Stealthy tunnel with stunnel, OpenVPN on Mac OS and Debian

stunnel openvpn stealthy
OpenVPN is more and less banned in some countries, therefore to be able to use it there, we need to make it stealthy by installing a 3rd party software like Tor, SSH Tunnel or Stunnel which hides openVPN traffic from governmental firewall detection. The principle is quite simple, we create a tunnel between our computer and the openVPN server which is encrypted by a certificate, then we send our openVPN traffic through this tunnel.

Debian 8 stunnel server installation

First OpenVPN should be configured to use TCP instead of UDP, on this example we open port number 1000 and redirect the traffic to localhost port number 443 which is my openVPN server port. We will start by installing the package, run this command to install sTunnel:

apt-get install stunnel4

Follow the installation wizard and edit /etc/stunnel/stunnel.conf with your favorite editor like bellow:

# Location of the certificate that we created
cert = /etc/stunnel/stunnel.pem
client = no
output = /var/log/stunnel4/stunnel.log
# Name of the connection
accept = 1000
connect =

After the installation if there’s no stunnel.pem file, we need to create the certificate by running this following command.

openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem >> /etc/stunnel/stunnel.pem

Start sTunnel

service stunnel4 start

check stunnel.log to make sure there’s no error.

Mac OS X stunnel client installation and configuration

First we need to install homebrew, installation guide is on HomeBrew‘s website. After completing homebrew installation run this command:

brew install stunnel

Then edit stunnel.conf file, run this command:

vi /usr/local/etc/stunnel/stunnel.conf
pid = /usr/local/etc/stunnel/
output = /usr/local/etc/stunnel/stunnel.log
client = yes
accept =
connect =

This config file will create a tunnel from localhost on port 1000 to the remote ip on port 1000, change the ip and the port following your current network configuration.

Mac OS X openVPN configuration

I will not describe how to setup the openVPN client, but there’s 2 mandatory modifications to bring to our conf file. Change the remote ip address to localhost with the right port we just set before on sTunnel config file and add those new directives redirect-gateway def1 and route remote_vpn_ip_address net_gateway that will route all internet traffic to the VPN gateway except the one in destination to our remote vpn ip address.

remote localhost 1000
redirect-gateway def1
route remote_vpn_ip_address net_gateway

Save the modification.

Start sTunnel on Mac OS X

Make sure the sTunnel server is up and running before starting stunnel on the client:

sudo stunnel

use netstat -an | grep :1000 from command line to check if Stunnel has successfully started, if you have a result, now you should be able to use your new openVPN config file to connect to your openVPN server in stealth mode.

2 thoughts on “Stealthy tunnel with stunnel, OpenVPN on Mac OS and Debian

  1. Olivier Reply


    On client side, i get an error when i try to launch my .conf :
    “pid : /usr/local/etc/stunnel/” : Specified option name is not valid here

    Any idea ?

    Thanks !

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.