
@Zoobdude
Forked from JimmieD/pivpn_with_stunnel.md
Last active December 20, 2022 02:17
PiVPN and Pi-hole with stunnel

Using PiVPN with Stunnel

Intro

The following are steps for setting up PiVPN with stunnel. Why would you want to do this? OpenVPN can be blocked by several deep-packet-inspection methods, because OpenVPN traffic, although encrypted, looks slightly different from normal web traffic. If your OpenVPN works, you probably don't need this. But if it is being blocked, you will probably have to wrap your OpenVPN connection in an SSL tunnel so that it looks like normal web traffic. For an explanation see here: https://proprivacy.com/guides/how-to-hide-openvpn-traffic-an-introduction

The following are the steps needed to wrap your OpenVPN in an SSL connection with a Linux server (I got it working on Ubuntu 18.04; it looks to only work with the amd64 architecture, not armhf). So far I've only used it with a Windows client, so I don't know the exact config for an Android, iOS, Mac, or Linux client.

Credit to "john564" here for the legwork. Credit to "JimmieD" here for the original Gist.

I (@zoobdude) have updated the steps as of 11/06/22 to fix errors I was having and to incorporate Pi-hole.

Required applications and dependencies

I've tested this with Ubuntu 18.04, but it should also work on a Raspberry Pi and probably on other Debian-based set-ups:

Installing

Make yourself root (if not already)

sudo su

Get updates

apt-get update
apt-get upgrade

Install Stunnel

apt-get install stunnel4

Install nload (optional)

apt-get install nload

OpenSSL is usually already installed; if not:

apt-get install openssl

Curl is usually already installed; if not:

apt-get install curl

Installation and configuration of stunnel

Configure the SSL server keys. MAKE SURE TO RUN EACH LINE SEPARATELY.

cd /etc/stunnel/
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr

You will be prompted to enter your address and other certificate details; there is no need, just press Enter at each of the prompts.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
cat server.key > server.pem && cat server.crt >> server.pem
chmod 400 /etc/stunnel/server.pem
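The same key, CSR, self-signed certificate and server.pem steps as one non-interactive script. This is an added example written for this page, not part of the original gist or of PiVPN/stunnel: it passes -subj so the prompts you are told to press Enter through never appear, creates the files owner-readable from the moment they are written (umask 077) instead of relying only on the later chmod, checks that the key and certificate in server.pem belong together, and prints the certificate's SHA-256 fingerprint. The fingerprint is worth keeping: the Windows client config later in this guide sets no verifyPeer/CAfile option, so the client-side stunnel accepts whatever certificate the server presents, and pinning server.crt on the client (verifyPeer = yes with CAfile, see the stunnel manual) is how you close that gap. The output directory, the subject name stunnel-server and the function names are assumptions; by default it writes to a temporary directory so it can run unprivileged, and you copy the results into /etc/stunnel/ afterwards.

```shell
#!/bin/sh
# Added example (not part of the original gist): the server-key steps from the
# guide as one non-interactive script. Output directory, subject name and
# function names are assumptions; it writes to a temporary directory so it can
# run unprivileged, and you copy the results into /etc/stunnel/ afterwards.

# make_stunnel_cert OUT_DIR [DAYS]
# Creates server.key, server.csr, server.crt and server.pem in OUT_DIR.
make_stunnel_cert() {
    (
        umask 077   # key material is owner-only from the moment it is written
        out="$1"; days="${2:-365}"
        openssl genrsa -out "$out/server.key" 4096 2>/dev/null || exit 1
        # -subj replaces the prompts the guide tells you to press Enter through
        openssl req -new -key "$out/server.key" -subj "/CN=stunnel-server" \
            -out "$out/server.csr" 2>/dev/null || exit 1
        openssl x509 -req -days "$days" -in "$out/server.csr" \
            -signkey "$out/server.key" -out "$out/server.crt" 2>/dev/null || exit 1
        # stunnel reads key and certificate from the one PEM file named by "cert"
        cat "$out/server.key" "$out/server.crt" > "$out/server.pem"
        chmod 400 "$out/server.pem"
    )
}

# cert_fingerprint CRT -> SHA-256 fingerprint (hex, colon separated), for pinning
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# pem_is_valid PEM -> 0 if the file holds a certificate whose public key
# matches the private key in the same file (catches a PEM assembled from a
# key and a certificate that do not belong together)
pem_is_valid() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# cert_valid_for_days CRT DAYS -> 0 if the certificate does not expire within DAYS
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"   # assumption: a scratch directory, not /etc/stunnel
if command -v openssl >/dev/null 2>&1 && make_stunnel_cert "$OUT_DIR" 365; then
    echo "wrote $OUT_DIR/server.pem"
    echo "server certificate SHA-256 fingerprint: $(cert_fingerprint "$OUT_DIR/server.crt")"
    pem_is_valid "$OUT_DIR/server.pem" && echo "server.pem: key and certificate match"
    cert_valid_for_days "$OUT_DIR/server.crt" 30 && echo "certificate valid for at least 30 more days"
fi
```

Run it as a normal user, then move server.pem (and server.crt, if you intend to pin it on the client) into /etc/stunnel/ as root; cert_valid_for_days is also handy in a cron job, since the 365-day certificate from this guide will silently stop working a year later.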

Enable the stunnel server to start on boot

nano /etc/default/stunnel4

Set the following in the config file:

ENABLED=1

Configure the stunnel Server

nano /etc/stunnel/stunnel.conf

Enter or set these in the configuration file

sslVersion = all
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel

[openvpn]
client = no
accept=993
connect=34567

"accept" can be any port, but it will have to match the port in the stunnel client's "connect" field (see below). "connect" can also be any port, but it must match the port you set up in PiVPN.

Restart stunnel

/etc/init.d/stunnel4 restart

Check stunnel status with the following command:

/etc/init.d/stunnel4 status

If there are any errors (anything in red), then you have probably done something wrong or this guide is out of date.

Install Pi-hole

There is a script that can be run that will guide you through the setup. Reference here if needed.

curl -sSL https://install.pi-hole.net | bash

Install PIVPN

Install PiVPN using another script. Reference here if needed.

curl -L https://install.pivpn.io | bash

Follow the instruction prompts. Default settings are probably fine, with the following exceptions/notes:

  1. Use TCP instead of UDP on setup. Stunnel does not work with UDP.
  2. Make sure the port selected on setup matches the "connect" port in the stunnel.conf set in the previous step.
  3. The domain name or IP address used in the setup needs to match the domain or IP address in the stunnel client config (see below).

Install Firewall

COMING SOON: use step 9 here for now

Create PiVPN certificates as needed. Each device that connects to the VPN needs its own certificate so that the devices can connect simultaneously.

pivpn add
or
PiVPN add

Follow the prompts

Transfer the .ovpn certificates to the client devices (I use sftp with filezilla)

On a Windows Client Device

Install stunnel from here: http://www.stunnel.org/downloads.html. Follow the prompts.

Right Click on the stunnel icon in the tray in the bottom right corner of the taskbar and select "Edit Configuration"

Enter or set the following in the configuration file:

[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = change_this_to_your_server_address.com:993

Save and exit

Right click the stunnel icon and select "Reload Configuration"

Install OpenVPN Connect https://openvpn.net/client-connect-vpn-for-windows/

Edit the .ovpn file that was transferred from the PiVPN server. You can use Notepad or Notepad++.

Enter or set the following line:

remote 127.0.0.1  1194

Save and exit

Import the .ovpn file that was just saved. This is done in the OpenVPN Connect app you just downloaded.

Turn the VPN on. Stunnel real-time logs can be seen on Windows by double-clicking the stunnel icon in the taskbar.
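Three pairs of values have to line up for this setup to work, and a mismatch in any of them shows up only as a connection that hangs: the stunnel server's "connect" port and the PiVPN port, the client's "connect" port and the server's "accept" port, and the "remote" line in the .ovpn file and the client's "accept" address. The script below is an added example, not part of the gist or of PiVPN/stunnel: it parses stunnel-style config files and the .ovpn file and reports which pair disagrees. The sample server config, client config and .ovpn fragments are constructed here from the values used in this guide (with vpn.example.com standing in for your server address, and one deliberately wrong client config and one unedited .ovpn file to show the failure modes); the function names are my own. Point it at your real files to check them before you start debugging the tunnel.

```shell
#!/bin/sh
# Added example (not part of the original gist): check that the ports in the
# stunnel server config, the stunnel client config, the PiVPN port and the
# "remote" line of the .ovpn file all agree. Function names are assumptions.

# conf_get FILE SECTION KEY -> prints KEY's value inside [SECTION]
# Accepts "key=value" and "key = value"; ignores ';' and '#' comment lines.
conf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
            next
        }
        sec == want_sec && index($0, "=") > 0 {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
            if (key == want_key) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
                print val; exit
            }
        }' "$1"
}

# port_of VALUE -> the port part of "host:port" (or VALUE itself if there is no host)
port_of() { printf '%s\n' "$1" | sed 's/^.*://'; }

# host_of VALUE -> the host part of "host:port" (empty if there is no host)
host_of() { case "$1" in *:*) printf '%s\n' "${1%:*}" ;; *) printf '\n' ;; esac; }

# check_ports SERVER_CONF CLIENT_CONF PIVPN_PORT
# 0 when server connect == PiVPN port and client connect port == server accept.
check_ports() {
    srv_accept=$(port_of "$(conf_get "$1" openvpn accept)")
    srv_connect=$(port_of "$(conf_get "$1" openvpn connect)")
    cli_connect=$(port_of "$(conf_get "$2" openvpn connect)")
    ok=0
    [ "$srv_connect" = "$3" ] ||
        { echo "server connect=$srv_connect but PiVPN listens on $3" >&2; ok=1; }
    [ "$cli_connect" = "$srv_accept" ] ||
        { echo "client connect port $cli_connect but server accept=$srv_accept" >&2; ok=1; }
    return $ok
}

# check_ovpn_remote OVPN CLIENT_CONF
# 0 when the .ovpn "remote host port" line points at the client's accept address.
check_ovpn_remote() {
    remote_line=$(awk '$1 == "remote" { print $2, $3; exit }' "$1")
    remote_host=${remote_line%% *}; remote_port=${remote_line##* }
    cli_accept=$(conf_get "$2" openvpn accept)
    [ "$remote_host" = "$(host_of "$cli_accept")" ] &&
        [ "$remote_port" = "$(port_of "$cli_accept")" ]
}

# Constructed sample files, modelled on the values used in this guide.
WORK=$(mktemp -d)
SERVER_CONF="$WORK/stunnel-server.conf"
CLIENT_CONF="$WORK/stunnel-client.conf"
BAD_CLIENT_CONF="$WORK/stunnel-client-wrong.conf"
OVPN_FILE="$WORK/client.ovpn"
UNEDITED_OVPN="$WORK/client-unedited.ovpn"
cat > "$SERVER_CONF" <<'EOF'
sslVersion = all
cert = /etc/stunnel/server.pem
[openvpn]
client = no
accept=993
connect=34567
EOF
cat > "$CLIENT_CONF" <<'EOF'
[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = vpn.example.com:993
EOF
sed 's/:993$/:443/' "$CLIENT_CONF" > "$BAD_CLIENT_CONF"   # wrong connect port
printf 'client\nremote 127.0.0.1  1194\nproto tcp\n' > "$OVPN_FILE"           # edited as the guide says
printf 'client\nremote vpn.example.com 34567\nproto tcp\n' > "$UNEDITED_OVPN" # "remote" line never changed

PIVPN_PORT=34567
check_ports "$SERVER_CONF" "$CLIENT_CONF" "$PIVPN_PORT" && echo "stunnel ports agree"
check_ovpn_remote "$OVPN_FILE" "$CLIENT_CONF" && echo ".ovpn remote points at the local stunnel"
check_ports "$SERVER_CONF" "$BAD_CLIENT_CONF" "$PIVPN_PORT" || echo "mismatch detected (expected)"
check_ovpn_remote "$UNEDITED_OVPN" "$CLIENT_CONF" || echo "unedited .ovpn detected (expected)"
```

For your own files, call check_ports with the path of /etc/stunnel/stunnel.conf, a copy of the Windows client's stunnel.conf and the port you gave PiVPN, and check_ovpn_remote with the edited .ovpn file and the same client config. The parser only understands the flat "key = value" layout used in this guide, which is all stunnel.conf needs here.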

Note

PiVPN currently only works with IPv4 addresses. For IPv6 address configurations see here: https://community.openvpn.net/openvpn/wiki/IPv6

pivpn/pivpn#259

If you don't know if you have IPv4 or IPv6, one easy way is to google "What is my IP." If your IP address is in the form XXX.XXX.XXX.XXX, then it's IPv4. If it's in the form, XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX, then it's IPv6.
