1/27/2024 0 Comments Stunnel for mac os![]() (Assuming that you’re using OpenVPN over TCP instead of UDP.)īecause this is more a trial run than anything else, I didn’t do much optimization and securing. Thankfully, this just means that all the connection profiles with random ports that I created can be replaced with a single line: remote localhost 31337. However, OpenVPN needs to be configured to use the new port. Stunnel nicely installs a set of useful shortcuts in its start menu folderĪnd that was all that was needed to be done to get stunnel configured. The easiest way to get at the config file is to find stunnel in your Start menu, right click on the “Edit nf” link and select “Run as administrator”. The upside is that we now only need to bother with one file: nf Which we didn’t actually need, since we’re running in client mode. However, poking at the files revealed that stunnel.cnf was simply used to generate a certificate during the install. By default it comes with two config files – one named nf, and the other named stunnel.cnf. Stunnel on Windows is a bit of a strange beast. It should be possible to do this as a normal user (since we’re not touching the first 1024 ports, Linux should allow it), but I just did it in root’s crontab – start editing it with crontab -e, and add: stunnel /etc/stunnel/nf So the easy way around this is just to add a single line to the crontab. Make stunnel start on bootĪgain, stunnel is weird and doesn’t come with an init or systemd script. (Again, replace the dport with the correct port, whatever you’re using.) 4. Poke a hole in the firewall for stunnelĪgain, it was pretty simple, given that I’ve had to mess around with iptables a lot in the past few days: iptables -A INPUT -p tcp -dport 4948 -j ACCEPT was enough to get a single port punched through. But with this primarily being a test, the next step was to: 3. In theory, we should be running this on port 443 since (I’m hoping) the GFW expects SSL over that port. Regarding the choice of port number, I ‘randomly’ chose the port number from another tutorial about installing stunnel on CentOS. I tried using 127.0.0.1, but the OpenVPN client kept on failing to connect. (YOu can verify this by looking at the output of netstat -nlp|grep openvpn). The important thing to note here is that the IP address of the OpenVPN server needs to be specified – OpenVPN listens on a specific IP address. So I had to create a barebones conf file: cert = /etc/stunnel/stunnel.pem Create the conf filesįor some strange strange reason, Fedora doesn’t come with a set of default config files. This dumps the newly generated cert into the /etc/stunnel directory, where we’ll… 2. Openssl req -new -x509 -days 3650 -nodes -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem ![]() Next, I setup stunnel on the server side: 1. (My friend’s laptop is going to be a bit harder, since it’s running OS X, but rudix has a stunnel package, so I’m hoping it’s easier than having to install the Mac OS X dev tools and having to compile the stunnel code.) Laptop was a tad more difficult – I had to get the Windows version from the stunnel site, and then install it. Server was easy – since I’m using Fedora, it was simply yum install stunnel, and it was done. The first thing to do was to get stunnel on both my server and laptop. Of course, performance is going to suffer, since we’re now triple layering TCP (first layer: stunnel, second layer: OpenVPN, third layer: the actual web browsing).īut that’s enough theory, onwards to the setup: (Yay for packet inspection.) So, right now, I’m thinking use stunnel to wrap the OpenVPN packets in a pure SSL connection. ![]() My assumption is that the GFW is detecting the OpenVPN packets, since they’re not pure SSL, and then blocking the IP & port combination. Continuing my string of posts on trying to get OpenVPN working through China’s Great Firewall… and a recent (and unexpected but much appreciated) report that TCP & UDP ports are blocked quickly, I’m now looking at getting OpenVPN to work with stunnel.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |