Setting Up OpenVPN over Stunnel on Ubuntu 22.04
Introduction
This guide provides a step-by-step walkthrough on how to set up OpenVPN over Stunnel on Ubuntu 22.04. By encapsulating OpenVPN traffic within an SSL tunnel using Stunnel, you can enhance security and potentially bypass network restrictions or firewalls that block or throttle VPN connections.
Prerequisites
- VPS Server:
  - An EDIS Global VPS running Ubuntu 22.04.
  - Root or sudo access.
- Client Machine:
  - A computer running Ubuntu or any Linux distribution compatible with OpenVPN and Stunnel.
  - Root or sudo access.
Overview
We will perform the following high-level steps:
- On the VPS Server:
  - Install and configure Stunnel.
  - Install and configure OpenVPN.
- On the Client Machine:
  - Install and configure Stunnel.
  - Configure OpenVPN to connect through Stunnel.
Steps on the VPS Server
1. Update and Upgrade System Packages
Ensure your system packages are up to date.
2. Install Stunnel
Install Stunnel, which will be used to create an SSL tunnel for OpenVPN traffic.
3. Generate SSL Certificates for Stunnel
Navigate to the Stunnel configuration directory and generate a self-signed SSL certificate.
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
- openssl req -new -x509 -days 365 -nodes: Generates a new X.509 certificate valid for 365 days without a passphrase (-nodes).
- -out stunnel.pem -keyout stunnel.pem: Outputs both the certificate and the private key to stunnel.pem.
4. Create a Log File for Stunnel
Create a log file for Stunnel to write logs.
- Creates a directory for Stunnel logs.
- Creates an empty log file and sets appropriate ownership.
5. Configure Stunnel
Open the Stunnel configuration file.
- output: Specifies where to write log output.
- [openvpn]: Defines a service named “openvpn”.
- client = no: Runs Stunnel in server mode.
- accept = 443: Listens on port 443 (common HTTPS port, often allowed through firewalls).
- connect = 127.0.0.1:1194: Forwards incoming connections to the local OpenVPN service.
- cert: Specifies the SSL certificate file.
6. Enable and Start Stunnel Service
Enable Stunnel to start on boot and start the service.
- enable: Ensures Stunnel starts on system boot.
- restart: Starts or restarts the Stunnel service.
- status: Checks if Stunnel is running correctly.
7. Install OpenVPN
Download and run the OpenVPN installation script.
8. Modify OpenVPN Server Configuration
Edit the OpenVPN server configuration file to listen on all interfaces.
- local directive: local 0.0.0.0 ensures OpenVPN listens on all network interfaces.
9. Restart OpenVPN Service
Apply the configuration changes.
Steps on the Client Machine
1. Install Stunnel
Install Stunnel on the client machine.
2. Configure Stunnel
Navigate to the Stunnel configuration directory and create the configuration file.
- client = yes: Runs Stunnel in client mode.
- accept = 127.0.0.1:1194: Listens locally on port 1194.
- connect = VPS_IP_ADDRESS:443: Connects to the VPS server’s Stunnel service.
Note: Replace VPS_IP_ADDRESS with your actual VPS server IP.
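The two Stunnel configurations this guide describes (server step 5 above, and client step 2 here) assembled into complete files by two shell functions, as an added example that is not the guide's own files. The log path, the client-side server-cert.pem location, and the verifyPeer/CAfile lines (which make the client refuse a TLS tunnel to anything but the VPS certificate; the guide's minimal client config does not check the certificate at all) are assumptions added here. Stunnel carries TCP only, so this also assumes the OpenVPN server and client are configured with proto tcp.

```shell
#!/bin/sh
set -eu

# Server side (VPS): terminate TLS on 443, hand plaintext OpenVPN to 127.0.0.1:1194.
# Paths below are assumed; adjust to the log directory created in step 4.
stunnel_server_conf() {
    cat <<'EOF'
output = /var/log/stunnel/stunnel.log
cert = /etc/stunnel/stunnel.pem

[openvpn]
client = no
accept = 443
connect = 127.0.0.1:1194
EOF
}

# Client side: listen on 127.0.0.1:1194 for OpenVPN, open TLS to the VPS on 443.
# $1 is the VPS address. $2 is the certificate part ONLY of the server's stunnel.pem
# (extract it with: openssl x509 -in stunnel.pem -out server-cert.pem); never copy
# the private key off the VPS. verifyPeer/CAfile make the client check that the
# endpoint presents exactly that certificate, an addition beyond the guide's config.
stunnel_client_conf() {
    vps_ip=$1
    server_cert=${2:-/etc/stunnel/server-cert.pem}
    cat <<EOF
output = /var/log/stunnel/stunnel.log

[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = ${vps_ip}:443
verifyPeer = yes
CAfile = ${server_cert}
EOF
}

# Typical use on the client (root): stunnel_client_conf VPS_IP_ADDRESS > /etc/stunnel/stunnel.conf
```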
3. Enable and Start Stunnel Service
Enable Stunnel to start on boot and start the service.
4. Copy OpenVPN Client Configuration File
Securely copy the OpenVPN client configuration file from the VPS to your client machine. This copies client.ovpn to your home directory.
Note: Replace VPS_IP_ADDRESS with your VPS IP.
5. Modify OpenVPN Client Configuration
Rename and edit the OpenVPN client configuration file.
- Change the remote directive to point to the local Stunnel endpoint:
- Add or modify the following directives:
- Optionally, specify a log file:
Directive reference:
- remote 127.0.0.1 1194: Connects OpenVPN to the local Stunnel service.
- route-nopull: Prevents automatic route changes.
- script-security 2: Allows the execution of scripts.
- route-up: Executes a script after connection is established.
6. Create a Routing Script
Create a script to adjust routing after connecting.
- SERVER_IP: Your VPS server IP.
- GATEWAY: Determines the default gateway to route traffic to the VPS server outside the VPN tunnel.
- The ip route add commands adjust the routing table.
Note: Replace VPS_IP_ADDRESS with your VPS IP.
Make the script executable:
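An added example of the route-up script for this step, not the guide's own routing.sh (whose contents are not shown here): it pins the VPS address behind the physical gateway before moving the default route into the tunnel, so the Stunnel TCP session can never be routed through the very tunnel it carries. It assumes the guide's ip route add commands perform the usual split-default-route trick (0.0.0.0/1 plus 128.0.0.0/1 via the tun device), and relies on OpenVPN exporting script_type and dev to the hook.

```shell
#!/bin/sh
# route-up hook for OpenVPN with route-nopull: we install the routes ourselves.
set -eu

# Print the next hop of the current default route, given `ip route show` text on stdin.
# Prints nothing if there is no "default via" entry.
gateway_from_routes() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Print the route commands, one per line, without executing them:
#  1. host route to the VPS via the physical gateway, so the Stunnel/OpenVPN TCP
#     session keeps leaving through the real uplink (otherwise a routing loop);
#  2./3. two /1 routes via the tun device, which are more specific than the
#     existing 0.0.0.0/0 and so take over all traffic without deleting it.
route_cmds() {
    server_ip=$1; phys_gw=$2; tun_dev=$3
    printf 'ip route add %s/32 via %s\n' "$server_ip" "$phys_gw"
    printf 'ip route add 0.0.0.0/1 dev %s\n' "$tun_dev"
    printf 'ip route add 128.0.0.0/1 dev %s\n' "$tun_dev"
}

# Only act when OpenVPN invokes us (it sets script_type=route-up and dev=tunN);
# sourcing or running the file by hand is then side-effect free.
if [ "${script_type:-}" = "route-up" ]; then
    SERVER_IP=VPS_IP_ADDRESS   # replace with your VPS IP, as in the guide
    GATEWAY=$(ip route show | gateway_from_routes)
    if [ -z "$GATEWAY" ]; then
        echo "route-up: no default gateway found, refusing to reroute" >&2
        exit 1   # a non-zero exit makes OpenVPN abort rather than run half-routed
    fi
    route_cmds "$SERVER_IP" "$GATEWAY" "${dev:-tun0}" | sh -e
fi
```

Reference it from the .ovpn file with an absolute path (route-up /path/to/routing.sh) together with script-security 2, as described above.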
7. Start OpenVPN Client
Start the OpenVPN client service.
Verification
1. Check IP Address
Before and after starting the VPN, check your public IP to ensure traffic is routed through the VPN.
2. Verify Services
Check that Stunnel and OpenVPN services are running.
3. Test Connectivity
Ensure you can access internet resources and that traffic is routed through the VPN.
Troubleshooting
- Stunnel Connection Refused:
  - Ensure the VPS firewall allows incoming connections on port 443.
  - Verify Stunnel is running on the VPS: sudo systemctl status stunnel4.
- OpenVPN Authentication Failed:
  - Check that client and server certificates match.
  - Review OpenVPN logs on both client and server for errors.
- Routing Issues:
  - Verify the routing.sh script has the correct server IP.
  - Ensure the script is executable and the path is correct in the OpenVPN config.
- Service Fails to Start:
  - Review logs: journalctl -xe or specific service logs.
  - Check for typos or syntax errors in configuration files.
Conclusion
By following this guide, you’ve successfully set up OpenVPN over Stunnel on Ubuntu 22.04. This configuration provides an additional layer of encryption and can help bypass network restrictions by encapsulating VPN traffic within standard SSL/TLS protocols.
Note: Always ensure that your use of VPNs and encryption complies with local laws and regulations.