# OpenVPN and Stunnel problem [SOLVED]

## esperto

Hi all,

I'm going to China and would like to get to my home VPN. Reading over the internet, a recommendation was to wrap the OpenVPN connection into SSL to avoid being cut off by the GFW, as OpenVPN is not pure SSL.

I've followed the instructions (they are quite easy actually) and created a tunnel for OpenVPN. The issue is I can connect but no packet goes through after that; it is very odd.

OpenVPN log shows the connection starting, I can even authenticate with a local user, but after that, nothing.

To test if there was a problem with the tunnel I used netcat and was able to connect over the tunnel and get messages across both ways on the first try.

Does anyone have experience with this?

I'm putting below my config with some critical parts removed (like certs and keys).

stunnel server config file

```
# Sample stunnel configuration file by Michal Trojnara 2002-2005
# Some options used here may not be adequate for your particular configuration
# Please make sure you understand them (especially the effect of chroot jail)

# Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem

# Some security enhancements for UNIX systems - comment them out on Win32
# chroot = /chroot/stunnel/
setuid = stunnel
setgid = stunnel

# PID is created inside chroot jail
pid = /run/stunnel/stunnel.pid

# Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
#compression = rle

# Workaround for Eudora bug
options = NO_SSLv2

# Some debugging stuff useful for troubleshooting
#debug = 7
output = /var/log/stunnel.log

# Service-level configuration
# TLS listener on 4600, plaintext forwarded to the local OpenVPN on 4500
[openvpn]
accept = 4600
connect = 127.0.0.1:4500

# Test service used with netcat
[nc]
accept = 10000
connect = 127.0.0.1:11000
```

stunnel client config

```
# stunnel for the OpenVPN at home
#pid = /run/stunnel/stunnel.pid
#output = /var/log/stunnel4/stunnel.log

# Local plaintext listener on 4500; OpenVPN client connects here
[openvpn]
client = yes
accept = 127.0.0.1:4500
connect = remote_ip:4600

# Test service used with netcat
[nc]
client = yes
accept = 127.0.0.1:11000
connect = remote_ip:10000
```

OpenVPN server config

```
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so system-auth
# Listens only for the plaintext side of stunnel (TCP, not UDP)
port 4500
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/cert.crt
key /etc/openvpn/certs/key.key
dh /etc/openvpn/certs/dh2048.pem
tls-auth /etc/openvpn/certs/ta.key 0
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 1800 4000
cipher AES-256-CBC
comp-lzo
max-clients 4
user nobody
group nobody
persist-key
persist-tun
log        /var/log/openvpn.log
status     openvpn-status.log
status-version 1
verb 5
mute 20
```

OpenVPN client config

```
client
# The "remote" is the local stunnel listener, not the real server IP
remote 127.0.0.1 4500
ca /home/user/OpenVPN/ca.crt
cert /home/user/OpenVPN/cert-client.crt
key /home/user/OpenVPN/key-client.key
cipher AES-256-CBC
comp-lzo yes
dev tun
proto tcp
tls-auth ./ta.key 1
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user user
group user
auth-user-pass
```

Thanks in advance!

----------

## bbgermany

Hi,

please try adding "pull" to your client config. 

Greets, bb

----------

## esperto

*bbgermany wrote:*

> Hi,
> 
> please try adding "pull" to your client config. 
> 
> Greets, bb

Just tried, didn't work   :Sad: 

----------

## bbgermany

Hi,

Please post the output of "netstat -rn" and "ifconfig -a" after you tried to establish the openvpn tunnel.

Thx and greets, bb

----------

## esperto

Ok, weird thing, I don't have the results asked for in the post above right now, but I tested using a Windows machine and the tunnel + OpenVPN worked   :Shocked: 

My Android phone and my notebook running Mint both showed the same problem, connects but nothing after that, so this indicates something at the client side.

The "pull" command at the client config didn't make any difference, any other suggestions?

----------

## bbgermany

Hi,

please try posting the output of the commands, this can maybe help us debugging the issue. You can also post the kernel config, maybe there is an option missing. Additionally you should post the logfile of openvpn (at least client side).

greets, bb

----------

## esperto

BB,

thanks for the support, the problem was a routing issue, found the answer on this reddit thread:

https://www.reddit.com/r/OpenVPN/comments/4crgcs/openvpn_with_ssl_tunnel/

I just had to add, before connecting, a route to my server with the gateway from the "normal" connection, or the packets seem to get routed in a loop inside the VPN connection.

```
route add -host <VPN-server-public-IP> gw <Gateway-as-defined-by-default-route>
```
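As an added example (not code from this thread), a small POSIX sh helper around the fix above: because the OpenVPN `remote` is 127.0.0.1 (stunnel), the pushed `redirect-gateway` cannot install its usual bypass route for the real server, so the helper reads the gateway of the pre-VPN default route, builds the iproute2 equivalent of the `route add -host` line, and checks whether that host route already exists. The routing-table sample and `VPN_SERVER` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. With "remote 127.0.0.1" the
# stunnel TLS traffic to the real server would itself be pulled into the
# tun once redirect-gateway takes effect; a /32 route to the server via
# the pre-VPN default gateway keeps it on the physical uplink.
# Assumes iproute2 "ip route" output format.

# Read "ip route" output on stdin and print the gateway of the default route.
default_gateway() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# Succeed if a host route for $1 is already present in the "ip route" output on stdin.
has_bypass_route() {
    awk -v h="$1" '$1 == h && $2 == "via" { found = 1 } END { exit !found }'
}

# Print the command that installs the bypass route; refuse to build one
# without a server or a gateway so that a broken route is never applied.
bypass_route_cmd() {
    server="$1"; gw="$2"
    [ -n "$server" ] && [ -n "$gw" ] || return 1
    printf 'ip route add %s/32 via %s\n' "$server" "$gw"
}

# Constructed sample routing table, as a laptop on home Wi-Fi would show before the VPN is up.
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

# Apply for real only when invoked as: sh bypass.sh apply <VPN-server-public-IP>
if [ "${1:-}" = "apply" ]; then
    VPN_SERVER="$2"                                   # placeholder argument
    if ! ip route | has_bypass_route "$VPN_SERVER"; then
        gw=$(ip route | default_gateway) || exit 1
        cmd=$(bypass_route_cmd "$VPN_SERVER" "$gw") || exit 1
        echo "+ $cmd"; $cmd
    fi
fi
```

Run it before starting stunnel and the OpenVPN client; once `redirect-gateway` is pushed, the default route changes and `default_gateway` would then return the tun gateway instead.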

----------

## bbgermany

Hi,

good to see it working now, maybe you should consider adding the route at boot via /etc/conf.d/net, if possible  :Wink: 

https://wiki.gentoo.org/wiki/Static_Routing#Adding_a_Permanent_Static_Route

greets, bb

----------

