Any install guides for stunnel?

[gsrcrxsi]

Hey guys,

I have OpenVPN running in a jail on my FreeNAS server, all working fine, but i have issues making a connection out of China, server is located in the US. Most likely cause is the GFW is identifying the OpenVPN traffic (it's already on port 443) via DPI and i'm getting nuked/IP banned after less than a day, until my IP changes again.

i've done some searching and it seems like running my OpenVPN traffic though an STunnel connection can fix my problems and make my traffic look like normal HTTPS traffic rather than OpenVPN.

I've created a jail for STunnel via the FreeNAS gui (11.2), and I have installed stunnel in the jail with "pkg install stunnel", but i'm kind of at a loss of where to go from here.

Has anyone done this?

 

[jgreco]

Running TCP OpenVPN? UDP on 443 would be an obvious flag. Guessing you know that.

It isn't clear how stunnel would offer anything significantly different. The data flow would look very similar. The initial session creation might be different. OpenVPN is actually the winner there because you can use "tls-crypt" to obscure the initial session setup. If they are identifying your VPN traffic by DPI pattern inspection, you might be better off with frequent disconnect/reconnects so that you do not appear to have long-running sessions.

 

[gsrcrxsi]

From what I’ve been reading, the OpenVPN TLS handshake is what usually gives it away and is not the same as a normal tls handshake over https.

Using stunnel wraps the OpenVPN traffic in an additional layer, obfuscating it.

https://greycoder.com/openvpn-china/

 

[jgreco]

Well that's why I'm wondering what happens if you use tls-crypt.

 

[gsrcrxsi]

Hmm. I can try.

Do I just straight replace tls-auth with tls-crypt on both the server and client config files? Or do both lines need to be there?

 

[jgreco]

tls-crypt is a cool new directive in 2.4 that is used to encrypt the initial TLS negotiation. See discussion for ex at

https://security.stackexchange.com/questions/151194/openvpns-new-tls-crypt-option

This should ideally be used with certificates. tls-auth is pretty awful in comparison, if I recall.

 

[gsrcrxsi]

I guess I still don’t know how to use it properly. I tried to simply replace “tls-auth” with “tls-crypt” using the same key files as before (ta.key) on the server and client. But now it won’t connect.

Examples I’m seeing online have weird XML flags <tls-crypt></tls-crypt> in their client or server config files and I don’t know why. I didn’t have that previously.

Can you elaborate?

I did check that I have OpenVPN version 2.4.6

 

[gsrcrxsi]

actually nevermind, tls-crypt wasnt the issue.

i was actually using UDP protocol previously, and i tried to just change it to proto tcp (as well as changes to my client config and router port forwarding). well i also had a line for "explicit-exit-notify 1" that i guess is incompatible with TCP and it was preventing OpenVPN from starting on the server. I commented that line out and now i can connect to my VPN again with tls-crypt.

now to test with the GFW, will report back if this was enough.