
I want a setup like this:
OpenVPN client <==> Stunnel client <==> INTERNET <==> Stunnel server <==> OpenVPN server
(The OpenVPN client only talks to the Stunnel client, and so on)
Basically I want to tunnel my OpenVPN connection through Stunnel. I have two Ubuntu machines and two GL-INET VPN routers.
Problem: After setting up the stunnel and OpenVPN client and server configurations, it seems the packets from the OpenVPN client cannot reach the stunnel server. I get the error Connection refused (111) on the Stunnel client (which runs on an Ubuntu machine).
Below are the various endpoints:
OpenVPN client: GL-Inet OpenVPN router, LAN connected to the main Bell router
Stunnel client: Ubuntu, LAN connected to the main Bell router
Stunnel server: Ubuntu, LAN connected to a main wifi router
OpenVPN server: Ubuntu, LAN connected to a main wifi router
Now, when I start the connection on the OpenVPN client, the following error appears on the Ubuntu client: 2023.11.04 21:42:19 LOG3[366]: s_connect: connect 142.198.10.52:443: Connection refused (111)
How can I fix this and connect to the Stunnel server and, eventually, to OpenVPN?
=========================================
Configurations:
OpenVPN client:
client
dev tun
proto tcp
remote 192.168.8.229 2222
resolv-retry infinite
nobind
persist-key
persist-tun
auth SHA256
cipher AES-256-GCM
nice 0
mute 5
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDCzCCAfOgAwIBAgIUQrgdPuYAe1NsB5pLVpHmJv35mUswDQYJKoZIhvcNAQEF
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIICtTCCAZ0CFG2ihbYNKpQ9vcnoU8/F+yuYalEPMA0GCSqGSIb3DQEBBQUAMBUx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhutA0gHv08iEn
-----END PRIVATE KEY-----
</key>
STUNNEL client configuration:
pid = /var/run/stunnel4/stunnel.pid
output = /var/log/stunnel4/stunnel.log
setuid = stunnel4
setgid = stunnel4
# https://www.stunnel.org/faq.html
socket = r:TCP_NODELAY=1
socket = l:TCP_NODELAY=1
debug = 7
#[yahoo_imaps-client]
#client = yes
#accept = 127.0.0.1:143
#connect = imap.mail.yahoo.com:993
# This requires ca-certificates package
#CApath = /etc/ssl/certs/
#verifyChain = yes
#checkHost = imap.mail.yahoo.com
[ssh_tls-server]
client = yes
accept = 2222
connect = 142.198.10.52:443
PSKsecrets = /etc/stunnel/psk1.txt
Client connection logs:
2023.11.04 21:42:19 LOG7[main]: FD=4 events=0x2001 revents=0x0
2023.11.04 21:42:19 LOG7[main]: FD=9 events=0x2001 revents=0x1
2023.11.04 21:42:19 LOG7[main]: Service [ssh_tls-server] accepted (FD=3) from 192.168.8.1:37032
2023.11.04 21:42:19 LOG7[366]: Service [ssh_tls-server] started
2023.11.04 21:42:19 LOG7[366]: Setting local socket options (FD=3)
2023.11.04 21:42:19 LOG7[366]: Option TCP_NODELAY set on local socket
2023.11.04 21:42:19 LOG5[366]: Service [ssh_tls-server] accepted connection from 192.168.8.1:37032
2023.11.04 21:42:19 LOG6[366]: s_connect: connecting 142.198.10.52:443
2023.11.04 21:42:19 LOG7[366]: s_connect: s_poll_wait 142.198.10.52:443: waiting 10 seconds
2023.11.04 21:42:19 LOG7[366]: FD=6 events=0x2001 revents=0x0
2023.11.04 21:42:19 LOG7[366]: FD=11 events=0x2005 revents=0x0
2023.11.04 21:42:19 LOG3[366]: s_connect: connect 142.198.10.52:443: Connection refused (111)
2023.11.04 21:42:19 LOG3[366]: No more addresses to connect
2023.11.04 21:42:19 LOG5[366]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2023.11.04 21:42:19 LOG7[366]: Local descriptor (FD=3) closed
2023.11.04 21:42:19 LOG7[366]: Service [ssh_tls-server] finished (0 left)
OpenVPN server:
client
dev tun
proto tcp
remote 142.198.10.52 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth SHA256
cipher AES-256-GCM
nice 0
mute 5
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDCzCCAfOgAwIBAgIUQrgdPuYAe1NsB5pLVpHmJv35mUswDQYJKoZIhvcNAQEF
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIICtTCCAZ0CFG2ihbYNKpQ9vcnoU8/F+yuYalEPMA0GCSqGSIb3DQEBBQUAMBUx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhutA0gHv08iEn
-----END PRIVATE KEY-----
</key>
Ubuntu Stunnel server:
pid = /var/run/stunnel4/stunnel.pid
output = /var/log/stunnel4/stunnel.log
setuid = stunnel4
setgid = stunnel4
# https://www.stunnel.org/faq.html
socket = r:TCP_NODELAY=1
socket = l:TCP_NODELAY=1
debug = 7
#[yahoo_imaps-client]
#client = yes
#accept = 127.0.0.1:143
#connect = imap.mail.yahoo.com:993
# This requires ca-certificates package
#CApath = /etc/ssl/certs/
#verifyChain = yes
#checkHost = imap.mail.yahoo.com
[openvpn]
client = no
cert = /etc/stunnel/stunnel.pem
accept = 192.168.2.167:9999
connect = 192.168.2.75:1194
ciphers = PSK
PSKsecrets = /etc/stunnel/psk1.txt
Server startup logs (although nothing happens when the connection is started):
2023.11.04 17:31:57 LOG7[main]: Found 1 ready file descriptor(s)
2023.11.04 17:31:57 LOG7[main]: FD=4 events=0x2001 revents=0x0
2023.11.04 17:31:57 LOG7[main]: FD=9 events=0x2001 revents=0x1
2023.11.04 17:31:57 LOG7[main]: Service [openvpn] accepted (FD=3) from 172.104.242.173:40259
2023.11.04 17:31:57 LOG7[0]: Service [openvpn] started
2023.11.04 17:31:57 LOG7[0]: Setting local socket options (FD=3)
2023.11.04 17:31:57 LOG7[0]: Option TCP_NODELAY set on local socket
2023.11.04 17:31:57 LOG5[0]: Service [openvpn] accepted connection from 172.104.242.173:40259
2023.11.04 17:31:57 LOG6[0]: Peer certificate not required
2023.11.04 17:31:57 LOG7[0]: TLS state (accept): before SSL initialization
2023.11.04 17:36:57 LOG6[0]: ssl_start: s_poll_wait: TIMEOUTbusy exceeded: sending reset
2023.11.04 17:36:57 LOG7[0]: FD=6 events=0x2001 revents=0x0
2023.11.04 17:36:57 LOG7[0]: FD=3 events=0x2001 revents=0x0
2023.11.04 17:36:57 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2023.11.04 17:36:57 LOG7[0]: Local descriptor (FD=3) closed
2023.11.04 17:36:57 LOG7[0]: Service [openvpn] finished (0 left)
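The first thing to check in a chain like this is whether each hop's `connect` actually lands on the next hop's `accept`, and whether a TCP-level "Connection refused" (errno 111, i.e. the peer answered the SYN with a RST before any TLS was attempted) is explained by that. The script below is an added example, not code from the original question or from the stunnel or OpenVPN projects: it parses trimmed copies of the four configurations posted above (certificates and keys omitted, embedded as constructed strings), the one failing log line, and a hypothetical port-forward table describing what the server-side router is assumed to do, and reports every inconsistency it finds along the chain without touching the network. The `OVPN_SERVER_EXPECTED` profile is also hypothetical; it is only there to show what a consistent chain looks like to the checker.

```python
"""Static cross-check of an OpenVPN-over-stunnel chain (added example, not from the post)."""
import re

# Constructed inputs: trimmed copies of the configs posted in the question.
OVPN_CLIENT = "client\ndev tun\nproto tcp\nremote 192.168.8.229 2222\nnobind\n"
STUNNEL_CLIENT = """debug = 7
socket = r:TCP_NODELAY=1
[ssh_tls-server]
client = yes
accept = 2222
connect = 142.198.10.52:443
PSKsecrets = /etc/stunnel/psk1.txt
"""
STUNNEL_SERVER = """[openvpn]
client = no
cert = /etc/stunnel/stunnel.pem
accept = 192.168.2.167:9999
connect = 192.168.2.75:1194
ciphers = PSK
PSKsecrets = /etc/stunnel/psk1.txt
"""
# Posted under the heading "OpenVPN server", but it is a client profile.
OVPN_SERVER_AS_POSTED = "client\ndev tun\nproto tcp\nremote 142.198.10.52 443\n"
# Hypothetical listening profile (not from the post) that the stunnel server's connect= needs.
OVPN_SERVER_EXPECTED = "port 1194\nproto tcp-server\ndev tun\n"
CLIENT_LOG_LINE = ("2023.11.04 21:42:19 LOG3[366]: s_connect: connect "
                   "142.198.10.52:443: Connection refused (111)")


def parse_stunnel(text):
    """Return (global_options, {section: {key: value}}) for an stunnel config."""
    glob, sections, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = m.group(1)
            sections[cur] = {}
            continue
        key, _, val = line.partition("=")             # first '=' only (socket = r:TCP_NODELAY=1)
        (sections[cur] if cur else glob)[key.strip()] = val.strip()
    return glob, sections


def parse_openvpn(text):
    """Return OpenVPN directives as {name: [args]}; inline <ca>/<cert>/<key> blocks are skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"<[a-z-]+>", line):
            in_block = True
            continue
        if re.fullmatch(r"</[a-z-]+>", line):
            in_block = False
            continue
        if in_block or not line or line.startswith("#"):
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def endpoint(spec, default_host="0.0.0.0"):
    """Split an stunnel accept=/connect= value into (host, port); a bare port means all interfaces."""
    host, sep, port = spec.rpartition(":")
    return (host if sep else default_host, int(port))


def parse_connect_error(line):
    """Pull (host, port, errno) out of an stunnel 's_connect: connect H:P: msg (N)' failure line."""
    m = re.search(r"s_connect: connect (\S+):(\d+): .*\((\d+)\)$", line)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None


def check_chain(ovpn_client, st_client, st_server, ovpn_server, port_forwards=None):
    """Return [(code, message)] for each inconsistency along the four-hop chain.

    port_forwards maps (public_ip, public_port) -> (lan_ip, lan_port): the DNAT rule
    assumed on the server-side router. An empty table means "no forward configured".
    """
    port_forwards, findings = port_forwards or {}, []
    oc, osrv = parse_openvpn(ovpn_client), parse_openvpn(ovpn_server)
    csec = next(s for s in parse_stunnel(st_client)[1].values() if s.get("client") == "yes")
    ssec = next(s for s in parse_stunnel(st_server)[1].values() if s.get("client", "no") != "yes")

    # Hop 1: OpenVPN client -> stunnel client on the same LAN; stunnel carries TCP only.
    if oc.get("proto", ["udp"])[0] != "tcp":
        findings.append(("PROTO", "OpenVPN client needs 'proto tcp' to go through stunnel"))
    remote_port, accept_port = int(oc["remote"][1]), endpoint(csec["accept"])[1]
    if remote_port != accept_port:
        findings.append(("ACCEPT_MISMATCH", f"OpenVPN remote port {remote_port} != stunnel client accept {accept_port}"))

    # Hop 2: stunnel client -> public IP:port -> (router DNAT) -> stunnel server accept.
    public, server_accept = endpoint(csec["connect"]), endpoint(ssec["accept"])
    lan = port_forwards.get(public)
    if lan is None:
        findings.append(("NO_PORT_FORWARD", f"stunnel client targets {public[0]}:{public[1]} but nothing "
                         f"forwards it to the stunnel server on {server_accept[0]}:{server_accept[1]}; "
                         "a RST from the target gives ECONNREFUSED (111) before any TLS"))
    elif lan != server_accept:
        findings.append(("FORWARD_MISMATCH", f"port forward {public} -> {lan} misses accept {server_accept}"))

    # Hop 3: stunnel server -> OpenVPN server, which must listen for TCP on the connect= port.
    server_connect = endpoint(ssec["connect"])
    if "client" in osrv or "remote" in osrv:
        findings.append(("OVPN_SERVER_IS_CLIENT", "the 'OpenVPN server' profile is a client profile; "
                         "nothing listens on %s:%d" % server_connect))
    else:
        listen_port = int(osrv.get("port", ["1194"])[0])        # OpenVPN's default port
        if listen_port != server_connect[1]:
            findings.append(("OVPN_PORT_MISMATCH", f"OpenVPN listens on {listen_port}, stunnel connects to {server_connect[1]}"))
        if osrv.get("proto", ["udp"])[0] not in ("tcp", "tcp-server"):
            findings.append(("PROTO", "OpenVPN server must use 'proto tcp-server' to accept stunnel's stream"))

    # Both stunnel ends must agree on PSK authentication, or the handshake (not the TCP connect) fails.
    if ("PSKsecrets" in csec) != ("PSKsecrets" in ssec):
        findings.append(("PSK_ONE_SIDED", "only one stunnel end configures PSKsecrets"))
    return findings


if __name__ == "__main__":
    print(parse_connect_error(CLIENT_LOG_LINE))
    for code, msg in check_chain(OVPN_CLIENT, STUNNEL_CLIENT, STUNNEL_SERVER, OVPN_SERVER_AS_POSTED):
        print(code, "-", msg)
```

Run against the posted configs with no port-forward table, the checker reports two things: the stunnel client aims at 142.198.10.52:443 while the stunnel server only accepts on a private address and port 9999, and the profile labelled "OpenVPN server" is a client profile, so nothing would be listening on 192.168.2.75:1194 for the stunnel server to hand the decrypted stream to. Supplying a forward of 142.198.10.52:443 to 192.168.2.167:9999 and a real listening profile makes the report empty, which is the state to aim for before looking at TLS or PSK problems: those show up as handshake failures in the server log, not as "Connection refused" on the client.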