Temat: OpenVPN + sTunnel - problem z konfiguracją.
Potrzebuję pomocy w ustawieniu pakietu Stunnel z OpenVPN.
SSLDroid niby daje przy kazdej probie połączenia informacje o Tunelowaniu a zaraz potem jest quiting
OpenVPN w telefonie wygląda, że nie dostaje żadnej odpowiedzi.
Port 443 przekierowany z WAN na router gdzie wszystko stoi.
Konfiguracja wygląda tak:
1) vi /etc/config/openvpn
config openvpn 'custom_config'
option enabled '0'
option config '/etc/openvpn/my-vpn.conf'config openvpn 'sample_server'
option enabled '0'
option port '1194'
option proto 'udp'
option dev 'tun'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh1024.pem'
option server '10.8.0.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
option keepalive '10 120'
option compress 'lzo'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option status '/tmp/openvpn-status.log'
option verb '3'config openvpn 'sample_client'
option enabled '0'
option client '1'
option dev 'tun'
option proto 'udp'
list remote 'my_server_1 1194'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
option compress 'lzo'
option verb '3'config openvpn 'home'
option enabled '1'
option dev 'tun'
option tun-mtu '1500'
option tun-mtu-extra '32'
option mssfix '1450'
option port '1194'
option log '/tmp/openvpn.log'
option verb '3'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/serwer.crt'
option key '/etc/openvpn/serwer.key'
option server '10.8.0.0 255.255.255.0'
option dh '/etc/openvpn/dh2048.pem'
option proto 'tcp'
list push 'redirect-gateway def1 bypass dhcp'
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
option keepalive '5 30'
option comp_lzo 'yes'
option persist_key '1'
option persist_tun '1'
option verb '3'
2) ustawienia stunnel: vi /etc/stunnel/stunnel.conf
; Sample stunnel configuration file by Michal Trojnara 2002-2009
;
; some options used here may not be adequate for your particular configuration
; please read the manual and make sure you understand them; certificate/key is needed in server mode and optional in client mode
;;cert = /etc/stunnel/stunnel.pem
;key = /etc/stunnel/stunnel.pem; protocol version (all, SSLv2, SSLv3, TLSv1)
;;sslVersion = all; security enhancements for UNIX systems - comment them out on Win32
; for chroot a copy of some devices and files is needed within the jail
;;chroot = /var
;;setuid = nobody
;;setgid = nogroup
; PID is created inside the chroot jail
;;pid = /stunnel.pid; performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib; workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS; authentication stuff needs to be configured to prevent MITM attacks
; it is not enabled by default!
;verify = 2
; don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; it's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; alternatively CRLfile can be used
;CRLfile = /etc/stunnel/crls.pem; debugging stuff (may useful for troubleshooting)
;debug = 7
;output = /var/log/stunnel.log; SSL client mode
;client = yes; service-level configuration
;[pop3s]
;accept = 995
;connect = 110;[imaps]
;accept = 993
;connect = 143;[ssmtp]
;accept = 465
;connect = 25;;[https]
;;accept = 443
;;connect = 80
;;TIMEOUTclose = 0;;[chilli]
;;accept = 3443
;;connect = 3442
;;TIMEOUTclose = 0; vim:ft=dosini
cert = /etc/stunnel/stunnel.pem
[opevvpn]
accept = 443
connect = localhost:1194
cert = /etc/stunnel/stunnel.pem
do tego ustawiałem:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -p tcp --dport 443 -j ACCEPT