OpenVPN+Stunnel+DNScrypt-Proxy Internet Possibly DNS issue

Posted: Sun Nov 22, 2015 7:47 pm
by kelleci
Hi,
I am running an OpenVPN server, a stunnel server and dnscrypt-proxy on my Raspberry Pi 2 on Debian Jessie.
My problem is that I can access the internet without stunnel, and dnscrypt works without any problem, but when I connect via stunnel I can't access the internet or the local network. I can't even ping the RPi.
All public IPs are masked as "my_router_public_ip".

Here is my config:
Openvpn server config:

local 192.168.1.24 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun 
proto tcp # stunnel only forwards TCP streams, so this must stay tcp when the tunnel is wrapped in stunnel
port 1112
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh2048.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0 
# server and remote endpoints 
ifconfig 10.8.0.1 10.8.0.2 
# Add route to Client routing table for the OpenVPN Server 
push "route 10.8.0.1 255.255.255.255" 
# Add route to Client routing table for the OpenVPN Subnet 
push "route 10.8.0.0 255.255.255.0" 
# your local subnet 
push "route 192.168.1.0 255.255.255.0" # SWAP WITH THE LAN SUBNET THE RASPBERRY PI IS ON
# DNS server pushed to clients. 8.8.8.8 is reached through the tunnel and then
# leaves the Pi as ordinary plaintext DNS. dnscrypt-proxy below listens on
# 127.0.0.2 only, so tunnel clients cannot use it unless it is bound to
# 10.8.0.1 and that address is pushed here instead.
push "dhcp-option DNS 8.8.8.8"
# Override the Client default gateway by using 0.0.0.0/1 and 
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of 
# overriding but not wiping out the original default gateway. 
push "redirect-gateway def1" 
#push "redirect-gateway def1 bypass-dhcp"
# Host route to the stunnel endpoint via the client's original gateway, so the
# stunnel TCP connection is not routed into the tunnel it is carrying:
#push "route my_router_public_ip 255.255.255.255 net_gateway"
client-to-client 
duplicate-cn 
keepalive 10 120 
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 
cipher AES-128-CBC 
comp-lzo 
user nobody 
group nogroup 
persist-key 
persist-tun 
status /var/log/openvpn-status.log 20 
log /var/log/openvpn.log 
verb 1

My stunnel server config file:

# "all" minus SSLv2 still allows SSLv3; disable that as well
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
pid = /var/lib/stunnel4/stunnel.pid
#output = /var/log/stunnel4/stunnel.log
#chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
# certificate and private key presented to connecting stunnel clients
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
debug = 7
[openvpn]
client = no
accept = 443
# forward the decrypted stream to the plain-TCP OpenVPN listener on the LAN address
connect = 192.168.1.24:1112
delay = yes

sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

My firewall rules.sh:

#!/bin/sh
# NAT the tunnel subnet (10.8.0.0/24) to the Pi's LAN address on the way out
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.24
# stunnel listener (TLS wrapper) and the plain OpenVPN TCP listener behind it
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 1112 -j ACCEPT

systemctl status stunnel4.service command output:

● stunnel4.service - LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons)
   Loaded: loaded (/etc/init.d/stunnel4)
   Active: active (running) since Sun 2015-11-22 21:15:36 EET; 14min ago
  Process: 383 ExecStart=/etc/init.d/stunnel4 start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/stunnel4.service
           └─489 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf

Nov 22 21:24:54 T-800 stunnel[489]: LOG6[2431]: Read socket closed (readsocket)
Nov 22 21:24:54 T-800 stunnel[489]: LOG6[2431]: Read socket closed (hangup)
Nov 22 21:24:54 T-800 stunnel[489]: LOG7[2431]: Sending close_notify alert
Nov 22 21:24:54 T-800 stunnel[489]: LOG7[2431]: SSL alert (write): warning: close notify
Nov 22 21:24:54 T-800 stunnel[489]: LOG6[2431]: SSL_shutdown successfully sent close_notify alert
Nov 22 21:25:54 T-800 stunnel[489]: LOG3[2431]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
Nov 22 21:25:54 T-800 stunnel[489]: LOG5[2431]: Connection closed: 8352 byte(s) sent to SSL, 5332 byte(s) sent to socket
Nov 22 21:25:54 T-800 stunnel[489]: LOG7[2431]: Remote socket (FD=10) closed
Nov 22 21:25:54 T-800 stunnel[489]: LOG7[2431]: Local socket (FD=9) closed
Nov 22 21:25:54 T-800 stunnel[489]: LOG7[2431]: Service [openvpn] finished (0 left)

systemctl status openvpn.service command output:

● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
   Active: active (exited) since Sun 2015-11-22 21:15:48 EET; 15min ago
  Process: 1674 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 1674 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/openvpn.service

Nov 22 21:15:48 T-800 systemd[1]: Started OpenVPN service.

netstat -putan | grep LISTEN command output:

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1110/mysqld
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      1431/Xtightvnc
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN      1431/Xtightvnc
tcp        0      0 127.0.0.2:53            0.0.0.0:*               LISTEN      2596/dnscrypt-proxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      505/sshd
tcp        0      0 192.168.1.24:1112       0.0.0.0:*               LISTEN      1749/openvpn
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      489/stunnel4
tcp6       0      0 :::22                   :::*                    LISTEN      505/sshd

journalctl -u dnscrypt-proxy command output:

-- Logs begin at Sun 2015-11-22 21:15:33 EET, end at Sun 2015-11-22 21:33:42 EET. --
Nov 22 21:15:36 T-800 systemd[1]: Starting Secure connection between your computer and DNS resolver...
Nov 22 21:15:36 T-800 dnscrypt-proxy[509]: [INFO] - [d0wn-nl-ns1] does not support DNS Security Extensions
Nov 22 21:15:36 T-800 dnscrypt-proxy[509]: [INFO] + Namecoin domains can be resolved
Nov 22 21:15:36 T-800 dnscrypt-proxy[509]: [INFO] + Provider supposedly doesn't keep logs
Nov 22 21:15:36 T-800 dnscrypt-proxy[509]: [NOTICE] Starting dnscrypt-proxy 1.6.0
Nov 22 21:15:36 T-800 dnscrypt-proxy[509]: [INFO] Generating a new session key pair
Nov 22 21:15:36 T-800 dnscrypt-proxy[509]: [INFO] Done
Nov 22 21:15:42 T-800 dnscrypt-proxy[509]: [INFO] Server certificate #808464433 received
Nov 22 21:15:42 T-800 dnscrypt-proxy[509]: [INFO] This certificate looks valid
Nov 22 21:15:42 T-800 dnscrypt-proxy[509]: [INFO] Chosen certificate #808464433 is valid from [2015-02-12] to [2016-02-12]
Nov 22 21:15:42 T-800 dnscrypt-proxy[509]: [INFO] Server key fingerprint is EB60:C492:AB1B:EEDF:4A1C:F774:6EE1:3051:84A8:5CD1:926E:69EA:3C88:CD95:3228:3F16
Nov 22 21:15:42 T-800 dnscrypt-proxy[509]: [NOTICE] Proxying from 127.0.0.2:53 to 95.85.9.86:54

client.ovpn config:

client
dev tun
proto tcp
remote localhost 1112
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings 
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED


-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

Stunnel client config file:

[openvpn]
client = yes
accept = 127.0.0.1:1112
connect = my_router_public_ip:443
# A client certificate is only needed if the server sets verify and checks it;
# as configured, this hands the server's own private key to every client.
cert = server.pem
key = server.key
# Without verify/CAfile the stunnel client accepts any server certificate;
# only the OpenVPN TLS session inside (with tls-auth) authenticates the server.

/etc/resolv.conf file (I've chosen a different local address, 127.0.0.2, to avoid possible conflicts with 127.0.0.1, which is already taken by another network daemon on the system):

nameserver 127.0.0.2

/etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service file:

[Unit]
Description=Secure connection between your computer and DNS resolver
After=network.target network-online.target

[Service]
Type=forking
Restart=always
RestartSec=5
PIDFile=/var/run/dnscrypt-proxy.pid
ExecStart=/usr/local/sbin/dnscrypt-proxy --daemonize \
-a 127.0.0.2 \
-R dnscrypt.eu-nl \
--edns-payload-size=4096 \
-p /var/run/dnscrypt-proxy.pid

[Install]
WantedBy=multi-user.target
Can anyone help me please?
Best regards.
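An added check, not code from the post and not part of OpenVPN or dnscrypt-proxy: it reads the push directives from the server config and the netstat listing posted above (both embedded as strings) and reports where tunnel clients' DNS queries actually end up. With the configuration as posted, clients are handed 8.8.8.8, so their queries cross the tunnel and then leave the Pi as ordinary DNS through the NAT rule, while dnscrypt-proxy on 127.0.0.2 is unreachable from 10.8.0.0/24. The FIXED_* strings are a constructed variant (dnscrypt-proxy started with -a 10.8.0.1, the flag the unit file already uses, and that address pushed instead) that passes the check. The netstat output only lists TCP sockets; dnscrypt-proxy binds UDP to the same address, so the bind address is what matters.

```python
"""Where do tunnel clients' DNS queries actually go?

Reads the push directives from the OpenVPN server config and the netstat
listing posted above (both embedded here) and classifies each pushed resolver.
"""
import ipaddress
import re

# Copied from the server config and the netstat output in the post.
SERVER_CONF = '''
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
'''
NETSTAT = '''
tcp        0      0 127.0.0.2:53            0.0.0.0:*               LISTEN      2596/dnscrypt-proxy
tcp        0      0 192.168.1.24:1112       0.0.0.0:*               LISTEN      1749/openvpn
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      489/stunnel4
'''

# Constructed variant: dnscrypt-proxy started with "-a 10.8.0.1" (the flag the
# unit file already uses) and that address pushed to clients instead of 8.8.8.8.
FIXED_CONF = 'push "dhcp-option DNS 10.8.0.1"\n'
FIXED_NETSTAT = ('tcp        0      0 10.8.0.1:53             0.0.0.0:*'
                 '               LISTEN      2596/dnscrypt-proxy\n')

TUN_SUBNET = "10.8.0.0/24"   # from "server 10.8.0.0 255.255.255.0" in the config


def pushed_dns(conf: str) -> list:
    """Resolvers handed to clients via push "dhcp-option DNS ..."."""
    return re.findall(r'push\s+"dhcp-option\s+DNS\s+(\S+)"', conf)


def listeners(netstat: str, program: str) -> list:
    """(address, port) of LISTEN sockets whose program name ends with `program`."""
    found = []
    for line in netstat.splitlines():
        if "LISTEN" in line and line.rstrip().endswith(program):
            m = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+)\s", line)
            if m:
                found.append((m.group(1), int(m.group(2))))
    return found


def dns_path_findings(conf: str, netstat: str, tun_subnet: str = TUN_SUBNET) -> list:
    """Return (level, detail) tuples:
    ENCRYPTED   pushed resolver is dnscrypt-proxy on an address tunnel clients reach
    PLAINTEXT   pushed resolver is anything else: the query crosses the tunnel,
                then leaves the Pi as ordinary DNS through the NAT rule
    UNREACHABLE dnscrypt-proxy only listens where tunnel clients cannot reach it
    """
    tun = ipaddress.ip_network(tun_subnet)
    dnscrypt = {a for a, p in listeners(netstat, "dnscrypt-proxy") if p == 53}

    def in_tun(addr: str) -> bool:
        try:
            return ipaddress.ip_address(addr) in tun
        except ValueError:      # a hostname was pushed; not a dnscrypt listener
            return False

    findings = []
    for dns in pushed_dns(conf):
        served = in_tun(dns) and (dns in dnscrypt or "0.0.0.0" in dnscrypt)
        findings.append(("ENCRYPTED" if served else "PLAINTEXT", dns))
    if dnscrypt and not any(a == "0.0.0.0" or in_tun(a) for a in dnscrypt):
        findings.append(("UNREACHABLE", ",".join(sorted(dnscrypt))))
    return findings


if __name__ == "__main__":
    for level, detail in dns_path_findings(SERVER_CONF, NETSTAT):
        print(f"as posted: {level:11} {detail}")
    for level, detail in dns_path_findings(FIXED_CONF, FIXED_NETSTAT):
        print(f"fixed:     {level:11} {detail}")
```

Run it as-is and it prints PLAINTEXT for 8.8.8.8 plus UNREACHABLE for 127.0.0.2 in the posted setup, and ENCRYPTED for 10.8.0.1 in the fixed variant. The point is that DNS-poisoning protection from dnscrypt-proxy only covers the tunnel clients when the proxy is bound to an address inside the tunnel subnet and that address is what gets pushed.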

Re: OpenVPN+Stunnel+DNScrypt-Proxy Internet Possibly DNS iss

Posted: Mon Nov 23, 2015 6:04 pm
by kelleci
Sorry for flooding, but I can't edit my first message. I forgot to add my firewall rule to the post:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Best regards.

Re: OpenVPN+Stunnel+DNScrypt-Proxy Internet Possibly DNS iss

Posted: Tue Nov 24, 2015 12:04 am
by ste123
Does your OpenVPN network connection work? If not, provide both server and client logs.

If it's regarding another program/service running over the VPN link, you may need to address your question elsewhere.

Re: OpenVPN+Stunnel+DNScrypt-Proxy Internet Possibly DNS iss

Posted: Tue Nov 24, 2015 1:40 am
by Traffic
You encrypt packets with stunnel... how do you unencrypt packets?

Re: OpenVPN+Stunnel+DNScrypt-Proxy Internet Possibly DNS iss

Posted: Tue Nov 24, 2015 12:55 pm
by Skaperen
my favorite best practice is the KISS principle ... why do you need all that other stuff?

Re: OpenVPN+Stunnel+DNScrypt-Proxy Internet Possibly DNS iss

Posted: Tue Nov 24, 2015 1:23 pm
by kelleci
Hi
Yes, my OpenVPN connection works well without stunnel.

I believe the client config does unencrypt packets with the .pem and .key files. Am I wrong? And I'm using Android (SSH tunnel app with a PKCS12 file) and Windows (.pem and .key files) clients.

I need stunnel for a DPI firewall (I will go abroad next week) and dnscrypt for DNS poisoning in my country. (The server is in my country now.)

Best regards.

Re: OpenVPN+Stunnel+DNScrypt-Proxy Internet Possibly DNS iss

Posted: Thu Nov 26, 2015 6:14 pm
by kelleci
ste123 wrote:Does your OpenVPN network connection work? If not, provide both server and client logs.

If it's regarding another program/service running over the VPN link, you may need to address your question elsewhere.
Yes, my connection works well without stunnel. Where can I post my question? Can you give me a hint, please?
Traffic wrote:You encrypt packets with stunnel .. how do you unencrypt packets ?
I assume the .pem and .key files provide that, with the stunnel client and server conf files. Am I wrong?
Skaperen wrote:my favorite best practice is the KISS principle ... why do you need all that other stuff?
Stunnel is for a deep packet inspection (DPI) firewall, because I will make a trip abroad to a place which has a level 7 firewall. The dnscrypt stuff is for DNS poisoning in my country.

Thanks all for your kind replies.

Re: OpenVPN+Stunnel+DNScrypt-Proxy Internet Possibly DNS iss

Posted: Wed Dec 23, 2015 1:03 am
by kelleci
Yes, my OpenVPN and stunnel connection works fine on the PC platform (Windows), but it doesn't work for Android.

Re: OpenVPN+Stunnel+DNScrypt-Proxy Internet Possibly DNS iss

Posted: Mon Dec 28, 2015 10:34 am
by kelleci
I figured it out by myself.
All the above config files are correct except the Android client config file and the Android app. The config file needs this parameter:

route my.server.ip.com 255.255.255.255 net_gateway
This parameter only works with OpenVPN for Android by Arne Schwabe; the official OpenVPN application doesn't like that parameter :roll:
The official app complains about the FQDN address. I even tried

allow-pull-fqdn
with no luck at all. In Arne's application it works like a charm :mrgreen:
Best regards
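As an added illustration (not code from the thread, and not OpenVPN's own routing code), the following simulates the client's routing table after the options pushed by the server config in the first post, using the longest-prefix lookup any kernel performs. It shows why the route line above fixed things: behind stunnel, the OpenVPN client's own `remote` is 127.0.0.1, so the bypass host route that `redirect-gateway def1` installs for the remote endpoint does not cover the real server, and the stunnel TCP connection to the server's public address falls under 128.0.0.0/1, i.e. into the tunnel it is carrying. The addresses (192.168.43.0/24 as the client's Wi-Fi network, 203.0.113.10 standing in for the masked server address) are constructed placeholders, and the handling of a loopback remote is simplified (no bypass route is added for it), which does not change the result.

```python
"""Simulate the client's routing table under the pushed options from the
server config and show where a packet to the stunnel server goes."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dst: ipaddress.IPv4Network
    via: str   # next hop
    dev: str   # outgoing interface


# Constructed placeholders; the thread masks the real public address.
ORIG_GW = "192.168.43.1"        # client's pre-VPN default gateway (= net_gateway)
ORIG_DEV = "wlan0"
ORIG_LAN = "192.168.43.0/24"
SERVER_PUBLIC = "203.0.113.10"  # stands in for my_router_public_ip / my.server.ip.com
TUN_DEV = "tun0"
TUN_GW = "10.8.0.1"             # OpenVPN server's tunnel address from the config

# Pushed by the server config in the first post.
PUSHED = [
    "route 10.8.0.1 255.255.255.255",
    "route 10.8.0.0 255.255.255.0",
    "route 192.168.1.0 255.255.255.0",
    "redirect-gateway def1",
]


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def build_table(directives: List[str], remote: str) -> List[Route]:
    """Client table after applying OpenVPN route directives.

    `remote` is what the OpenVPN client itself connects to. Behind stunnel that
    is 127.0.0.1, not the server's public address.
    """
    table = [
        Route(ipaddress.ip_network("0.0.0.0/0"), ORIG_GW, ORIG_DEV),
        Route(ipaddress.ip_network(ORIG_LAN), "0.0.0.0", ORIG_DEV),
    ]
    for d in directives:
        parts = d.split()
        if parts[0] == "redirect-gateway":
            # def1: two /1 routes via the tunnel instead of replacing 0.0.0.0/0
            table.append(Route(ipaddress.ip_network("0.0.0.0/1"), TUN_GW, TUN_DEV))
            table.append(Route(ipaddress.ip_network("128.0.0.0/1"), TUN_GW, TUN_DEV))
            # bypass host route for the peer OpenVPN is talking to, via the old
            # gateway. A loopback remote gets none here (simplification; either
            # way it does not cover SERVER_PUBLIC).
            if not ipaddress.ip_address(remote).is_loopback:
                table.append(Route(_net(remote, "255.255.255.255"), ORIG_GW, ORIG_DEV))
        elif parts[0] == "route":
            net = _net(parts[1], parts[2])
            via_orig = len(parts) > 3 and parts[3] == "net_gateway"
            table.append(Route(net, ORIG_GW, ORIG_DEV) if via_orig
                         else Route(net, TUN_GW, TUN_DEV))
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does it."""
    ip = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if ip in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def stunnel_egress_dev(client_directives=()) -> str:
    """Interface the client uses to reach SERVER_PUBLIC:443 (the stunnel server)."""
    table = build_table(PUSHED + list(client_directives), remote="127.0.0.1")
    return lookup(table, SERVER_PUBLIC).dev


if __name__ == "__main__":
    print("without route line:", stunnel_egress_dev())        # tun0: routed into the tunnel
    fix = f"route {SERVER_PUBLIC} 255.255.255.255 net_gateway"
    print("with route line:   ", stunnel_egress_dev([fix]))   # wlan0: via the original gateway
```

The same host route can equally be pushed from the server side (the commented-out `push "route my_router_public_ip 255.255.255.255 net_gateway"` in the server config); what matters is that the client learns a more specific route for the stunnel endpoint than the two /1 routes the tunnel installs.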