OpenVPN's protocol is easy to identify; a corporate firewall can block it, let alone the Great Firewall.
Run stunnel alongside OpenVPN:
OpenVPN client -> stunnel client -> stunnel server (port 443) -> OpenVPN server
That way any firewall sees nothing but a single HTTPS connection; short of blocking HTTPS altogether, there is no way to block it.
That's a good approach!
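To show why the thread's point holds, here is an added example (mine, not from the thread or any project) of the first-packet heuristic a firewall's DPI can apply: raw OpenVPN in TCP mode opens with a 2-byte length and a hard-reset opcode byte, while the stunnel-wrapped connection opens with a TLS ClientHello. The opcode values come from the OpenVPN wire protocol; the sample packets are constructed, not captured.

```python
# Opcodes from the OpenVPN wire protocol; the opcode byte is (opcode << 3) | key_id.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7    # classic handshake opener (also with tls-auth / tls-crypt)
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # tls-crypt-v2 handshake opener

def looks_like_openvpn_tcp(data: bytes) -> bool:
    """First client packet of OpenVPN in TCP mode: 2-byte big-endian length, then opcode/key_id."""
    if len(data) < 3:
        return False
    length = int.from_bytes(data[:2], "big")
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    # a hard reset carries at least opcode + 8-byte session id + ack-array length + 4-byte packet id
    return (key_id == 0 and length >= 14
            and opcode in (P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3))

def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 3.x, 2-byte length, handshake type 1."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] in (1, 2, 3) and data[5] == 0x01)

def classify(data: bytes) -> str:
    """What a protocol classifier would label the first bytes a client sends."""
    if looks_like_tls_client_hello(data):
        return "tls"
    if looks_like_openvpn_tcp(data):
        return "openvpn"
    return "unknown"

# Constructed sample packets (not captures): a bare OpenVPN hard reset (length 14, opcode 0x38,
# session id, empty ack array, packet id 0), and the start of the TLS ClientHello that the same
# connection begins with once stunnel wraps it towards port 443.
OPENVPN_HARD_RESET = bytes([0x00, 0x0E, 0x38]) + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"
```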
https://kyle.io/2012/12/tunneling-openvpn-through-stunnel/
https://serverfault.com/questions/675553/stunnel-vpn-traffic-and-ensure-it-looks-like-ssl-traffic-on-port-443
https://charlesreid1.com/wiki/OpenVPN/Stunnel
https://my.hostvpn.com/knowledgebase/32/Stunnel-with-OpenVPN-Client-in-Linux.html
https://forums.openvpn.net/viewtopic.php?t=18110
https://www.stunnel.org/pipermail/stunnel-users/2014-July/004672.html
https://airvpn.org/topic/16444-stunnel-openvpn-howto-for-airvpn-ssl-tunneling/
https://www.raspberrypi.org/forums/viewtopic.php?f=36&t=40389
Hiding OpenVPN traffic with Stunnel to get past the firewall:
https://www.linuxops.fun/2017/05/31/8a64b922.html
https://insidelinuxdev.net/article/a03krd.html
https://qhh.me/2019/06/23/%E4%BD%BF%E7%94%A8-Stunnel-%E9%9A%90%E8%97%8F-OpenVPN-%E6%B5%81%E9%87%8F/
https://www.hawu.me/operation/886
------------------------- Setting up Stunnel
We are now going to insert Stunnel into the picture, as shown in the diagram at the top of the page. Our connection from OpenVPN client to OpenVPN server:1194 will be tunneled as HTTP SSL traffic on vps_ip:443.
B.1. Stunnel Pre-Shared Key (PSK)
SSH into your vps again. Switch to root and install Stunnel version 4:
apt-get install stunnel4
Change into the directory for Stunnel:
cd /etc/stunnel
Different approaches to authentication are possible. We will use the method of having a Pre-Shared Key (PSK), i.e. a secret known to both server and client. (See https://www.stunnel.org/auth.html for more on authentication in stunnel.)
To generate a 32-character random password, type:
openssl rand -base64 24
This might give, for example:
j5JAGgu/+3vRobIMRhwVuqwbEmmfI1zI
Copy the answer into a file named psk.txt, i.e.:
vi psk.txt
Type or paste in your random password, preceded by a client identifier. This will allow you, if you wish, to have more than one client, each with its own key.
client1:j5JAGgu/+3vRobIMRhwVuqwbEmmfI1zI
Write the file psk.txt to disk, and quit the editor.
B.2. Stunnel Server Set Up
Anything in /etc/stunnel ending in .conf will be taken as a configuration file. Each such file will be used to start a daemon process that sets up a tunnel with the given configuration. The directory /etc/stunnel is initially empty.
Copy the sample configuration file into place:
cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample stunnel.conf
Edit the copy of the sample configuration file:
vi stunnel.conf
Comment out the sections for Gmail, which we will not be using, by putting a semi-colon at the start of each line:
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;verify = 2
;CApath = @sysconfdir/ssl/certs
;checkHost = pop.gmail.com

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;verify = 2
;CApath = @sysconfdir/ssl/certs
;checkHost = imap.gmail.com

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
;verify = 2
;CApath = @sysconfdir/ssl/certs
;checkHost = smtp.gmail.com
Add a section for OpenVPN:
[openvpn]
accept = 123.45.67.89:443
connect = 127.0.0.1:1194
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt
(Of course, you must replace 123.45.67.89 with your actual server IP address.)
Write the edited stunnel.conf to disk, and quit the editor.
Enable automatic startup:
vi /etc/default/stunnel4
Change to enable:
ENABLED=1
Write the edited file to disk, and quit the editor.
Open the server firewall:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
dpkg-reconfigure iptables-persistent
Start Stunnel with all these changes applied:
/etc/init.d/stunnel4 start
Check that it is working with the following commands (press q to leave the journalctl pager):
journalctl -u stunnel4
systemctl status stunnel4.service
ps -A | grep stunnel4
netstat -tulpn | grep stunnel4
Stop OpenVPN from listening on all interfaces and just make it listen on localhost by editing its configuration file:
vi /etc/openvpn/server.conf
add the line:
local 127.0.0.1
Write the edited file to disk, and quit the editor.
Assuming you have another iptables rule that accepts all loopback packets, you can close port 1194 to the public:
iptables -D INPUT -p tcp --dport 1194 -j ACCEPT
dpkg-reconfigure iptables-persistent
Restart OpenVPN with these changes:
service openvpn restart
netstat -tulpn | grep openvpn
That is the end of the server work for now.
B.3. Stunnel Client Set Up
I’ve found Notepad++ more reliable than Notepad for editing configuration files, so download and install Notepad++ before you begin.
Then, to get your Windows client version of Stunnel, go to the Stunnel downloads page and download the latest Stunnel installer executable (exe) file.
In your Downloads folder, right-click on the Stunnel installer executable, and select Run as administrator. During installation, a command window will pop up, prompting you to enter the usual information for a certificate distinguished name (DN).
Run Stunnel from the icon it puts on your desktop (or from C:\Program Files (x86)\stunnel\bin) by right-clicking and selecting Run as administrator.
The Stunnel icon appears in the system tray (bottom right). Right-click on it to bring up the context menu.
Once you have right-clicked to bring up the context menu, select Edit Configuration.
Again, delete or comment out the lines for Gmail. Then at the end, add:
[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = 123.45.67.89:443
PSKsecrets = pskclient1.txt
(Of course, you must replace 123.45.67.89 with your actual server IP address.)
Save the configuration file.
Using Notepad++, create a file pskclient1.txt with only a single line:
client1:j5JAGgu/+3vRobIMRhwVuqwbEmmfI1zI
Save the file pskclient1.txt and close it.
Right-click on the Stunnel icon in the system tray, and this time choose Reload Configuration.
Run Notepad++ as administrator to edit the OpenVPN client configuration file, C:\Program Files\OpenVPN\config\windows10.ovpn. Redirect your OpenVPN client to localhost port 1194, where Stunnel is now listening:
remote 127.0.0.1 1194
Reconnect your OpenVPN connection. It will now send traffic to localhost:1194, which the Stunnel client will send out to your server:443.
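The four files written in B.1 to B.3 have to agree with each other, and a mismatch only shows up as a silent connection failure. As an added check (my code, not part of the guide), the script below parses stunnel's INI-style configuration and the PSKsecrets files and cross-checks the chain: the client's connect target is the server's accept endpoint, the .ovpn remote points at the local stunnel, and every client identity has the identical key on the server. It assumes, as stunnel requires, that the OpenVPN server runs in TCP mode; the sample inputs are constructed from the values the guide shows.

```python
# Sample inputs below are constructed from the values the guide itself shows (not real deployments).
SERVER_CONF = """[openvpn]
accept = 123.45.67.89:443
connect = 127.0.0.1:1194
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt"""
CLIENT_CONF = """[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = 123.45.67.89:443
PSKsecrets = pskclient1.txt"""
SERVER_PSK = "client1:j5JAGgu/+3vRobIMRhwVuqwbEmmfI1zI\n"
CLIENT_PSK = "client1:j5JAGgu/+3vRobIMRhwVuqwbEmmfI1zI\n"

def parse_stunnel_conf(text):
    """stunnel's INI-style config: global options first, then [service] sections; ';' or '#' start a comment."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, val = line.partition("=")
        sections[current][key.strip()] = val.strip()
    return sections

def parse_psk(text):
    """PSKsecrets file: one 'identity:key' per line (the identity lets several clients share one server)."""
    return {ident.strip(): key.strip() for ident, _, key in
            (line.partition(":") for line in text.splitlines()) if key}

def check_chain(server_conf, server_psk, client_conf, client_psk, ovpn_remote):
    """Cross-check the four files; returns a list of problems (empty list = the chain lines up)."""
    s = parse_stunnel_conf(server_conf)["openvpn"]
    c = parse_stunnel_conf(client_conf)["openvpn"]
    host, port = ovpn_remote.split()[1:3]  # the 'remote 127.0.0.1 1194' line from the .ovpn file
    problems = []
    if c.get("client") != "yes" or s.get("client") == "yes":
        problems.append("only the client-side [openvpn] section may set client = yes")
    if c.get("connect") != s.get("accept"):  # the client dials the server's public accept endpoint
        problems.append(f"client connect {c.get('connect')} != server accept {s.get('accept')}")
    if f"{host}:{port}" != c.get("accept"):  # OpenVPN must talk to the local stunnel, not to the server
        problems.append(f"OpenVPN remote {host}:{port} != client stunnel accept {c.get('accept')}")
    server_keys, client_keys = parse_psk(server_psk), parse_psk(client_psk)
    for ident, key in client_keys.items():  # each client identity needs the identical key server-side
        if server_keys.get(ident) != key:
            problems.append(f"PSK identity {ident!r} missing or mismatched on the server")
    return problems
```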
---------------------
OpenVPN Cloaking with Stunnel or Obfsproxy
Given here are two methods of maintaining OpenVPN service against filtering attacks by governments opposed to anonymity, security, and freedom of access on the internet. Both methods have come about due to the deployment of advanced surveillance technology, known as "deep packet inspection (DPI)," which identifies and enables blocking of VPN connections. OpenVPN connections are high-priority targets due to the protocol's speed, security, and high popularity among internet users. Stunnel and Obfsproxy both conceal the VPN packets within an encrypted shell and make them resistant to deep packet inspection "find and block" activities. At some point in the future, expect OpenVPN to alter its protocol for more immunity to detection and blocking. Until that time, use these instructions to evade DPI. These methods are not perfect: a determined attacker, with enough time, can find and block anything it can't identify or decrypt. By regularly changing server IP addresses and keys, national firewalls will be ineffective against cloaked OpenVPN.
Note: The instructions given here for cloaking OpenVPN with Stunnel or Obfsproxy were accomplished on a system running Debian Sid Gnu/Linux. They should be applicable, with minor changes, to other Linux systems. Mac OSX and Windows systems can also use Stunnel or Obfsproxy with OpenVPN, but the installation method differs from what is shown here.
Configuring an OpenVPN System for Stunnel
Stunnel will sit between the server and the internet. Inbound packets from clients will be decrypted and routed to the openVPN server. Outbound packets will be encrypted and sent to clients, looking like pure SSL data to any surveillance agents on the network.
Stunnel on the OpenVPN Server
Install Stunnel:
apt-get install stunnel4
Move to the stunnel directory:
cd /etc/stunnel/
Create a private key for the server:
openssl genrsa -out server.key 4096
Create a "Certificate Signing Request":
openssl req -new -key server.key -out server.csr
Create a self-signed certificate from the request, signed with the server key:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Put the key and certificate into a pem file:
cat server.key > server.pem && cat server.crt >> server.pem
After the key and certificate are created, specify the configuration for stunnel. Create a config file, named stunnel.conf, and edit it using any suitable editor (vi, nano, gedit, for example). Copy the following into stunnel.conf:
sslVersion = all
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
compression = zlib
; server side: no "client = yes" here, and stunnel presents the certificate created above
cert = /etc/stunnel/server.pem
[openvpn]
; port the stunnel clients connect to (their "connect = ENDPOINT_IP:16080")
accept = 16080
; OPENVPN_TCP_PORT is a placeholder: the TCP port the local OpenVPN server listens on
connect = 127.0.0.1:OPENVPN_TCP_PORT
The accept port should preferably be a high port number not used by other applications. The connect port MUST be the TCP port to be used by OpenVPN. After editing and double checking the entries, save the file and quit the editor.
Enable stunnel and start stunnel. First, open the file /etc/default/stunnel4 in a text editor. Find the ENABLED parameter and change ENABLED=0 to ENABLED=1. After editing and double checking the entries, save the file and quit the editor. Start stunnel4 with the command:
/etc/init.d/stunnel4 start
To start stunnel automatically at system boot time, put the above start-up command into the file /etc/init.d/rc.local.
Restart OpenVPN with the command:
service openvpn restart
Stunnel on the OpenVPN Client
Install Stunnel:
sudo apt-get install stunnel4
Use the following configuration data for the client's /etc/stunnel/stunnel.conf. ENDPOINT_IP should be written as the actual IP address of the OpenVPN server.
client = yes
compression = zlib
[openvpn]
client = yes
accept = 127.0.0.1:16080
connect = ENDPOINT_IP:16080
Edit the openvpn config file "remote" line:
remote 127.0.0.1 16080
Add the following line to the openvpn config file:
route ENDPOINT_IP 255.255.255.255 net_gateway
Add the following iptables rule:
sudo iptables -A INPUT -p tcp -m tcp --dport 16080 -j ACCEPT
from https://www.ab9il.net/crypto/openvpn-cloaking.html
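The route line above is easy to drop and hard to debug, so here is an added example (mine, not from the ab9il page) that models why it is needed: with redirect-gateway, OpenVPN installs two /1 routes into tun0 and adds a host route only for its configured remote, which is now 127.0.0.1, so the stunnel client's own TCP connection to ENDPOINT_IP would be routed back into the tunnel unless a /32 via net_gateway is added by hand. The routing tables are constructed; 203.0.113.10 stands in for ENDPOINT_IP and 192.168.1.1 for net_gateway.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs, the way the kernel picks a route."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

# Constructed routing tables (not from a real host). 203.0.113.10 stands in for the page's
# ENDPOINT_IP placeholder; 192.168.1.1 plays net_gateway, the LAN gateway that existed before
# the tunnel came up.
ENDPOINT_IP, LAN_GATEWAY = "203.0.113.10", "192.168.1.1"
BASE = [("0.0.0.0/0", LAN_GATEWAY), ("192.168.1.0/24", "eth0")]
# redirect-gateway def1 adds two /1 routes, which beat the /0 default route for every destination
REDIRECT = [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]
# the page's 'route ENDPOINT_IP 255.255.255.255 net_gateway' line: a /32 via the LAN gateway
HOST_ROUTE = [(ENDPOINT_IP + "/32", LAN_GATEWAY)]

def stunnel_traffic_loops(routes):
    """True when the stunnel client's TCP traffic to the server would be sent back into tun0."""
    return lookup(routes, ENDPOINT_IP) == "tun0"
```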