OpenVPN/Stunnel: Difference between revisions
From charlesreid1
Line 27, previous revision:
[openvpn]
accept=9999
connect=

Line 27, this revision:
[openvpn]
accept = 9999
connect = A.B.C.D:1337

The explanatory paragraph that follows the block changed in one phrase: "forwards it on to port 1337 (which is externally bound)" became "forwards it on to external IP address A.B.C.D via port 1337 (which is externally bound)". The rest of the section, from "Verify OpenVPN Running" on, is unchanged.
Revision as of 19:26, 30 April 2017
Guide
Instructions
Link
Useful link here: http://kyl191.net/2012/12/tunneling-openvpn-through-stunnel/
See the Stunnel page for the basics; some of those steps are reviewed here.
Create Stunnel Server SSL Certificate
Start by creating an SSL certificate for the stunnel server:
openssl req -new -x509 -days 3650 -nodes -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
This puts the private key and the self-signed certificate together in the single file /etc/stunnel/stunnel.pem, since -keyout and -out point to the same path.
Configure Stunnel for OpenVPN
Here is the stunnel configuration file section that specifies how stunnel should run OpenVPN through stunnel:
[openvpn]
accept = 9999
connect = A.B.C.D:1337
Here, port 9999 is a local port only, and is closed to the rest of the world. Stunnel listens on port 9999 for OpenVPN traffic, and when it hears anything, it encrypts it and forwards it on to external IP address A.B.C.D via port 1337 (which is externally bound). Also, vice-versa: stunnel listens on the external port for incoming traffic through port 1337, decrypts it, and forwards it on to local port 9999, where OpenVPN is listening.
Verify OpenVPN Running
Verify OpenVPN process is up and listening:
$ ps aux | grep [o]penvpn
$ netstat -tulpn | grep openvpn
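The netstat line above only shows that OpenVPN has a listener; what matters for the stunnel layout is where each listener is bound. The following script is an added example, not part of the original page: it parses netstat -tulpn style output and reports the bind address of the openvpn and stunnel listeners, treating an OpenVPN listener that is reachable only on loopback (so every peer has to come in through stunnel) as the expected state. The sample output, the PIDs and the process names are constructed; if, as in the page's config, OpenVPN is bound to the host's own address A.B.C.D rather than loopback, the check will report that address instead.

```shell
#!/bin/sh
# Added example: checks where the stunnel and openvpn listeners are bound,
# given "netstat -tulpn" output. SAMPLE below is constructed, not captured
# from a real host. With "-" as the only argument, real output is read from
# stdin instead:  netstat -tulpn | sh listeners.sh -

SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      812/stunnel
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      640/openvpn
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      501/sshd'

# listener_addr OUTPUT PROGRAM PORT: print the local address of the TCP
# LISTEN socket owned by PROGRAM on PORT; status 1 and no output if none.
listener_addr() {
  out=$1; prog=$2; port=$3
  while read -r proto rq sq laddr foreign state pidprog; do
    [ "$proto" = tcp ] || [ "$proto" = tcp6 ] || continue   # UDP rows have no State column
    [ "$state" = LISTEN ] || continue
    [ "${pidprog#*/}" = "$prog" ] || continue               # "640/openvpn" -> "openvpn"
    [ "${laddr##*:}" = "$port" ] || continue                # text after the last colon is the port
    printf '%s\n' "${laddr%:*}"                             # text before it is the address
    return 0
  done <<EOF
$out
EOF
  return 1
}

# is_loopback ADDR: true for the loopback spellings netstat prints.
is_loopback() {
  case "$1" in 127.*|::1|localhost) return 0 ;; *) return 1 ;; esac
}

# openvpn_only_via_stunnel OUTPUT OVPN_PORT STUNNEL_PORT: true when openvpn
# listens on loopback only (peers must arrive through stunnel) and stunnel
# really has a listener on its accept port.
openvpn_only_via_stunnel() {
  a=$(listener_addr "$1" openvpn "$2") || return 1
  is_loopback "$a" || return 1
  listener_addr "$1" stunnel "$3" >/dev/null
}

# report OUTPUT: human-readable summary of both listeners.
report() {
  out=$1
  for want in "openvpn 1337" "stunnel 9999"; do
    set -- $want
    if a=$(listener_addr "$out" "$1" "$2"); then
      printf '%-8s port %-5s bound on %s\n' "$1" "$2" "$a"
    else
      printf '%-8s port %-5s NOT LISTENING\n' "$1" "$2"
    fi
  done
  if openvpn_only_via_stunnel "$out" 1337 9999; then
    echo "OK: openvpn is reachable only through stunnel"
  else
    echo "WARNING: openvpn port is not confined to loopback, or stunnel is not listening"
  fi
}

if [ "${1:-}" = "-" ]; then report "$(cat)"; else report "$SAMPLE"; fi
```

The port numbers in report are the ones this page uses (1337 for OpenVPN, 9999 for the stunnel accept side); change them if your stunnel.conf differs.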
Open Hole in Firewall
Now use iptables to open up the firewall. Assuming you're using port 9999:
iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
Run Stunnel on Boot
Make stunnel run on boot by editing the crontab with crontab -e and adding:
@reboot stunnel /etc/stunnel/stunnel.conf
Configure Stunnel
Now edit the client's stunnel.conf (ignore the .cnf file). Edit this file to include the following 4 lines:
[openvpn]
client = yes
accept = 127.0.0.1:31337
connect = ip.add.re.ss:9999
OpenVPN needs to be configured to go through this tunnel instead of connecting to port 9999 on the server directly. This means you replace the remote line in the connection profile with "remote localhost 31337". (This assumes TCP, not UDP, since stunnel only carries TCP.)
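The server-side stunnel section above, the client-side section and the OpenVPN profile line have to agree with each other in three places: the client's connect port must be the server's accept port, the client's accept side should be bound to loopback so that only local processes can enter the tunnel, and the OpenVPN profile must dial the client stunnel's accept port over TCP. The script below is an added example (not the page's or the stunnel project's code) that reads all three fragments and checks those invariants. The configs it contains are constructed samples; 203.0.113.10 is a documentation address standing in for ip.add.re.ss, and OpenVPN is assumed to listen on 127.0.0.1:1337 on the server.

```shell
#!/bin/sh
# Added example: cross-check the server stunnel.conf, the client stunnel.conf
# and the client .ovpn profile for port agreement. All three fragments are
# constructed samples, not copied from a real deployment.

SERVER_CONF='[openvpn]
accept = 9999
connect = 127.0.0.1:1337'

CLIENT_CONF='[openvpn]
client = yes
accept = 127.0.0.1:31337
connect = 203.0.113.10:9999'

CLIENT_OVPN='client
proto tcp
remote localhost 31337
dev tun'

# stunnel_opt CONF SERVICE KEY: print the value of KEY inside [SERVICE].
# Accepts both "key = value" and "key=value"; status 1 if not found.
stunnel_opt() {
  conf=$1; svc=$2; key=$3; in_svc=0
  while IFS= read -r line; do
    case "$line" in
      "[$svc]") in_svc=1; continue ;;   # quoted pattern: literal brackets
      "["*)     in_svc=0; continue ;;   # any other section header
      *=*)      ;;
      *)        continue ;;             # comments, blank lines
    esac
    [ "$in_svc" -eq 1 ] || continue
    k=$(printf '%s' "${line%%=*}" | tr -d ' \t')
    v=$(printf '%s' "${line#*=}"  | tr -d ' \t')
    if [ "$k" = "$key" ]; then printf '%s\n' "$v"; return 0; fi
  done <<EOF
$conf
EOF
  return 1
}

# ovpn_field CONF DIRECTIVE N: print the Nth argument of DIRECTIVE in a .ovpn.
ovpn_field() {
  conf=$1; key=$2; n=$3
  while IFS= read -r line; do
    set -- $line
    [ "${1:-}" = "$key" ] || continue
    shift "$n"; printf '%s\n' "$1"; return 0
  done <<EOF
$conf
EOF
  return 1
}

# port_of / host_of split stunnel's "host:port" (or bare "port") form.
port_of() { printf '%s\n' "${1##*:}"; }
host_of() { case "$1" in *:*) printf '%s\n' "${1%:*}" ;; *) printf '\n' ;; esac; }

# check_port_pairing SERVER_CONF CLIENT_CONF: the client must dial the port
# the server-side stunnel accepts on.
check_port_pairing() {
  s_accept=$(port_of "$(stunnel_opt "$1" openvpn accept)")
  c_connect=$(port_of "$(stunnel_opt "$2" openvpn connect)")
  [ -n "$s_accept" ] && [ "$s_accept" = "$c_connect" ]
}

# check_client_loopback CLIENT_CONF: the plaintext entry point of the tunnel
# must be bound to loopback; a bare "accept = 31337" binds every interface.
check_client_loopback() {
  h=$(host_of "$(stunnel_opt "$1" openvpn accept)")
  case "$h" in 127.0.0.1|localhost|::1) return 0 ;; *) return 1 ;; esac
}

# check_ovpn_profile CLIENT_OVPN CLIENT_CONF: the profile must use TCP and
# dial the client stunnel's accept port rather than the server directly.
check_ovpn_profile() {
  [ "$(ovpn_field "$1" proto 1)" = tcp ] || return 1
  [ "$(ovpn_field "$1" remote 2)" = "$(port_of "$(stunnel_opt "$2" openvpn accept)")" ]
}

# run_checks: report each invariant for the sample fragments.
run_checks() {
  check_port_pairing "$SERVER_CONF" "$CLIENT_CONF"  && echo "PASS client connect -> server accept" || echo "FAIL port pairing"
  check_client_loopback "$CLIENT_CONF"              && echo "PASS client accept bound to loopback" || echo "FAIL client accept not on loopback"
  check_ovpn_profile "$CLIENT_OVPN" "$CLIENT_CONF"  && echo "PASS .ovpn remote matches client stunnel" || echo "FAIL .ovpn remote/proto"
}

run_checks
```

To check a real deployment, replace the three sample strings with the contents of the actual files (for example SERVER_CONF=$(cat /etc/stunnel/stunnel.conf)); the parser only looks at the [openvpn] section.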
References
Useful link: http://home.arcor.de/lightsky/docs/stunnel_openssl_synergy.pdf
Another useful link: http://kyl191.net/2012/12/tunneling-openvpn-through-stunnel/
Flags
OpenVPN: a tool for creating and connecting to virtual private networks.
Creating a Static Key VPN: OpenVPN/Static Key
Configuring Your DNS: DNS