How to Set Up OpenVPN with Stunnel on Ubuntu 22.04/20.04 Server

This tutorial is going to show you how to run your own OpenVPN server on Ubuntu 22.04/20.04. OpenVPN is an open-source, robust, and highly flexible VPN solution. Stunnel is a tool that tunnels OpenVPN traffic over TCP port 443 in TLS mode, so as to bypass firewall blocking.

Why Set Up Your Own VPN Server?

  • Maybe you are a VPN service provider or a system administrator, which behooves you to set up your own VPN server.
  • You don’t trust the no-logging policy of VPN service providers, so you go the self-host route.
  • You can use VPN to implement network security policy. For example, if you run your own email server, you can require users to log in only from the IP address of the VPN server by creating an IP address whitelist in the firewall. Thus, your email server is hardened to prevent hacking activities.
  • Perhaps you are just curious to know how VPN server works.

Set Up OpenVPN with Stunnel on Ubuntu

Features of OpenVPN Server

  • Lightweight and fast. In my test, I can watch YouTube 4K videos with OpenVPN. YouTube is blocked in my country (China).
  • Runs on Linux and most BSD servers.
  • There is OpenVPN client software for Linux, macOS, Windows, Android, and iOS, and OpenWRT.
  • Supports RADIUS accounting.
  • Supports virtual hosting (multiple domains).
  • Easy to set up
  • Supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT.
  • Support for dynamic IP addresses and DHCP
  • Scalability to hundreds or thousands of users
  • Supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates

Requirements

To follow this tutorial, you will need a VPS (Virtual Private Server) that can access blocked websites freely (Outside of your country or Internet filtering system). I recommend Kamatera VPS, which features:

  • 30 days free trial.
  • Starts at $4/month (1GB RAM)
  • High-performance KVM-based VPS
  • 9 data centers around the world, including United States, Canada, UK, Germany, The Netherlands, Hong Kong, and Isreal.

Follow the tutorial linked below to create your Linux VPS server at Kamatera.

Once you have a VPS running Ubuntu 22.04/20.04, follow the instructions below.

Step 1: Install OpenVPN Server on Ubuntu 22.04/20.04

Log into your Ubuntu 22.04/20.04 server. Then use apt to install the openvpn package from the default Ubuntu repository.

sudo apt update
sudo apt install -y openvpn openvpn-systemd-resolved easy-rsa

Step 2: Set Up Certificate Authentication in OpenVPN

OpenVPN supports password authentication (pre-shared key), but it’s very limited. You can generate only one pre-share key. To support multiple users, we need to use certificate authentication. Each user will have their own certificate.

To accomplish this, we need to set up a public key infrastructure (PKI), which includes:

  • Set up a certificate authority (CA)
  • Create server key and certificate
  • Create client key and certificate

Set up a certificate authority (CA)

A certificate authority issues server certificates and client certificates. For example, Let’s Encrypt is a certificate authority that issues free TLS server certificates. However, Let’s Encrypt doesn’t issue client certificates, so we need to set up a private certificate authority for OpenVPN.

The openssl utility is widely used to set up a certificate authority, but its command line syntax is complex. Instead, we can use the easy-rsa utility, which is installed in step 1. As its name implies, it’s easier than openssl.

First, run the following command to copy the /usr/share/easy-rsa/ directory to /etc/openvpn/.

sudo make-cadir /etc/openvpn/easy-rsa

Switch to the root user.

sudo su -

Change to the /etc/openvpn/easy-rsa/ directory.

cd /etc/openvpn/easy-rsa/

Initialize a public key infrastructure.

./easyrsa init-pki

Initialize a public key infrastructure.

Then create a certificate authority.

./easyrsa build-ca

You will be asked to enter a passphrase for the CA. When asked about setting a common name for the CA, you can press Enter to choose the default name: Easy-RSA CA.

easy rsa build ca

Create server key and certificate

Generate a keypair and certificate request for the OpenVPN server. Replace openvpn.example.com with a real sub-domain for your OpenVPN server. You will need to enter a common name. Use this subdomain as the common name.

./easyrsa gen-req openvpn.example.com nopass

easy rsa Create server key and certificate request

Generate Diffie Hellman parameters.

./easyrsa gen-dh

easy rsa Generate Diffie Hellman parameters

Now sign the certificate request. The server certificate will be created.

./easyrsa sign-req server openvpn.example.com

easy rsa sign certificate request

Generate an OpenVPN static key to enhance SSL/TLS security.

openvpn --genkey tls-auth /etc/openvpn/easy-rsa/pki/ta.key

Create client key and certificate

Generate a certificate request for the user user01.

./easyrsa gen-req user01 nopass

openvpn Generate a certificate request.

Sign this certificate request. The client certificate will be created. You will need to enter the CA passphrase.

./easyrsa sign-req client user01

openvpn Create client key and certificate

Each VPN user should have their own certificate/key.

Step 3: Edit OpenVPN Server Configuration File

Copy the sample server configuration file.

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server.conf

Edit this file.

sudo nano /etc/openvpn/server.conf

At the beginning of this file, you can find the following line, which enables UDP port on the server’s public IPv4 address.

proto udp

Add a second directive to support IPv6.

proto udp
proto udp6

Then find the following lines.

ca ca.crt
cert server.crt
key server.key # This file should be kept secret

The 3 lines specify the location of the CA certificate, server certificate, and server private key. We need to use the actual location.

ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/openvpn.linuxbabe.com.crt
key /etc/openvpn/easy-rsa/pki/private/openvpn.linuxbabe.com.key

Then find the Diffie hellman parameters setting.

dh dh2048.pem

Change it to:

dh /etc/openvpn/easy-rsa/pki/dh.pem

The following line specifies the private IPv4 network for OpenVPN. The OpenVPN server will have the 10.8.0.1 private IP address.

server 10.8.0.0 255.255.255.0

Add a second directive to enable IPv6 private addressing.

server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:0:123::/64

By default, OpenVPN uses the net30 network topology, which is deprecated. Find the follownig line.

;topology subnet

Uncomment it to use the subnet network topology.

topology subnet

Find the following line

;push "redirect-gateway def1 bypass-dhcp"

Uncomment it (remove the beginning semicolon) and also add a second push directive, so the OpenVPN server will become the gateway for VPN clients. They will also use the OpenVPN as the DNS server.

push "redirect-gateway def1 bypass-dhcp"
push "route-ipv6 2000::/3"

If you want VPN clients to use a particular DNS server, find the following two lines.

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

Uncomment them and change the DNS server IP address.

;push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option DNS 1.1.1.1"

Find the following line.

;client-to-client

Uncomment it, so VPN clients can ping each other.

;client-to-client

Finally, find the following line.

tls-auth ta.key 0 # This file is secret

Specify the actual location of OpenVPN static key.

tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0

Save and close the file. Start OpenVPN server.

sudo systemctl enable --now openvpn@server

Check its status:

sudo systemctl status openvpn@server

sudo systemctl status openvpn@server

As you can see, it’s active (running) and automatic start at boot time is enabled.

Step 4: Enable IP Forwarding

In order for the VPN server to route packets between VPN clients and the Internet, we need to enable IP forwarding by running the following command.

echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/60-custom.conf

Also, run the following two commands to enable TCP BBR algorithm to boost TCP speed.

echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.d/60-custom.conf

echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.d/60-custom.conf

Then apply the changes with the below command. The -p option will load sysctl settings from /etc/sysctl.d/60-custom.conf file. This command will preserve our changes across system reboots.

sudo sysctl -p /etc/sysctl.d/60-custom.conf

Step 5: Configure IP Masquerading in Firewall

We need to set up IP masquerading in the server firewall, so that the server becomes a virtual router for VPN clients. I will use UFW, which is a front end to the iptables/nftable firewall. Install UFW on Ubuntu with:

sudo apt install ufw

First, you need to allow SSH traffic.

sudo ufw allow 22/tcp

Then find the name of your server’s main network interface.

ip addr

As you can see, it’s named ens3 on my Ubuntu server.

openconnect-ubuntu 20.04-command-line

To configure IP masquerading, we have to add iptables command in a UFW configuration file.

sudo nano /etc/ufw/before.rules

By default, there are some rules for the filter table. Add the following lines at the end of this file. Replace ens3 with your own network interface name.

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE

# End each table with the 'COMMIT' line or these rules won't be processed
COMMIT

In Nano text editor, you can go to the end of the file by pressing Ctrl+W, then pressing Ctrl+V.

ufw masquerade rule openvpn ubuntu

The above lines will append (-A) a rule to the end of POSTROUTING chain of nat table. It will link your virtual private network with the Internet. And also hide your network from the outside world. So the Internet can only see your VPN server’s IP, but can’t see your VPN client’s IP, just like your home router hides your private home network.

By default, UFW forbids packet forwarding. We can allow forwarding for our private network. Find the ufw-before-forward chain in this file and add the following 3 lines, which will accept packet forwarding if the source IP or destination IP is in the 10.8.0.0/24 range.

# allow forwarding for trusted network
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT

ufw allow packet forwarding openvpn

Save and close the file. Then enable UFW.

sudo ufw enable

If you have enabled UFW before, then you can use systemctl to restart UFW.

sudo systemctl restart ufw

Now if you list the rules in the POSTROUTING chain of the NAT table by using the following command:

sudo iptables -t nat -L POSTROUTING

You can see the Masquerade rule.

openvpn-IP-Masquerading-ufw-ubuntu

It can take some time for UFW to process the firewall rules. If the masquerade rule doesn’t show up, then restart UFW again (sudo systemctl restart ufw).

Step 6: Open Port 1194 in Firewall

Run the following command to open TCP and UDP port 1194.

sudo ufw allow 1194/tcp
sudo ufw allow 1194/udp

Now OpenVPN server is ready to accept client connections.

If you run a local DNS Resolver

For those of you who run a local DNS resolver, if you specified 10.10.10.1 as the DNS server for VPN clients, then you must allow VPN clients to connect to port 53 with the following UFW rule.

sudo ufw insert 1 allow in from 10.8.0.0/24

You also need to edit the BIND DNS server’s configuration file (/etc/bind/named.conf.options) to allow VPN clients to send recursive DNS queries like below.

allow-recursion { 127.0.0.1; 10.8.0.0/24; };

Then restart BIND.

sudo systemctl restart named

How to Install and Use OpenVPN client on Ubuntu 22.04/20.04 Desktop

Run the following command to install OpenVPN command line client on Ubuntu desktop.

sudo apt install openvpn

Then you need to copy the CA certificate, client certificate, client private key, and the static key file from the OpenVPN server to the client’s computer. The path for the files on the OpenVPN server.

  • CA cert: /etc/openvpn/easy-rsa/pki/ca.crt
  • Client cert: /etc/openvpn/easy-rsa/pki/issued/user01.crt
  • Client key: /etc/openvpn/easy-rsa/pki/private/user01.key
  • Static key: /etc/openvpn/easy-rsa/pki/ta.key

I stored them under the /etc/openvpn/client/ directory on the client’s computer.

Next, copy the sample client config file.

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

Edit the file.

sudo nano /etc/openvpn/client.conf

Find the following lines.

remote my-server-1 1194

Specify the public IP address of your OpenVPN server.

remote 12.34.56.78 1194

Then find the following lines.

ca ca.crt
cert client.crt
key client.key

Use the actual path for the CA cert, client cert, and client private key.

ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/user01.crt
key /etc/openvpn/client/user01.key

Find the following line.

tls-auth ta.key 1

Use the actual path for the static key.

tls-auth /etc/openvpn/client/ta.key 1

Save and close the file. Then start the OpenVPN client

sudo systemctl start openvpn@client

Check status:

sudo systemctl status openvpn@client

sudo systemctl status openvpn@client

Check if you can ping the OpenVPN server.

ping 10.8.0.1

Then go to https://icanhazip.com. If everything is working properly, you should see the public IP address of the OpenVPN server.

If you are successfully connected to the VPN server, but your public IP address doesn’t change, that’s because IP forwarding or IP masquerading is not working. I once had a typo in my iptables command (using a wrong IP address range), which caused my computer not being able to browse the Internet.

To stop this Systemd service, run

sudo systemctl stop openvpn@client

If you want to use Network Manager to manage OpenVPN connection, then you also need to install these packages.

sudo apt install network-manager-openvpn network-manager-openvpn-gnome

OpenVPN GUI Client for Windows and macOS

You can use the free and open-source Pritunl OpenVPN client: https://client.pritunl.com/

Speed

OpenVPN is pretty fast. I can use it to watch 4k videos on YouTube. As you can see, my connection speed is 63356 Kbps, which translates to 61 Mbit/s.

ocserv vpn speed test singapore server

And here’s the test results on speedtest.net.

ocserv vpn speed test singapore

Debugging

If there’s problem establishing VPN connection, you can edit the OpenVPN server config file (/etc/openvpn/server.conf) and increase the level of log file verbosity to 6.

verb 6

This directive is located at the bottom of the file.

Then you can check the logs.

  • client: sudo journalctl -eu openvpn@client
  • server: sudo journalctl -eu openvpn@server

Set Up Stunnel (optional)

If you live in a country like China, or Iran, then your national firewall may block OpenVPN connections. You can wrap the OpenVPN traffic inside a TLS tunnel to hide the fact that you are using OpenVPN.

Configure Stunnel on the OpenVPN server

Edit the OpenVPN server config file.

sudo nano /etc/openvpn/server.conf

Enable the TCP port.

proto tcp
proto udp
proto udp6

Save and close the file. Then install Stunnel on the OpenVPN server.

sudo apt install -y stunnel4

Copy the sample configuration file:

sudo cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/openvpn.conf

Edit the new file.

sudo nano /etc/stunnel/openvpn.conf

Find the following lines and uncomment them.

;setuid = stunnel4
;setgid = stunnel4

;pid = /var/run/stunnel.pid

;output = /var/log/stunnel.log

Change them to:

setuid = stunnel4
setgid = stunnel4

pid = /var/run/stunnel/stunnel.pid

output = /var/log/stunnel/stunnel.log

Find the following lines.

[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes

This enables tunnels for SMTP, IMAP, and POP3 server. Delete them and add the following lines instead, so Stunnel will be able to pass traffic to the OpenVPN server listen on port 1194.

[openvpn]
cert=/etc/openvpn/easy-rsa/pki/issued/openvpn.example.com.crt
key=/etc/openvpn/easy-rsa/pki/private/openvpn.example.com.key
accept = 0.0.0.0:443
connect = 127.0.0.1:1194

Save and close the file.

Create the PID file and log file.

sudo mkdir /var/run/stunnel /var/log/stunnel

Grant permission to the user.

sudo chown stunnel4:stunnel4 /var/run/stunnel/ -R
sudo chown stunnel4:stunnel4 /var/log/stunnel/ -R
sudo setfacl -R -m u:stunnel4:rx /etc/openvpn/easy-rsa/

Start Stunnel.

sudo /usr/bin/stunnel4 /etc/stunnel/openvpn.conf

You should see that Stunnel is using port 443.

sudo ss -lnpt | grep 443

If it failed to start, then check the log file: /var/log/stunnel/stunnel.log. If your server has another process listening on TCP port 443, you need to stop it, or Stunnel won’t be able to bind to TCP port 443.

Open TCP port 443 in firewall, so VPN clients will be able to connect to this port.

sudo ufw allow 443/tcp

Configure Stunnel on the OpenVPN client

Install Stunnel on the OpenVPN client.

sudo apt install -y stunnel4

Create Stunnel config file.

sudo nano /etc/stunnel/client.conf

Add the following lines in this file.

output = /var/log/stunnel/stunnel.log
pid = /var/run/stunnel/stunnel.pid
client = yes
[openvpn]
sni = openvpn.example.com
accept = 127.0.0.1:1194
connect = 12.34.56.78:443

Save and close the file. Create the log directory and pid directory.

sudo mkdir /var/log/stunnel/ /var/run/stunnel/

Start the Stunnel client.

sudo stunnel /etc/stunnel/client.conf

It listens on 127.0.0.1:1194 and passes requests to the Stunnel server.

sudo ss -lnpt | grep 1194

Next, edit the OpenVPN client config file.

sudo nano /etc/openvpn/client.conf

Enable TCP and disable UDP.

proto tcp
;proto udp

Change remote server address to 127.0.0.1:1194.

remote 127.0.0.1 1194

Save and close the file. Then restart OpenVPN client.

Wrapping Up

That’s it! I hope this tutorial helped you install and configure OpenVPN on Ubuntu 22.04/20.04. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks 🙂

Rate this tutorial
[Total: 8 Average: 5]

19 Responses to “How to Set Up OpenVPN with Stunnel on Ubuntu 22.04/20.04 Server

  • My client is Windows. I think I did not configure the Windows client correctly. Is it possible to help me configure the Windows client? I am from Iran and if you guide me for the correct configuration of the Windows client, you have helped me a lot. I installed the Pritunl and Stunnel software on Windows and put the files related to the client that I downloaded from the server into a folder. I made the configuration settings from the settings you gave for Linux, but unfortunately I cant connect to the server. OpenVpn is active and running on my server without error.

    [email protected] - OpenVPN connection to server
         Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor preset: enabled)
         Active: active (running) since Tue 2022-10-18 18:22:19 UTC; 2s ago
           Docs: man:openvpn(8)
                 https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
                 https://community.openvpn.net/openvpn/wiki/HOWTO
       Main PID: 25863 (openvpn)
         Status: "Initialization Sequence Completed"
          Tasks: 1 (limit: 2241)
         Memory: 1.8M
            CPU: 26ms
         CGroup: /system.slice/system-openvpn.slice/[email protected]
                 └─25863 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
    
    Oct 18 18:22:19 vm693204.stark-industries.solutions ovpn-server[25863]: Socket Buffers: R=[16777216->16777216] S=[16777216->16777216]
    Oct 18 18:22:19 vm693204.stark-industries.solutions ovpn-server[25863]: setsockopt(IPV6_V6ONLY=0)
    Oct 18 18:22:19 vm693204.stark-industries.solutions ovpn-server[25863]: UDPv6 link local (bound): [AF_INET6][undef]:1070
    Oct 18 18:22:19 vm693204.stark-industries.solutions ovpn-server[25863]: UDPv6 link remote: [AF_UNSPEC]
    Oct 18 18:22:19 vm693204.stark-industries.solutions ovpn-server[25863]: MULTI: multi_init called, r=256 v=256
    Oct 18 18:22:19 vm693204.stark-industries.solutions ovpn-server[25863]: IFCONFIG POOL IPv4: base=10.8.0.2 size=253
    Oct 18 18:22:19 vm693204.stark-industries.solutions ovpn-server[25863]: IFCONFIG POOL IPv6: base=2001:db8:0:123::1000 size=65536 netbits=64
    Oct 18 18:22:19 vm693204.stark-industries.solutions ovpn-server[25863]: NOTE: IPv4 pool size is 253, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool
    Oct 18 18:22:19 vm693204.stark-industries.solutions ovpn-server[25863]: IFCONFIG POOL LIST
    Oct 18 18:22:19 vm693204.stark-industries.solutions ovpn-server[25863]: Initialization Sequence Completed
     

    thank you in advance

    • Xiao Guoan (Admin)
      2 years ago

      If you found the following error in the Stunnel log,

      TLS fd: Connection reset by peer (104)

      It might be that your national firewall is able to detect and block Stunnel traffic. You can try other VPN solutions instead, such as SoftEtherVPN SSTP protocol and OpenConnect VPN protocol.

    • Xiao Guoan (Admin)
      2 years ago

      Some Iran folks report that Stunnel works on Linux client, but fails on Windows client. You might consider switching to Linux?

      • Thanks for help my friend.
        I have 2 Linux virtual servers. Can I set up a OpenVPN+Stunnel server on one of them and then connect to the server from the second Linux (client) and then connect to the second Linux (client) from Windows (my client computer) and bypass the filter? In short, I want to connect to the Linux client from Windows and access the Internet of the main server. Also, I need my connection to be a UDP connection and the SSH tunnel method is not suitable for me. Can you please help me?? I will be very grateful. In the meantime, I am currently running a Wireguard+WSTunnel server, but the download speed is very low and the latency is very fluctuating. A tutorial for the Tunneling over WebSocket would be very helpful. Thank you for all your hard work.

        • Arash
          2 years ago

          Hi , I am from Iran. I have two linux servers : one in Iran , one outside of Iran. None of UDP based VPN solutions that I have tested so far ( IPsec , Wireguard, OpenVPN in UDP ) didn’t work for me even for connecting to server in Iran. Right now I use SSH Tunnel with OpenVPN in TCP mode and also Openconnect with/without SSH Tunnel. I didn’t test UDP in TCP tunnel solutions but I don’t think these solutions work very well. I suggest you also try TCP based solutions.

        • alihsi
          2 years ago

          The best solution for me was Wireguard over WStunnel and Softether. There are solutions for passing UDP through SSH, but I have not been able to do them so far. Using an IRAN server for SSH Tunneling is not a good option in terms of security and privacy. A solution must be found to connect directly to the main server using tunnels. Like WSTunnel or passing UDP over SSH.

        • Arash
          2 years ago

          You can set SSH Tunnel directly between Client and Server outside of Iran and run Openvpn over that ( just like Openvpn+stunnel) . I use server in Iran primarily as an intermediate for sharing VPN connections ; Also Internet on mobile devices is more restricted and server in Iran allows me to have access to VPN on mobile devices.

    • Hello, I am form Iran. I think TLSv1.3 traffic is blocked in Iran so I just
      added:

      sslVersionMin = TLSv1.2
      sslVersionMax = TLSv1.2

      to client’s config file and It worked ( including on Windows ).

      • I am getting this error
        Options error: Unrecognized option or missing or extra parameter(s) in client.conf:17: sslVersionMin (2.5.7)
        Can you tell me how to configure it more precisely?

        • Arash
          2 years ago

          sure ,

          server openvpn (version 2.5.5) config :

          local 127.0.0.1
          port 5678
          proto tcp
          ...
          

          server stunnel (version 5.63 ) config :

          ...
          [openvpnx]
          cert=/etc/openvpn/server/easy-rsa/pki/issued/xx.yy.zz.crt
          key=/etc/openvpn/server/easy-rsa/pki/private/xx.yy.zz.key
          accept = 12.34.56.78:1234
          connect = 127.0.0.1:5678
          

          client stunnel (version 5.66) config :

          client = yes
          [openvpnx]
          sni = xx.yy.zz
          accept = 127.0.0.1:12345
          connect = 12.34.56.78:1234
          sslVersionMin = TLSv1.2
          sslVersionMax = TLSv1.2
          

          client openvpn (version 2.5.7) config

          client
          dev tun
          proto tcp
          remote 127.0.0.1 12345
          ...
          
  • 2022.10.19 10:04:56 LOG6[ui]: Initializing inetd mode configuration
    2022.10.19 10:04:56 LOG5[ui]: stunnel 5.63 on x86_64-pc-linux-gnu platform
    2022.10.19 10:04:56 LOG5[ui]: Compiled/running with OpenSSL 3.0.2 15 Mar 2022
    2022.10.19 10:04:56 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP
    2022.10.19 10:04:56 LOG6[ui]: Initializing inetd mode configuration
    2022.10.19 10:04:56 LOG5[ui]: Reading configuration from file /etc/stunnel/openvpn.conf
    2022.10.19 10:04:56 LOG5[ui]: UTF-8 byte order mark detected
    2022.10.19 10:04:56 LOG5[ui]: FIPS mode disabled
    2022.10.19 10:04:56 LOG6[ui]: Compression enabled: 0 methods
    2022.10.19 10:04:56 LOG6[ui]: Initializing service [openvpn]
    2022.10.19 10:04:56 LOG6[ui]: OpenSSL security level is used: 2
    2022.10.19 10:04:56 LOG6[ui]: Session resumption enabled
    2022.10.19 10:04:56 LOG6[ui]: Loading certificate from file: /etc/openvpn/easy-rsa/pki/issued/****.crt
    2022.10.19 10:04:56 LOG6[ui]: Certificate loaded from file: /etc/openvpn/easy-rsa/pki/issued/****.crt
    2022.10.19 10:04:56 LOG6[ui]: Loading private key from file: /etc/openvpn/easy-rsa/pki/private/****.key
    2022.10.19 10:04:56 LOG6[ui]: Private key loaded from file: /etc/openvpn/easy-rsa/pki/private/****.key
    2022.10.19 10:04:56 LOG6[ui]: DH initialization skipped: no DH ciphersuites
    2022.10.19 10:04:56 LOG5[ui]: Configuration successful
    2022.10.19 10:04:56 LOG6[ui]: Service [openvpn] (FD=9) bound to 0.0.0.0:443
    2022.10.19 10:04:56 LOG3[main]: Cannot create pid file /var/run/stunnel.pid
    2022.10.19 10:04:56 LOG3[main]: create: Permission denied (13)

    • Xiao Guoan (Admin)
      2 years ago

      I just made some changes to the “Configure Stunnel on the OpenVPN server” section. Please re-configure it and the error should be gone.

  • I have a error when a put this command line –> ./easyrsa init-pki

    root@XXXXX:/etc/openvpn/easy-rsa# ./easyrsa init-pki

    
    WARNING!!!
    
    You are about to remove the EASYRSA_PKI at: /etc/openvpn/easy-rsa/pki
    and initialize a fresh PKI here.
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm removal: yes
    
    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
    
    • Xiao Guoan (Admin)
      2 years ago

      That’s a warning, not an error.

      It means you have previously created a PKI, but now you create a new one, that’s why it displays this warning.

  • How can use this method in android and IOS ??

  • Can we use Radius to authenticate users in this mothod?

  • James Dean
    1 year ago

    I am trying to pass OPENVPN+Stunnel through a CDN (Cloudflare) in order to hide server ip from the national firewall, but i haven’t managed yet. It seems like Cloudflare is still able to distinguish Stunnel packages from HTTPS packages and can drop them. Here is the Stunnel log when i try to connect OPN VPN profile through a stunnel whose domain is behind Cloudflare:

    SSL_read: ssl/record/rec_layer_s3.c:320: error:0A000126:SSL routines::unexpected eof while reading
    Connection reset: 16 byte(s) sent to TLS, 316 byte(s) sent to socket

    Do you think there is anyway to pass Stunnel through Cloudflare?

  • Hello, I’m sorry for this tutorial that you said, how to create a client file for a user with the ovpn extension, what is the command?

  • second2falcon
    5 months ago

    Client on macOS here, but the connection resets every few seconds, probably because there is never actually a connection. Any ideas?

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here