Total Pageviews

Friday 22 April 2016

替OpenVPN套上stunnel,以顺利连上openvpn服务器

OpenVPN的协议很容易识别出来,公司的防火墙都能block,更别说国内的墙了
上OpenVPN的同时还要上stunnel
OpenVPN client -> stunnel client -> stunnel server (port 443) -> OpenVPN
server
这样对任何防火墙来说都只能看到一个https connection,除非把https封了
否则没有任何办法block it.
这是个好思路!



https://kyle.io/2012/12/tunneling-openvpn-through-stunnel/

https://serverfault.com/questions/675553/stunnel-vpn-traffic-and-ensure-it-looks-like-ssl-traffic-on-port-443

https://charlesreid1.com/wiki/OpenVPN/Stunnel

https://my.hostvpn.com/knowledgebase/32/Stunnel-with-OpenVPN-Client-in-Linux.html

https://forums.openvpn.net/viewtopic.php?t=18110

https://www.stunnel.org/pipermail/stunnel-users/2014-July/004672.html

https://airvpn.org/topic/16444-stunnel-openvpn-howto-for-airvpn-ssl-tunneling/

https://www.raspberrypi.org/forums/viewtopic.php?f=36&t=40389  


使用Stunnel隐藏OpenVPN流量,实现科学上网:

https://www.linuxops.fun/2017/05/31/8a64b922.html

https://insidelinuxdev.net/article/a03krd.html

https://qhh.me/2019/06/23/%E4%BD%BF%E7%94%A8-Stunnel-%E9%9A%90%E8%97%8F-OpenVPN-%E6%B5%81%E9%87%8F/

https://www.hawu.me/operation/886

-------------------------

setting Stunnel

We are now going to insert Stunnel into the picture, as shown in the diagram at the top of the page. Our connection from OpenVPN client to OpenVPN server:1194 will be tunneled as HTTP SSL traffic on vps_ip:443.

B.1. Stunnel Pre-Shared Key (PSK)

SSH into your vps again. Switch to root and install Stunnel version 4:
apt-get install stunnel4
Change into the directory for Stunnel:
cd /etc/stunnel
Different approaches to authentication are possible. We will use the method of having a Pre-Shared Key (PSK), i.e. a secret known to both server and client. (See https://www.stunnel.org/auth.html for more on authentication in stunnel.)
To generate a 32-character random password, type:
openssl rand -base64 24
This might give, for example:
j5JAGgu/+3vRobIMRhwVuqwbEmmfI1zI
Copy the answer into a file named psk.txt, i.e.:
vi psk.txt
Type or paste in your random password, preceded by a client identifier. This will allow you, if you wish, to have more than one client, each with its own key.
client1:j5JAGgu/+3vRobIMRhwVuqwbEmmfI1zI
Write the file psk.txt to disk, and quit the editor.

B.2. Stunnel Server Set Up

Anything in /etc/stunnel ending in .conf will be taken as a configuration file. Each such file will be used to start a daemon process that sets up a tunnel with the given configuration. The directory /etc/stunnel is initially empty.
Copy the sample configuration file into place:
cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample \
    stunnel.conf
Edit the copy of the sample configuration file:
vi stunnel.conf
Comment out the sections for Gmail, which we will not be using, by putting a semi-colon at the start of each line:
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;verify = 2
;CApath = @sysconfdir/ssl/certs
;checkHost = pop.gmail.com

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;verify = 2
;CApath = @sysconfdir/ssl/certs
;checkHost = imap.gmail.com

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
;verify = 2
;CApath = @sysconfdir/ssl/certs
;checkHost = smtp.gmail.com
Add a section for OpenVPN:
[openvpn]
accept = 123.45.67.89:443
connect = 127.0.0.1:1194
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt
(Of course, you must replace 123.45.67.89 with your actual server IP address.)
Write the edited stunnel.conf to disk, and quit the editor.
Enable automatic startup:
vi /etc/default/stunnel4
Change to enable:
ENABLED=1
Write the edited file to disk, and quit the editor.
Open the server firewall:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
dpkg-reconfigure iptables-persistent
Start Stunnel with all these changes applied:
/etc/init.d/stunnel4 start
Check that it is working with:
journalctl -u stunnel4
q
systemctl status stunnel4.service
ps -A | grep stunnel4
netstat -tulpn|grep stunnel4
Stop OpenVPN from listening on all interfaces and just make it listen on localhost by editing its configuration file:
vi /etc/openvpn/server.conf
add the line:
local 127.0.0.1
Write the edited file to disk, and quit the editor.
Assuming you have another iptables rule that accepts all loopback packets, you can close port 1194 to the public:
iptables -D INPUT -p tcp --dport 1194 -j ACCEPT
dpkg-reconfigure iptables-persistent
Restart OpenVPN with these changes:
service openvpn restart
netstat -tulpn | grep openvpn
That is the end of the server work for now. 

B.3. Stunnel Client Set Up

I’ve found Notepad++ more reliable than Notepad for editing configuration files, so download and installNotepad++ before you begin.
Then, to get your Windows client version of Stunnel, go to the Stunnel downloads page:
Download the latest Stunnel installer executable (exe) file.
In your Downloads folder, right-click on the Stunnel installer executable, and select Run as administrator. During installation, a command window will pop up, prompting you to enter the usual information for a certificate distinguished name (DN).
Run Stunnel from the icon it puts on your desktop (or from C:\Program Files (x86)\stunnel\bin) by right-clicking and selecting Run as administrator.
The Stunnel icon appears in the system tray (bottom right). Right-click on it to bring up the context menu.

Once you have right-clicked to bring up the context menu, select Edit Configuration.
Again, delete or comment out the lines for Gmail. Then at the end, add:
[openvpn]
client = yes  
accept = 127.0.0.1:1194  
connect = 123.45.67.89:443
PSKsecrets = pskclient1.txt
(Of course, you must replace 123.45.67.89 with your actual server IP address.)
Save the configuration file.
Using Notepad++, create a file pskclient1.txt with only a single line:
client1:j5JAGgu/+3vRobIMRhwVuqwbEmmfI1zI
Save the file pskclient1.txt and close it.
Right-click on the Stunnel icon in the system tray, and this time choose Reload Configuration.
Run Notepad++ as administrator to edit the OpenVPN client configuration file, C:\Program Files\OpenVPN\config\windows10.ovpn. Redirect your OpenVPN client to localhost port 1194, where Stunnel is now listening:
remote 127.0.0.1 1194

Reconnect your OpenVPN connection. It will now send traffic to localhost:1194, which Stunnel client will send out to your server:443 .
---------------------

OpenVPN Cloaking with Stunnel or Obfsproxy

Given here are two methods of maintaining OpenVPN service against filtering attacks by governments opposed to anonymity, security, and freedom of access on the internet. Both methods have come about due to the deployment of advanced surveillance technologiy, known as "deep packet inspection (DPI)," which identifies and enables blocking of VPN connections. OpenVPN connections are high priority targets due to the protocol's speed, security, and high popularity among internet users. Stunnel and Obfsproxy both conceal the VPN packets within an encrypted shell and make them resistant to deep packet inspection "find and block" activities. At some point in the future, expect OpenVPN to alter its protocol for more immunity to detection and blocking. Until that time, use these instructions to evade DPI. These methods are not perfect - a determined attacker, with enough time, can find and block anything it can't identify or decrypt. By regularly changing server IP addresses and keys, national firewalls will be ineffective against cloaked OpenVPN.
Note: The instructions given here for cloaking OpenVPN with Stunnel or Obfsproxy were accomplished on a system running Debian Sid Gnu/Linux. They should be applicable, with minor changes, to other Linux systems. Mac OSX and Windows systems can also use Stunnel or Obfsproxy with OpenVPN, but the installation method differs from what is shown here.

Configuring an OpenVPN System for Stunnel

Stunnel will sit between the server and the internet. Inbound packets from clients will be decrypted and routed to the openVPN server. Outbound packets will be encrypted and sent to clients, looking like pure SSL data to any surveillance agents on the network.

Stunnel on the OpenVPN Server

Install Stunnel:
apt-get install stunnel4
Move to the stunnel directory:
cd /etc/stunnel/
Create a self-signed security certificate for the server:
openssl genrsa -out server.key 4096
Create a "Certificate Signing Request":
openssl req -new -key server.key -out server.csr
Create another self-signed certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Put the key and certificate into a pem file:
cat server.key > server.pem && cat server.crt >> server.pem
After the keys security certificates are created, specify the confiuration for stunnel. Create a config file, named stunnel.conf, and edit it using any suitable editor (vi, nano, gedit, for example). Copy the following into stunnel.conf:
sslVersion = all
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
client = yes
compression = zlib
[openvpn]
client = yes
accept = 127.0.0.1:3389
connect = ENDPOINT_IP:16080
The accept port should preferably be a high port number not used by other applications. The connect port MUST be the TCP port to be used by OpenVPN. After editing and double checking the entries, save the file and quit the editor.
Enable stunnel and start stunnel. First, open the file /etc/default/stunnel4 in a text editor. Find the ENABLED parameter and change it from Find the enabling parameter and change ENABLED=0 to ENABLED=1. After editing and double checking the entries, save the file and quit the editor. Start stunnel4 with the command:
/etc/init.d/stunnel4 start
To start stunnel automatically at system boot time, put the above start-up command into the file /etc/init.d/rc.local.
Restart OpenVPN with the command:
service openvpn restart

Stunnel on the OpenVPN Client

Install Stunnel:
sudo apt-get install stunnel4
Use the following configuration data for the client's /etc/stunnel/stunnel.conf. ENDPOINT_IP should be written as the actual IP address of the OpenVPN server.
client = yes
compression = zlib
[openvpn]
client = yes
accept = 127.0.0.1:16080
connect = ENDPOINT_IP:16080
Edit the openvpn config file "remote" line:
remote 127.0.0.1 16080
Add the following line to the openvpn config file:
route ENDPOINT_IP 255.255.255.255 net_gateway
Add the following iptables rule:

sudo iptables -A INPUT -p tcp -m tcp --dport 16080 -j ACCEPT
from https://www.ab9il.net/crypto/openvpn-cloaking.html