OpenVPN is more and less banned in some countries, therefore to be able to use it there, we need to make it stealthy by installing a 3rd party software like Tor, SSH Tunnel or Stunnel which hides openVPN traffic from governmental firewall detection. The principle is quite simple, we create a tunnel between our computer and the openVPN server which is encrypted by a certificate, then we send our openVPN traffic through this tunnel.
Debian 8 stunnel server installation
First OpenVPN should be configured to use TCP instead of UDP, on this example we open port number 1000 and redirect the traffic to localhost port number 443 which is my openVPN server port. We will start by installing the package, run this command to install sTunnel:
apt-get install stunnel4
Follow the installation wizard and edit /etc/stunnel/stunnel.conf with your favorite editor like bellow:
# Location of the certificate that we created cert = /etc/stunnel/stunnel.pem client = no output = /var/log/stunnel4/stunnel.log # Name of the connection [openvpn] accept = 1000 connect = 127.0.0.1:443
After the installation if there’s no stunnel.pem file, we need to create the certificate by running this following command.
openssl genrsa -out key.pem 2048 openssl req -new -x509 -key key.pem -out cert.pem -days 1095 cat key.pem cert.pem >> /etc/stunnel/stunnel.pem
service stunnel4 start
check stunnel.log to make sure there’s no error.
Mac OS X stunnel client installation and configuration
First we need to install homebrew, installation guide is on HomeBrew‘s website. After completing homebrew installation run this command:
brew install stunnel
Then edit stunnel.conf file, run this command:
pid = /usr/local/etc/stunnel/stunnel.pid output = /usr/local/etc/stunnel/stunnel.log [openvpn-localhost] client = yes accept = 127.0.0.1:1000 connect = 22.214.171.124:1000
This config file will create a tunnel from localhost on port 1000 to the remote ip 126.96.36.199 on port 1000, change the ip 188.8.131.52 and the port following your current network configuration.
Mac OS X openVPN configuration
I will not describe how to setup the openVPN client, but there’s 2 mandatory modifications to bring to our conf file. Change the remote ip address to localhost with the right port we just set before on sTunnel config file and add those new directives
redirect-gateway def1 and
route remote_vpn_ip_address 255.255.255.255 net_gateway that will route all internet traffic to the VPN gateway except the one in destination to our remote vpn ip address.
remote localhost 1000 redirect-gateway def1 route remote_vpn_ip_address 255.255.255.255 net_gateway
Save the modification.
Start sTunnel on Mac OS X
Make sure the sTunnel server is up and running before starting stunnel on the client:
netstat -an | grep :1000 from command line to check if Stunnel has successfully started, if you have a result, now you should be able to use your new openVPN config file to connect to your openVPN server in stealth mode.
2 thoughts on “Stealthy tunnel with stunnel, OpenVPN on Mac OS and Debian”
On client side, i get an error when i try to launch my .conf :
“pid : /usr/local/etc/stunnel/stunnel.pid” : Specified option name is not valid here
Any idea ?
What is your full conf file ?