vBWarez - Rest In Peace

[OpenVPN] Set up a completely stealth VPN [Stunnel - HTTPS]
  • Admin
[FONT=franklin gothic medium]Full guide on how to set up Stunnel with OpenVPN to bypass even the most restrictive firewalls: as long as you have HTTPS access, it works.

This method is used by companies in China, for example, to bypass ISP restrictions; the method used to block the VPN there is DPI (Deep Packet Inspection).

DPI allows the network operator to detect and block traffic that is not true HTTPS (which is what OpenVPN produces).

So we are going to connect through a tunnel to trick the firewall.

Enough talking; if you want more information about this stuff, you can google it, many people have already explained it better than me.

I will not cover the OpenVPN installation part because there is already a shitload of tutorials online.

Your OpenVPN server [COLOR=#ff0000][B]MUST[/B][/COLOR] be using [COLOR=#ff0000][B]TCP[/B][/COLOR], by the way.
[COLOR=#ff8c00][B]This tutorial will be based on:[/B][/COLOR]
[code]
[COLOR=#ee82ee][B]Server:[/B] [/COLOR]Debian 7.0 with TUN Device available
[COLOR=#ee82ee][B]Client:[/B] [/COLOR]Windows 8.1 64-bit
[/code]

[B]First we need to install Stunnel[/B]
[code]
[COLOR=#ee82ee]apt-get install stunnel4[/COLOR]
[/code]

Of course we need an SSL certificate to get proper-looking traffic, so we have to generate one using OpenSSL :)

cd to the stunnel folder (/etc/stunnel)

[B]Generate the KEY[/B]
[code]
[COLOR=#ee82ee]openssl genrsa -out server.key 4096[/COLOR]
[/code]

[B]Generate the CSR[/B]
[code]
[COLOR=#ee82ee]openssl req -new -key server.key -out server.csr[/COLOR]
[/code]

[B]Generate the CRT[/B]
[code]
[COLOR=#ee82ee]openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt[/COLOR]
[/code]

[B]Combine[/B]
[code]
[COLOR=#ee82ee]cat server.key > server.pem && cat server.crt >> server.pem[/COLOR]
[/code]

[B]Edit /etc/stunnel/stunnel.conf[/B]

[code]
; TLS settings: every protocol version except SSLv2 is allowed
sslVersion = all
options = NO_SSLv2
; drop privileges once the certificate is loaded
chroot = /var/lib/stunnel4/
pid = /stunnel4.pid
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; one service: TLS listener on "accept", decrypted stream forwarded to "connect"
[openvpn]
accept = 80
connect = 443
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
[/code]

accept is the TCP port stunnel listens on; it must match the connect port used in the stunnel client conf.
Traffic is then forwarded to connect, so just put your OpenVPN server port there (in my case it is 443; if it fails, put your OpenVPN server IP in front of it [netstat will help you]).


Start your Stunnel :)

If your firewall is restrictive, you will have to ACCEPT TCP on port 80 (or whatever you used in the accept line).


Time to set up your client now!

[code]
; stunnel client config on the Windows machine
[openvpn]
client = yes
; local port that the OpenVPN client will connect to
accept = 1337
; public IP of the server and the port from the server's accept line
connect = server_pub_ip:80
[/code]

Then edit your client OpenVPN config file and change the remote line to
[code]
remote localhost 1337
[/code]

UPDATE: You also need to edit the following file:

[code]
/etc/default/stunnel4

-> [COLOR=#ff0000]ENABLED=1[/COLOR]
[/code]
Start your Stunnel client, and connect to your VPN.

Voilà, you have now fcked up the firewall or your government, enjoy the free web.
[/FONT]
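
The whole server-side procedure above, plus the client config, as a shell script. This is an added example, not code from the original post or from the stunnel/OpenVPN projects, and it tightens two things the post's configs leave open: the server's `sslVersion = all` with only `NO_SSLv2` still lets a client negotiate SSLv3, and the client's `[openvpn]` section never verifies the server certificate, so any TLS-terminating middlebox on the path could impersonate the server. The hostname vpn.example.org, the IP 203.0.113.10, the port layout (stunnel listening on 443 so the port matches what the traffic claims to be, OpenVPN on 1194 bound locally, loopback port 1337 on the client) and the certificate path on the client are this example's assumptions. The two `audit_*` functions are the check to run against any stunnel config you inherit; both reject the configs as posted above.

```shell
#!/bin/sh
# Added example: generate the server certificate, write hardened stunnel
# configs for both ends, and audit them. Names, IPs and ports are assumptions.

# Key + self-signed certificate in one step (same result as the post's
# genrsa/req/x509 sequence, without the interactive prompts), then the
# combined PEM that stunnel loads. Private material is made owner-only.
gen_server_cert() {
    dir=$1
    cn=$2
    openssl genrsa -out "$dir/server.key" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/server.key" \
        -subj "/CN=$cn" -out "$dir/server.crt"
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
    chmod 600 "$dir/server.key" "$dir/server.pem"
}

# Server side. NO_SSLv3 is added because 'sslVersion = all' with only NO_SSLv2
# still accepts SSLv3. Compression is dropped: the inner stream is already
# OpenVPN ciphertext and does not shrink, so zlib only burns CPU.
write_server_conf() {
    out=$1; pem=$2; accept_port=$3; openvpn_port=$4
    cat > "$out" <<EOF
; stunnel server: terminate TLS on $accept_port, forward the plaintext
; OpenVPN-over-TCP stream to the local OpenVPN daemon on $openvpn_port
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
chroot = /var/lib/stunnel4/
pid = /stunnel4.pid
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[openvpn]
accept = $accept_port
connect = 127.0.0.1:$openvpn_port
cert = $pem
EOF
}

# Client side. 'verify = 2' with the server's own self-signed certificate as
# CAfile makes the handshake fail unless the peer certificate chains to that
# exact certificate, so an interception proxy cannot terminate the tunnel
# with a certificate of its own. accept is bound to loopback only.
write_client_conf() {
    out=$1; server=$2; server_port=$3; local_port=$4; cafile=$5
    cat > "$out" <<EOF
; stunnel client: OpenVPN connects to 127.0.0.1:$local_port, stunnel wraps
; the stream in TLS and sends it to $server:$server_port
client = yes
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
verify = 2
CAfile = $cafile

[openvpn]
accept = 127.0.0.1:$local_port
connect = $server:$server_port
EOF
}

# 0 only when SSLv3 cannot be negotiated: sslVersion pins a TLS version, or
# NO_SSLv3 is set. The server config as posted fails this.
audit_server_conf() {
    grep -Eq '^[[:space:]]*sslVersion[[:space:]]*=[[:space:]]*TLSv1' "$1" && return 0
    grep -Eq '^[[:space:]]*options[[:space:]]*=[[:space:]]*NO_SSLv3' "$1"
}

# 0 only when the client verifies the server certificate against a pinned
# CA file. The client config as posted fails this.
audit_client_conf() {
    grep -Eq '^[[:space:]]*verify[[:space:]]*=[[:space:]]*[23]' "$1" || return 1
    grep -Eq '^[[:space:]]*CAfile[[:space:]]*=' "$1"
}

# End-to-end run in a scratch directory; skipped when openssl is missing.
demo() {
    work=$(mktemp -d)
    gen_server_cert "$work" vpn.example.org
    write_server_conf "$work/stunnel-server.conf" /etc/stunnel/server.pem 443 1194
    # The client only needs server.crt, copied over out of band (assumed path).
    write_client_conf "$work/stunnel-client.conf" 203.0.113.10 443 1337 /etc/stunnel/server.crt
    audit_server_conf "$work/stunnel-server.conf" && echo "server conf: SSLv3 disabled"
    audit_client_conf "$work/stunnel-client.conf" && echo "client conf: server cert pinned"
    openssl x509 -in "$work/server.crt" -noout -subject -dates
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

With these configs the OpenVPN client config needs `proto tcp-client` and `remote 127.0.0.1 1337`, and the server's OpenVPN daemon listens on TCP 1194 on localhost only, since stunnel is the only thing that should reach it. Copy server.crt to the client over a channel you trust (the first connection is exactly the one an interception box wants to be in the middle of); after that, a changed or replaced server certificate shows up as a failed handshake in the client's stunnel log instead of a silently proxied tunnel.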
Ahm - sorry for jumping in, but wouldn't it be easier to rely on OpenVPN on the client side as well? Then both sides could rely on UDP, and one could fire up a server on port 53, which is usually not blocked, or on another UDP port.
That way DPIs (like Bluecoat's or similar devices) won't be able to inject bogus packets to detect a VPN connection that easily, due to the stateless nature of UDP packets.
Still, outgoing TCP port 80 is usually not blocked, so that might be an option too.

Oh and:

[CODE]
options = NO_SSLv2
options = NO_SSLv3
[/CODE]

are by now the default options in Stunnel; still, it wouldn't hurt to set them anyway, better safe than sorry.
  • Admin
[quote name='phobos']Ahm - sorry for jumping in, but wouldn't it be easier to rely on OpenVPN on the client side as well? Then both sides could rely on UDP, and one could fire up a server on port 53, which is usually not blocked, or on another UDP port.
That way DPIs (like Bluecoat's or similar devices) won't be able to inject bogus packets to detect a VPN connection that easily, due to the stateless nature of UDP packets.
Still, outgoing TCP port 80 is usually not blocked, so that might be an option too.

Oh and:

[CODE]
options = NO_SSLv2
options = NO_SSLv3
[/CODE]

are by now the default options in Stunnel; still, it wouldn't hurt to set them anyway, better safe than sorry.[/QUOTE]

Many solutions can be figured out of course, this is just one :D

I wouldn't trust UDP for the VPN, by the way.

As for the topic, which is DPI prevention: TCP acts like websites do, and if it is "simulated" properly, the VPN traffic is undetectable and looks like a normal HTTP/HTTPS website :D which is what we want.