
I've created an Ubuntu 16.04 lxd container and set up Stunnel, Tinyproxy and an OpenVPN client in it.

The goal is to connect to Tinyproxy through Stunnel and force Tinyproxy to use OpenVPN's interface for outgoing connections.

Stunnel -> Tinyproxy works fine: pages in the browser load as expected. However, as soon as I start the OpenVPN service, Stunnel on the client side fails with a timeout and the browser keeps waiting for a response.

Since Tinyproxy 1.8.3 (the newest version for Ubuntu 16.04) does not support an option to bind outgoing connections to a specific interface, I had to let OpenVPN add the default routes through its tun0 interface.

The OpenVPN client works as expected: all packets from the container go through the VPN. The host with the container is a remote host with a public IP. DNAT is set up to the container.

I am not really acquainted with routing internals; I could only set up SNAT/DNAT and filtering with iptables. Therefore, I can't understand the root of the problem.

Here are the most important parameters of the environment:

ifconfig

$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:16:3e:5f:46:ba
          inet addr:10.227.60.197  Bcast:10.227.60.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe5f:46ba/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16291 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15632 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5044056 (5.0 MB)  TX bytes:4171187 (4.1 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2446 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:2483699 (2.4 MB)  TX bytes:2483699 (2.4 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.3  P-t-P:10.8.0.3  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:252 (252.0 B)  TX bytes:252 (252.0 B)

route

$ route -v -e
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.8.0.1        128.0.0.0       UG        0 0          0 tun0
default         10.227.60.1     0.0.0.0         UG        0 0          0 eth0
10.8.0.0        *               255.255.255.0   U         0 0          0 tun0
10.227.60.0     *               255.255.255.0   U         0 0          0 eth0
128.0.0.0       10.8.0.1        128.0.0.0       UG        0 0          0 tun0
<vpn server IP> 10.227.60.1     255.255.255.255 UGH       0 0          0 eth0

stunnel.conf

...
accept = 10.227.60.197:8081
connect = 127.0.0.1:8080
...

tinyproxy.conf

...
Port 8080
Listen 127.0.0.1
...

vpnclient.conf

dev tun
proto udp
remote <vpn server ip> 1195
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
key-direction 1
verb 3
#route-nopull 
...

The iptables rules are empty.

    Ubuntu 16.04 will reach its End Of Life (EOL) in April 2021. I recommend you to upgrade now to the current version *before* tackling this problem. – sebix Jan 10 '21 at 19:38

1 Answer


The problem was with routing table configuration.

I noticed that when removing routes added by OpenVPN:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.8.0.1        128.0.0.0       UG        0 0          0 tun0

and trying to perform ping 8.8.8.8 -I tun0 while simultaneously monitoring packets with tcpdump -nn icmp, reply icmp requests actually hit eth0 but don't proceed any further. After some investigation I found out that there should also be a separate routing table for tun0, and rules for it, since the server has 2 interfaces.

Eventually, I updated tinyproxy to the latest version, in order to be able to specify the outbound interface, and stopped OpenVPN from pushing default routes like the one I removed above.

Then, I added a table to /etc/iproute2/rt_tables:

...
12 vpn

added routes and rules for this table:

ip route add 10.8.0.0/24 dev tun0 src 10.8.0.3 table vpn
ip route add default via 10.8.0.1 dev tun0 table vpn

ip rule add from 10.8.0.3/32 table vpn
ip rule add to 10.8.0.3/32 table vpn

After that everything started to work as expected.

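As an added example (not from the original post), a small POSIX shell script that makes the answer's rt_tables / ip route / ip rule steps repeatable and checkable: the table id and name (12, vpn), the tun0 address 10.8.0.3/24 and the gateway 10.8.0.1 are taken from the answer; the function names and the --run / APPLY=1 switches are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent version of the answer's
# policy-routing steps. Assumed values come from the answer (table 12 "vpn",
# tun0 at 10.8.0.3/24, VPN gateway 10.8.0.1). Without APPLY=1 the ip(8)
# commands are only printed, so the helpers run without root or a tunnel.

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# Append "ID NAME" to an rt_tables file unless that exact entry already exists.
# Returns 1 if the id or the name is already taken by a different entry.
ensure_rt_table() {
    file="$1" id="$2" name="$3"
    if grep -Eq "^[[:space:]]*${id}[[:space:]]+${name}[[:space:]]*\$" "$file"; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*(${id}[[:space:]]|[0-9]+[[:space:]]+${name}[[:space:]]*\$)" "$file"; then
        return 1
    fi
    printf '%s %s\n' "$id" "$name" >> "$file"
}

# Print the ip(8) commands that send traffic from/to LOCAL_IP out via DEV.
# "route replace" is idempotent; "rule add" is not, hence count_rules below.
policy_cmds() {
    dev="$1" local_ip="$2" gw="$3" table="$4" net="$5"
    printf 'ip route replace %s dev %s src %s table %s\n' "$net" "$dev" "$local_ip" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    printf 'ip rule add from %s/32 lookup %s\n' "$local_ip" "$table"
    printf 'ip rule add to %s/32 lookup %s\n' "$local_ip" "$table"
}

# Count the rules in `ip rule show` output ($1) that already select TABLE ($3)
# for IP ($2); 2 means both the "from" and the "to" rule are present.
count_rules() {
    printf '%s\n' "$1" | grep -Ec "(from|to) ${2}( lookup| table) ${3}\$" || true
}

apply_policy_routing() {
    ensure_rt_table "$RT_TABLES" 12 vpn || { echo "id 12 or name vpn already used in $RT_TABLES" >&2; return 1; }
    skip_rules=0
    if [ "${APPLY:-0}" = 1 ] && [ "$(count_rules "$(ip rule show)" 10.8.0.3 vpn)" -ge 2 ]; then
        echo "policy rules already present, only refreshing routes" >&2
        skip_rules=1
    fi
    policy_cmds tun0 10.8.0.3 10.8.0.1 vpn 10.8.0.0/24 | while read -r cmd; do
        if [ "$skip_rules" = 1 ]; then case "$cmd" in "ip rule "*) continue ;; esac; fi
        if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "would run: $cmd"; fi
    done
}

[ "${1:-}" = "--run" ] && apply_policy_routing
```

Run it as `sh policy-route.sh --run` to see the commands it would issue, and as `APPLY=1 sh policy-route.sh --run` (as root, after tun0 is up) to apply them; re-running does not duplicate the rt_tables entry or the ip rules.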