The following are steps to setting up PiVPN with stunnel. Why would you want to do this? OpenVPN is subject to blocking by several methods of deep packet inspection since OpenVPN traffic, though encrypted, looks slightly different than normal web traffic. If your OpenVPN works, you probably don't need this. But if it is being blocked, you will probably have to wrap your OpenVPN connection in an SSL tunnel to make it look like normal web traffic. For an explanation, see here: https://proprivacy.com/guides/how-to-hide-openvpn-traffic-an-introduction
The following are steps needed to wrap your OpenVPN in an SSL connection with a Linux server (I got it working in Ubuntu 18.04; looks to only work with amd64 architecture, not armhf). So far I've only used it with a Windows client, so I don't know the exact config for an Android, iOS, Mac, or Linux client.
Credit to "john564" here for the legwork. Credit to "JimmieD" here for the original Gist.
I (@zoobdude) have updated the steps as of 11/06/22 to fix errors I was having and incorporate pi hole.
(I've tested with Ubuntu 18.04, but it should work on a Raspberry Pi and probably other Debian-based set-ups):
Make yourself root (if not already)
sudo su
Get updates
apt-get update
apt-get upgrade
Install Stunnel
apt-get install stunnel4
Install nload (optional)
apt-get install nload
OpenSSL is usually already installed, if not
apt-get install openssl
Curl is usually installed, if not
apt-get install curl
Configure the SSL server keys. MAKE SURE TO RUN EACH LINE SEPARATELY.
cd /etc/stunnel/
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
You will be prompted to enter your address and similar details; there is no need to fill them in, just press Enter at each of the prompts.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
cat server.key > server.pem && cat server.crt >> server.pem
chmod 400 /etc/stunnel/server.pem
Enable stunnel Server to start on boot
nano /etc/default/stunnel4
Set the following in the config file:
ENABLED=1
Configure the stunnel Server
nano /etc/stunnel/stunnel.conf
Enter or set these in the configuration file:
sslVersion = all
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel
[openvpn]
client = no
accept=993
connect=34567
accept can be anything, but it will have to match the port in the stunnel client's "connect" field (see below). connect can also be anything, but it must match the port you set up in PiVPN.
Restart stunnel
/etc/init.d/stunnel4 restart
Check stunnel status with the following command:
/etc/init.d/stunnel4 status
If there are any errors (anything in red), then you have probably done something wrong or this guide is out of date.
There is a script that can be run that will guide you through the Pi-hole setup. Reference here if needed
curl -sSL https://install.pi-hole.net | bash
Install PiVPN using another script. Reference here if needed
curl -L https://install.pivpn.io | bash
Follow the instruction prompts. Default settings are probably fine with the following exceptions/notes:
- Use TCP instead of UDP on setup. Stunnel does not work with UDP.
- Make sure the port selected on setup matches the "connect" port in the stunnel.conf set in the previous step
- The domain name or IP address used in the setup needs to match the domain or IP address in the stunnel client config (see below).
COMING SOON: use step 9 here for now
Create PiVPN certificates as needed. Different certs are needed for every device that is connecting to the VPN so that they are able to connect simultaneously
pivpn add
or
PiVPN add
Follow the prompts
Transfer the .ovpn certificates to the client devices (I use sftp with filezilla)
On the Windows client, install stunnel from here: http://www.stunnel.org/downloads.html and follow the prompts.
Right-click on the stunnel icon in the tray in the bottom right corner of the taskbar and select "Edit Configuration".
Enter or set the following in the configuration file:
[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = change_this_to_your_server_address.com:993
Save and exit
Right-click the stunnel icon and select "Reload Configuration".
Install OpenVPN Connect https://openvpn.net/client-connect-vpn-for-windows/
Edit the .ovpn file that was transferred from the PiVPN server. You can use Notepad or Notepad++.
Enter or set the following line:
remote 127.0.0.1 1194
Save and exit
Import the .ovpn file that was just saved. This is done in the OpenVPN Connect app just downloaded.
Turn the VPN on. Stunnel real-time logs can be seen on Windows by double-clicking the stunnel icon in the taskbar.
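The three places where the ports have to agree (server stunnel.conf "connect" = PiVPN port, client stunnel "connect" = server "accept", and the .ovpn "remote" = client stunnel "accept", with proto tcp) are easy to get wrong. The following is an added example, not part of this guide or of stunnel/PiVPN, that parses the two stunnel configs and the edited .ovpn file and reports any mismatch; the sample configs embedded in it are constructed from the values used above, and parse_stunnel, port_of and check_chain are names chosen here.

```python
import re
# Constructed sample inputs (not captured from a live system) using the guide's values.
SERVER_CONF = """sslVersion = all
[openvpn]
accept=993
connect=34567
"""
CLIENT_CONF = """[openvpn]
accept = 127.0.0.1:1194
connect = change_this_to_your_server_address.com:993
"""
OVPN = """proto tcp
remote 127.0.0.1 1194
"""

def parse_stunnel(text):
    """Parse stunnel.conf into {section: {key: value}}; global keys land under ''."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        else:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
    return conf

def port_of(endpoint):
    """Accept 'host:port' or a bare 'port' and return the port as an int."""
    return int(endpoint.rsplit(":", 1)[-1])

def check_chain(server_conf, client_conf, ovpn, pivpn_port):
    """Return mismatch messages for the OpenVPN -> stunnel client -> stunnel server -> PiVPN chain."""
    srv = parse_stunnel(server_conf)["openvpn"]
    cli = parse_stunnel(client_conf)["openvpn"]
    problems = []
    if port_of(srv["connect"]) != pivpn_port:  # server stunnel must forward to PiVPN's port
        problems.append("server connect port does not match the PiVPN port")
    if port_of(cli["connect"]) != port_of(srv["accept"]):  # client dials the server's accept port
        problems.append("client connect port does not match server accept port")
    m = re.search(r"^remote\s+(\S+)\s+(\d+)", ovpn, re.M)  # OpenVPN must target local stunnel
    if not m or f"{m.group(1)}:{m.group(2)}" != cli["accept"]:
        problems.append(".ovpn remote does not point at the client stunnel accept address")
    if not re.search(r"^proto\s+tcp", ovpn, re.M):  # stunnel cannot carry UDP
        problems.append(".ovpn proto must be tcp")
    return problems
```

Run check_chain with the contents of your real files and the port you chose in the PiVPN installer; an empty list means the chain is consistent.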
PiVPN currently only works with IPv4 addresses. For IPv6 address configurations see here: https://community.openvpn.net/openvpn/wiki/IPv6
If you don't know whether you have an IPv4 or IPv6 address, one easy way to find out is to google "What is my IP." If your IP address is in the form XXX.XXX.XXX.XXX, then it's IPv4. If it's in the form XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX, then it's IPv6.