OpenVPN over Stunnel
This guide provides a step-by-step walkthrough on how to set up OpenVPN over Stunnel on Ubuntu 22.04. By encapsulating OpenVPN traffic within an SSL tunnel using Stunnel, you can enhance security and potentially bypass network restrictions or firewalls that block or throttle VPN connections.
- VPS Server:
- Root or sudo access.
- Client Machine:
- A computer running Ubuntu or any Linux distribution compatible with OpenVPN and Stunnel.
- Root or sudo access.
We will perform the following high-level steps:
- On the VPS Server:
- Install and configure Stunnel.
- Install and configure OpenVPN.
- On the Client Machine:
- Install and configure Stunnel.
- Configure OpenVPN to connect through Stunnel.
Ensure your system packages are up to date.
Explanation: This updates the package list and upgrades installed packages to their latest versions, ensuring you have the latest security patches and features.
Install Stunnel, which will be used to create an SSL tunnel for OpenVPN traffic.
Explanation: Installs the Stunnel package, allowing you to encrypt arbitrary TCP connections inside SSL.
Navigate to the Stunnel configuration directory and generate a self-signed SSL certificate.
Explanation:
- openssl req -new -x509 -days 365 -nodes: Generates a new X.509 certificate valid for 365 days without a passphrase (-nodes).
- -out stunnel.pem -keyout stunnel.pem: Outputs both the certificate and the private key to stunnel.pem.
Note: You'll be prompted to enter information (Country, State, etc.). You can fill these out or leave them blank.
Create a log file for Stunnel to write logs.
Explanation:
- Creates a directory for Stunnel logs.
- Creates an empty log file and sets appropriate ownership.
Open the Stunnel configuration file.
Add the following configuration:
Explanation:
- output: Specifies where to write log output.
- [openvpn]: Defines a service named "openvpn".
- client = no: Runs Stunnel in server mode.
- accept = 443: Listens on port 443 (common HTTPS port, often allowed through firewalls).
- connect = 127.0.0.1:1194: Forwards incoming connections to the local OpenVPN service.
- cert: Specifies the SSL certificate file.
Enable Stunnel to start on boot and start the service.
Explanation:
- enable: Ensures Stunnel starts on system boot.
- restart: Starts or restarts the Stunnel service.
- status: Checks if Stunnel is running correctly.
Download and run the OpenVPN installation script.
Explanation: This script automates OpenVPN installation and configuration. It will prompt for configuration options—choose settings that suit your needs.
Edit the OpenVPN server configuration file to listen on all interfaces.
Find and modify the local directive:
Explanation: Setting local 0.0.0.0 ensures OpenVPN listens on all network interfaces.
Apply the configuration changes.
Explanation: Restarts the OpenVPN service and verifies it's running properly.
Install Stunnel on the client machine.
Navigate to the Stunnel configuration directory and create the configuration file.
Add the following configuration:
Explanation:
- client = yes: Runs Stunnel in client mode.
- accept = 127.0.0.1:1194: Listens locally on port 1194.
- connect = VPS_IP_ADDRESS:443: Connects to the VPS server's Stunnel service.
Note: Replace VPS_IP_ADDRESS with your actual VPS server IP.
Enable Stunnel to start on boot and start the service.
Securely copy the OpenVPN client configuration file from the VPS to your client machine.
Explanation: Copies client.ovpn to your home directory.
Note: Replace VPS_IP_ADDRESS with your VPS IP.
Rename and edit the OpenVPN client configuration file.
Modify the following:
- Change the remote directive to point to the local Stunnel endpoint:
- Add or modify the following directives:
- Optionally, specify a log file:
Explanation:
- remote 127.0.0.1 1194: Connects OpenVPN to the local Stunnel service.
- route-nopull: Prevents automatic route changes.
- script-security 2: Allows the execution of scripts.
- route-up: Executes a script after connection is established.
Create a script to adjust routing after connecting.
Add the following content:
Explanation:
- SERVER_IP: Your VPS server IP.
- GATEWAY: Determines the default gateway to route traffic to the VPS server outside the VPN tunnel.
- The ip route add commands adjust the routing table.
Note: Replace VPS_IP_ADDRESS with your VPS IP.
Make the script executable:
Start the OpenVPN client service.
Explanation: Enables and starts the OpenVPN client using the modified configuration.
Before and after starting the VPN, check your public IP to ensure traffic is routed through the VPN.
Check that Stunnel and OpenVPN services are running.
Ensure you can access internet resources and that traffic is routed through the VPN.
- Stunnel Connection Refused:
- Ensure the VPS firewall allows incoming connections on port 443.
- Verify Stunnel is running on the VPS: sudo systemctl status stunnel4.
- OpenVPN Authentication Failed:
- Check that client and server certificates match.
- Review OpenVPN logs on both client and server for errors.
- Routing Issues:
- Verify the routing.sh script has the correct server IP.
- Ensure the script is executable and the path is correct in the OpenVPN config.
- Service Fails to Start:
- Review logs: journalctl -xe or specific service logs.
- Check for typos or syntax errors in configuration files.
By following this guide, you've successfully set up OpenVPN over Stunnel on Ubuntu 22.04. This configuration provides an additional layer of encryption and can help bypass network restrictions by encapsulating VPN traffic within standard SSL/TLS protocols.
Note: Always ensure that your use of VPNs and encryption complies with local laws and regulations.
