
Install and Setup OpenVPN Stealth with Stunnel on Ubuntu 12 +

In this simple step-by-step tutorial we will wrap OpenVPN in stunnel so that we can bypass any sort of OpenVPN filtering, e.g. the Great Firewall of China. This technique is confirmed to work against all the latest filtering techniques. A CentOS tutorial will follow soon.

What is STUNNEL?

The stunnel program is designed to work as an SSL (Secure Socket Layer) encryption wrapper between remote clients and local (inetd-startable) or remote servers. The concept is that having non-SSL aware daemons running on your system you can easily set them up to communicate with clients over secure SSL channels. The most common use of stunnel is to listen on a network port and establish communication with either a new port via the connect option, or a new program via the exec option.

Stunnel is available for many platforms, including Windows and Linux. You can check it on its official site.

To set up OpenVPN on Ubuntu, please follow this link.

First, make sure the OpenVPN port you use is a TCP port; UDP does not work with stunnel. You can either change the default OpenVPN config you have or create a new config for a different port, then restart OpenVPN in daemon mode. If, however, you use FreeRADIUS for auth, please follow the tutorial below to set up new ports.

To set up multiple OpenVPN ports when using FreeRADIUS, please follow this link.

Now let's get installing. First, let's install stunnel:

apt-get install stunnel4

Move to the stunnel directory:

cd /etc/stunnel/

We need to create a self-signed certificate with the following commands:

openssl genrsa -out server.key 4096

Generate a CSR (Certificate Signing Request):

openssl req -new -key server.key -out server.csr

Generating a Self-Signed Certificate:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Combine key with certificate:

cat server.key > server.pem && cat server.crt >> server.pem

Now let's configure stunnel:

In case you have an existing stunnel config, let's rename it:

mv /etc/stunnel/stunnel.conf stunnel.conf.old

Now create a config file (stunnel.conf) using your favorite editor (vi, nano, …etc.):

nano /etc/stunnel/stunnel.conf

Then copy the following into the config file:

sslVersion = all
options = NO_SSLv2
chroot = /var/lib/stunnel4/
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Debugging stuff (may be useful for troubleshooting)
; debug = 7
; output = /var/log/stunnel4/stunnel4.log
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
[openvpn]
accept = 123.123.123.123:11446
connect = 123.123.123.123:8080
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key

The accept port should preferably be a high port number; the connect port MUST be the TCP port you are using in OpenVPN. Make sure you change 123.123.123.123 to your server IP.

Save & Exit
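The two requirements above (OpenVPN on TCP, and the stunnel connect port equal to the OpenVPN port) can be checked before starting the service. The script below is an added example, not part of the original tutorial; the function names and the OpenVPN config path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check that stunnel's [openvpn]
# service forwards to an OpenVPN instance listening on TCP on the same port.

# Print the port from the "connect" line inside the [openvpn] section.
stunnel_connect_port() {
    awk '
        /^[ \t]*\[/ { in_svc = ($0 ~ /^[ \t]*\[openvpn\]/) }
        in_svc && /^[ \t]*connect[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "connect ="
            sub(/[ \t]+$/, "")         # drop trailing blanks
            sub(/^.*:/, "")            # drop "host:" if present
            print; exit
        }' "$1"
}

# Print the first value of an OpenVPN directive; "#" and ";" comment lines
# never match because their first field is not the bare keyword.
openvpn_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 when both configs agree, 1 otherwise; reasons go to stderr.
check_stunnel_openvpn() {
    cport=$(stunnel_connect_port "$1")
    proto=$(openvpn_directive "$2" proto)
    oport=$(openvpn_directive "$2" port)
    : "${proto:=udp}" "${oport:=1194}"   # OpenVPN defaults when unset
    rc=0
    case $proto in
        tcp*) ;;                          # tcp, tcp-server, tcp4, tcp6, ...
        *) echo "openvpn proto is '$proto'; stunnel only carries TCP" >&2
           rc=1 ;;
    esac
    if [ -z "$cport" ]; then
        echo "no connect line found in the [openvpn] section" >&2; rc=1
    elif [ "$cport" != "$oport" ]; then
        echo "stunnel connects to $cport but openvpn uses port $oport" >&2
        rc=1
    fi
    return "$rc"
}

# Usage (paths are assumed): sh check.sh /etc/stunnel/stunnel.conf /etc/openvpn/server.conf
if [ "$#" -eq 2 ]; then
    check_stunnel_openvpn "$1" "$2" && echo "stunnel/OpenVPN pair OK"
fi
```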

Now let's enable stunnel and start it:

nano /etc/default/stunnel4

And change:

ENABLED=0

To

ENABLED=1

Save & Exit

Now let's start stunnel4:

/etc/init.d/stunnel4 start

Restart OpenVPN and make sure stunnel starts at boot time:

chkconfig stunnel4 on

Now have fun browsing anything you want without limitations :)

Have Fun
SafeSrv.net

14 replies
  1. Roiz says:

    Need a CentOS tutorial! Please help me

    • Admin says:

      Hello, CentOS is coming shortly :)

      • Sonu says:

        Also REALLY looking forward to a CentOS (under an OpenVZ VPS) tutorial. Your previous guide on setting up openvpn was great, one of the best on the web. With China now blocking all openvpn udp automatically, I think we need to try something like this to get it to work. Hope performance doesn’t get killed. Thanks!

  2. Strife says:

    Also REALLY looking forward to a CentOS (under an OpenVZ VPS) tutorial :)

    Your previous guide on setting up openvpn was great, one of the best on the web. With China now blocking all openvpn udp automatically, I think we need to try something like this to get it to work. Hope performance doesn’t get killed.

    Thanks!

  3. Strife says:

    How’s the centos guide coming along? :)

  4. Strife says:

    So, through various guides and playing around, I can connect to my OpenVPN (on OpenVZ VPS) through stunnel, but I have a problem that hopefully you can answer before your full guide comes out.

    It connects, but no traffic is getting routed through the VPN. It still goes through the local connection gateway (192.168.1.100).

    Do you know what might be the cause of that?

    If I don’t use stunnel and connect directly to the OVPN server, it will pull the gateway redirect and my traffic goes through.

    Thanks

    • Admin says:

      Hey there – what port did you set stunnel to?

      • Strife says:

        On my VPS, OpenVPN is listening to 45378. Stunnel is listening on 45383 and forwarding to 45378.

        On my Windows client, stunnel is listening to 45378 and forwarding to my server 45383. My client openvpn is sending to “localhost 45378”.

        I’m not sure if the China Firewall is interfering. During the initial connection, it displays the Verify, blah blah, then it’ll get a connection reset once or twice then it’ll finally connect and I get a VPN IP 10.8.0.10.

        Going to whatismyip.com will show my local network WAN address even though my OpenVPN gui icon is green (connected).

        Can I issue a route command to force all traffic through the vpn?

        Thanks

      • Aline says:

        So, through various guides and playing around, I can connect to my OpenVPN (on OpenVZ VPS) through stunnel, but I have a problem that hopefully you can answer before your full guide comes out. It connects, but no traffic is getting routed through the VPN. It still goes through the local connection gateway (192.168.1.100). Do you know what might be the cause of that? If I don’t use stunnel and connect directly to the OVPN server, it will pull the gateway redirect and my traffic goes through. Thanks

  5. adl says:

    Hi!

    Need a CentOS tutorial!!

    Tnx.



Copyright 2013 SafeSrv.net | All Rights Reserved