OpenVPN over stunnel (Stealth VPN)

This howto describes how to tunnel OpenVPN through stunnel on the Linux terminal. This is identical to the Stealth VPN feature you can activate in the Windows client (obfuscation). These instructions should work on all Linux versions; X-Windows is not necessary. It is also assumed that you know how to install software packages like wget and unzip. If not, please consult the documentation for your package management.

Requirements and preparation

Make sure you have the following components installed:

  • wget
  • sudo with root access (or direct root access)
  • unzip
  • OpenVPN
  • stunnel
  • any text editor like vi, nano, etc.

First change into the /etc/openvpn/ directory

cd /etc/openvpn/

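and get the Perfect Privacy TCP configuration with the following line. You will need to change USERNAME and PASSWORD to your Perfect Privacy login credentials. Keep in mind that credentials typed on the command line end up in your shell history and are visible in the process list while wget is running.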

sudo wget -v --post-data "username=USERNAME&password=PASSWORD&uri=/member/download/?file=linux_tcp.zip" -O linux_tcp.zip "https://www.perfect-privacy.com/member/"

Unpack the file with the following command:

sudo unzip -j linux_tcp.zip

To create a configuration file for the stunnel connection, copy any server configuration. In this howto we are using the file Basel.ovpn. We are using vim to edit the file, but any text editor like nano works as well.

sudo cp Basel.ovpn Basel-stun.ovpn
sudo vim Basel-stun.ovpn

Remove all lines starting with remote. You will then need to add two lines. The first one tells the VPN to connect to the local stunnel proxy:

remote 127.0.0.1 LOCAL_PORT

LOCAL_PORT can be any port that is not in use on your system. For this howto we are using port 995.

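The last thing to add to the configuration is a route to the VPN server's IP address. The net_gateway keyword makes the stunnel connection itself keep using your normal default gateway instead of being routed into the VPN: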

route SECOND_SERVER_IP 255.255.255.255 net_gateway

To tunnel through stunnel, you will need to use the second IP of the VPN server. You can find the IPs on the server page in the member area.

For Basel, the second IP is 82.199.134.164 so we enter this IP in the configuration file.

After you have added the two lines, you can save the file and exit the editor.

To configure stunnel, create the file /etc/stunnel/stunnel.conf and insert the following lines:

[openvpn]
client = yes
accept = 127.0.0.1:LOCAL_PORT
connect = SECOND_SERVER_IP:TUNNEL_PORT

The LOCAL_PORT must be the same one that you used in the OpenVPN configuration file; in our case this was 995.

Use the second IP of the VPN server in the connect line, the same one you used in the OpenVPN configuration.

As TUNNEL_PORT you can choose between the following ports: 22, 53, 443, 8085, 9009 and 36315. Generally, 443 (SSL) should work fine for all purposes but port 53 may help to get internet access from hotspots where you normally need to register on a public website first.

Save the file and start stunnel by typing sudo stunnel. It will then be running in the background; you can check this with ps aux | grep stunnel.

Now you can start the OpenVPN connection by typing

sudo openvpn --config Basel-stun.ovpn

After you have entered your Perfect Privacy user name and password, the connection should be established successfully. The last line should read “Initialization Sequence Completed”.

You can also save your user name and password in a text file so that you don’t have to type them in each time you connect. You can find instructions for this in our OpenVPN howto.

You can verify whether everything is working correctly by calling our Check-IP page with either of the following commands:

curl https://checkip.perfect-privacy.com/csv
wget -q -O - https://checkip.perfect-privacy.com/csv
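
The two configuration files from the steps above can also be generated and cross-checked by script. The following is an added example, not part of the original howto: the function names are hypothetical, the sample profile is constructed, and it assumes that only the remote HOST PORT directives are removed while options such as remote-cert-tls are kept.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of OpenVPN or stunnel.

# make_stealth_configs SRC_OVPN DST_OVPN STUNNEL_CONF LOCAL_PORT SECOND_SERVER_IP TUNNEL_PORT
make_stealth_configs() {
    src=$1 dst=$2 conf=$3 lport=$4 ip=$5 tport=$6
    case "$tport" in
        22|53|443|8085|9009|36315) ;;   # ports listed in the howto
        *) echo "TUNNEL_PORT $tport is not one of the listed ports" >&2; return 1 ;;
    esac
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Drop the existing "remote HOST PORT" directives only (assumption: options
    # such as remote-cert-tls stay), then append the two lines from the howto.
    { grep -v -E '^[[:space:]]*remote[[:space:]]' "$src"
      echo "remote 127.0.0.1 $lport"
      echo "route $ip 255.255.255.255 net_gateway"
    } > "$dst" || return 1
    printf '%s\n' '[openvpn]' 'client = yes' \
        "accept = 127.0.0.1:$lport" "connect = $ip:$tport" > "$conf"
}

# check_stealth_configs OVPN STUNNEL_CONF
# Succeeds only if both files agree on the local port and the server IP.
check_stealth_configs() {
    ovpn=$1 conf=$2
    remote=$(awk '$1 == "remote" { print $2 ":" $3 }' "$ovpn")
    route=$(awk '$1 == "route" && $4 == "net_gateway" { print $2 }' "$ovpn")
    accept=$(awk -F' *= *' '$1 == "accept" { print $2 }' "$conf")
    connect=$(awk -F' *= *' '$1 == "connect" { print $2 }' "$conf")
    [ -n "$remote" ] && [ "$remote" = "$accept" ] ||
        { echo "remote ($remote) and accept ($accept) differ" >&2; return 1; }
    [ -n "$route" ] && [ "$route" = "${connect%:*}" ] ||
        { echo "route ($route) and connect ($connect) differ" >&2; return 1; }
}

# Demo on a constructed profile in a temporary directory (not a real config).
demo=$(mktemp -d)
printf '%s\n' 'client' 'dev tun' 'proto tcp' 'remote 192.0.2.10 1152' \
    'remote 192.0.2.10 149' 'remote-cert-tls server' > "$demo/Basel.ovpn"
make_stealth_configs "$demo/Basel.ovpn" "$demo/Basel-stun.ovpn" \
    "$demo/stunnel.conf" 995 82.199.134.164 443 &&
    check_stealth_configs "$demo/Basel-stun.ovpn" "$demo/stunnel.conf" &&
    cat "$demo/Basel-stun.ovpn" "$demo/stunnel.conf"
```

For real use, point DST_OVPN at /etc/openvpn/Basel-stun.ovpn and STUNNEL_CONF at /etc/stunnel/stunnel.conf and run the script with sudo.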

If you have any questions, comments or other feedback regarding this howto, please use the corresponding thread in our community forums.