
Saturday, 9 March 2013

Using a stunnel proxy on Android and OS/X

Two tutorials from vpn.tv on setting up an encrypted stunnel proxy for use on Android and OS/X. The principle is the same on both systems; have a look if you are interested.
Android
Important: this is an allowed but unsupported hack. Please do not contact support if below does not work for you.
Install stunnel
Unfortunately Android does not come with stunnel. We found a pre-compiled and working version here: http://blog.tempest.com.br/marco-carnut/autenticacao-mutua-https-android-stunnel.html. (If you have a hard time finding the actual binary, try this link: http://blog.tempest.com.br/static/attachments/marco-carnut/autenticacao-mutua-https-android-stunnel/stunnel4-android21.tar.bz2). There may be other sources as well.
To install the binary we used the following adb commands:
adb shell mount -o rw,remount /system
adb push stunnel /system/bin/
adb shell chmod ug+rwx /system/bin/stunnel
adb shell mount -o ro,remount /system
adb shell mkdir /data/data/org.stunnel
If you do not understand what these commands do or where to find the adb utility, you should probably not proceed. The data directory is required for stunnel’s PID file.
Configure stunnel
On the phone create a file /etc/stunnel.conf with the following content:
sslVersion = TLSv1
client = yes
pid = /data/data/org.stunnel/stunnel.pid
[proxy]
accept  = 127.0.0.1:8080
connect = automatic.securechromenetwork.com:443
If you’re experiencing problems you may temporarily add:
debug = 7
foreground = yes
Be careful adding the foreground directive if you have stunnel start automatically on startup. During our tests adding debug would prevent stunnel from being started. Adding foreground may cause issues during boot.
(Automatically) start stunnel
Create a file /etc/init.d/99stunnel with the following contents:
#!/system/bin/sh
STUNNEL=/system/bin/stunnel
STUNNEL_CONF=/etc/stunnel.conf
LOG=/data/stunnel.log

# Start every boot with a fresh log
if [ -e "$LOG" ]; then
  rm "$LOG"
fi

if [ ! -e "$STUNNEL" ]; then
  echo stunnel binary not found | tee -a "$LOG"
  exit 1
fi

# The configuration file has to exist as well
if [ ! -e "$STUNNEL_CONF" ]; then
  echo stunnel configuration file not found | tee -a "$LOG"
  exit 1
fi

echo "$( date +"%Y.%m.%d %H:%M:%S" ) starting stunnel" | tee -a "$LOG"
"$STUNNEL" "$STUNNEL_CONF" | tee -a "$LOG"

# Keep $PID quoted so an empty or multi-value result is tested correctly
PID="$( pidof stunnel )"
if [ -z "$PID" ]; then
  echo stunnel was not started properly | tee -a "$LOG"
  exit 1
else
  echo stunnel running with pid "$PID" | tee -a "$LOG"
fi

exit 0
Make sure the script has the proper permissions and owner/group (check the other scripts in /etc/init.d/ to see what they use). Reboot your phone and double-check that this actually works for you; not all Android flavors execute init.d scripts automatically.
Configure Android to use VPN.tv
Now we need to configure Android to use the proxy provided by stunnel. Some Android versions allow you to configure the proxy for WiFi only, not for 3G. Sometimes the proxy option is missing entirely.
We prefer using ProxyDroid by Max Lv (who also provided the stunnel we linked to above) which can be found in the Android Market.
The proxy you need to configure is:
  • host: 127.0.0.1
  • port: 8080
  • type: http
  • authentication: enabled
  • username/password: as provided by VPN.tv
  • global proxy: OFF
  • DNS proxy: OFF
  • individual proxy: use
China
If you’re in China you’ll probably want to enable Global Proxy and DNS Proxy. For this to work you need to do two additional things:
  • In stunnel.conf, replace automatic.securechromenetwork.com with the relevant IP address, e.g. change automatic.securechromenetwork.com:8080 to 1.2.3.4:8080.
  • In ProxyDroid enter this same IP address as the Intranet Address, e.g. 1.2.3.4/32.
Source: https://vpn.tv/faq/osx-on-vpn-tv/
OS/X
Important: this is an allowed but unsupported hack. Please do not contact support if below does not work for you.
Install Macports
First install Macports. We need Macports to install stunnel in the next step. Macports and its installation instructions can be found here: http://www.macports.org/install.php.
Install stunnel
Install stunnel using the following command:
sudo port install stunnel
Configure stunnel
Create /opt/local/etc/stunnel/stunnel.conf with the following content:
sslVersion = TLSv1
chroot = /opt/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
client = yes
libwrap = no

[proxy]
accept  = 127.0.0.1:8080
connect = automatic.securechromenetwork.com:443
TIMEOUTclose = 0
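Both client configurations on this page (the Android one above and this OS/X one) set client = yes but no verify level and no CAfile, so stunnel accepts whatever certificate the far end presents; the proxy username and password then travel through a tunnel whose endpoint was never authenticated. The script below is an added example, not vpn.tv's configuration or code: it writes the tutorial's config and a hardened variant to constructed sample files and audits each for the settings that decide whether the peer is actually checked. The CAfile path is a placeholder, and the checkHost line assumes stunnel 5.x.

```shell
#!/bin/sh
# Added example (not from vpn.tv): audit a stunnel client config for the
# settings that decide whether the server certificate is verified.

# Return 0 when the config verifies the peer chain against a trust store and
# does not pin a legacy protocol version; print one FAIL line per finding.
audit_stunnel_conf() {
  conf="$1"
  rc=0
  # 'verify = 2' (or higher) rejects unverified peer certificates;
  # 'verifyChain = yes' is the stunnel 5.x spelling of the same requirement.
  if ! grep -Eq '^[[:space:]]*(verify[[:space:]]*=[[:space:]]*[234]|verifyChain[[:space:]]*=[[:space:]]*yes)' "$conf"; then
    echo "FAIL: no 'verify = 2' / 'verifyChain = yes': peer certificate is not checked"
    rc=1
  fi
  if ! grep -Eq '^[[:space:]]*(CAfile|CApath)[[:space:]]*=' "$conf"; then
    echo "FAIL: no CAfile/CApath: no trust anchors to verify the chain against"
    rc=1
  fi
  if grep -Eq '^[[:space:]]*sslVersion[[:space:]]*=[[:space:]]*(SSLv2|SSLv3|TLSv1)[[:space:]]*$' "$conf"; then
    echo "FAIL: sslVersion pins a protocol version that is no longer considered safe"
    rc=1
  fi
  return $rc
}

# Constructed sample 1: the tutorial's Android client config as written.
write_weak_conf() {
  cat > "$1" <<'EOF'
sslVersion = TLSv1
client = yes
pid = /data/data/org.stunnel/stunnel.pid
[proxy]
accept  = 127.0.0.1:8080
connect = automatic.securechromenetwork.com:443
EOF
}

# Constructed sample 2: the same config with peer verification turned on.
# The CAfile path is a placeholder: point it at the CA bundle that issued the
# server's certificate. checkHost (stunnel 5.x) also ties the certificate to
# the expected host name.
write_hardened_conf() {
  cat > "$1" <<'EOF'
client = yes
pid = /data/data/org.stunnel/stunnel.pid
verify = 2
CAfile = /path/to/ca-bundle.pem
[proxy]
accept  = 127.0.0.1:8080
connect = automatic.securechromenetwork.com:443
checkHost = automatic.securechromenetwork.com
EOF
}

# Usage: audit both constructed samples and report the findings.
for f in weak hardened; do
  write_${f}_conf "/tmp/stunnel-$f.conf"
  echo "== $f =="
  audit_stunnel_conf "/tmp/stunnel-$f.conf" || true
done
```

The weak sample produces three FAIL lines and a non-zero exit; the hardened one passes. Dropping sslVersion altogether lets stunnel negotiate the newest version both ends support.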
(Automatically) start stunnel
You can now start stunnel simply by typing sudo stunnel in a Terminal window. If you want to make sure stunnel gets started automatically every time you start your computer, please enter the following command:
sudo crontab -e
This opens the crontab in vi. Add the following line to the file (@reboot replaces the five time fields, so nothing else goes before the command):
@reboot /opt/local/bin/stunnel
Configure OS/X to use VPN.tv
Open System Preferences and select Network. On the Network window click Advanced… On the Advanced window select the Proxies tab. For both Web Proxy and Secure Web Proxy set the server to localhost and the port to 8080, and fill in your username and password. Click Apply and close the window.
Note that not all OS/X applications automatically use these proxy settings. Some applications will need you to configure the proxy in the application itself.
Known problems
You can not use this hack AND use the Chrome extension. Doing so will cause Chrome to complain about invalid proxy certificates.
Source: https://vpn.tv/faq/android-on-vpn-tv-requires-rooted-phone/
------------------------------------------------------------------------------------

How to run stunnel on your Android device

Overview

In this post we’re going to talk about how to run the amazing stunnel program on your Android device properly.
Later, this would allow us to set up a lot of cool things like:
For this, we’re not going to use the old and very limited SSLDroid. It’s a bad idea, I don’t know why different sites still keep pushing it. It almost certainly has unpatched vulnerabilities. Please don’t use it.
Instead, we are going to use the official stunnel program, with the help of a proper wrapper.

stunnel Android binary

stunnel already supports Android devices, and a compiled version is even available on its download page.
This file is compiled for the ARM architecture. Even though most Android devices run on ARM, this is particularly important to note for those devices that do not (e.g., Android-x86).
Since we'll be using the compiled binary, you may need to compile stunnel yourself for your specific Android architecture before continuing [1]. Chances are, though, that your device runs on ARM and you are ready to go.
Another thing to note is that the compiled stunnel is CLI only, meaning it can hardly be used by end users and is mainly suitable for developers. [2]
While making an Android GUI is in the stunnel author’s TODO list, there is still no official GUI available.
So we need an unofficial GUI (a wrapper if you will), an app that could provide the required front-end to the user and then pass the execution to the stunnel binary.

SSLSocks

I spent quite a good amount of time trying to find a suitable and decent app. There are not so many of them, and most are either not maintained anymore or require you to compile the app yourself (which, let's face it, is way less than ideal!)
In the end, I was able to find a decent little-known open-source app which is still maintained by the developer and also regularly updated to include the latest stunnel binary.
It is called SSLSocks by comp500. The app name does not remotely give the impression of stunnel, mainly because it was…
Originally intended to be a socks5 VPN through TLS.
The VPN part is not done yet but the stunnel part is working fine.
This app, however, comes with little to no documentation and can be a little tricky to get working the first time.
The rest of this post is dedicated to providing basic documentation for the app, in the hope that it helps others make use of it and also lets the author know that his app is actually being used.

Compiling

That’s the great part, you don’t need to compile it yourself! While the README file does outline the steps necessary to source the Android binary and compile the app yourself, the compiled version of the app (armed with the required stunnel binary for android), is available on Google Play: link.infra.sslsocks.
If your Android device does not use the ARM architecture, you need to compile stunnel from source for your device architecture first, then use that binary and compile the SSLSocks app.

Permissions

The app does not need any special permissions to function, which is yet another plus.

Installing

Assuming your device uses the ARM architecture (which it very likely does), you can simply download the app from Google Play: link.infra.sslsocks. Just open that link on your phone and hit "Install".

GUI

The GUI of this app is very simple. It consists of a couple of tabs:

HOME

[screenshot: SSLSocks HOME tab]
This is your landing page. When you are done with your setup, you can start the stunnel process here (and then stop it later on). More on this later.

LOG

[screenshot: SSLSocks LOG tab]
This section outputs the stunnel process log. The amount of log you get depends on the debug value set in the stunnel config file (default is 5). You can use this to troubleshoot your stunnel config.

CONFIG

[screenshot: SSLSocks CONFIG tab]
This is where the magic happens! This section holds your stunnel.conf file. The format is exactly as specified in the stunnel documentation, and more or less all the options can be used.
A couple of default options are already specified in the file. You may remove the client = yes option if for whatever reason you want to make your Android device act as a stunnel server, but DO NOT remove the foreground = yes and pid = ... options (these are needed for proper communication with and handling of the stunnel process by SSLSocks).
The question that arises is where and how to create and reference the external files (like PSKsecrets, CAfile, cert, etc.).
There is a dedicated file for PSKSecrets in the app, called psksecrets.txt. This file is accessible from the same window. Simply click (or touch, w/e!) on the dropdown menu at the top of the text window, and select psksecrets.txt:
[screenshot: SSLSocks config file dropdown]
Since stunnel starts in the same directory as this file, we specify it in stunnel.conf like this (as we will see shortly, the same applies to cert files as well):
PSKsecrets = psksecrets.txt
Moving away from this tab will automatically save the files.
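For the PSKsecrets file described above, the stunnel manual defines one IDENTITY:KEY pair per line, with keys of at least 16 bytes (32 characters when the key is written in hex). The script below is an added example and is not part of SSLSocks or stunnel: it generates such an entry from /dev/urandom and validates a finished psksecrets.txt before it is pasted into the app's CONFIG tab. It deliberately accepts only hex keys (stunnel itself also accepts raw string keys of 16 or more characters); the identity names are constructed.

```shell
#!/bin/sh
# Added example (not from SSLSocks or stunnel): generate and validate a
# stunnel PSKsecrets file. Format per the stunnel manual: one IDENTITY:KEY
# per line; a hex key must be at least 32 hex characters (16 bytes).

# Emit one PSKsecrets line for the given identity with a fresh 32-byte key
# read from /dev/urandom (assumes od(1) is available).
psk_line() {
  identity="$1"
  key=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
  printf '%s:%s\n' "$identity" "$key"
}

# Validate a PSKsecrets file; return 0 if every non-comment line is well
# formed (IDENTITY present, key hexadecimal and at least 32 characters).
psk_check() {
  file="$1"
  rc=0
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      ''|'#'*) continue ;;          # blank lines and comments are skipped
    esac
    id=${line%%:*}
    key=${line#*:}
    if [ "$id" = "$line" ] || [ -z "$id" ]; then
      echo "line $n: missing IDENTITY:KEY separator" >&2
      rc=1
      continue
    fi
    case "$key" in
      *[!0-9a-fA-F]*)
        echo "line $n: key is not hexadecimal" >&2
        rc=1
        continue ;;
    esac
    if [ "${#key}" -lt 32 ]; then
      echo "line $n: key shorter than 16 bytes" >&2
      rc=1
    fi
  done < "$file"
  return $rc
}

# Usage: build a two-entry file with constructed identities and check it.
out=/tmp/psksecrets-example.txt
psk_line android-client > "$out"
psk_line laptop-client >> "$out"
if psk_check "$out"; then
  echo "$out is well formed:"
  cat "$out"
fi
```

Each client needs its own identity and key, and the server side keeps the same IDENTITY:KEY line in its own PSKsecrets file; a key shorter than 16 bytes is rejected by stunnel, which the check mirrors.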

CERTS/KEYS

[screenshot: SSLSocks CERTS/KEYS tab]
This is where you’d specify your pem/p12 files. They can either be written manually, or most likely be imported to the app. Simply click the + sign at the bottom right corner of the screen and then click on IMPORT FROM FILE to import your certificate.
[screenshot: SSLSocks certificate import]
All files in this section must have either a pem or a p12 extension. Unfortunately this limitation makes them unusable for CRLpath/CApath.
Don’t forget to click on the little save icon at the top right corner of the screen to save your cert.
The line below shows how to specify a cert named my-cert.pem in the stunnel.conf:
cert = my-cert.pem

Settings

[screenshot: SSLSocks settings]
Using the top right menu you can open the Settings window, which offers these options:
  • Start on boot: Start stunnel automatically at boot time.
  • OpenVPN Profile: Integration with ics-openvpn to automatically start an OpenVPN profile upon successful stunnel startup.
  • About: Shows the app version and the stunnel binary version.
  • Open Source Licenses: Self-explanatory.

Starting stunnel

You are now ready to start the stunnel process. As I have mentioned earlier, you may use the HOME tab to start the stunnel process.
If everything goes fine, a sticky notification will appear on your device and will stay there until it’s stopped:
[screenshot: SSLSocks notification]
As you can see, the same notification can be used to stop the stunnel process as well.
If the stunnel process stops right after starting, there is probably an issue with your config file. You may use the LOG tab for troubleshooting.
Also, in recent Android versions (7.1+), you have the option to start the process by long pressing the app icon:
[screenshot: SSLSocks app icon long press]

Further considerations

If you decide to run stunnel in server mode on your Android device, you might also want to consider generating static DH parameters to avoid draining the battery.
And that’s about it! As always, I would love to know your thoughts. Please share them with me below.

  1. According to the stunnel author, Michał Trojnara, this is rather easy to achieve.
  2. If you are interested, one such use (which does not require a rooted device) is documented here.

from https://archive.is/mY2pq#selection-465.0-1037.2