jpillora / chisel

A fast TCP/UDP tunnel over HTTP
MIT License
12.74k stars 1.34k forks

How to run OpenVPN through chisel? #46

Closed MatejKovacic closed 5 years ago

MatejKovacic commented 6 years ago

I have OpenVPN server running on TCP/443. Is it possible to run it over chisel?

If yes, what commands should be issued on server and what on client?

Any help would be much appreciated.

MatejKovacic commented 6 years ago

On a server I said: chisel server --port 8080 socks5

OpenVPN config on server has line: socks-proxy 127.0.0.1 1080

On a client side I run: chisel client http://myserver.org:8080 socks

And then run OpenVPN client, which has: socks-proxy 127.0.0.1 1080 in its config.

However, chisel on a client side says:

2017/10/26 14:35:28 client: Connected (Latency 2.21344ms)
2017/10/26 14:36:24 client: tunnel#1 127.0.0.1:1080=>socks: conn#1: Stream error: ssh: rejected: administratively prohibited (SOCKS5 is not enabled on the server)

What am I doing wrong?

jpillora commented 6 years ago

--socks5, forgot the dashes

MatejKovacic commented 6 years ago

Thanks.

Anyway, another question... I noticed that every time I run chisel server I get a different fingerprint. This is not handy if you plan to autostart chisel in server mode on a remote server.

Is there any option to make fingerprint persistent?

MatejKovacic commented 6 years ago

OK, here is my setup now...

On the server (Debian 9):

1. First I run OpenVPN server: sudo systemctl start openvpn@MyVPN_WS.service

MyVPN_WS.conf has:

...
local XX.XX.XX.XXX
port 8081
...
2. Then I run Chisel: chisel server --port 8080 --auth me:mypasswd --socks5 &
[1] 30289
root@vpn:/etc/openvpn# 2017/10/26 22:00:14 server: SOCKS5 Enabled
2017/10/26 22:00:14 server: Fingerprint b8:ad:8e:15:60:8f:f7:e0:f6:e8:ce:56:e4:85:d3:c5
2017/10/26 22:00:14 server: User authenication enabled
2017/10/26 22:00:14 server: Listening on 8080...

On the client (Ubuntu 17.04):

1. First I run Chisel: chisel client --auth me:mypasswd http://myvpnserver.com:8080 socks
2017/10/26 22:01:48 client: Connecting to ws://myvpnserver.com:8080
2017/10/26 22:01:48 client: tunnel#1 127.0.0.1:1080=>socks: Listening
2017/10/26 22:01:58 client: Retrying in 100ms...
2017/10/26 22:02:09 client: Retrying in 200ms...
2017/10/26 22:02:19 client: Fingerprint b8:ad:8e:15:60:8f:f7:e0:f6:e8:ce:56:e4:85:d3:c5
2017/10/26 22:02:19 client: Connected (Latency 37.582275ms)
2. Then I run my OpenVPN client: openvpn --config MyVPN.conf

MyVPN_WS.conf has:

...
remote XX.XX.XX.XXX 8081
socks-proxy 127.0.0.1 1080
...

OpenVPN connection seems successful. If I type ifconfig into the terminal, I can see the tun0 device with the correct "local" (VPN) IP.

However, I cannot ping my VPN server and IP forwarding does not work (but it is enabled and routing is done correctly with iptables).

Any idea what could be wrong?
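As an added example that is not part of this thread and not chisel's or OpenVPN's own code: a minimal SOCKS5 client in Python that performs the same handshake OpenVPN's socks-proxy directive performs against the 127.0.0.1:1080 listener the chisel client opens (no-authentication greeting, then a CONNECT to the OpenVPN server's address and port, per RFC 1928), so the listener can be checked before OpenVPN is pointed at it. The proxy address 127.0.0.1:1080 is the one from the setup above; 203.0.113.10:8081 is a constructed placeholder for the XX.XX.XX.XXX 8081 in the client config, and the sample reply bytes are constructed.

```python
"""Minimal SOCKS5 (RFC 1928) client handshake, usable as a pre-flight check
for the local listener that `chisel client ... socks` opens on 127.0.0.1:1080.

Added example, not chisel or OpenVPN code. Host and port values are
assumptions for illustration (203.0.113.10 stands in for XX.XX.XX.XXX).
"""
from __future__ import annotations

import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
NO_AUTH = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

# RFC 1928 section 6 reply codes.
REPLY_TEXT = {
    0: "succeeded",
    1: "general SOCKS server failure",
    2: "connection not allowed by ruleset",
    3: "network unreachable",
    4: "host unreachable",
    5: "connection refused",
    6: "TTL expired",
    7: "command not supported",
    8: "address type not supported",
}


def build_greeting() -> bytes:
    """VER=5, NMETHODS=1, METHODS=[0x00]: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_method_selection(data: bytes) -> int:
    """Return the method the server picked; 0xFF means none was acceptable."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError(f"bad method selection: {data!r}")
    if data[1] == 0xFF:
        raise ValueError("server accepted none of the offered methods")
    return data[1]


def build_connect(dst_host: str, dst_port: int) -> bytes:
    """Encode a CONNECT request. Literal IPs go as ATYP 1/4; anything else is
    sent as a domain name (ATYP 3) so the proxy side resolves it."""
    try:
        ip = ipaddress.ip_address(dst_host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        raw = dst_host.encode("idna")
        if not 0 < len(raw) < 256:
            raise ValueError("domain name length must fit in one byte")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", dst_port)


def parse_reply(data: bytes) -> tuple[int, str, int]:
    """Decode a full reply into (REP code, bound address, bound port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError(f"bad reply header: {data!r}")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return rep, addr, struct.unpack("!H", rest[:2])[0]


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def read_reply(s: socket.socket) -> tuple[int, str, int]:
    """Read a variable-length reply off the socket, then decode it."""
    head = _recv_exact(s, 4)
    atyp = head[3]
    if atyp == ATYP_IPV4:
        body = _recv_exact(s, 4)
    elif atyp == ATYP_IPV6:
        body = _recv_exact(s, 16)
    elif atyp == ATYP_DOMAIN:
        n = _recv_exact(s, 1)
        body = n + _recv_exact(s, n[0])
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    return parse_reply(head + body + _recv_exact(s, 2))


def socks5_connect(proxy: tuple[str, int], dst_host: str, dst_port: int,
                   timeout: float = 5.0) -> socket.socket:
    """Connect to dst_host:dst_port through a SOCKS5 proxy and return the
    socket, which then relays bytes to the destination."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(build_greeting())
        parse_method_selection(_recv_exact(s, 2))
        s.sendall(build_connect(dst_host, dst_port))
        rep, _addr, _port = read_reply(s)
        if rep != 0:
            raise ConnectionError(f"SOCKS5 CONNECT failed: {REPLY_TEXT.get(rep, rep)}")
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    # Pre-flight check: chisel client listener on 127.0.0.1:1080 (from the
    # thread), OpenVPN server at 203.0.113.10:8081 (assumed placeholder).
    try:
        with socks5_connect(("127.0.0.1", 1080), "203.0.113.10", 8081) as sock:
            print("CONNECT through the chisel SOCKS listener succeeded:", sock.getpeername())
    except (OSError, ValueError) as exc:
        print("SOCKS5 check failed:", exc)
```

Run it with the chisel client up. A connection refused on 127.0.0.1:1080 means the local listener itself is not running; a non-zero REP means the chisel server side could not or would not open the TCP connection to the destination, and the REPLY_TEXT entry says which.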

jpillora commented 5 years ago

Is there any option to make fingerprint persistent?

chisel server --help

....

    --key, An optional string to seed the generation of a ECDSA public
    and private key pair. All commications will be secured using this
    key pair. Share the subsequent fingerprint with clients to enable detection
    of man-in-the-middle attacks (defaults to the CHISEL_KEY environment
    variable, otherwise a new key is generate each run).

jpillora commented 5 years ago

Sorry, I'm not very familiar with OpenVPN

CyrusTheV commented 1 year ago

Did you solve the issue?

MatejKovacic commented 1 year ago

Yes.

CyrusTheV commented 1 year ago

👍