Netgate Discussion Forum
    OpenVPN through Stunnel

    kellytrinh:

      Looked at various guides in getting openvpn to work through stunnel on my fairly-fresh/mint Linode VPS server. (running Ubuntu 18.04 LTS in case it matters)

      No luck all afternoon and fresh out of ideas. What I've done is below. Welcome any ideas on how to fix it.

      I have OpenVPN (without the stunnel) working on my Windows laptop.
      Copy the .ovpn file; change the line with the VPS IP and 1194 to 127.0.0.1 20000.

      Have the stunnel sorted to take the OpenVPN traffic from port 20000 and put it to my VPS on port 20001.

      tcpdump shows activity on 20001 when I try to connect.

      However, the OpenVPN log is as follows.

      Client OpenVPN is showing:

      Sun Feb 23 22:31:06 2020 TCP connection established with [AF_INET]127.0.0.1:20000
      Sun Feb 23 22:31:06 2020 TCP_CLIENT link local: (not bound)
      Sun Feb 23 22:31:06 2020 TCP_CLIENT link remote: [AF_INET]127.0.0.1:20000
      Sun Feb 23 22:31:06 2020 MANAGEMENT: >STATE:1582468266,WAIT,,,,,,
      Sun Feb 23 22:31:08 2020 Connection reset, restarting [-1]
      Sun Feb 23 22:31:08 2020 SIGUSR1[soft,connection-reset] received, process restarting
      Sun Feb 23 22:31:08 2020 MANAGEMENT: >STATE:1582468268,RECONNECTING,connection-reset,,,,,
      Sun Feb 23 22:31:08 2020 Restart pause, 5 second(s)

      server side openvpn logs show the following:

      linode_tcp/XXXXX:60802 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
      linode_tcp/XXXXX:60802 Connection reset, restarting [-1]
      linode_tcp/XXXXX:60802 SIGUSR1[soft,connection-reset] received, client-instance restarting

        JKnott @kellytrinh:

        @kellytrinh

        Two questions: why are you trying to run a VPN over another encrypted connection? Also, doesn't stunnel only support TCP? That means you'd have to run OpenVPN via TCP, instead of the normal UDP.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          kellytrinh:

          I am planning to use this setup in China, where they block OpenVPN by packet inspection. By using stunnel, I'm hoping to have an additional layer so the government can't tell it is VPN traffic. I understand there is a performance hit, but it would be better than being blocked.

            JKnott @kellytrinh:

            @kellytrinh

            Ah yes, the Great Firewall of China. Still, if you run OpenVPN, you'll need to use TCP. Are you doing that?

              Docop2:

              After a whole day I'm able to run stunnel with OpenVPN, from a fresh install of pfSense. VPN, NAT, rule give the VPN working fine. I don't set any DNS. DNS leak, as it seems not possible to set DoH or DoT in pfSense with just: providerdns.com/dns-query.

              The how: make sure the VPN is set to TCP 1194 and works fine before.
              So install the stunnel package, then put:
              client mode: checked / listen IP: 127.0.0.1 / listen port: 1194
              redirect to IP: vpnprovider.com / redirect to port: 443
              log: notice / timeout: 0 / custom option: it's exactly as in your provider's conf file. If they write option = noSslv2, you put it all in. If not, it will just not work. The box "custom option" could be renamed to "extra setting" to be more clear. This is the first guide on the internet.
              Also, passing from a first OVPN in UDP 1194 does work fine, no forward port or anything else. A bit slow to get the page loaded directly, but all fine, dual VPN back to back.

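As an added illustration (not configuration from any of the posters), here are the two stunnel configurations plus the matching OpenVPN client lines that implement the chain described in the first post: OpenVPN client to 127.0.0.1:20000, TLS to the VPS on 20001, then plain TCP into an OpenVPN server on 1194. The hostname vps.example.com, the certificate and CA file paths, and the verification settings are assumptions; it also assumes the OpenVPN server listens with proto tcp, as JKnott points out it must.

```ini
; ---- Client-side stunnel.conf (laptop) ----
; The .ovpn on the laptop must use "proto tcp" and
; "remote 127.0.0.1 20000" so OpenVPN hands its stream to stunnel.
client = yes
foreground = yes

[openvpn]
accept  = 127.0.0.1:20000
; assumed VPS hostname: replace with the real one
connect = vps.example.com:20001
; verify the VPS certificate so the outer tunnel cannot be silently
; intercepted (CA file path is an assumption)
verifyChain = yes
CAfile = /etc/stunnel/server-ca.pem
checkHost = vps.example.com
; OpenVPN sends its own keepalives; keep stunnel from
; tearing down idle sessions early
TIMEOUTclose = 0

; ---- Server-side stunnel.conf (VPS) ----
; Terminates TLS on 20001 and forwards the plain OpenVPN TCP
; stream to the OpenVPN daemon, which must run "proto tcp-server"
; on port 1194 (certificate paths are assumptions).
foreground = yes

[openvpn]
accept  = 0.0.0.0:20001
connect = 127.0.0.1:1194
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key
TIMEOUTclose = 0
```

Because stunnel on the VPS opens the inbound OpenVPN session from loopback, the OpenVPN server log prefix shows 127.0.0.1 rather than the client's real address, which is worth knowing when correlating the two logs.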