In this simple step by step tutorial we will be wrapping OpenVPN in Stunnel so that we can bypass any sort of OpenVPN filtering i.e. the Great Firewall of China, this technique is confirmed to work on all latest filtering techniques, CentOS tutorial will follow soon.
What is STUNNEL ?
The stunnel program is designed to work as an SSL (Secure Socket Layer) encryption wrapper between remote clients and local (inetd-startable) or remote servers. The concept is that having non-SSL aware daemons running on your system you can easily set them up to communicate with clients over secure SSL channels. The most common use of stunnel is to listen on a network port and establish communication with either a new port via the connect option, or a new program via the exec option.
Stunnel is available for many platforms, like windows, and linux. You can check it from it’s official site HERE.
First you need to make sure the OpenVPN port you use is using TCP, UDP does not work with stunnel – you can either change the default openvpn config you have or create a new config for a different port then just restart OpenVPN in dameon mode. If however you use FreeRADIUS for auth then please follow the tutorial below to setup new ports.
Now lets get installing, first lets install stunnel:
apt-get install stunnel4
Move to the stunnel directory:
We need to create a self-signed certificate with the following commands:
openssl genrsa -out server.key 4096
Generate a CSR (Certificate Signing Request):
openssl req -new -key server.key -out server.csr
Generating a Self-Signed Certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Combine key with certificate:
cat server.key > server.pem && cat server.crt >> server.pem
Now lets configure stunnel:
Incase you have any current stunnel configs, lets rename it..
mv /etc/stunnel/stunnel.conf stunnel.conf.old
Now create a config file (stunnel.conf) using your favorite editor (vi, nano, …etc.):
Then copy the following into the config file:
sslVersion = all options = NO_SSLv2 chroot = /var/lib/stunnel4/ ; PID is created inside the chroot jail pid = /stunnel4.pid ; Debugging stuff (may useful for troubleshooting) ; debug = 7 ; output = /var/log/stunnel4/stunnel4.log setuid = stunnel4 setgid = stunnel4 socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 compression = zlib [openvpn] accept = 184.108.40.206:11446 connect = 220.127.116.11:8080 cert=/etc/stunnel/server.pem key=/etc/stunnel/server.key
The accept port should preferably be a high port number the connect port MUST be the TCP port you are using in OpenVPN. Make sure you change 18.104.22.168 to your server IP.
Save & Exit
Now lets enable stunnel and start it:
Save & Exit
Now lets start stunnel4:
Restart OpenVPN and make sure stunnel starts at boot time:
chkconfig stunnel4 on
Now have fun browsing anything you want without limitations