OpenVPN and stunnel, routing problem

blacksun · Post by **blacksun** » Sun Sep 20, 2020 7:17 pm

Hello,

i have a working ovpn-tcp config:
Server:

mode server
tls-server
ifconfig 10.0.9.1 255.255.255.0
ifconfig-pool 10.0.9.30 10.0.9.50 255.255.255.0
ifconfig-pool-persist  (...)
topology subnet
proto tcp-server
dev tun1
port 55554
push "topology subnet"
push "dhcp-option DNS 192.168.3.102"
push "route 192.168.3.0 255.255.255.0 10.0.9.1"
push "route-gateway 10.0.9.1"
push "redirect-gateway def1 bypass-dhcp"
push "ping 10"
push "ping-restart 60"
push "ping-timer-rem"
client-config-dir  (...)
client-to-client
...
status   (...)

Client

Code: Select all

]tls-client
remote something.dyndns.org
proto tcp-client
dev tun0
port 55554
remote-cert-tls server
pull
...
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Now I tried this stunnel & OVPN-Config:

Stunnel-Server:

Code: Select all

[openvpn]
accept = 0.0.0.0:55552
connect = 127.0.0.1:55554
....
verifyPeer = yes

Stunnel-Client:

Code: Select all

[openvpn]
accept = 127.0.0.1:55554
connect = something.dyndns.org:443
...
verifyChain = yes

OVPN-Client:

Code: Select all

tls-client
remote 127.0.0.1
proto tcp-client
dev tun0
port 55554
remote-cert-tls server
pull
...
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Server = behind a Router, OVPN-Server and stunnel-server are the same machine
Server-LAN-IP: 192.168.3.101
Router-LAN-IP: 192.168.3.1
OVPN-Server-IP: 10.0.9.1
Public-IP: something.dyndns.org

The OVPN-Client can connect successfully through the stunnel-tunnel to the Server.
But there is a problem with the routings.
The Client cannot reach neither one of the Server-IPs nor a public ip.

Can anyone help me?
Where is the mistake?

I read something that I have to add an additional route-entry, but I dont know which one.

Thanks.

TinCanTech · Post by **TinCanTech** » Sun Sep 20, 2020 7:40 pm

blacksun wrote: ↑
Sun Sep 20, 2020 7:17 pm
Server:
Code: Select all
push "redirect-gateway def1 bypass-dhcp"

Try without that

blacksun · Post by **blacksun** » Sun Sep 20, 2020 8:32 pm

TinCanTech wrote: ↑
Sun Sep 20, 2020 7:40 pm
blacksun wrote: ↑
Sun Sep 20, 2020 7:17 pm
Server:
Code: Select all
push "redirect-gateway def1 bypass-dhcp"
Try without that

Is it possible to overwrite that pushed option on the client-side?
Then I can use the server-instance for both, direct OVPN-tcp-connect and OVPN-tcp-connect over stunnel.

TinCanTech · Post by **TinCanTech** » Sun Sep 20, 2020 9:13 pm

Did you try it ?

blacksun · Post by **blacksun** » Mon Sep 21, 2020 6:18 am

TinCanTech wrote: ↑
Sun Sep 20, 2020 9:13 pm
Did you try it ?

now, yes.

But it doesnt work in the right way.

Of course, the LAN and the Server (192.168.3.0) is now reachable.
But because the gateway is not changed, all inet traffic is routed directly to the inet and not through the VPN-Tunnel which is one of my intensions of using a vpn.

I think redirecting gateway is neccessary to route all traffic though the vpn.
With my config, see above, it works on android and win10. On android, i had to make a exception for stunnel in the openvpn-Client --> Routing all traffic through the tunnel, but not the outgoing traffic of the stunnel-Client.
on win10, it works also without any exceptions, but i do not know why.

TinCanTech · Post by **TinCanTech** » Mon Sep 21, 2020 11:24 am

--redirect-gateway is using the wrong routes because it does not know about stunnel.

You will have to read what --redirect-gateway does and then apply those routes your self.

OpenVPN Support Forum

OpenVPN and stunnel, routing problem

OpenVPN and stunnel, routing problem

Re: OpenVPN and stunnel, routing problem

Re: OpenVPN and stunnel, routing problem

Re: OpenVPN and stunnel, routing problem

Re: OpenVPN and stunnel, routing problem

Re: OpenVPN and stunnel, routing problem