OpenVPN over SSH (Stealth VPN)

This howto describes how to tunnel OpenVPN through SSH on the Linux terminal. This is identical to the Stealth VPN feature you can activate in the Windows client (obfuscation). These instructions should work on all Linux versions; X-Windows is not necessary. It is also assumed that you know how to install software packages like wget and unzip. If not, please consult the documentation for your package management.

Requirements and preparation

Make sure you have the following components installed:

  • wget
  • sudo with root access (or direct root access)
  • unzip
  • OpenVPN
  • SSH
  • any text editor like vi, nano, etc.

First change into the /etc/openvpn/ directory

cd /etc/openvpn/

and get the Perfect Privacy TCP configuration with the following line. You will need to change USERNAME and PASSWORD to your Perfect Privacy login credentials.

sudo wget -v --post-data "username=USERNAME&password=PASSWORD&uri=/member/download/?file=linux_tcp.zip" -O linux_tcp.zip "https://www.perfect-privacy.com/member/"

Unpack the file with the following command:

sudo unzip -j linux_tcp.zip

To create a configuration file for the SSH connection, copy any server configuration. In this howto we are using the file Basel.ovpn. We are using vim to edit the file, but any text editor like nano works as well.

sudo cp Basel.ovpn Basel-ssh.ovpn
sudo vim Basel-ssh.ovpn

Remove all lines starting with remote. You will then need to add the following two lines:

remote localhost LOCAL_PORT
route THIRD_SERVER_IP 255.255.255.255 net_gateway

LOCAL_PORT can be any port that is not in use on your system. In this howto we are using port 10000.

To use SSH for tunneling, you will need to use the third IP of the VPN server.  You can find the server IP addresses on the server page in the member area. For Basel the third IP address is 82.199.134.165 so we are using this for the configuration.

Once you added these lines you can save the file and exit the editor.

Now you can start the ssh tunnel with the following command:

ssh -N -p TUNNEL_PORT USERNAME@THIRD_SERVER_IP -L LOCAL_PORT:PRIMARY_SERVER_IP:152

For TUNNEL_PORT you can choose between the following ports: 22, 53, 443, 8085, 9009 and 36315. Generally, 443 (SSL) should work fine for all purposes but port 53 may help to get internet access from hotspots where you normally need to register on a public website first.

USERNAME is your Perfect Privacy user name. You will be prompted for your Perfect Privacy password when issuing this command.

Same as in the OpenVPN configuration file, you need to connect to the third IP address of the VPN server. Again we are using 82.199.134.165.

The LOCAL_PORT must be the same that you used in the OpenVPN configuration file, in our case this was 10000.

Finally you will need to include the primary (first) IP of the VPN server and the OpenVPN TCP Port (either 152 or 1152, you can find these on the server page as well).

The configuration is finished, you can now start the OpenVPN connection with the following line:

sudo openvpn --config /etc/openvpn/Basel-ssh.ovpn

You will need to enter your Perfect Privacy credentials. You can also store them in a text file as described in our OpenVPN documentation.

You can verify whether everything is working correctly by calling our Check-IP website with either of the following commands:

curl https://checkip.perfect-privacy.com/csv
wget -q -O - https://checkip.perfect-privacy.com/csv
If you have any questions, comments or other feedback regarding this howto, please use the corresponding thread in our community forums.