@eyelessfloppy

How do I fix Stunnel dropping the connection due to inactivity?

I am having problems with Stunnel on Windows. After a successful connection through Stunnel, the connection is dropped after roughly 9 minutes of inactivity.
On Linux this problem was solved by editing these parameters:
net.ipv4.tcp_keepalive_time
net.ipv4.tcp_keepalive_intvl
net.ipv4.tcp_keepalive_probes
I have no access to the router on the server side, so I cannot change anything in it.

Stunnel log:
2023.01.25 17:18:10 LOG7[1]: Service [test] started
2023.01.25 17:18:10 LOG7[1]: Setting local socket options (FD=964)
2023.01.25 17:18:10 LOG7[1]: Option TCP_NODELAY set on local socket
2023.01.25 17:18:10 LOG5[1]: Service [test] accepted connection from 127.0.0.1:50145
2023.01.25 17:18:10 LOG6[1]: s_connect: connecting 225.179.85.93:18572
2023.01.25 17:18:10 LOG7[1]: s_connect: s_poll_wait 225.179.85.93:18572: waiting 10 seconds
2023.01.25 17:18:10 LOG7[1]: FD=716 ifds=rwx ofds=---
2023.01.25 17:18:10 LOG5[1]: s_connect: connected 225.179.85.93:18572
2023.01.25 17:18:10 LOG5[1]: Service [onegomed] connected remote server from 192.168.1.84:50146
2023.01.25 17:18:10 LOG7[1]: Setting remote socket options (FD=716)
2023.01.25 17:18:10 LOG7[1]: Option TCP_NODELAY set on remote socket
2023.01.25 17:18:10 LOG7[1]: Remote descriptor (FD=716) initialized
2023.01.25 17:18:10 LOG6[1]: SNI: sending servername: 225.179.85.93
2023.01.25 17:18:10 LOG6[1]: Peer certificate not required
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): before SSL initialization
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS write client hello
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS write client hello
2023.01.25 17:18:10 LOG7[1]: Initializing application specific data for session authenticated
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS read server hello
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): TLSv1.3 read encrypted extensions
2023.01.25 17:18:10 LOG6[1]: Certificate verification disabled
2023.01.25 17:18:10 LOG6[1]: Certificate verification disabled
2023.01.25 17:18:10 LOG6[1]: Certificate verification disabled
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS read server certificate
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): TLSv1.3 read server certificate verify
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS read finished
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS write change cipher spec
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS write finished
2023.01.25 17:18:10 LOG7[1]: 2 client connect(s) requested
2023.01.25 17:18:10 LOG7[1]: 2 client connect(s) succeeded
2023.01.25 17:18:10 LOG7[1]: 0 client renegotiation(s) requested
2023.01.25 17:18:10 LOG7[1]: 0 session reuse(s)
2023.01.25 17:18:10 LOG6[1]: TLS connected: new session negotiated
2023.01.25 17:18:10 LOG6[1]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption)
2023.01.25 17:18:10 LOG6[1]: Peer temporary key: X25519, 253 bits
2023.01.25 17:18:10 LOG7[1]: Compression: null, expansion: null
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSL negotiation finished successfully
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSL negotiation finished successfully
2023.01.25 17:18:10 LOG7[1]: Initializing application specific data for session authenticated
2023.01.25 17:18:10 LOG7[1]: Deallocating application specific data for session connect address
2023.01.25 17:18:10 LOG7[1]: New session callback
2023.01.25 17:18:10 LOG7[1]: Deallocating application specific data for session connect address
2023.01.25 17:18:10 LOG6[1]: Session id: 8E91DBE369D9E16221CCA288A7C1F652AB045BAE96C19B4240B1B7F710069CCE
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS read server session ticket
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSL negotiation finished successfully
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSL negotiation finished successfully
2023.01.25 17:18:10 LOG7[1]: Initializing application specific data for session authenticated
2023.01.25 17:18:10 LOG7[1]: New session callback
2023.01.25 17:18:10 LOG7[1]: Deallocating application specific data for session connect address
2023.01.25 17:18:10 LOG6[1]: Session id: 6UIA254BF9D027B3D4BE5F966BDE9DE2058CF167C4EF0CD5A460958B698DF322
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS read server session ticket
2023.01.25 17:33:25 LOG3[1]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
2023.01.25 17:33:25 LOG5[1]: Connection reset: 5184 byte(s) sent to TLS, 10344 byte(s) sent to socket
2023.01.25 17:33:25 LOG7[1]: Remote descriptor (FD=716) closed
2023.01.25 17:33:25 LOG7[1]: Local descriptor (FD=964) closed
2023.01.25 17:33:25 LOG7[1]: Service [test] finished (0 left)

What I have tried:
1) editing the Windows registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveInterval
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TdxPrematureConnectIndDisabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSetting\KeepAliveTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSetting\ServerInfoTimeout
2) editing the stunnel config on the client side:
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
3) editing the parameters on the Linux server side:
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 20
4) adding the server certificate to the Stunnel config on the client side;
5) upgrading and downgrading stunnel.

stunnel config on the client side:
[test]
client = yes
accept = 127.0.0.1:18572
connect = 225.179.85.93:18572

Config on the server side:
foreground = no
cert = /home/stunnel/servercert.pem
key = /home/stunnel/serverkey.pem
CApath = /certs
chroot = /home/stunnel
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
debug = 7
output = /stunnel.log
[connect]
accept = 18572
connect = 127.0.0.1:3050
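The registry keys and sysctls listed in the question are only system-wide defaults, and `socket = r:SO_KEEPALIVE=1` in stunnel only switches keepalive on for the socket without touching the timers (on Windows the default KeepAliveTime is two hours, far longer than the idle timeout of a typical NAT or firewall state table, and the Tcpip\Parameters values are read at boot). A program can instead set the idle time, probe interval and probe count on each socket it owns, which is what the script below does. This is an added example written for this page, not code from the question or from stunnel; the loopback connection, the 60 s / 10 s / 5-probe timers and the function names are assumptions chosen to show the mechanism, and the Windows branch cannot be exercised on a Linux host.

```python
"""Per-socket TCP keepalive tuning that does not depend on the registry or sysctl defaults.

Constructed example: the timer values below are assumptions, not values taken from the question.
"""
import socket
import sys

# Assumed timers: first probe after 60 s of silence, then every 10 s, give up after 5 unanswered probes.
# To survive a middlebox that drops idle flows after ~9 minutes, the idle time must be well below that.
KEEPALIVE_IDLE_SEC = 60
KEEPALIVE_INTERVAL_SEC = 10
KEEPALIVE_COUNT = 5


def enable_keepalive(sock, idle=KEEPALIVE_IDLE_SEC, interval=KEEPALIVE_INTERVAL_SEC, count=KEEPALIVE_COUNT):
    """Turn on TCP keepalive on a connected TCP socket and set its timers.

    Returns the list of mechanisms that were applied, so the caller can see whether the
    platform accepted per-socket timers or only the on/off flag.
    """
    applied = []
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied.append("SO_KEEPALIVE")

    if sys.platform == "win32" and hasattr(socket, "SIO_KEEPALIVE_VALS"):
        # Windows: SIO_KEEPALIVE_VALS takes (onoff, keepalivetime_ms, keepaliveinterval_ms) and
        # overrides the Tcpip\Parameters KeepAliveTime / KeepAliveInterval values for this socket only.
        # The probe count is not settable this way; the OS default applies.
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle * 1000, interval * 1000))
        applied.append("SIO_KEEPALIVE_VALS")
        return applied

    # Linux and other platforms exposing TCP_KEEP*: these override net.ipv4.tcp_keepalive_time,
    # tcp_keepalive_intvl and tcp_keepalive_probes for this socket only.
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied.append(name)
    return applied


def read_keepalive(sock):
    """Read back the keepalive settings the platform lets us query with getsockopt."""
    settings = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name in ("TCP_KEEPIDLE", "TCP_KEEPINTVL", "TCP_KEEPCNT"):
        opt = getattr(socket, name, None)
        if opt is None:
            continue
        try:
            settings[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
        except OSError:
            # Windows accepts these options for setsockopt but may refuse to read them back.
            pass
    return settings


def demo_loopback(idle=KEEPALIVE_IDLE_SEC, interval=KEEPALIVE_INTERVAL_SEC, count=KEEPALIVE_COUNT):
    """Open a loopback TCP connection, tune keepalive on the client end and return (applied, settings)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server, _ = listener.accept()
    try:
        applied = enable_keepalive(client, idle, interval, count)
        return applied, read_keepalive(client)
    finally:
        server.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    applied, settings = demo_loopback()
    print("applied:", applied)
    print("settings:", settings)
```

The same per-socket options are what stunnel's `socket = a:OPTION=VALUE` directive sets on its own sockets; `stunnel -options` prints the socket options a given build understands, so whether `TCP_KEEPIDLE`, `TCP_KEEPINTVL` and `TCP_KEEPCNT` can be used in the config, on the Linux server side as well as on the Windows client, should be checked against that list rather than assumed. Keepalive also has to be enabled on both stunnel instances if either side of the path may be the one whose idle state expires, and it only helps against an idle-timeout drop; a reset that arrives regardless of traffic points at something other than inactivity.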