Français  English 

OpenVPN (wrapped in stunnel)

These instructions should only be used if OpenVPN connections are being actively blocked in your country or by your ISP. Performance will be better if you are able to connect directly, but certain countries (notably China and Iran) employ Deep Packet Inspection to detect and thwart OpenVPN connections. Some companies do the same. If you do not fall into this category, please refer to the standard OpenVPN instructions instead.

Following these steps will wrap your OpenVPN traffic in an encrypted tunnel so it looks like standard SSL traffic being directed to a port where this type of traffic would be expected. This prevents DPI from identifying the true nature of the packets, thereby allowing you to freely use OpenVPN.

A note on client files

For security reasons, OpenVPN clients typically have their own unique certificate and private key. The server you will be connecting to has been configured to allow clients to share the same certificate and private key, but you may still wish to give your phone and laptop different keys, for example.

• Platforms
  • Windows
  • macOS
  • Linux
  • Android
  • iOS

Windows

Stunnel Setup

1. Download and run the stunnel installer.
2. Download the stunnel.conf file that has been customized to work with this server:
   • stunnel.conf
3. Open the directory where you installed stunnel. For most users, this will either be in C:\Program Files\stunnel or C:\Program Files (x86)\stunnel.
4. Drag and drop the downloaded stunnel.conf file into this directory.
5. Double click stunnel.exe in the installation directory to start the service.

Now you are ready to install OpenVPN and configure it to route its traffic through stunnel. A custom .ovpn profile that is preconfigured to work alongside the stunnel.conf file will make this easy.

OpenVPN Setup

1. Download and run the OpenVPN Windows Installer.
2. Click Next and accept the license agreement by clicking I Agree.
3. Click Next on the Choose Components screen. Leave all of the default options checked.
4. Make note of the Destination Folder. This is where you will place the 52.15.254.140-stunnel.ovpn client configuration profile after installation. Click Install.
5. A Windows Security notice will appear and ask Would you like to install this device software?. Click Install.
6. Click Next on the Installation Complete screen.
7. Uncheck Show Readme and click Finish.
8. Right-click on the OpenVPN GUI desktop icon and choose Properties.
9. Go to the Compatibility tab and click the Run this program as an administrator checkbox in the Privilege Level section.
10. Double-click the OpenVPN GUI desktop icon to launch the application.
11. Download one of these unified OpenVPN profiles:
    • brother-various
    • shallow-exotic
    • uncle-task
    • script-pizza
    • rely-inherit
12. Open the config directory that is located in the Destination Folder. For most users, this will either be in C:\Program Files\OpenVPN\config or C:\Program Files (x86)\OpenVPN\config. You will see a single README file in this directory.
13. Drag and drop the downloaded 52.15.254.140-stunnel.ovpn file to this location alongside the README.
14. Right-click on the OpenVPN icon in your taskbar and choose Connect.
15. You will see a log scroll by as the connection is established, followed by a taskbar notification indicating your assigned IP.
16. Success! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

macOS

Stunnel Setup

1. Install Homebrew, if you haven't already.

2. Install stunnel using Homebrew:

   brew install stunnel

   • If installing Homebrew is not an option, you can also download and compile the stunnel source code.
3. Download the stunnel.conf file that has been customized to work with this server:
   • stunnel.conf

4. Replace the default stunnel.conf file with the customized version. Be sure to update the source location if you downloaded the file to a different directory.

   cp ~/Downloads/stunnel.conf /usr/local/etc/stunnel/

5. Start stunnel:

   stunnel

Now you are ready to install OpenVPN and configure it to route its traffic through stunnel. A custom .ovpn profile that is preconfigured to work alongside the stunnel.conf file will make this easy.

OpenVPN Setup

1. Download and open Tunnelblick.
2. Type your password to allow the installation process to complete, and click OK.
3. Click Launch after the installation is finished.
4. Click I have configuration files.
5. Download one of these unified OpenVPN profiles:
   • brother-various
   • shallow-exotic
   • uncle-task
   • script-pizza
   • rely-inherit
6. Double-click the OpenVPN profile.
7. You will be asked to choose whether the profile should be available for all users or only the current user. After making your selection, you will be asked to enter your password.
8. Look for the Tunnelblick icon in your menu bar. Click on it, and choose Connect.
9. Success! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

Linux

Stunnel Setup

1. Make sure stunnel is installed:

   sudo apt-get install stunnel OR sudo yum install stunnel OR esoteric-package-manager hipster stunnel

   • If installing stunnel via your package manager is not an option, you can also download and compile the stunnel source code.
2. Download the stunnel.conf file that has been customized to work with this server:
   • stunnel.conf

3. Copy stunnel.conf to the right destination. Be sure to update the source location if you have moved the directory elsewhere.

   cp ~/Downloads/stunnel.conf /etc/stunnel/

4. Ubuntu users should adjust the /etc/default/stunnel4 file and make sure ENABLED is set to 1.

5. Restart the stunnel service:

   sudo service stunnel4 restart OR sudo service stunnel restart

Now you are ready to install OpenVPN and configure it to route its traffic through stunnel. A custom .ovpn profile that is preconfigured to work alongside the stunnel.conf file will make this easy.

OpenVPN Setup

1. Install OpenVPN:

   sudo apt-get install openvpn OR sudo yum install openvpn OR esoteric-package-manager hipster openvpn

   • If installing OpenVPN via your package manager is not an option, you can also download and compile the OpenVPN source code.
2. Download one of these unified OpenVPN profiles:
   • brother-various
   • shallow-exotic
   • uncle-task
   • script-pizza
   • rely-inherit
3. Copy the downloaded 52.15.254.140-stunnel.ovpn file to the location of your choice. /etc/openvpn/ is a decent option.
4. On some distributions, the pushed DHCP DNS option from the OpenVPN server will be ignored. This means that your DNS queries will still be routed through your ISP's servers which makes them vulnerable to what is known as a DNS leak.
   • You can test whether or not your DNS is leaking here.
   • You can ensure that the correct DNS servers are used by adding the following lines to the top of the 52.15.254.140-stunnel.ovpn file:
     • script-security 2
     • up /etc/openvpn/update-resolv-conf
     • down /etc/openvpn/update-resolv-conf

5. Execute OpenVPN, and pass it the .ovpn profile as an option:

   sudo openvpn 52.15.254.140-stunnel.ovpn

6. Success! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

The OpenVPN plugin for NetworkManager appears to become very confused as to how it should route traffic when you connect to an OpenVPN server through a wrapped stunnel connection. Manually adding route information does not seem to help. Therefore, unlike in the non-stunnel instructions, the steps above are the recommended connection method for Ubuntu as well.

Android

SSLDroid Setup

1. Download the stunnel PKCS #12 formatted key:
   • stunnel.p12
2. Copy the stunnel.p12 file to your phone.
3. Install SSLDroid and launch it.
4. Tap the menu button.
5. Tap Add tunnel.
6. Tap Tunnel name and enter streisand-demo-site.
7. Tap Local port and enter 41194.
8. Tap Remote host and enter 52.15.254.140.
9. Tap Remote port and enter 993.
10. Tap the browse button next to PKCS12 file and select the stunnel.p12 file that you copied to your phone during the first step. You can leave the PKCS12 pass field blank.
11. Tap Apply.

Now you are ready to install OpenVPN for Android and configure it to route its traffic through SSLDroid, which is connected to the stunnel port on the remote server. A custom .ovpn profile that is preconfigured to work alongside SSLDroid will make this easy.

OpenVPN Setup

1. Install OpenVPN for Android.
2. Download one of these unified OpenVPN profiles:
   • brother-various
   • shallow-exotic
   • uncle-task
   • script-pizza
   • rely-inherit
3. Copy the 52.15.254.140-stunnel.ovpn file to your phone.
4. Launch OpenVPN for Android.
5. Tap the folder icon in the lower-right of the screen.
6. Select the 52.15.254.140-stunnel.ovpn profile that you copied to your phone.
7. Tap the save icon (floppy disk) in the lower-right of the screen after the import is complete.
8. Tap the profile.
9. Accept the Android VPN connection warning.
10. Success! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

iOS

There are no stunnel-compatible tunneling applications available in the App Store at this time.