openvpn over stunnel
-
When connecting OpenVPN via stunnel, the connection to pfSense is broken.
Without stunnel everything works correctly. I need your help and I will be grateful for any information on which direction to dig in.
here is the server config
local 127.0.0.1
port 1199
proto tcp-server
dev tun0
ca ca.crt
cert server1.crt
key server1.key
dh dh2048.pem
tls-auth ta.key 0
remote-cert-tls client
data-ciphers AES-256-CBC
server 10.0.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
status server1.log
duplicate-cn
verb 7
log /var/log/server1.log
status /var/log/server1.log
fast-io
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 10.0.0.0 255.255.255.0"
script-security 2
up /etc/openvpn/server1_up.sh
down /etc/openvpn/server1_down.sh
client-connect /etc/openvpn/server1_up.sh
Interestingly, on the same OPNsense with the same configuration, everything works correctly.
here is the openvpn server log
2023-06-20 12:45:59 us=279677 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
2023-06-20 12:45:59 us=279705 GET INST BY VIRT: 10.0.0.6 [failed]
2023-06-20 12:45:59 us=279716 MULTI TCP: multi_tcp_post TA_TUN_READ -> TA_UNDEF
2023-06-20 12:45:59 us=905026 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
2023-06-20 12:45:59 us=905073 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
2023-06-20 12:45:59 us=905095 GET INST BY VIRT: 10.0.0.6 [failed]
2023-06-20 12:45:59 us=905105 MULTI TCP: multi_tcp_post TA_TUN_READ -> TA_UNDEF
2023-06-20 12:46:00 us=544876 MULTI: REAP range 128 -> 144
2023-06-20 12:46:00 us=544927 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
2023-06-20 12:46:00 us=544939 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
2023-06-20 12:46:00 us=544970 GET INST BY VIRT: 10.0.0.6 [failed]
2023-06-20 12:46:00 us=544981 MULTI TCP: multi_tcp_post TA_TUN_READ -> TA_UNDEF
2023-06-20 12:46:01 us=154122 MULTI: REAP range 144 -> 160
2023-06-20 12:46:01 us=154187 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
2023-06-20 12:46:01 us=154201 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
2023-06-20 12:46:01 us=154220 GET INST BY VIRT: 10.0.0.6 [failed]
2023-06-20 12:46:01 us=154229 MULTI TCP: multi_tcp_post TA_TUN_READ -> TA_UNDEF
2023-06-20 12:46:01 us=421428 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
2023-06-20 12:46:01 us=421482 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
2023-06-20 12:46:01 us=421534 GET INST BY VIRT: 10.0.0.6 [failed]
2023-06-20 12:46:01 us=421552 MULTI TCP: multi_tcp_post TA_TUN_READ -> TA_UNDEF
2023-06-20 12:46:01 us=792918 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
2023-06-20 12:46:01 us=792963 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
2023-06-20 12:46:01 us=792990 GET INST BY VIRT: 10.0.0.6 [failed]
2023-06-20 12:46:01 us=793002 MULTI TCP: multi_tcp_post TA_TUN_READ -> TA_UNDEF
2023-06-20 12:46:01 us=957446 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
2023-06-20 12:46:01 us=957487 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
2023-06-20 12:46:01 us=957517 GET INST BY VIRT: 10.0.0.6 [failed]
2023-06-20 12:46:01 us=957538 MULTI TCP: multi_tcp_post TA_TUN_READ -> TA_UNDEF
2023-06-20 12:46:03 us=29428 MULTI: REAP range 160 -> 176
2023-06-20 12:46:03 us=29476 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
-
@hr1sha here is the pfSense client log
//.........
[key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jun 20 18:42:47 openvpn 28035 TUN READ [60]
Jun 20 18:42:47 openvpn 28035 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jun 20 18:42:47 openvpn 28035 TUN READ [73]
Jun 20 18:42:47 openvpn 28035 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jun 20 18:42:47 openvpn 28035 TUN READ [29]
Jun 20 18:42:47 openvpn 28035 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jun 20 18:42:47 openvpn 28035 TUN READ [76]
Jun 20 18:42:47 openvpn 28035 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jun 20 18:42:47 openvpn 28035 TUN READ [52]
Jun 20 18:42:47 openvpn 28035 MSS: 1460 -> 1287
Jun 20 18:42:47 openvpn 28035 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jun 20 18:42:47 openvpn 28035 Connection reset, restarting [-1]
Jun 20 18:42:47 openvpn 28035 PID packet_id_free
Jun 20 18:42:47 openvpn 28035 PID packet_id_free
Jun 20 18:42:47 openvpn 28035 PID packet_id_free
Jun 20 18:42:47 openvpn 28035 PID packet_id_free
Jun 20 18:42:47 openvpn 28035 PID packet_id_free
Jun 20 18:42:47 openvpn 28035 PID packet_id_free
Jun 20 18:42:47 openvpn 28035 PID packet_id_free
Jun 20 18:42:47 openvpn 28035 PID packet_id_free
Jun 20 18:42:47 openvpn 28035 TCP/UDP: Closing socket
Jun 20 18:42:47 openvpn 28035 PID packet_id_free
Jun 20 18:42:47 openvpn 28035 SIGUSR1[soft,connection-reset] received, process restarting
Jun 20 18:42:47 openvpn 28035 Restart pause, 10 second(s)
Jun 20 18:42:52 openvpn 28035 MANAGEMENT: Client connected from /var/etc/openvpn/client2/sock
Jun 20 18:42:52 openvpn 28035 MANAGEMENT: CMD 'state 1'
Jun 20 18:42:52 openvpn 28035 MANAGEMENT: Client disconnected
Jun 20 18:42:54 openvpn 28035 /sbin/route delete -net 10.0.0.0 10.0.0.5 255.255.255.0
Jun 20 18:42:54 openvpn 28035 /sbin/route delete -net 10.0.0.1 10.0.0.5 255.255.255.255
Jun 20 18:42:54 openvpn 28035 /sbin/route delete -net 127.0.0.1 46.46.129.1 255.255.255.255
Jun 20 18:42:54 openvpn 28035 /sbin/route delete -net 0.0.0.0 10.0.0.5 128.0.0.0
Jun 20 18:42:54 openvpn 28035 /sbin/route delete -net 128.0.0.0 10.0.0.5 128.0.0.0
Jun 20 18:42:54 openvpn 28035 Closing TUN/TAP interface
Jun 20 18:42:54 openvpn 28035 /usr/local/sbin/ovpn-linkdown ovpnc2 0 0 10.0.0.6 10.0.0.5 init
Jun 20 18:42:54 openvpn 28035 PID packet_id_free
Jun 20 18:42:54 openvpn 28035 SIGTERM[hard,init_instance] received, process exiting
-
@hr1sha compare your stunnel configuration with the one in this post, which seems to work:
https://forum.netgate.com/topic/150755/openvpn-through-stunnel/5?_=1687261092731
-
@pst thanks, I looked. But I get the same logs:
Jun 20 20:01:24 openvpn 23836 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [ key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jun 20 20:01:24 openvpn 23836 TUN READ [29]
Jun 20 20:01:24 openvpn 23836 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [ key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jun 20 20:01:24 openvpn 23836 TUN READ [56]
Jun 20 20:01:24 openvpn 23836 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [ key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jun 20 20:01:24 openvpn 23836 TUN READ [48]
Jun 20 20:01:24 openvpn 23836 MSS: 1460 -> 1287
Jun 20 20:01:24 openvpn 23836 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [ key#2 state=S_UNDEF id=0 sid=00000000 00000000]