Tunneling OpenVPN with HTTPS with Stunnel and Ubuntu

April 12, 2015

Things to do

  1. Install and configure Stunnel server on machine running OpenVPN server
  2. Install and configure Stunnel client on machine running OpenVPN client

Just a few steps. It is not that hard to make my OpenVPN traffic look like HTTPS traffic.


  • Assume OpenVPN server is using TCP port 1194.
  • Assume OpenVPN server is using virtual subnet
  • Assume OpenVPN server is using as internal network IP
  • OpenVPN server must use TCP instead of UDP!!
  • For OpenVPN client, assume Internet Network is using address, gateway

Install and Configure Stunnel Server

Run the following commands in sequence and as root

# sudo apt-get install stunnel4
# mkdir /etc/ssl/certs/stunnel
# cd /etc/ssl/certs/stunnel
# openssl genrsa -out stunnel.key 2048
# openssl req -new -x509 -key stunnel.key -out stunnel.crt -days 36500
# cat stunnel.key stunnel.crt > /etc/stunnel/stunnel.pem
# vi /etc/stunnel/stunnel.conf

Copy and paste the following to the new stunnel.conf

cert = /etc/stunnel/stunnel.pem
accept = 443
connect =

Open the router administration console in a web browser and perform the following tasks:

  • Add a port forwarding rule for TCP port 443 that forwards to the OpenVPN server where the stunnel server is installed.
  • Add a route to the router
    Destination IP Subnet Mask Gateway Interface LAN

Now run the stunnel server

# service stunnel4 start

Install and Configure Stunnel Client on MacBook 10.10.2

Install homebrew (http://brew.sh/)

# ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Install Stunnel client

# brew install stunnel

Configure Stunnel client

# vi /usr/local/etc/stunnel/stunnel.conf

pid = /usr/local/etc/stunnel/stunnel.pid
output = /usr/local/etc/stunnel/stunnel.log

sslVersion = all

debug = 7

client = yes
accept = 1194
connect = your.dyndns.org:443
sslVersion = all
options = NO_SSLv2

Configure OpenVPN client

Modify the OpenVPN client configuration so that it connects to the stunnel client on localhost instead.

proto tcp
remote localhost 1194
remote-cert-tls server

Below is my working example

dev tun
proto tcp
remote localhost 1194
resolv-retry infinite
ca /Users/ray/OpenVPN/ca.crt
cert /Users/ray/OpenVPN/mbp.crt
key /Users/ray/OpenVPN/mbp.key
remote-cert-tls server
tls-auth /Users/ray/OpenVPN/ta.key 1
cipher AES-256-CBC
verb 7

Now run Stunnel client

# stunnel

ALL DONE. Now I can access my home network on the road with OpenVPN using HTTPS tunneling.

Routing all Internet traffic to OpenVPN server

Edit the OpenVPN client's configuration and add the following lines to the end.

redirect-gateway def1
route your.dyndns.org

Now all my Internet traffic is routed to the OpenVPN server through real SSL 🙂
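
A cross-check of the two client-side files described above, added here as an example (it is not code from the original post). It confirms that OpenVPN uses TCP and points at the local stunnel accept port, flags a stunnel client with no verify option, and flags redirect-gateway without a route for the stunnel server. The function names and sample strings are assumptions made for this example, and the route check compares the host name literally.

```python
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_stunnel(text):
    """stunnel.conf -> {option: [values]}; comments and [section] headers are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in ";#[" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts.setdefault(key.lower(), []).append(value)
    return opts

def parse_openvpn(text):
    """OpenVPN config -> list of [directive, arg, ...] with comments removed."""
    rows = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return [r for r in rows if r and not r[0].startswith(";")]

def check_tunnel(stunnel_text, openvpn_text):
    """Return a list of findings; an empty list means the two files agree."""
    st, ov = parse_stunnel(stunnel_text), parse_openvpn(openvpn_text)
    findings = []
    if st.get("client", ["no"])[-1].lower() != "yes":
        findings.append("stunnel: 'client = yes' is missing")
    accept_port = st.get("accept", [""])[-1].rsplit(":", 1)[-1]
    server_host = st.get("connect", [""])[-1].rsplit(":", 1)[0]
    if not any(key.startswith("verify") for key in st):
        findings.append("stunnel: no verify option, any server certificate is accepted")
    protos = [d[1] for d in ov if d[0] == "proto" and len(d) > 1]
    if not protos or not protos[-1].startswith("tcp"):
        findings.append("openvpn: proto is not tcp, stunnel carries TCP only")
    # A remote without an explicit port falls back to OpenVPN's default, 1194.
    remotes = [(d + ["1194"])[1:3] for d in ov if d[0] == "remote" and len(d) > 1]
    if not any(host in LOOPBACK and port == accept_port for host, port in remotes):
        findings.append("openvpn: no remote points at the local stunnel accept port")
    if any(d[0] == "redirect-gateway" for d in ov):
        if server_host not in {d[1] for d in ov if d[0] == "route" and len(d) > 1}:
            findings.append("openvpn: redirect-gateway without a route for " + server_host)
    return findings

# Constructed samples: the option lines are the ones shown on this page.
STUNNEL_CLIENT = "client = yes\naccept = 1194\nconnect = your.dyndns.org:443\n"
OPENVPN_OK = "proto tcp\nremote localhost 1194\nremote-cert-tls server\n"
OPENVPN_BAD = "proto udp\nremote your.dyndns.org 1194\nredirect-gateway def1\n"

if __name__ == "__main__":
    for name, conf in (("ok", OPENVPN_OK), ("bad", OPENVPN_BAD)):
        print(name, check_tunnel(STUNNEL_CLIENT, conf))
```

The inner OpenVPN session still authenticates the server through ca and remote-cert-tls, so the verify finding concerns only the outer stunnel TLS layer.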

2 thoughts on “Tunneling OpenVPN with HTTPS with Stunnel and Ubuntu”

  1. Nas

    You could be a lot more clear about private subnets and the routes. Seems you’ve been in a rush to write this article.

