@JimmieD
Last active September 30, 2023 20:10
PiVPN with stunnel

Using PiVPN with Stunnel

Intro

The following are steps for setting up PiVPN with stunnel. Why would you want to do this? OpenVPN is subject to blocking by several methods of deep packet inspection, since OpenVPN traffic, though encrypted, looks slightly different from normal web traffic. If your OpenVPN connection works, you probably don't need this. But if it is being blocked, you will probably have to wrap your OpenVPN connection in an SSL tunnel to make it look like normal web traffic. For an explanation, see here: https://proprivacy.com/guides/how-to-hide-openvpn-traffic-an-introduction

The following are the steps needed to wrap your OpenVPN connection in an SSL connection with a Linux server (I got it working in Ubuntu 18.04; looks to only work with amd64 architecture, not armhf). So far I've only used it with a Windows client, so I don't know the exact config for an Android, iOS, Mac, or Linux client.

Credit to "john564" here (https://www.raspberrypi.org/forums/viewtopic.php?t=40389) for the legwork.

The following updates the steps as of 10/9/19.

On the server (I've tested with Ubuntu 18.04, but it should work for Raspberry Pi and probably other Debian-based setups):

Install OpenSSL and stunnel

sudo apt-get install stunnel4 openssl -y

Configure SSL Server Keys

cd /etc/stunnel/
sudo openssl genrsa -out server.key 4096
sudo openssl req -new -key server.key -out server.csr
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo bash
cat server.key > server.pem && cat server.crt >> server.pem
chmod 400 /etc/stunnel/server.pem
exit

Enable stunnel Server

sudo nano /etc/default/stunnel4

Set the following in the config file:

ENABLED=1    ## set or change this value in the configuration file.

Configure the stunnel Server

sudo nano /etc/stunnel/stunnel.conf

Enter or set these in the configuration file:

sslVersion = all
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel
  
[openvpn]
client = no
; accept can be anything, but must match the port in the stunnel client "connect" field (see below).
accept=993
; connect can be anything, but must match the port you set up in PiVPN.
connect=34567

Restart stunnel

sudo /etc/init.d/stunnel4 restart

Check stunnel status

ps aux | grep stunnel

You can also check the status with the following command:

sudo /etc/init.d/stunnel4 status

Install PiVPN. Reference here if needed: http://kamilslab.com/2017/01/22/how-to-turn-your-raspberry-pi-into-a-home-vpn-server-using-pivpn/

curl -L https://install.pivpn.io | bash

Follow the instruction prompts. Default settings are probably fine, with the following exceptions/notes:

  1. Use TCP instead of UDP on setup. Stunnel does not work with UDP.
  2. Make sure the port selected on setup matches the "connect" port in the stunnel.conf set in the previous step.
  3. The domain name or IP address used in the setup needs to match the domain or IP address in the stunnel client config (see below).
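
A pre-flight check for notes 1 and 2 above, as an added example that is not part of the original gist: it reads the "connect" port from the [openvpn] section of stunnel.conf and compares it with the "port" and "proto" directives of the OpenVPN server config. The function names are hypothetical, and the OpenVPN config path in the usage note is an assumption about where PiVPN writes its server config.

```shell
#!/bin/sh
# Added example, not from the original gist: checks that stunnel's [openvpn]
# "connect" port and the OpenVPN server's port/proto directives agree.

# Print the value of KEY in [SECTION] of a stunnel config file.
stunnel_get() {  # usage: stunnel_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[;#]/ { next }                          # whole-line comment
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
            v = substr($0, i + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print the first argument of an OpenVPN directive such as "port" or "proto".
ovpn_get() {  # usage: ovpn_get FILE DIRECTIVE
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 if OpenVPN is on TCP and stunnel's connect port equals its port;
# otherwise print the reason and return 1.
check_tunnel() {  # usage: check_tunnel STUNNEL_CONF OPENVPN_CONF
    connect=$(stunnel_get "$1" openvpn connect)
    port=$(ovpn_get "$2" port)
    proto=$(ovpn_get "$2" proto)
    case "$proto" in
        tcp*) ;;
        *) echo "OpenVPN proto is '${proto:-unset}'; stunnel needs TCP"; return 1 ;;
    esac
    cport=${connect##*:}    # connect may be PORT or HOST:PORT
    case "$cport" in
        ''|*[!0-9]*)        # e.g. a trailing comment left on the option line
            echo "connect value '$connect' is not a plain port"; return 1 ;;
    esac
    if [ "$cport" != "$port" ]; then
        echo "stunnel connect=$cport but OpenVPN port=${port:-unset}"; return 1
    fi
    echo "ok: stunnel forwards to OpenVPN on TCP port $cport"
}

# Stand-alone use: sh script STUNNEL_CONF OPENVPN_CONF
if [ "$#" -eq 2 ]; then check_tunnel "$1" "$2"; fi
```

Saved as check_tunnel.sh (a hypothetical name), it would be run on the server as: sh check_tunnel.sh /etc/stunnel/stunnel.conf /etc/openvpn/server.conf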

Create PiVPN certificates as needed. I use different certs for every device that is connecting to my VPN.

pivpn add

Follow the prompts

Transfer the .ovpn certificates to the client devices

On a Windows Client Device

Install stunnel from http://www.stunnel.org/downloads.html and follow the prompts.

Right-click the stunnel icon in the tray in the bottom right corner of the taskbar and select "Edit Configuration"

Enter or set the following in the configuration file:

[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = change_this_to_your_to_server_address.com:993

Save and exit

Right-click the stunnel icon and select "Reload Configuration"

Install OpenVPN Connect https://openvpn.net/client-connect-vpn-for-windows/

Edit the .ovpn file that was transferred from the PiVPN server. You can use Notepad or Notepad++.

Enter or set the following line:

remote 127.0.0.1  1194

Save and exit

Import the .ovpn file that was just saved. This is done in the OpenVPN Connect app just downloaded.

Turn the VPN on. Stunnel real-time logs can be seen on Windows by double-clicking the stunnel icon in the taskbar.

Note

PiVPN currently only works with IPv4 addresses. For IPv6 address configurations, see here: https://community.openvpn.net/openvpn/wiki/IPv6

pivpn/pivpn#259

If you don't know whether you have IPv4 or IPv6, one easy way is to Google "What is my IP." If your IP address is in the form XXX.XXX.XXX.XXX, then it's IPv4. If it's in the form XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX, then it's IPv6.
