The following are steps for setting up PiVPN with stunnel. Why would you want to do this? OpenVPN is subject to blocking by several methods of deep packet inspection since OpenVPN traffic, though encrypted, looks slightly different than normal web traffic. If your OpenVPN works, you probably don't need this. But if it is being blocked, you will probably have to wrap your OpenVPN connection in an SSL tunnel to make it look like normal web traffic. For an explanation see here: https://proprivacy.com/guides/how-to-hide-openvpn-traffic-an-introduction
The following are steps needed to wrap your OpenVPN in an SSL connection with a Linux server (I got it working in Ubuntu 18.04; looks to only work with amd64 architecture, not armhf). So far I've only used it with a Windows client, so I don't know the exact config for an Android, iOS, Mac, or Linux client.
Credit to "john564" here (https://www.raspberrypi.org/forums/viewtopic.php?t=40389) for the legwork.
The following updates the steps as of 10/9/19.
On the server (I've tested with Ubuntu 18.04, but it should work for Raspberry Pi and probably other Debian-based set-ups):
Install OpenSSL and stunnel
sudo apt-get install stunnel4 openssl -y
Configure SSL Server Keys
cd /etc/stunnel/
sudo openssl genrsa -out server.key 4096
sudo openssl req -new -key server.key -out server.csr
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo bash
cat server.key > server.pem && cat server.crt >> server.pem
chmod 400 /etc/stunnel/server.pem
exit
Enable stunnel Server
sudo nano /etc/default/stunnel4
Set the following in the config file:
ENABLED=1 ## set or change this value in the configuration file.
Configure the stunnel Server
sudo nano /etc/stunnel/stunnel.conf
Enter or set these in the configuration file:
sslVersion = all
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel
[openvpn]
client = no
; Can be anything, but will have to match the port on the stunnel client "connect" field (see below).
accept = 993
; Can be anything, but must match the port you set up in PiVPN.
connect = 34567
Restart stunnel
sudo /etc/init.d/stunnel4 restart
Check stunnel status
ps aux | grep 'stunnel*'
You can also check the status with the following command:
sudo /etc/init.d/stunnel4 status
Install PiVPN. Reference here if needed: http://kamilslab.com/2017/01/22/how-to-turn-your-raspberry-pi-into-a-home-vpn-server-using-pivpn/
curl -L https://install.pivpn.io | bash
Follow the instruction prompts. Default settings are probably fine with the following exceptions/notes
- Use TCP instead of UDP on setup. Stunnel does not work with UDP.
- Make sure the port selected on setup matches the "connect" port in the stunnel.conf set in the previous step
- Domain name or IP address used in the set up needs to match the domain or IP address in the stunnel client config (see below).
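The first two notes can be checked mechanically on the server. The script below is an added example, not part of the original guide: it compares the "connect" port of the [openvpn] stunnel service with the port and proto directives of an OpenVPN server config. The function names are hypothetical and the sample configs are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the original guide): verify that stunnel's
# [openvpn] service forwards to the port OpenVPN listens on, and that
# OpenVPN is in TCP mode. Function names are hypothetical.

# Print the port from "connect = [host:]port" inside section [$2] of file $1.
stunnel_connect_port() {
    awk -v want="[$2]" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        insec && /^[ \t]*connect[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            n = split($0, part, ":"); print part[n]; exit
        }' "$1"
}

# Print the first argument of OpenVPN directive $2 (e.g. port, proto) in file $1.
ovpn_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 only if both settings are consistent; print one line per finding.
check_tunnel() {
    s_port=$(stunnel_connect_port "$1" openvpn)
    o_port=$(ovpn_value "$2" port)
    o_proto=$(ovpn_value "$2" proto)
    rc=0
    case "$o_proto" in
        tcp*) ;;
        *) echo "FAIL: OpenVPN proto is '${o_proto:-unset}', stunnel needs tcp"; rc=1 ;;
    esac
    if [ -z "$s_port" ] || [ "$s_port" != "$o_port" ]; then
        echo "FAIL: stunnel connect port '$s_port' != OpenVPN port '$o_port'"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: stunnel forwards to OpenVPN on tcp/$s_port"; fi
    return "$rc"
}

# Constructed sample configs (not from a real server) so this runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'cert = /etc/stunnel/server.pem' '[openvpn]' 'client = no' \
    'accept = 993' 'connect = 34567' > "$demo/stunnel.conf"
printf '%s\n' 'dev tun' 'proto tcp' 'port 34567' > "$demo/server_ok.conf"
printf '%s\n' 'dev tun' 'proto udp' 'port 1194' > "$demo/server_bad.conf"

check_tunnel "$demo/stunnel.conf" "$demo/server_ok.conf"
check_tunnel "$demo/stunnel.conf" "$demo/server_bad.conf" || true
```

On a real server, call check_tunnel with /etc/stunnel/stunnel.conf and the OpenVPN server config; /etc/openvpn/server.conf is assumed here as the location PiVPN writes to.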
Create PiVPN certificates as needed. I use different certs for every device that is connecting to my VPN
pivpn add
Follow the prompts
Transfer the .ovpn certificates to the client devices
On the Windows client, install stunnel from here http://www.stunnel.org/downloads.html and follow the prompts
Right Click on the stunnel icon in the tray in the bottom right corner of the taskbar and select "Edit Configuration"
Enter or set the following in the configuration file:
[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = change_this_to_your_to_server_address.com:993
Save and exit
Right click the stunnel icon and select "Reload Configuration"
Install OpenVPN Connect https://openvpn.net/client-connect-vpn-for-windows/
Edit the .ovpn file that was transferred from the PiVPN server. You can use Notepad or Notepad++.
Set the remote line so that OpenVPN connects to the local stunnel "accept" address configured above:
remote 127.0.0.1 1194
Save and exit
Import the .ovpn file that was just saved. This is done in the OpenVPN Connect app just downloaded.
Turn the VPN on. Stunnel real-time logs can be seen on Windows by double-clicking the stunnel icon in the taskbar.
PiVPN currently only works with IPv4 addresses. For IPv6 address configurations see here: https://community.openvpn.net/openvpn/wiki/IPv6
If you don't know if you have IPv4 or IPv6, one easy way is to google "What is my IP." If your IP address is in the form XXX.XXX.XXX.XXX, then it's IPv4. If it's in the form XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX, then it's IPv6.