Use Stunnel as an HTTPS-proxy for your OpenVPN connection

Last Updated: 2015-11-16

How to install your OpenVPN server and set everything up to connect with a client I already explained. But if you want to tunnel your vpn-connection through an SSL-tunnel to make it look like you are connecting to an HTTPS-Server, follow these instructions - this might help if the described setup with obfsproxy does not work, because blocking all HTTPS-traffic would cripple the internet quite severely.

Installing stunnel4

The easiest way is to just install it via apt-get

$sudo apt-get install stunnel4

This creates a new user/group called stunnel4 so the stunnel-instance is able to run in its own user context. To be able to actually start stunnel, you have to enable it by setting the option in /etc/default/stunnel4 to:

ENABLED = 1

Configuring your stunnel server

The /etc/stunnel/stunnel.conf file should contain these lines:

chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
debug = 7
output = /stunnel.log
cert = /etc/stunnel/server.crt
key = /etc/stunnel/server.key
verify = 3
CAfile = /etc/stunnel/ca.crt
options = NO_SSLv2
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
#your client connects to port 443 and your OpenVPN server is listening on port 1194
[OpenVPN]
accept = 443
connect = 127.0.0.1:1194

Start stunnel via sudo service stunnel4 start - now your server is ready for incoming connections.

Configure stunnel on your client

To configure your client to connect to your server, add the following lines to your /etc/stunnel/stunnel.conf file

chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
debug = 7
output = /stunnel.log
cert = /etc/stunnel/client.crt
key = /etc/stunnel/client.key
verify = 3
CAfile = /etc/stunnel/ca.crt
options = NO_SSLv2
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
#your client connects to port 443 and your OpenVPN server is listening on port 1194
[OpenVPN]
client = yes
accept = 127.0.0.1:1994
connect = your.vpn.server:443

Configure your OpenVPN client

This is the easiest part, you have to change just one line in your /etc/openvpn/client.conf file to actually use stunnel

remote 127.0.0.1 1194

Now everything is set up, you should be able to connect to your OpenVPN server over an HTTPS-tunnel using stunnel4.

The route your traffic goes looks like this: Client --> OpenVPN-Client --> Stunnel4-Client --> Stunnel4-Server --> OpenVPN-Server --> Internet/LAN.

Rating 3.5 (2 votes)