Re: [stunnel-users] Stunnel 5.44 server side 'exec = pppd' runs second child 'pppd' process after reconnection. Bug?
Yes. Use inetd (or equivalent). Making an independent server work is difficult due to the problems like you are having. Inetd is in many O/S included and essential, others available. It always works. Always. Yes, there is a tiny amount of overhead for making connections. On an ancient AIX IBM I manage 2-4 million XML documents exchanged per day with no problems, all with inetd. Try it – save yourself some misery. Or maybe it won’t help at all except to add information :) E From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Martin Got Sent: Monday, May 13, 2019 9:08 AM To: stunnel-users@stunnel.org Subject: [stunnel-users] Stunnel 5.44 server side 'exec = pppd' runs second child 'pppd' process after reconnection. Bug? I'm trying to make stunnel wrapped ppp connection to achieve bidirectional data transfer over stunnel like shown below. Stunnel client --connect--> Stunnel server pppd client --connect--> pppd server 10.0.1.2 <--data--> 10.0.1.1 OpenBSD 6.4amd64 with Stunnel 5.44 server works till stunnel retries 'exec = pppd' section once stunnel client is reconnected. Also 'exec = pppd' section retries after a short network related communication lag also. Previous 'pppd' child instance haven't killed by stunnel 5.44 before new instance started. So second 'pppd' process started and runs simultaneously with the first 'pppd' and link down. Restarting Stunnel server can clear child 'pppd' processes. So newly reestablished 'pppd' link between 10.0.1.1 <--> 10.0.1.2 endpoints works till next interconnection. Does stunnel server have an option to start only one instance in 'exec' section or what should be done to fix this? Any suggestions highly appreciated. # ps -axu | grep pppd user 43231 0.0 0.0 476 0:00.01 persist lock passive 10.0.1.1:10.0.1.2 local noauth (pppd) user 39187 0.0 0.0 468 0:00.01 persist lock passive 10.0.1.1:10.0.1.2 local noauth (pppd) # tail -n 10 /var/log/daemon pppd[39187] pppd 2.3.5 started by user, uid 0 pppd[43231] Using interface ppp1 pppd[43231] Connect: ppp0 <--> /dev/ttyp2 pppd[43231] Local IP address 10.0.1.1 pppd[43231] Remote IP address 10.0.1.2 pppd[39187] pppd 2.3.5 started by user, uid 0 pppd[39187] Using interface ppp0 pppd[39187] Connect: ppp0 <--> /dev/ttyp5 pppd[39187] Couldn't set interface address: Address 10.0.1.1 or destination 10.0.1.2 already exists Stunnel configurations for server and client: 1. Server's configuration ... foreground = yes debug = 7 socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;socket = l:SO_LINGER=1:60 ; Session cache sessionCacheSize = 100 sessionCacheTimeout = 600 stack = 65536 TIMEOUTbusy = 600 TIMEOUTconnect = 10 TIMEOUTidle = 43200 TIMEOUTclose = 5 [ppp] accept = LOCAL-IP:PORT exec = /usr/sbin/pppd execargs = lock 10.0.1.1:10.0.1.2 local debug noauth ;execargs = lock passive 10.0.1.1:10.0.1.2 local debug noauth pty = yes CAfile = ca.crt cert = server.crt key = server.key verifyChain = yes 2. Stunnel client's configuration ... foreground = yes debug = 7 socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Session cache sessionCacheSize = 1 sessionCacheTimeout = 600 failover = rr [ppp] client = yes retry = yes connect = REMOTE-IP:PORT exec = /usr/sbin/pppd execargs = defaultroute persist lock passive 10.0.1.2:10.0.1.1 local debug noauth name ppp-client pty = yes CAfile = ca.crt cert = client.crt key = client.key verifyChain = yes checkHost = REMOTE-HOSTNAME ;checkIP = 1.2.3.4
On Mon, May 13, 2019 at 03:03:55PM -0700, Eric Eberhard wrote:
[Martin Got wrote:]
I'm trying to make stunnel wrapped ppp connection to achieve bidirectional data transfer over stunnel like shown below.
Stunnel client --connect--> Stunnel server pppd client --connect--> pppd server 10.0.1.2 <--data--> 10.0.1.1
OpenBSD 6.4amd64 with Stunnel 5.44 server works till stunnel retries 'exec = pppd' section once stunnel client is reconnected. Also 'exec = pppd' section retries after a short network related communication lag also. Previous 'pppd' child instance haven't killed by stunnel 5.44 before new instance started.
So second 'pppd' process started and runs simultaneously with the first 'pppd' and link down. Restarting Stunnel server can clear child 'pppd' processes. So newly reestablished 'pppd' link between 10.0.1.1 <--> 10.0.1.2 endpoints works till next interconnection.
Does stunnel server have an option to start only one instance in 'exec' section or what should be done to fix this?
Any suggestions highly appreciated.
Yes. Use inetd (or equivalent). Making an independent server work is difficult due to the problems like you are having. Inetd is in many O/S included and essential, others available. It always works. Always. Yes, there is a tiny amount of overhead for making connections. On an ancient AIX IBM I manage 2-4 million XML documents exchanged per day with no problems, all with inetd. Try it – save yourself some misery. Or maybe it won’t help at all except to add information :)
(format recovered; top-posting hard to follow) Hi Eric, Over the past couple of years I've seen you suggesting that people use inetd + stunnel in inetd mode instead of stunnel to accept connections. In some situations, like this one, it is not at all relevant to the problem at hand - even if the original poster would use inetd to accept an incoming TCP connection and then run stunnel in inetd mode, this would *still* be a new instance of stunnel that will run a new instance of pppd with exactly the same problems as described in the message that you replied to. Even more so, if stunnel is started in inetd mode, it has absolutely no idea whether there are any other instances of stunnel+pppd already running, so it might be said that in this case using inetd would make the situation worse. G'luck, Peter -- Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} pp@storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
participants (2)
-
Eric Eberhard -
Peter Pentchev