Guide

Instructions

Link

Useful link here: http://kyl191.net/2012/12/tunneling-openvpn-through-stunnel/

See Stunnel page for the basics. Reviewing some of those steps here.

Create Stunnel Server SSL Certificate

Main article: Stunnel/Certificates

Start by creating an SSL certificate for the stunnel server:

openssl req -new -x509 -days 3650 -nodes -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem

This puts the SSL certificate in the /etc/stunnel directory.

Configure Stunnel Server for OpenVPN

Main article: Stunnel/Server

The stunnel server will listen for external, encrypted traffic on port 443. It will decrypt any traffic it receives, and forward it on to OpenVPN at local port 9999. Here is the stunnel configuration file to accomplish this:

[openvpn]
accept	= 443
connect = 127.0.0.1:9999

Here, port 9999 is a local port only, and is closed to the rest of the world. Stunnel listens on port 443 for OpenVPN traffic, and when it hears anything, it encrypts it and forwards it on to local port 9999 (where OpenVPN is listening).

Verify OpenVPN Running on Server

Main article: OpenVPN

Verify OpenVPN process is up and listening:

$ ps aux | grep [o]penvpn

$ netstat -tulpn | grep openvpn

Open Hole in Firewall

Main article: Stunnel/Server

Now use iptables to open up the firewall. Assuming you're using port 443:

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Configure Stunnel Client

Main article: Stunnel/Client

Now we will edit stunnel.conf on the client. This configuration assumes OpenVPN is running on the client on port 9999 as well:

...

client  = yes

[openvpn]
accept 	= 127.0.0.1:9999
connect = A.B.C.D:443

This assumes you are using TCP for OpenVPN. (If you use OpenVPN in UDP mode, I don't know what will happen.)

References

Useful links:

Flags

OpenVPN/Stunnel

From charlesreid1

Contents