Tunneling OpenVPN over HTTPS with Stunnel and Ubuntu

Things to do

  1. Install and configure the Stunnel server on the machine running the OpenVPN server
  2. Install and configure the Stunnel client on the machine running the OpenVPN client

Just a few steps. It is not that hard to make OpenVPN traffic look like HTTPS: stunnel wraps the OpenVPN TCP stream in TLS on port 443, so what an observer on the path sees is a TLS connection to a web port rather than the OpenVPN protocol.
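To see what "looks like HTTPS" actually buys, here is an added example (my own code, not from the original post) that builds the first packet of each kind and runs the check a simple traffic classifier would. A raw OpenVPN-over-TCP session opens with a 2-byte length prefix and an opcode byte (0x38 for the client's hard reset) that is in the clear even when tls-auth is used; the stunnel connection opens with a TLS ClientHello like any browser. Both packets are constructed from the protocol framing; the session id, the client random and the your.dyndns.org name are placeholders.

```python
"""Why raw OpenVPN-over-TCP is easy to spot and what the stunnel wrapper changes.

Added example, not code from the original post. The two sample first packets
are constructed from the OpenVPN control-channel framing and the TLS record
format; in practice they would come from a capture of the TCP stream.
"""

# OpenVPN packet header byte: opcode in the high 5 bits, key_id in the low 3 bits.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # first packet a client sends
P_CONTROL_HARD_RESET_SERVER_V2 = 8   # the server's reply
HARD_RESET_OPCODES = {P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_SERVER_V2}


def openvpn_tcp_hard_reset(session_id: bytes, key_id: int = 0) -> bytes:
    """The client's first OpenVPN packet as it appears on a TCP socket without
    tls-auth: 2-byte big-endian length, then opcode/key_id, the 8-byte session id,
    an empty ACK array (0x00) and the 4-byte message packet id (0)."""
    assert len(session_id) == 8
    body = (bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | key_id])
            + session_id + b"\x00" + (0).to_bytes(4, "big"))
    return len(body).to_bytes(2, "big") + body


def tls_client_hello(server_name: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello (one cipher suite, SNI extension): the shape
    of the first packet on a connection to port 443, stunnel's included."""
    sni_entry = b"\x00" + len(server_name).to_bytes(2, "big") + server_name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    extension = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    hello = (b"\x03\x03"                    # client_version TLS 1.2
             + b"\x11" * 32                 # client random (constructed placeholder)
             + b"\x00"                      # no session id
             + b"\x00\x02\xc0\x2f"          # one suite: ECDHE-RSA-AES128-GCM-SHA256
             + b"\x01\x00"                  # null compression only
             + len(extension).to_bytes(2, "big") + extension)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # handshake type ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify(first_packet: bytes) -> str:
    """DPI-style look at the first packet of a TCP stream.
    Assumes the capture holds exactly one packet (needed for the length check)."""
    if (len(first_packet) >= 6 and first_packet[0] == 0x16
            and first_packet[1] == 0x03 and first_packet[5] == 0x01):
        return "tls-client-hello"          # what port 443 is expected to carry
    if len(first_packet) >= 3:
        declared_len = int.from_bytes(first_packet[:2], "big")
        opcode, key_id = first_packet[2] >> 3, first_packet[2] & 0x07
        if (declared_len == len(first_packet) - 2
                and opcode in HARD_RESET_OPCODES and key_id == 0):
            return "openvpn-tcp"           # framing and opcode are in the clear, tls-auth or not
    return "unknown"


if __name__ == "__main__":
    raw = openvpn_tcp_hard_reset(bytes(range(8)))
    wrapped = tls_client_hello(b"your.dyndns.org")
    for label, pkt in (("direct OpenVPN/TCP", raw), ("via stunnel", wrapped)):
        print(f"{label:20s} {pkt[:6].hex():14s} -> {classify(pkt)}")
```

The wrapper hides OpenVPN's framing, opcodes and session ids from anyone watching the wire, which is the point of this setup. It does not make the server indistinguishable from a web server: the self-signed certificate created below, the long-lived connection and the traffic volume remain visible.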

Assumption

  • The OpenVPN server listens on TCP port 1194.
  • The OpenVPN server uses the virtual subnet 192.168.33.0/255.255.255.0 for its clients.
  • The OpenVPN server's address on the internal (home) network is 192.168.1.100.
  • The OpenVPN server must use TCP instead of UDP: stunnel tunnels TCP streams only, and HTTPS is TCP anyway.
  • For the OpenVPN client, the Internet-facing network is assumed to be 192.168.1.0/255.255.255.0 with gateway 192.168.1.1.

Install and Configure Stunnel Server

Run the following commands in sequence as root. They install stunnel, generate a 2048-bit RSA key and a self-signed certificate for it (openssl req prompts for the subject fields; any values will do, since the client configuration below does not check them), and combine key and certificate into the single PEM file stunnel expects. That PEM contains the private key, so keep it readable by root only.

# apt-get install stunnel4
# mkdir /etc/ssl/certs/stunnel
# cd /etc/ssl/certs/stunnel
# openssl genrsa -out stunnel.key 2048
# openssl req -new -x509 -key stunnel.key -out stunnel.crt -days 36500
# cat stunnel.key stunnel.crt > /etc/stunnel/stunnel.pem
# chmod 600 /etc/stunnel/stunnel.pem
# vi /etc/stunnel/stunnel.conf

Put the following into the new stunnel.conf. The global part names the certificate; the single service section terminates TLS on port 443 and passes the decrypted stream to the OpenVPN server on the loopback interface, so port 1194 never has to be reachable from outside.

; global options
cert = /etc/stunnel/stunnel.pem
; accept TLS on 443, hand the plaintext stream to OpenVPN locally
[openvpn-stunnel]
accept = 443
connect = 127.0.0.1:1194

Launch a web browser, open the router's administration console and perform the following tasks:

  • Add a port forwarding rule for TCP port 443 to 192.168.1.100, the OpenVPN server on which the stunnel server is installed. Only 443 is exposed; OpenVPN's own port stays internal.
  • Add a static route so that hosts on the home LAN can reach VPN clients on the virtual subnet (without it their replies to 192.168.33.x follow the router's default route and never come back through the OpenVPN server):
    Destination     Subnet Mask      Gateway          Interface
    192.168.33.0    255.255.255.0    192.168.1.100    LAN

Now start the stunnel server. On Ubuntu releases where /etc/default/stunnel4 still contains ENABLED=0, change it to ENABLED=1 first, otherwise the init script exits without starting anything.

# service stunnel4 start

Install and Configure Stunnel Client on a MacBook running OS X 10.10.2

Install Homebrew (http://brew.sh/) as your normal user; the installer refuses to run as root:

$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Install the Stunnel client

$ brew install stunnel

Configure the Stunnel client

$ vi /usr/local/etc/stunnel/stunnel.conf

; pid file and log live under the Homebrew prefix on this Mac
pid = /usr/local/etc/stunnel/stunnel.pid
output = /usr/local/etc/stunnel/stunnel.log

sslVersion = all

; 7 is the most verbose level; lower it once the tunnel works
debug = 7

[openvpn]
; client mode: accept plaintext on the local port, connect outward over TLS
client = yes
accept = 1194
connect = your.dyndns.org:443
sslVersion = all
options = NO_SSLv2
options = DONT_INSERT_EMPTY_FRAGMENTS

Two things to be aware of in this configuration. First, it never verifies the server's certificate, so anyone who can intercept the connection can terminate the TLS layer themselves; what actually authenticates the server is OpenVPN's own certificates and tls-auth key running inside the tunnel. To pin the outer layer as well, copy stunnel.crt from the server to the Mac and add verifyPeer = yes together with CAfile = /path/to/stunnel.crt (stunnel 5.x option names) to the [openvpn] section. Second, sslVersion = all with only NO_SSLv2 disabled still allows SSLv3; add options = NO_SSLv3 unless you have a reason to keep it.

Configure OpenVPN client

Point the OpenVPN client at the stunnel client on localhost instead of at the server: the protocol is TCP and the remote is the local port stunnel accepts on. The route line sends traffic for the home LAN (192.168.1.0/24, where the server sits at 192.168.1.100) through the tunnel; note that if the network you connect from also uses 192.168.1.0/24, this route overlaps with your local subnet.

client
proto tcp
remote localhost 1194
remote-cert-tls server
route 192.168.1.0 255.255.255.0

Below is my working example

client
dev tun
proto tcp
# the local stunnel listener, not the real server
remote localhost 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /Users/ray/OpenVPN/ca.crt
cert /Users/ray/OpenVPN/mbp.crt
key /Users/ray/OpenVPN/mbp.key
# reject a server whose certificate is not marked for server use
remote-cert-tls server
# HMAC key shared with the server; direction 1 on the client side
tls-auth /Users/ray/OpenVPN/ta.key 1
cipher AES-256-CBC
comp-lzo
# very chatty; drop to 3 once it works
verb 7
auth-user-pass
# send home-LAN traffic through the tunnel
route 192.168.1.0 255.255.255.0

Now run the Stunnel client, then start the OpenVPN client; stunnel must already be listening on 1194 when OpenVPN connects to it.

$ stunnel

ALL DONE. Now I can access my home network on the road with OpenVPN tunneled inside HTTPS.

Routing all Internet traffic to OpenVPN server

Edit the OpenVPN client's configuration and add the following lines at the end. redirect-gateway def1 sends all traffic through the tunnel. OpenVPN normally protects the tunnel's own connection by adding a host route for its remote via the original gateway, but here the remote is localhost, so OpenVPN knows nothing about your.dyndns.org and the stunnel connection would itself be routed into the tunnel it carries. The explicit route to your.dyndns.org restores that bypass. The 192.168.1.1 in it is the gateway of the network the client connects from (see the assumptions); change it when you are on a network with a different gateway, or write OpenVPN's net_gateway keyword in place of the address to have the current default gateway filled in automatically.

# all traffic via the VPN, without wiping the existing default route
redirect-gateway def1
# let the server push DNS names (not only addresses) in route/ifconfig options
allow-pull-fqdn
# keep the stunnel connection to the real server outside the tunnel
route your.dyndns.org 255.255.255.255 192.168.1.1

Now all my Internet traffic is routed through the OpenVPN server inside a real TLS session 🙂
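The setup described above is four configuration fragments on two machines that have to agree with each other, and the redirect-gateway section adds a route that is easy to forget. As an added example (my own code, not from the original post or from stunnel/OpenVPN), the script below parses copies of the page's fragments and checks the things that break or weaken the tunnel: the server-side stunnel connects to the loopback OpenVPN port, the OpenVPN client points at the local stunnel listener on the same port, proto is TCP, the client stunnel verifies the server certificate and disables SSLv3, and redirect-gateway is paired with a host route for the real server. The config strings are constructed here: your.dyndns.org and the paths are placeholders, and the constructed client config uses net_gateway rather than a fixed gateway address for the host route.

```python
"""Consistency check for the stunnel + OpenVPN fragments on this page.
Added example, not from the original post or from stunnel/OpenVPN: the config
strings are constructed copies of the page's fragments (your.dyndns.org and
the paths are placeholders) and the checks are this example's own."""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

SERVER_STUNNEL = """\
cert = /etc/stunnel/stunnel.pem
[openvpn-stunnel]
accept = 443
connect = 127.0.0.1:1194
"""

CLIENT_STUNNEL = """\
sslVersion = all
[openvpn]
client = yes
accept = 1194
connect = your.dyndns.org:443
options = NO_SSLv2
"""

OPENVPN_CLIENT = """\
proto tcp
remote localhost 1194
route 192.168.1.0 255.255.255.0
redirect-gateway def1
route your.dyndns.org 255.255.255.255 net_gateway
"""

def parse_stunnel(text):
    """stunnel.conf: 'key = value', ';' comments, [service] sections (globals under '')."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif line:
            key, _, val = (p.strip() for p in line.partition("="))
            if key == "options":                       # repeatable key -> list
                conf[section].setdefault(key, []).append(val)
            else:
                conf[section][key] = val
    return conf

def parse_openvpn(text):
    """OpenVPN config: directive -> list of argument lists ('route'/'remote' may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.split()
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def host_port(value):
    host, _, port = value.rpartition(":")              # bare 'port' -> ('', port)
    return host, int(port)

def check_setup(server_stunnel, client_stunnel, openvpn_client, openvpn_port=1194):
    """Return [(severity, message)]: 'error' breaks the tunnel, 'warning' weakens it."""
    srv, cli = parse_stunnel(server_stunnel), parse_stunnel(client_stunnel)
    ovpn = parse_openvpn(openvpn_client)
    srv_svc = next(v for k, v in srv.items() if k)     # first [service] section
    cli_svc = next(v for k, v in cli.items() if k)
    cli_all = {**cli[""], **cli_svc}                   # service settings override globals
    out = []
    # server stunnel must hand the decrypted stream to OpenVPN on loopback
    host, port = host_port(srv_svc.get("connect", ":0"))
    if host not in LOOPBACK or port != openvpn_port:
        out.append(("error", f"server stunnel connect={host}:{port}, expected loopback:{openvpn_port}"))
    # client stunnel listens locally; the OpenVPN client must target exactly that listener
    if cli_all.get("client") != "yes":
        out.append(("error", "client stunnel section needs 'client = yes'"))
    _, listen = host_port(cli_svc.get("accept", "0"))
    remote = ovpn.get("remote", [[]])[0]
    if len(remote) < 2 or remote[0] not in LOOPBACK or int(remote[1]) != listen:
        out.append(("error", f"OpenVPN remote should be 'localhost {listen}', got '{' '.join(remote)}'"))
    proto = ovpn.get("proto", [["udp"]])[0][0]          # stunnel carries TCP only
    if not proto.startswith("tcp"):
        out.append(("error", f"proto {proto}: stunnel can only carry TCP"))
    if not any(k in cli_all for k in ("verify", "verifyPeer", "verifyChain")):
        out.append(("warning", "client stunnel never verifies the server certificate; only "
                               "OpenVPN's own PKI/tls-auth inside authenticates the server"))
    opts = cli[""].get("options", []) + cli_svc.get("options", [])
    if cli_all.get("sslVersion") == "all" and "NO_SSLv3" not in opts:
        out.append(("warning", "sslVersion = all without 'options = NO_SSLv3' still allows SSLv3"))
    # redirect-gateway with a loopback remote: the real server needs its own host route
    if "redirect-gateway" in ovpn:
        real_host, _ = host_port(cli_svc.get("connect", ":0"))
        pinned = [r for r in ovpn.get("route", [])
                  if len(r) >= 2 and r[0] == real_host and r[1] == "255.255.255.255"]
        if not pinned:
            out.append(("error", f"redirect-gateway with remote=localhost: add 'route {real_host} "
                                 "255.255.255.255 net_gateway' or stunnel's own connection is routed into the tunnel"))
    return out

if __name__ == "__main__":
    for severity, message in check_setup(SERVER_STUNNEL, CLIENT_STUNNEL, OPENVPN_CLIENT):
        print(f"{severity:8s} {message}")
```

Run against the page's own fragments it reports no errors and the two warnings discussed in the client section (no certificate verification on the outer TLS layer, SSLv3 still enabled); switching proto to udp or dropping the host route turns those into errors, which is the failure a first attempt at the redirect-gateway setup usually hits.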



2 thoughts on "Tunneling OpenVPN over HTTPS with Stunnel and Ubuntu"

  1. Nas

    You could be a lot more clear about private subnets and the routes. Seems you've been in a rush to write this article.

