opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

OpenVPN clients unable to connect to localhost/local interface SOCKS proxy (ex. Shadowsocks) #5398

Closed ghost closed 2 years ago

ghost commented 2 years ago

Describe the bug

Configuring a client in the OpenVPN service to use a SOCKS proxy does not work. This has been tested with Shadowsocks-local, assigning a listening IP for one of the local interfaces (or localhost too) and then configuring the VPN client to use the proxy for its connections.

To Reproduce

Steps to reproduce the behavior:

  1. Go to VPN->OpenVPN->Clients
  2. Configure an already working client to use a SOCKS proxy listening at a local interface address and port
  3. Save
  4. Verify connection status and logs

Expected behavior

The OpenVPN client connection is established through the SOCKS proxy successfully.

Describe alternatives you considered

Also tested with the custom directives for socks in the client configuration.

Relevant log files

Sanitized PROXY_IP:PROXY_PORT for the local interface IP address and the port where SS-local is listening.

2021-12-09T12:34:30 | openvpn[1061] | MANAGEMENT: Client disconnected
2021-12-09T12:34:30 | openvpn[1061] | MANAGEMENT: CMD 'quit'
2021-12-09T12:34:30 | openvpn[1061] | MANAGEMENT: CMD 'status 2'
2021-12-09T12:34:30 | openvpn[1061] | MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
2021-12-09T12:34:09 | openvpn[32562] | Attempting to establish TCP connection with [AF_INET]PROXY_IP:PROXY_PORT [nonblock]
2021-12-09T12:34:09 | openvpn[32562] | TCP/UDP: Preserving recently used remote address: [AF_INET]PROXY_IP:PROXY_PORT

Environment

Latest stable OPNsense as of today.

fichtner commented 2 years ago

@vogelfreiheit you may want to look at the firewall log first to see if your traffic isn't blocked there, meaning it requires a rule to support it.

ghost commented 2 years ago

Negative; also, this should fall under the "allow traffic originating from the firewall" configuration. There is nothing blocked per se, I checked before submitting the report. Feel free to suggest other possible places to verify.

fichtner commented 2 years ago

I don't have any further ideas for this, sorry. Hopefully someone else wants to chime in.

Cheers, Franco

ghost commented 2 years ago

Did a quick test with ss-local configured to listen at localhost:8989:

2021-12-09T13:54:30 | openvpn[30113] | TCP: connect to [AF_INET]127.0.0.1:8989 failed: Can't assign requested address
2021-12-09T13:54:30 | openvpn[30113] | Attempting to establish TCP connection with [AF_INET]127.0.0.1:8989 [nonblock]
2021-12-09T13:54:30 | openvpn[30113] | Socket Buffers: R=[65228->524288] S=[65228->524288]
2021-12-09T13:54:30 | openvpn[30113] | TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:8989

Instead of a timeout, it fails with "Can't assign requested address".

kulikov-a commented 2 years ago

I thought that the --socks-proxy option was used to connect through the socks5. The proxy parameter in the GUI defines the --http-proxy option.

ghost commented 2 years ago

> I thought that the --socks-proxy option was used to connect through the socks5. The proxy parameter in the GUI defines the --http-proxy option.

I have tested both. UI setting and socks-proxy in the custom directives.

kulikov-a commented 2 years ago

With the socks-proxy option in the GUI "Advanced configuration". Shadowsocks server and local enabled. TCP OpenVPN from one OPNsense to another (certs not trusted, so the connection fails):

..
2021-12-09T16:28:31 | Error | openvpn | OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-12-09T16:28:31 | Error | openvpn | VERIFY ERROR: depth=1, error=* sanitized*
2021-12-09T16:28:31 | Notice | openvpn | TLS: Initial packet from [AF_INET]127.0.0.1:1080, sid=186f7700 f9a7ab3d
2021-12-09T16:28:31 | Notice | openvpn | TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:1080
2021-12-09T16:28:31 | Notice | openvpn | TCPv4_CLIENT link local: (not bound)
2021-12-09T16:28:31 | Notice | openvpn | TCP connection established with [AF_INET]127.0.0.1:1080
2021-12-09T16:28:31 | Notice | openvpn | Attempting to establish TCP connection with [AF_INET]127.0.0.1:1080 [nonblock]
..

All the states created are visible in Firewall: Diagnostics: States. Looks like it should work.

ghost commented 2 years ago

Could you provide screenshots from the ss-local config? This is interesting. What version are you running?

kulikov-a commented 2 years ago

All settings are default: os-shadowsocks 1.0_2 (installed), OPNsense 21.7.6-amd64 image.

ghost commented 2 years ago

Revisiting this: we had to configure it to listen on ANY/0.0.0.0, otherwise it would not work. I'm not sure why you are using a local SS server though (not the SOCKS client, the server itself). The whole point of SS is to serve as a remote encrypted tunnel. Whatever you are using is routing out the normal WAN, for no added benefit.

kulikov-a commented 2 years ago

> I'm not sure why you are using a local SS server

I'm not :). It was just interesting to add it and try to understand the issue (and help if possible). If everything works for you now, then I'm happy :wink:

OPNsense-bot commented 2 years ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

burbilog commented 1 year ago

I've just stumbled upon this ticket while trying for hours to solve a problem quite similar to this. In my case it's not shadowsocks but a v2ray daemon, plus the socks-proxy 127.0.0.1 1080 option on the OpenVPN page.

I solved the issue changing openvpn's interface to Localhost. V2Ray daemon is bound to 127.0.0.1 and if openvpn is bound to localhost too, everything works without additional fiddling.

Just in case somebody's search lands here.

LindaFerum commented 1 year ago

@burbilog Please excuse me for late tagging, but what does "changing openvpn's interface to Localhost" mean in this context? Could you post your client conf?

burbilog commented 1 year ago

> @burbilog Please excuse me for late tagging, but what does "changing openvpn's interface to Localhost" mean in this context? Could you post your client conf?

[screenshot: opnsense_bind_to_localhost]

plus this line in "advanced" field:

socks-proxy 127.0.0.1 1082

This way OpenVPN connects to v2ray daemon, bound to localhost.
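As an added diagnostic (not code from OPNsense or from anyone in this thread), the check below captures what the thread converged on: a SOCKS proxy listening only on 127.0.0.1 is unreachable from an OpenVPN client that is pinned to a non-loopback source address, and the symptom in the log is the "failed: Can't assign requested address" line. It assumes the interface chosen in the OPNsense client page ends up as a `local <ip>` directive in the rendered config; the config fragment and log lines are constructed samples in the format shown above.

```python
import ipaddress
import re

# Constructed sample config in the shape this issue describes: client bound to a
# LAN address via `local`, SOCKS proxy (ss-local / v2ray) listening on loopback.
SAMPLE_CONF = """\
client
dev tun
proto tcp-client
remote vpn.example.invalid 1194
local 192.0.2.10
socks-proxy 127.0.0.1 1082
"""

# Constructed log lines in the OPNsense log format quoted earlier in the thread.
SAMPLE_LOG = """\
2021-12-09T13:54:30 | openvpn[30113] | TCP: connect to [AF_INET]127.0.0.1:8989 failed: Can't assign requested address
2021-12-09T13:54:30 | openvpn[30113] | Attempting to establish TCP connection with [AF_INET]127.0.0.1:8989 [nonblock]
"""

def parse_conf(text):
    """Map each OpenVPN directive to its argument list (last occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", ";")):
            conf[parts[0]] = parts[1:]
    return conf

def check_proxy_binding(conf):
    """Flag a loopback-only proxy combined with a non-loopback `local` bind."""
    findings = []
    proxy = conf.get("socks-proxy") or conf.get("http-proxy")
    local = conf.get("local")
    if not proxy or not local:
        return findings
    try:
        proxy_ip = ipaddress.ip_address(proxy[0])
        local_ip = ipaddress.ip_address(local[0])
    except ValueError:          # hostname rather than a literal address: skip
        return findings
    if proxy_ip.is_loopback and not local_ip.is_loopback:
        findings.append(f"proxy {proxy_ip} is on loopback but client binds {local_ip}: "
                        "bind the client to localhost or let the proxy listen on 0.0.0.0")
    return findings

FAIL_RE = re.compile(r"connect to \[AF_INET\](?P<dst>[\d.]+:\d+) failed: (?P<why>.+)$")

def proxy_failures(log_text):
    """Return (destination, reason) for every failed proxy connect in the log."""
    return [(m["dst"], m["why"]) for line in log_text.splitlines()
            if (m := FAIL_RE.search(line))]
```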