OpenVPN and stunnel and redirect-gateway

myst
OpenVpn Newbie
Posts: 1
Joined: Sun Jan 13, 2013 3:45 pm

OpenVPN and stunnel and redirect-gateway

Post by myst » Sun Jan 13, 2013 4:04 pm

Hello,

I set up an OpenVPN server for a friend in China and it was working perfectly until the end of last year. I think that China has improved their filtering method.

So I have installed stunnel in order to transport OpenVPN traffic inside a real SSL tunnel, so that the Chinese firewall would think that it is pure SSL and not OpenVPN.

I can connect to the server without any problem, but when the client sets the new routes, the connection is lost.

Here is my openvpn server conf:

port 1194
proto tcp
dev tun
ca ca.crt
cert host1.crt
key host1.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 213.186.33.99"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Here is my stunnel server conf:

sslVersion = all
options = NO_SSLv2
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
[openvpn]
accept = 443
connect = 127.0.0.1:1194
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key

Here are my iptables rules:

Chain INPUT (policy DROP 6 packets, 288 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
  566 51776 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    1    60 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     all  --  venet0 any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 
    2   112 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https 
    1    48 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:81 
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere            udp dpt:81 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  any    any     10.8.0.0/24          anywhere            
    0     0 ACCEPT     all  --  any    any     10.7.0.0/24          anywhere            

Chain OUTPUT (policy ACCEPT 285 packets, 56829 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  402 63546 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 

Here is my openvpn client conf:

client
dev tun
redirect-gateway def1
proto tcp
remote 127.0.0.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert matthieu.crt
key matthieu.key
comp-lzo
verb 3

And my stunnel client conf:

client = yes
[openvpn]
accept  = 1194
connect = remote.server.ip:443

Here are my routes before connecting the VPN:

Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.48.254     UGSc           23      112     en1
10.37.129/24       link#9             UC              1        0   vnic1
10.37.129.2        0:1c:42:0:0:9      UHLWIi          1        2     lo0
10.211.55/24       link#8             UC              1        0   vnic0
10.211.55.2        0:1c:42:0:0:8      UHLWIi          1        2     lo0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              3    12435     lo0
169.254            link#4             UCS             0        0     en1
192.168.48         link#4             UCS             2        0     en1
192.168.48.1       127.0.0.1          UHS             0        0     lo0
192.168.48.6       14:d6:4d:a6:8a:a3  UHLWIi          2      724     en1   1079
192.168.48.254     94:fe:f4:8d:80:ca  UHLWIi         10      816     en1   1167

And after connecting:

0/1                10.8.0.5           UGSc            2        0    tun0
default            192.168.48.254     UGSc           21      112     en1
10.8.0.1/32        10.8.0.5           UGSc            0        0    tun0
10.8.0.5           10.8.0.6           UH              5        0    tun0
10.37.129/24       link#9             UC              1        0   vnic1
10.37.129.2        0:1c:42:0:0:9      UHLWIi          1        2     lo0
10.211.55/24       link#8             UC              1        0   vnic0
10.211.55.2        0:1c:42:0:0:8      UHLWIi          1        2     lo0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              7    12685     lo0
127.0.0.1/32       192.168.48.254     UGSc            0        0     en1
128.0/1            10.8.0.5           UGSc            0        0    tun0
169.254            link#4             UCS             0        0     en1
192.168.48         link#4             UCS             3        0     en1
192.168.48.1       127.0.0.1          UHS             0        0     lo0
192.168.48.6       14:d6:4d:a6:8a:a3  UHLWIi          1      726     en1   1032
192.168.48.254     94:fe:f4:8d:80:ca  UHLWIi          3      816     en1   1196

Once the VPN is connected, I can't ping outside my LAN.
Here are the OpenVPN logs:

Jan 13 16:57:42 my.remote.server stunnel: LOG5[3339:140690110060288]: openvpn accepted connection from 128.79.246.204:55208
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: MULTI: multi_create_instance called
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: Re-using SSL/TLS context
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: LZO compression initialized
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: Local Options hash (VER=V4): 'c0103fa8'
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: Expected Remote Options hash (VER=V4): '69109d17'
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: TCP connection established with [AF_INET]127.0.0.1:60556
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: TCPv4_SERVER link local: [undef]
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: TCPv4_SERVER link remote: [AF_INET]127.0.0.1:60556
Jan 13 16:57:43 my.remote.server stunnel: LOG5[3339:140690110060288]: connect_blocking: connected 127.0.0.1:1194
Jan 13 16:57:43 my.remote.server stunnel: LOG5[3339:140690110060288]: openvpn connected remote server from 127.0.0.1:60556
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 TLS: Initial packet from [AF_INET]127.0.0.1:60556, sid=0ca74aee 7339965e
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 VERIFY OK: *****
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 VERIFY OK: *****
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 [matthieu] Peer Connection Initiated with [AF_INET]127.0.0.1:60556
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: matthieu/127.0.0.1:60556 TCP/UDP: Closing socket
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: MULTI: new connection by client 'matthieu' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: MULTI: Learn: 10.8.0.6 -> matthieu/127.0.0.1:60556
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: MULTI: primary virtual IP for matthieu/127.0.0.1:60556: 10.8.0.6
Jan 13 16:57:46 my.remote.server ovpn-openvpn[2892]: matthieu/127.0.0.1:60556 PUSH: Received control message: 'PUSH_REQUEST'
Jan 13 16:57:46 my.remote.server ovpn-openvpn[2892]: matthieu/127.0.0.1:60556 SENT CONTROL [matthieu]: 'PUSH_REPLY,dhcp-option DNS 213.186.33.99,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

john56477
OpenVPN User
Posts: 27
Joined: Tue Nov 06, 2012 12:02 am

Re: OpenVPN and stunnel and redirect-gateway

Post by john56477 » Fri Apr 05, 2013 5:29 am

Make it simple first, and get it working, then add extras.
Does the following stunnel server conf script help?

sslVersion = all
options = NO_SSLv2
#chroot = /var/lib/stunnel4/
#setuid = stunnel4
#setgid = stunnel4
#socket = l:TCP_NODELAY=1
#socket = r:TCP_NODELAY=1
#compression = zlib
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key
pid = /var/run/stunnel.pid
[openvpn]
accept = 443
connect = 127.0.0.1:1194
#restart stunnel server and try again
sudo /etc/init.d/stunnel4 restart

bertchiang
OpenVpn Newbie
Posts: 3
Joined: Mon Apr 22, 2013 7:54 am

Re: OpenVPN and stunnel and redirect-gateway

Post by bertchiang » Thu Apr 25, 2013 3:34 am

Just add a static route to remote.server.ip on the client PC, like this:
for Windows:
route add -p x.x.x.x(ovpn server ip) mask 255.255.255.255 x.x.x.x(client pc's gateway)
for Linux:
route add -host x.x.x.x(ovpn server ip) gw x.x.x.x(client pc's gateway)

liquordolphin
OpenVpn Newbie
Posts: 1
Joined: Sat Feb 04, 2017 10:24 pm

Re: OpenVPN and stunnel and redirect-gateway

Post by liquordolphin » Sat Feb 04, 2017 10:30 pm

I spent many nights trying to figure this out. Huge appreciation to bertchiang for his post. It worked well for my Windows machine, but it required root on Android, so I had to continue searching.
The solution appears to be simple: instead of manipulating the system routing, you can just put "route <VPN_SERVER_IP> 255.255.255.255 net_gateway" into the config file that you supply to your clients.
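Why the tunnel collapses after redirect-gateway, and why both the manual host route (bertchiang) and the config-file route line (liquordolphin) fix it, as an added example that is not from the thread: it replays the client's post-connect routing table with longest-prefix matching. The table is a constructed subset of the "after connecting" output in the first post; 203.0.113.10 and en1 are assumed stand-ins for the real remote.server.ip and LAN interface.

```python
# Added example, not from the thread: replay the client's post-connect routing table
# with longest-prefix matching to show why the stunnel leg loops into tun0 and how a
# /32 host route for the real server via the LAN gateway fixes it.
import ipaddress

LAN_GATEWAY = "192.168.48.254"      # en1 default gateway from the post
REMOTE_SERVER_IP = "203.0.113.10"   # placeholder for remote.server.ip (TEST-NET-3)

# Constructed subset of the "after connecting" table in the post. Note the
# 127.0.0.1/32 via en1 entry: redirect-gateway def1 added its bypass host route
# for --remote, which here is the local stunnel, not the real server.
AFTER_CONNECT = """\
0/1                10.8.0.5           UGSc            2        0    tun0
default            192.168.48.254     UGSc           21      112     en1
10.8.0.1/32        10.8.0.5           UGSc            0        0    tun0
127.0.0.1/32       192.168.48.254     UGSc            0        0     en1
128.0/1            10.8.0.5           UGSc            0        0    tun0
192.168.48         link#4             UCS             3        0     en1
"""

def parse_destination(dest):
    """Expand BSD-abbreviated destinations: '0/1', '128.0/1', '192.168.48', 'default'."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:                      # no mask given: 4 octets is a host, fewer is a net
        plen = str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def parse_table(text):
    """Return [(network, gateway, netif), ...] from netstat -r style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        routes.append((parse_destination(fields[0]), fields[1], fields[5]))
    return routes

def lookup(routes, ip):
    """Most specific matching route, as the kernel picks it: (gateway, netif)."""
    ip = ipaddress.ip_address(ip)
    best = max((r for r in routes if ip in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])

def add_host_route(routes, ip, gateway, netif):
    """Same effect as 'route <ip> 255.255.255.255 net_gateway' in the client config,
    or 'route add -host <ip> gw <gateway>' run by hand."""
    return routes + [(ipaddress.ip_network(f"{ip}/32"), gateway, netif)]

def diagnose(table_text, server_ip, lan_gateway):
    """(route before fix, route after fix) for the stunnel client's packets to the server."""
    routes = parse_table(table_text)
    before = lookup(routes, server_ip)   # 128.0/1 wins: sent into tun0, which loops
    after = lookup(add_host_route(routes, server_ip, lan_gateway, "en1"), server_ip)
    return before, after
```

Before the fix, stunnel's packets to the server match 128.0/1 and are pushed into tun0, which only exists because of that same stunnel connection; after the /32 host route they leave via en1 as they did before the VPN came up.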
