I set up an OpenVPN server for a friend in China and it was working perfectly until the end of last year. I think that China has improved its filtering method.
So I have installed stunnel in order to transport the OpenVPN traffic inside a real SSL tunnel, so that the Chinese firewall would think that it is pure SSL and not OpenVPN.
I can connect to the server without any problem, but when the client sets the new routes, the connection is lost.
Here is my OpenVPN server conf:
Code:
port 1194
proto tcp
dev tun
ca ca.crt
cert host1.crt
key host1.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 213.186.33.99"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Code:
sslVersion = all
options = NO_SSLv2
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
[openvpn]
accept = 443
connect = 127.0.0.1:1194
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key
Code:
Chain INPUT (policy DROP 6 packets, 288 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere state INVALID
566 51776 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1 60 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- venet0 any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
2 112 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
1 48 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:81
0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:81
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere state INVALID
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any 10.8.0.0/24 anywhere
0 0 ACCEPT all -- any any 10.7.0.0/24 anywhere
Chain OUTPUT (policy ACCEPT 285 packets, 56829 bytes)
pkts bytes target prot opt in out source destination
402 63546 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Code:
client
dev tun
redirect-gateway def1
proto tcp
remote 127.0.0.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert matthieu.crt
key matthieu.key
comp-lzo
verb 3
Code:
client = yes
[openvpn]
accept = 1194
connect = remote.server.ip:443
Code:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.48.254 UGSc 23 112 en1
10.37.129/24 link#9 UC 1 0 vnic1
10.37.129.2 0:1c:42:0:0:9 UHLWIi 1 2 lo0
10.211.55/24 link#8 UC 1 0 vnic0
10.211.55.2 0:1c:42:0:0:8 UHLWIi 1 2 lo0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 3 12435 lo0
169.254 link#4 UCS 0 0 en1
192.168.48 link#4 UCS 2 0 en1
192.168.48.1 127.0.0.1 UHS 0 0 lo0
192.168.48.6 14:d6:4d:a6:8a:a3 UHLWIi 2 724 en1 1079
192.168.48.254 94:fe:f4:8d:80:ca UHLWIi 10 816 en1 1167
Code:
0/1 10.8.0.5 UGSc 2 0 tun0
default 192.168.48.254 UGSc 21 112 en1
10.8.0.1/32 10.8.0.5 UGSc 0 0 tun0
10.8.0.5 10.8.0.6 UH 5 0 tun0
10.37.129/24 link#9 UC 1 0 vnic1
10.37.129.2 0:1c:42:0:0:9 UHLWIi 1 2 lo0
10.211.55/24 link#8 UC 1 0 vnic0
10.211.55.2 0:1c:42:0:0:8 UHLWIi 1 2 lo0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 7 12685 lo0
127.0.0.1/32 192.168.48.254 UGSc 0 0 en1
128.0/1 10.8.0.5 UGSc 0 0 tun0
169.254 link#4 UCS 0 0 en1
192.168.48 link#4 UCS 3 0 en1
192.168.48.1 127.0.0.1 UHS 0 0 lo0
192.168.48.6 14:d6:4d:a6:8a:a3 UHLWIi 1 726 en1 1032
192.168.48.254 94:fe:f4:8d:80:ca UHLWIi 3 816 en1 1196
Here are the OpenVPN logs:
Code:
Jan 13 16:57:42 my.remote.server stunnel: LOG5[3339:140690110060288]: openvpn accepted connection from 128.79.246.204:55208
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: MULTI: multi_create_instance called
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: Re-using SSL/TLS context
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: LZO compression initialized
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: Local Options hash (VER=V4): 'c0103fa8'
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: Expected Remote Options hash (VER=V4): '69109d17'
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: TCP connection established with [AF_INET]127.0.0.1:60556
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: TCPv4_SERVER link local: [undef]
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: TCPv4_SERVER link remote: [AF_INET]127.0.0.1:60556
Jan 13 16:57:43 my.remote.server stunnel: LOG5[3339:140690110060288]: connect_blocking: connected 127.0.0.1:1194
Jan 13 16:57:43 my.remote.server stunnel: LOG5[3339:140690110060288]: openvpn connected remote server from 127.0.0.1:60556
Jan 13 16:57:43 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 TLS: Initial packet from [AF_INET]127.0.0.1:60556, sid=0ca74aee 7339965e
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 VERIFY OK: *****
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 VERIFY OK: *****
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: 127.0.0.1:60556 [matthieu] Peer Connection Initiated with [AF_INET]127.0.0.1:60556
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: matthieu/127.0.0.1:60556 TCP/UDP: Closing socket
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: MULTI: new connection by client 'matthieu' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: MULTI: Learn: 10.8.0.6 -> matthieu/127.0.0.1:60556
Jan 13 16:57:44 my.remote.server ovpn-openvpn[2892]: MULTI: primary virtual IP for matthieu/127.0.0.1:60556: 10.8.0.6
Jan 13 16:57:46 my.remote.server ovpn-openvpn[2892]: matthieu/127.0.0.1:60556 PUSH: Received control message: 'PUSH_REQUEST'
Jan 13 16:57:46 my.remote.server ovpn-openvpn[2892]: matthieu/127.0.0.1:60556 SENT CONTROL [matthieu]: 'PUSH_REPLY,dhcp-option DNS 213.186.33.99,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
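An added diagnostic, not part of the original post, that parses the second `netstat -rn` listing above and resolves which interface a packet to the real server address would leave through. With `redirect-gateway def1`, OpenVPN installs a bypass host route for whatever address `remote` names so the control connection keeps using the old default gateway; here `remote` is 127.0.0.1, which is why the table contains the `127.0.0.1/32 192.168.48.254 ... en1` row, while the stunnel client's TCP session to remote.server.ip matches `0/1` or `128.0/1` and is steered into tun0, so the carrier TLS session collapses as soon as the routes are set. The script uses 203.0.113.10 as a placeholder for remote.server.ip and shows the effect of the standard OpenVPN client directive `route <server-ip> 255.255.255.255 net_gateway` (not mentioned in the post), which adds the missing host route for the stunnel endpoint.

```python
"""Longest-prefix-match check over a macOS `netstat -rn` routing table.

Added example, not code from the original post. The sample table is the
IPv4 section of the post's second `netstat -rn` listing (after the VPN came
up); 203.0.113.10 is a placeholder standing in for remote.server.ip.
"""
import ipaddress

# Constructed sample: copied from the post's post-connect routing table.
ROUTES_AFTER_CONNECT = """\
Destination Gateway Flags Refs Use Netif Expire
0/1 10.8.0.5 UGSc 2 0 tun0
default 192.168.48.254 UGSc 21 112 en1
10.8.0.1/32 10.8.0.5 UGSc 0 0 tun0
10.8.0.5 10.8.0.6 UH 5 0 tun0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 7 12685 lo0
127.0.0.1/32 192.168.48.254 UGSc 0 0 en1
128.0/1 10.8.0.5 UGSc 0 0 tun0
169.254 link#4 UCS 0 0 en1
192.168.48 link#4 UCS 3 0 en1
192.168.48.254 94:fe:f4:8d:80:ca UHLWIi 3 816 en1 1196
"""

SERVER_IP = "203.0.113.10"      # placeholder for remote.server.ip (assumption)
LAN_GATEWAY = "192.168.48.254"  # the pre-VPN default gateway from the post


def parse_destination(dest):
    """Expand BSD short-form destinations into an IPv4Network.

    'default' -> 0.0.0.0/0, '127' -> 127.0.0.0/8, '192.168.48' -> 192.168.48.0/24,
    '0/1' -> 0.0.0.0/1, '10.8.0.5' -> 10.8.0.5/32.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not prefix:
        prefix = str(8 * len(octets))  # short form: one /8 per octet shown
    while len(octets) < 4:
        octets.append("0")
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)


def parse_table(text):
    """Return [(network, gateway, netif)] for every IPv4 data row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue
        try:
            net = parse_destination(fields[0])
        except ValueError:
            continue  # IPv6 or otherwise unparseable row
        routes.append((net, fields[1], fields[5]))
    return routes


def lookup(routes, ip):
    """Longest-prefix match; on equal prefix length the earlier row wins."""
    target = ipaddress.ip_address(ip)
    best = None
    for net, gw, netif in routes:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return None if best is None else (best[1], best[2])


def server_bypasses_tunnel(routes, server_ip):
    """True when packets to the stunnel/VPN server leave via a non-tun interface."""
    match = lookup(routes, server_ip)
    return match is not None and not match[1].startswith("tun")


def bypass_directive(server_ip):
    """Client-side OpenVPN line that pins the server address to the LAN gateway."""
    return f"route {server_ip} 255.255.255.255 net_gateway"


def route_added_by_directive(server_ip, lan_gateway, netif):
    """The host route the directive above produces, in this script's tuple form."""
    return (ipaddress.ip_network(server_ip + "/32"), lan_gateway, netif)


if __name__ == "__main__":
    routes = parse_table(ROUTES_AFTER_CONNECT)
    # With the post's table, the server address is swallowed by 128.0/1 -> tun0.
    print("as posted:", lookup(routes, SERVER_IP))
    fixed = [route_added_by_directive(SERVER_IP, LAN_GATEWAY, "en1")] + routes
    print("with bypass route:", lookup(fixed, SERVER_IP))
    print("add to client conf:", bypass_directive(SERVER_IP))
```

The check deliberately resolves the stunnel endpoint rather than 127.0.0.1, because 127.0.0.1 is the address OpenVPN protected; the real server is the one that has to stay reachable over the physical interface for the outer TLS connection to survive.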