
Friday, 22 April 2016


OpenVPN client -> stunnel client -> stunnel server (port 443) -> OpenVPN server
To any firewall this looks like nothing more than a single HTTPS connection, so short of blocking HTTPS outright
there is no way to block it. (That holds for port- and protocol-based filtering; a middlebox that fingerprints TLS handshakes can still tell a PSK handshake from ordinary browser traffic, so do not count on it against a determined DPI operator.)


B. Setting Up Stunnel

We are now going to insert Stunnel into the picture, as shown in the diagram at the top of the page. The connection from the OpenVPN client to OpenVPN server:1194 will be carried inside a TLS connection to vps_ip:443, which to an observer looks like HTTPS. Note that Stunnel forwards TCP only, so OpenVPN must be running with proto tcp at both ends.

B.1. Stunnel Pre-Shared Key (PSK)

SSH into your vps again. Switch to root and install the stunnel4 package (the package name is historical; on current Debian and Ubuntu it installs stunnel 5):
apt-get install stunnel4
Change into the directory for Stunnel:
cd /etc/stunnel
Different approaches to authentication are possible. We will use a Pre-Shared Key (PSK), i.e. a secret known to both server and client; the stunnel manual describes the certificate-based alternatives.
To generate a 32-character random password, type:
openssl rand -base64 24
The output is 24 random bytes encoded as base64, i.e. a 32-character string.
Copy the answer into a file named psk.txt, i.e.:
vi psk.txt
Type or paste in your random password, preceded by a client identifier and a colon, in the form IDENTITY:KEY (one line per client). This will allow you, if you wish, to have more than one client, each with its own key. The identifier must not itself contain a colon, and stunnel requires the key to be at least 16 bytes long.
Write the file psk.txt to disk, and quit the editor. Anyone who can read this file can authenticate to the tunnel, so make it readable by root only.
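The steps above create one key by hand. As an added example (not from the original post), the POSIX shell script below automates the same thing for several clients: it appends IDENTITY:KEY lines to psk.txt with owner-only permissions, checks an existing file against stunnel's format rules (one identity per line, keys of at least 16 bytes, hex keys counted as binary), extracts the single line a given client needs for its pskclient1.txt, and hex-encodes a key so the server end can be exercised with openssl s_client. It assumes openssl on the PATH and GNU stat (with BSD stat as a fallback); the s_client invocation in the comment is an assumed check, not something the post describes, and VPS_IP is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): manage an stunnel PSKsecrets file.
# Assumes: openssl on the PATH; stunnel's IDENTITY:KEY line format and its
# 16-byte minimum key length; GNU stat (BSD stat as fallback).
set -eu

# Print one IDENTITY:KEY line: 24 random bytes, base64-encoded (32 characters).
make_psk_line() {
    identity=$1
    case "$identity" in
        ""|*:*) echo "identity must be non-empty and contain no ':'" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$identity" "$(openssl rand -base64 24)"
}

# Append a new client to FILE, creating the file with mode 0600 if needed.
# Refuses to add an identity that is already present.
add_psk() {
    file=$1; identity=$2
    if [ -e "$file" ] && grep -q "^$identity:" "$file"; then
        echo "$identity is already in $file" >&2; return 1
    fi
    ( umask 077; make_psk_line "$identity" >> "$file" )
    chmod 600 "$file"
}

# Check a PSKsecrets file: owner-only permissions, IDENTITY:KEY on every line,
# unique identities, and keys of at least 16 bytes. stunnel converts an
# all-hex key to binary, so such a key counts half its characters.
check_psk_file() {
    file=$1
    perm=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$perm" in
        600|400) ;;
        *) echo "$file: mode $perm, expected 600" >&2; return 1 ;;
    esac
    awk '
        { i = index($0, ":"); id = substr($0, 1, i - 1); key = substr($0, i + 1) }
        i == 0 || id == "" || key == "" {
            print FILENAME ": line " NR ": expected IDENTITY:KEY"; bad = 1; next }
        { bytes = (key ~ /^[0-9A-Fa-f]+$/) ? length(key) / 2 : length(key) }
        bytes < 16 { print FILENAME ": line " NR ": key is " bytes " bytes, need 16"; bad = 1 }
        seen[id]++ { print FILENAME ": line " NR ": duplicate identity " id; bad = 1 }
        END { exit bad }
    ' "$file" >&2
}

# Write the single line a given client needs (the content of its pskclient1.txt).
extract_client_psk() {
    file=$1; identity=$2; out=$3
    grep "^$identity:" "$file" > "$out" || { echo "$identity not in $file" >&2; rm -f "$out"; return 1; }
    chmod 600 "$out"
}

# Hex-encode a client's key. openssl s_client takes the PSK as hex, so this lets
# you try the server end without OpenVPN (assumed check; VPS_IP is a placeholder):
#   openssl s_client -connect VPS_IP:443 -psk_identity client1 -psk "$(psk_hex psk.txt client1)"
psk_hex() {
    grep "^$2:" "$1" | cut -d: -f2- | tr -d '\n' | od -An -tx1 | tr -d ' \n'
}
```

Typical use on the server is add_psk /etc/stunnel/psk.txt client1 followed by check_psk_file /etc/stunnel/psk.txt; extract_client_psk then produces the one-line file to copy to the Windows client.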

B.2. Stunnel Server Set Up

Anything in /etc/stunnel ending in .conf will be taken as a configuration file. Each such file will be used to start a daemon process that sets up a tunnel with the given configuration. The directory /etc/stunnel is initially empty.
Copy the sample configuration file into place:
cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample \
Edit the copy of the sample configuration file:
vi stunnel.conf
Comment out the three Gmail sections ([gmail-pop3], [gmail-imap] and [gmail-smtp]), which we will not be using, by putting a semi-colon at the start of each line, including each section's header line in square brackets:
;client = yes
;accept =
;connect =
;verify = 2
;CApath = @sysconfdir/ssl/certs
;checkHost =

;client = yes
;accept =
;connect =
;verify = 2
;CApath = @sysconfdir/ssl/certs
;checkHost =

;client = yes
;accept =
;connect =
;verify = 2
;CApath = @sysconfdir/ssl/certs
;checkHost =
Add a section for OpenVPN:
accept =
connect =
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt
(Of course, you must replace with your actual server IP address.)
Write the edited stunnel.conf to disk, and quit the editor.
Enable automatic startup:
vi /etc/default/stunnel4
Change to enable:
Write the edited file to disk, and quit the editor.
Open the server firewall (note that -A appends to the chain; if your INPUT chain already ends with a DROP rule, insert the new rule above it with -I instead, or it will never be reached):
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
dpkg-reconfigure iptables-persistent
Start Stunnel with all these changes applied:
/etc/init.d/stunnel4 start
Check that it is working with:
journalctl -u stunnel4
systemctl status stunnel4.service
ps -A | grep stunnel4
netstat -tulpn|grep stunnel4
Stop OpenVPN from listening on all interfaces and make it listen only on localhost, where Stunnel connects to it, by editing its configuration file:
vi /etc/openvpn/server.conf
add the line:
Write the edited file to disk, and quit the editor.
Assuming you have another iptables rule that accepts all loopback packets, you can close port 1194 to the public:
iptables -D INPUT -p tcp --dport 1194 -j ACCEPT
dpkg-reconfigure iptables-persistent
Restart OpenVPN with these changes:
service openvpn restart
netstat -tulpn | grep openvpn
That is the end of the server work for now. 

B.3. Stunnel Client Set Up

I’ve found Notepad++ more reliable than Notepad for editing configuration files, so download and install Notepad++ before you begin.
Then, to get your Windows client version of Stunnel, go to the Stunnel downloads page:
Download the latest Stunnel installer executable (exe) file.
In your Downloads folder, right-click on the Stunnel installer executable, and select Run as administrator. During installation, a command window will pop up, prompting you to enter the usual information for a certificate distinguished name (DN). The installer uses this to create a self-signed certificate; with PSK authentication that certificate is never used, so the values you enter do not matter.
Run Stunnel from the icon it puts on your desktop (or from C:\Program Files (x86)\stunnel\bin) by right-clicking and selecting Run as administrator.
The Stunnel icon appears in the system tray (bottom right). Right-click on it to bring up the context menu.

Once you have right-clicked to bring up the context menu, select Edit Configuration.
Again, delete or comment out the lines for Gmail. Then at the end, add:
client = yes  
accept =  
connect =
PSKsecrets = pskclient1.txt
(Of course, you must replace with your actual server IP address.)
Save the configuration file.
Using Notepad++, create a file pskclient1.txt containing only a single line: this client's IDENTITY:KEY entry, copied exactly from the server's psk.txt.
Save the file pskclient1.txt and close it.
Right-click on the Stunnel icon in the system tray, and this time choose Reload Configuration.
Run Notepad++ as administrator to edit the OpenVPN client configuration file, C:\Program Files\OpenVPN\config\windows10.ovpn. Redirect your OpenVPN client to localhost port 1194, where Stunnel is now listening:
remote 1194

Reconnect your OpenVPN connection. It will now send traffic to localhost:1194, which the Stunnel client will send out to your server:443. Because the key is shared, the PSK handshake authenticates both ends: a server that does not hold the key cannot complete the handshake, and neither can a client.
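Putting the pieces from B.2 and B.3 side by side, this is what the two ends look like once filled in. It is an added example, not the post's own files: 203.0.113.10 is a documentation-range placeholder for the VPS address, client1 is the assumed client identity, and only the lines that matter for the tunnel are shown.

```ini
; --- server: /etc/stunnel/stunnel.conf, section added after the commented-out Gmail ones ---
; 203.0.113.10 is an assumed placeholder for the VPS address.
[openvpn]
accept = 203.0.113.10:443
connect = 127.0.0.1:1194
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt

; --- server: /etc/stunnel/psk.txt (mode 600), one IDENTITY:KEY line per client ---
; client1:<32-character output of "openssl rand -base64 24">

; --- server: /etc/openvpn/server.conf, the lines the tunnel depends on ---
proto tcp
port 1194
local 127.0.0.1

; --- client (Windows): stunnel.conf, added after the commented-out Gmail sections ---
[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = 203.0.113.10:443
PSKsecrets = pskclient1.txt

; --- client (Windows): pskclient1.txt, exactly one line, identical to the server entry ---
; client1:<the same 32-character key>

; --- client (Windows): C:\Program Files\OpenVPN\config\windows10.ovpn ---
proto tcp
remote 127.0.0.1 1194
```

Both stunnel sections must carry the same identity and key; the server selects the PSK line by the identity the client presents, which is why a second client gets its own line in psk.txt and its own pskclientN.txt rather than a copy of the first. The accept lines on the client stay on 127.0.0.1 so that nothing else on the network can use the tunnel.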