================================
Last edited by ganhehe on Fri Mar 15, 2019 1:20 am, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: stunnel + openvpn some problems encountered

Post by TinCanTech » Thu Mar 14, 2019 3:24 pm

ganhehe wrote:
Thu Mar 14, 2019 6:56 am
client: win10
ganhehe wrote:
Thu Mar 14, 2019 6:56 am
DNS query does not go through the VPN
Use --block-outside-dns

ganhehe
OpenVpn Newbie
Posts: 2
Joined: Thu Mar 14, 2019 1:10 am

Re: stunnel + openvpn some problems encountered

Post by ganhehe » Fri Mar 15, 2019 2:22 am

Thanks @TinCanTech

I use push "block-outside-dns" in server.conf.
Using tcpdump I can see the DNS queries go through the VPN server, but the source IP is my client's virtual tun IP (10.8.110.6),
and the query results can't route back to my client; I still can't access any web site.

tcpdump -nn port 53:

18:20:54.993546 IP 10.8.110.6.55566 > 1.1.1.1.53: 6+ A? www.google.com. (32)
18:20:57.015337 IP 10.8.110.6.55567 > 1.1.1.1.53: 7+ AAAA? www.google.com. (32)
18:20:59.030747 IP 10.8.110.6.55568 > 1.1.1.1.53: 8+ A? www.google.com. (32)
18:21:01.046823 IP 10.8.110.6.55569 > 1.1.1.1.53: 9+ AAAA? www.google.com. (32)
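
An added check (my example, not the poster's code): the capture above shows queries leaving the server toward a public resolver with the client's tunnel address as source, and a resolver outside the VPN pool has no route back to 10.8.110.6, which matches the "results can't route back" symptom. The script parses tcpdump lines of that form and flags such queries; the sample capture is constructed, with 192.0.2.10 standing in for the server's own public address, and the NAT remark in the comment is my general advice, not something the thread states.

```python
import ipaddress
import re

# Constructed sample in the tcpdump format from the post: two queries sourced from
# the client's tun address, one sourced from a made-up server public address.
SAMPLE_CAPTURE = """\
18:20:54.993546 IP 10.8.110.6.55566 > 1.1.1.1.53: 6+ A? www.google.com. (32)
18:20:57.015337 IP 10.8.110.6.55567 > 1.1.1.1.53: 7+ AAAA? www.google.com. (32)
18:20:59.030747 IP 192.0.2.10.40001 > 1.1.1.1.53: 8+ A? www.google.com. (32)
"""

# tcpdump prints "src.port > dst.port:" followed by the decoded DNS summary.
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")


def parse_line(line):
    """Split one tcpdump DNS line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "src": ipaddress.ip_address(m.group(1)),
        "sport": int(m.group(2)),
        "dst": ipaddress.ip_address(m.group(3)),
        "dport": int(m.group(4)),
        "info": m.group(5),
    }


def find_unreturnable(capture, vpn_pool):
    """Return (src, dst, info) for port-53 queries that leave the VPN pool
    untranslated: a resolver outside the pool has no route back to them, so
    the client never sees an answer. Source NAT of the pool on the server's
    egress interface is the usual remedy (my advice, not the thread's)."""
    pool = ipaddress.ip_network(vpn_pool)
    leaks = []
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:
            continue
        if rec["src"] in pool and rec["dst"] not in pool:
            leaks.append((str(rec["src"]), str(rec["dst"]), rec["info"]))
    return leaks


if __name__ == "__main__":
    for src, dst, info in find_unreturnable(SAMPLE_CAPTURE, "10.8.110.0/24"):
        print(f"no return path: {src} -> {dst}  {info}")
```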

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: stunnel + openvpn some problems encountered

Post by TinCanTech » Fri Mar 15, 2019 4:32 am

--block-outside-dns is a client directive.

santer
OpenVpn Newbie
Posts: 1
Joined: Sun Feb 02, 2025 2:19 pm

Re: stunnel + openvpn some problems encountered

Post by santer » Sun Feb 02, 2025 3:17 pm

Hi there,

Unfortunately I cannot start a new topic, so I found a similar subject and will write here.

I have a problem with my Asus RT-AC68U (firmware 386.14_2) when trying to use OpenVPN through stunnel.
I use the same configuration separately on my MacBook, a VM on Linux, and Windows. It works fine (OpenVPN to 127.0.0.1 + stunnel to the external VPN server).
When I try to repeat this configuration on my router (so I don't need to do it on each client), I see it working only from the router console (ssh) but not for connected clients.
OpenVPN client:

client
dev tun
proto tcp
remote 127.0.0.1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun

remote-cert-tls server
cipher AES-256-GCM
verb 3


Stunnel client:

foreground = yes
[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = 83.10.10.10:1111
verifyPeer = yes


My steps:
1. Check internet connection
- from router console (working)

curl api.myip.com
{"ip":"my_ISP_ip","country":"my_country","cc":"XX"}
- from client (working)

curl api.myip.com
{"ip":"my_ISP_ip","country":"my_country","cc":"XX"}
2. Turn OpenVPN client ON.

ip route show table ovpnc1
8.8.4.4 via 100.88.0.1 dev vlan2  metric 1
10.8.8.5 dev tun0  proto kernel  scope link  src 10.8.8.6
10.8.8.1 via 10.8.8.5 dev tun0
100.88.0.1 dev vlan2  proto kernel  scope link
8.8.8.8 via 100.88.0.1 dev vlan2  metric 1
127.0.0.1 via 100.88.0.1 dev vlan2
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
100.88.0.0/16 dev vlan2  proto kernel  scope link  src 100.88.25.57
127.0.0.0/8 dev lo  scope link
default via 10.8.8.5 dev tun0
3. Check internet connection
- from router console (not working)

curl api.myip.com
curl: (28) Failed to connect to api.myip.com port 80 after 150026 ms: Operation timed out
4. Manually add the route which was in the log but actually wasn't in the route table

ip route add 83.10.10.10 via 10.8.8.5 table ovpnc1 #where 83.10.10.10 e.g. my external VPN server ip
5. Check internet connection
- from router console (working)

curl api.myip.com
{"ip":"my_VPN_ip","country":"VPN_country","cc":"YY"}
- from client (not working)

curl api.myip.com
curl: (28) Failed to connect to api.myip.com port 80 after 150026 ms: Operation timed out
So, there are 2 problems:
1. The VPN external IP is not added to the ovpnc1 table.
2. When it is fixed manually, the VPN internet connection works from the router itself but not from clients.

Please advise.

additional info
ip rule

0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default
ip rule (VPN ON)

0:  from all lookup local
10001:  from all lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
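
An added check, not from the post (the helper names are mine): it parses the ovpnc1 table shown in step 2 and reports how the stunnel endpoint 83.10.10.10 would be routed by that table. Before the manual fix the only match is the default route into tun0, so the outer TCP transport would be steered into the tunnel it carries; an explicit host route for the endpoint, like the ones the table has for 8.8.8.8 and 127.0.0.1, is what step 4 was adding by hand. The looping remark is a general point about policy routing, not something the post states.

```python
import ipaddress

# Constructed copy of the ovpnc1 policy table from the post, before the manual fix.
OVPNC1_TABLE = """\
8.8.4.4 via 100.88.0.1 dev vlan2  metric 1
10.8.8.5 dev tun0  proto kernel  scope link  src 10.8.8.6
10.8.8.1 via 10.8.8.5 dev tun0
100.88.0.1 dev vlan2  proto kernel  scope link
8.8.8.8 via 100.88.0.1 dev vlan2  metric 1
127.0.0.1 via 100.88.0.1 dev vlan2
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
100.88.0.0/16 dev vlan2  proto kernel  scope link  src 100.88.25.57
127.0.0.0/8 dev lo  scope link
default via 10.8.8.5 dev tun0
"""


def parse_routes(text):
    """Turn `ip route show` lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1] if "dev" in f else None
        routes.append((net, via, dev))
    return routes


def best_route(routes, addr):
    """Longest-prefix match, as the kernel selects (metrics ignored here)."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def check_endpoint(table_text, endpoint, tun_dev="tun0"):
    """Report how the tunnel's outer endpoint (the stunnel connect address)
    would be routed by this table. Hypothetical helper, not a router tool."""
    r = best_route(parse_routes(table_text), endpoint)
    if r is None:
        return {"matched": None, "host_route": False, "via_tunnel": False}
    return {
        "matched": f"{r[0]} via {r[1]} dev {r[2]}",
        "host_route": r[0].prefixlen == 32,  # an explicit /32 for the endpoint exists
        "via_tunnel": r[2] == tun_dev,       # outer packets would enter the tunnel they carry
    }
```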
