OpenVPN through SSLdroid tunnel (StealthVPN)

This manual describes how to tunnel your OpenVPN traffic through an SSL tunnel using SSLDroid. This will obfuscate the VPN traffic and may get around certain network-enforced restrictions. Note that using a VPN connection may cause increased battery usage and slightly more traffic.

Preparation

  • Download and install SSLDroid from the Google Play Store. (Direct link)
  • Download and install OpenVPN from the Google Play Store. (Direct link)
  • Download the Perfect Privacy TCP configuration for Android (Direct link, login required)
  • Download the Perfect Privacy certificates and keys (Direct link, login required)

Start SSLDroid, tap on the options icon on the top right and choose “Add tunnel”.

Choose a Perfect Privacy server; in this documentation we use Basel. You can enter any name you like as the tunnel name.

The local port can be any high port (1025-65535), in this documentation we are using 1196. For remote port you can use either 22 (SSH), 53 (DNS) or 443 (HTTPS). As remote host use the second IP address of the VPN server. You can find the IPs on the server page in the member area. For Basel the second IP is 82.199.134.164.

The PKCS12 file for Basel is in the ZIP file with the Perfect Privacy keys and certificates. Import basel.p12.

Now tap on “Apply”. The tunnel will be automatically established as indicated by the green SSLdroid icon on the top left.

Now start OpenVPN for Android and tap on the import icon on the top right (downward arrow).

Import the appropriate *.ovpn file, in this case basel.ovpn from the Perfect Privacy configuration files.

Give the profile a name and tap on the checkmark on the top right.

Switch to the “Server List” tab and disable or delete all but one server. Modify the remaining entry with the following settings:

Server Address: 127.0.0.1 and Server Port 1196 (the same that was used in the SSLDroid configuration)

Protocol: TCP, Connect Timeout: 120, Custom Options OFF.

In the “IP and DNS” tab use the following settings:

Pull Settings ON, No local binding ON, Override DNS By Server: OFF.

In the “Routing” tab use the following settings:

Ignore pushed routes: OFF

Bypass VPN for local network: ON

IPv4 Use default route: ON

IPv6 Use default route: ON

Configure the “Authentication/Encryption” tab as follows:

Expect TLS server certificate: OFF

Certificate Hostname Check: OFF

Use TLS Authentication: ON

TLS Auth File: This was already imported with the .ovpn configuration; it should read [[Inline file data]]

TLS Direction: 1

Encryption cipher: AES-128-CBC

Packet Authentication: SHA512

In the “Advanced” tab use the following options:

Persistent tun: ON

Push Peer Info: OFF

Random Host Prefix: OFF

Allow floating server: OFF

Override MSS value of TCP payload: OFF

Enable Custom Options: OFF

Connection Retries: Unlimited

Seconds between connections: 2

Maximum Time between connection attempts: 300s

Under “Allowed Apps” make sure that the option “VPN is used for all apps but exclude selected” is active.

Scroll down the list until you find “SSLDroid” and activate the exception for it.

This will exempt SSLDroid from using the OpenVPN connection, since the OpenVPN app will instead be using the tunnel that was previously configured in SSLDroid.

Then exit the configuration (just tap the left arrow in the Android navigation bar at the bottom).

Now tap the new connection once to establish the VPN tunnel. You will be asked to enter your Perfect Privacy username and password. If you tap on “Save Password” you will not need to enter it again on the next connection. VPN should now be running through SSLDroid. Visit CheckIP to verify that everything is working correctly.
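
As an added check that is not part of the original manual, the following Python sketch reads a profile in text form and lists every setting that differs from the ones configured above, most importantly a remote that does not point at the local SSLDroid listener. It assumes the profile uses standard OpenVPN directive syntax and that the app settings map to the directives remote, proto, nobind, cipher, auth and key-direction; the sample profiles are constructed.

```python
import shlex

EXPECTED = {"cipher": "AES-128-CBC", "auth": "SHA512", "key-direction": "1"}  # from the guide

def parse_directives(text):
    """Return {directive: [argument lists]}, skipping comments and inline data."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # inside <ca>, <tls-auth>, ... until the closing tag
            if line == f"</{inline}>":
                inline = None
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
        elif line and line[0] not in "#;":
            name, *args = shlex.split(line, comments=True)
            directives.setdefault(name, []).append(args)
    return directives

def last_arg(d, name, default=None):
    args = d.get(name, [[]])[-1]  # the last occurrence of a directive wins
    return args[0] if args else default

def check_profile(text, local_port=1196):
    """List deviations from the loopback-tunnel settings used in the guide."""
    d, findings = parse_directives(text), []
    remotes = [r for r in d.get("remote", []) if r]
    if len(remotes) != 1:
        findings.append(f"expected exactly one remote, found {len(remotes)}")
    for host, *rest in remotes:
        port = rest[0] if rest else last_arg(d, "port", "1194")
        proto = rest[1] if len(rest) > 1 else last_arg(d, "proto", "udp")
        if (host, port) != ("127.0.0.1", str(local_port)):
            findings.append(f"remote {host}:{port} is not the SSLDroid listener")
        if not proto.startswith("tcp"):
            findings.append(f"remote {host} uses {proto}; the tunnel needs TCP")
    for name, want in EXPECTED.items():
        if (got := last_arg(d, name)) != want:
            findings.append(f"{name} is {got}; guide uses {want}")
    if "nobind" not in d:
        findings.append("nobind missing (No local binding: ON)")
    return findings

# Constructed sample profiles; the key material is a placeholder.
GOOD = "\n".join(["proto tcp-client", "remote 127.0.0.1 1196", "nobind",
    "cipher AES-128-CBC", "auth SHA512", "key-direction 1",
    "<tls-auth>", "(key data omitted)", "</tls-auth>"])
BAD = GOOD.replace("1196", "1194").replace("tcp-client", "udp")
if __name__ == "__main__":
    print(check_profile(GOOD) or "matches the guide", check_profile(BAD), sep="\n")
```

Pass the local port chosen in SSLDroid as local_port if it is not 1196.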

If you have any questions, comments or other feedback regarding this howto, please use the corresponding thread in our community forums.