Any install guides for stunnel?

gsrcrxsi (Explorer, joined Apr 15, 2018, 86 messages):
Hey guys,

I have OpenVPN running in a jail on my FreeNAS server, all working fine, but I have issues making a connection out of China; the server is located in the US. The most likely cause is that the GFW is identifying the OpenVPN traffic (it's already on port 443) via DPI, and I'm getting nuked/IP banned after less than a day, until my IP changes again.

I've done some searching and it seems like running my OpenVPN traffic through an stunnel connection can fix my problems and make my traffic look like normal HTTPS traffic rather than OpenVPN.

I've created a jail for stunnel via the FreeNAS GUI (11.2), and I have installed stunnel in the jail with "pkg install stunnel", but I'm kind of at a loss as to where to go from here.

Has anyone done this?

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages):
Running TCP OpenVPN? UDP on 443 would be an obvious flag. Guessing you know that.

It isn't clear how stunnel would offer anything significantly different. The data flow would look very similar. The initial session creation might be different. OpenVPN is actually the winner there because you can use "tls-crypt" to obscure the initial session setup. If they are identifying your VPN traffic by DPI pattern inspection, you might be better off with frequent disconnect/reconnects so that you do not appear to have long-running sessions.

gsrcrxsi (Explorer, joined Apr 15, 2018, 86 messages):
From what I've been reading, the OpenVPN TLS handshake is what usually gives it away, and it is not the same as a normal TLS handshake over HTTPS.

Using stunnel wraps the OpenVPN traffic in an additional layer, obfuscating it.

https://greycoder.com/openvpn-china/

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages):
Well that's why I'm wondering what happens if you use tls-crypt.

gsrcrxsi (Explorer, joined Apr 15, 2018, 86 messages):
Hmm. I can try.

Do I just straight replace tls-auth with tls-crypt on both the server and client config files? Or do both lines need to be there?

gsrcrxsi (Explorer, joined Apr 15, 2018, 86 messages):
I guess I still don't know how to use it properly. I tried to simply replace "tls-auth" with "tls-crypt" using the same key files as before (ta.key) on the server and client. But now it won't connect.

Examples I'm seeing online have weird XML-style tags <tls-crypt></tls-crypt> in their client or server config files and I don't know why. I didn't have that previously.

Can you elaborate?

I did check that I have OpenVPN version 2.4.6.

gsrcrxsi (Explorer, joined Apr 15, 2018, 86 messages):
Actually, never mind, tls-crypt wasn't the issue.

I was actually using the UDP protocol previously, and I tried to just change it to proto tcp (as well as making changes to my client config and router port forwarding). Well, I also had a line for "explicit-exit-notify 1" that I guess is incompatible with TCP, and it was preventing OpenVPN from starting on the server. I commented that line out and now I can connect to my VPN again with tls-crypt.

Now to test with the GFW; will report back if this was enough.
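For readers who land here with the same two questions (whether tls-auth and tls-crypt coexist, and what the <tls-crypt> block is), here is an added example of a matching server and client configuration for the TCP-on-443 setup the thread ends with. It is not from the thread or the OpenVPN project; it assumes the jail's config path /usr/local/etc/openvpn/openvpn.conf, placeholder certificate file names, the hostname vpn.example.com, and a ta.key produced with "openvpn --genkey --secret ta.key".

```conf
# --- server: /usr/local/etc/openvpn/openvpn.conf (assumed FreeBSD jail path) ---
port 443
proto tcp-server              # TCP, so it can later sit behind stunnel or be served directly
dev tun
ca ca.crt                     # placeholder file names
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
# tls-crypt REPLACES tls-auth: same key file format, but no direction argument (no trailing 0/1).
# The two options are mutually exclusive; keep exactly one of them on both sides.
tls-crypt ta.key
# tls-auth ta.key 0           # old line, removed when switching to tls-crypt
# explicit-exit-notify 1      # UDP-only; with proto tcp OpenVPN 2.4 refuses to start if this is set
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
verb 3

# --- client: client.ovpn ---
client
dev tun
proto tcp-client
remote vpn.example.com 443    # placeholder hostname
resolv-retry infinite
nobind
remote-cert-tls server        # reject a server whose cert lacks the server purpose
cipher AES-256-GCM
persist-key
persist-tun
ca ca.crt                     # placeholder file names (may also be inlined as <ca>...</ca>)
cert client.crt
key client.key
# The <tls-crypt> block is OpenVPN's inline-file syntax: it carries the contents of ta.key inside
# the profile so the client needs only one file. It is equivalent to "tls-crypt ta.key".
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(placeholder: paste the hex lines from ta.key here; this is not a real key)
-----END OpenVPN Static key V1-----
</tls-crypt>
verb 3
```

The OpenVPN log on the server is the place to confirm the switch: with a mismatched or missing tls-crypt key the server logs tls-crypt unwrap errors for the client's first packet and the handshake never starts, while a stale explicit-exit-notify line shows up as an "Options error" at startup rather than a connection failure.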