xebd / accel-ppp

High performance PPTP/L2TP/PPPoE/IPoE server for Linux
GNU General Public License v2.0

sstp: read: Input/output error #177

Open Masood-Lapeh opened 1 year ago

Masood-Lapeh commented 1 year ago

What could be the reason behind this error: `sstp: read: Input/output error`?

[2022-11-07 12:23:04]:  info: sstp: new connection from 127.0.0.1:59546
[2022-11-07 12:23:04]:  info: sstp: started
[2022-11-07 12:23:04]:  info: : sstp: recv [SSL <SNI o--------r>]
[2022-11-07 12:23:04]: error: : sstp: read: Input/output error
[2022-11-07 12:23:04]:  info: sstp: disconnected

I'm trying to run an SSTP server on an Ubuntu VPS behind sslh.

I could do it via Softether. While I don't know much about this stuff and am doing trial and error, I'm trying out other solutions too. I've got my certificate from certbot. Here's my config:

[modules]
log_file
log_syslog
log_tcp
sstp
auth_mschap_v2
auth_mschap_v1
auth_chap_md5
auth_pap
chap-secrets
ippool
pppd_compat

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[common]

[ppp]
verbose=1
min-mtu=1280
mtu=1400
mru=1400
ipv4=require
ipv6=deny
ipv6-intf-id=0:0:0:1
ipv6-peer-intf-id=0:0:0:2
ipv6-accept-peer-intf-id=1
lcp-echo-interval=20
lcp-echo-timeout=120
unit-cache=1

[auth]

[pptp]
verbose=1

[pppoe]
verbose=1
called-sid=mac
interface=ens3

[l2tp]
verbose=1

[sstp]
bind=127.0.0.1
port=4432
verbose=1
accept=ssl
ssl-protocol=tlc1.2,tls1.3
ssl-dhparam=/etc/letsencrypt/ssl-dhparams.pem
ssl-pemfile=/etc/letsencrypt/live/o------------r/fullchain.pem
ssl-keyfile=/etc/letsencrypt/live/o------------r/privkey.pem
host-name=o-----------r
timeout=60
hello-interval=60
ip-pool=sstp
ifname=sstp10

[ipoe]
verbose=1
username=ifname
lease-time=600
max-lease-time=3600
shared=0
ifcfg=1
mode=L2
start=dhcpv4
interface=eth0

[dns]
dns1=8.8.8.8
dns2=8.8.4.4

[wins]

[radius]

[client-ip-range]
127.0.0.1/8

[ip-pool]
gw-ip-address=192.168.0.1
attr=Framed-Pool
192.168.0.2-255
192.168.1.1-255,name=pool1
192.168.2.1-255,name=pool2
192.168.3.1-255,name=pool3
192.168.4.1-255,name=pool4,next=pool1
192.168.4.0/24

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
log-debug=/dev/stdout
copy=1
level=4

[log-pgsql]
conninfo=user=log
log-table=log

[pppd-compat]
verbose=1
ip-up=/etc/ppp/ip-up
ip-down=/etc/ppp/ip-down
radattr-prefix=/var/run/radattr

[chap-secrets]
chap-secrets=/etc/ppp/chap-secrets

[shaper]
verbose=1

[cli]
verbose=1
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001

[snmp]
master=0
agent-name=accel-ppp

[connlimit]
limit=10/min
burst=3
timeout=60

[ipv6-pool]
fc00:0:1::/48,64
fc00:0:2::/48,64,name=pool1
fc00:0:3::/48,64,name=pool2,next=pool1
delegate=fc00:1::/36,48
delegate=fc00:2::/36,48,name=pool3
delegate=fc00:3::/36,48,name=pool4,next=pool3

[ipv6-dns]

[ipv6-dhcp]
verbose=1
pref-lifetime=604800
valid-lifetime=2592000
route-via-gw=1

DmitriyEshenko commented 1 year ago

Hi, @Masood-Lapeh. I hope you masked [sstp]bind to 127.0.0.1, but in the real config you have a public IP address here for your cert from LE. Pay attention that your client should connect to domain.name, not to the IP directly; some clients like the Windows SSTP client restrict this. If you really use 127.0.0.1, how do you get certificate verification?

Masood-Lapeh commented 1 year ago

Hi @DmitriyEshenko. I had a similar setup with Softether's SSTP working on both Open SSTP Client and the Windows native SSTP client without messing with the clients. First I got a Let's Encrypt certificate for my.domain, verified on my public IP address, and then I used those certificates for what is listening on 127.0.0.1 behind sslh, which listens on mypublicip:443 and filters by SNI. Traffic with a specific SNI goes to 127.0.0.1:4432, which Softether was previously listening on, and now accel-ppp. So isn't a similar thing possible with accel-ppp, and maybe there are stricter checks with it?
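The setup described in this thread hinges on one field: sslh on the public :443 reads the SNI in the TLS ClientHello and forwards the stream to 127.0.0.1:4432, and accel-ppp's `recv [SSL <SNI ...>]` log line shows it reading that same extension. When the backend then reports only a bare read error, the first thing worth confirming is what ClientHello (and which SNI) actually arrived on the loopback port. The following is an added example, not code from accel-ppp or sslh: it builds a constructed ClientHello, extracts the SNI the way an SNI-based demultiplexer has to, and maps it to a backend. The hostname `sstp.example.invalid` and the route table are assumptions for illustration.

```python
import struct

# Hypothetical route table: SNI host_name -> (backend host, port).
# Mirrors the sslh-to-accel-ppp arrangement in the thread; values are assumptions.
ROUTES = {"sstp.example.invalid": ("127.0.0.1", 4432)}
DEFAULT_BACKEND = ("127.0.0.1", 443)


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with an SNI extension.
    This is sample input built for the example, not bytes from a real client."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # type 0 = host_name
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry      # server_name list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                 # client_version (TLS 1.2 on the wire)
        + b"\x00" * 32              # random (zeroed; constructed data)
        + b"\x00"                   # session_id length = 0
        + b"\x00\x02\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(data: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None.
    None covers non-TLS bytes (e.g. plain HTTP), a truncated record,
    and a ClientHello that simply carries no server_name extension."""
    if len(data) < 5 or data[0] != 0x16:                     # ContentType handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                         # must be client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                                   # record was cut short
        return None
    pos = 2 + 32                                             # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                     # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                     # skip compression_methods
    if len(body) < pos + 2:                                  # no extensions at all
        return None
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000 or len(ext) < 5:
            continue
        list_len = struct.unpack("!H", ext[0:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(ext)):
            name_type = ext[p]
            name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
            p += 3
            name = ext[p:p + name_len]
            p += name_len
            if name_type == 0 and len(name) == name_len:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def route_backend(data: bytes, routes=ROUTES, default=DEFAULT_BACKEND):
    """Pick the backend for a first packet the way an SNI demultiplexer would:
    unknown or absent SNI falls through to the default backend."""
    sni = extract_sni(data)
    if sni is None:
        return default
    return routes.get(sni.lower(), default)


if __name__ == "__main__":
    hello = build_client_hello("sstp.example.invalid")
    print("SNI:", extract_sni(hello), "->", route_backend(hello))
    print("plain HTTP ->", route_backend(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))
```

Feeding the first bytes of a captured loopback connection (for instance from tcpdump on lo, port 4432) to `extract_sni` tells you whether the stream that reached accel-ppp still starts with a ClientHello naming the expected host; a stream that arrives without one, or with a name the listener does not expect, would be routed to the default here and surface at the backend only as a failed read.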