OpenVPN through SSLdroid tunnel (StealthVPN)

This manual describes how to tunnel your OpenVPN traffic through stunnel using SSLDroid. This will obfuscate the VPN traffic and may get around certain network-enforced restrictions. Note that using a VPN connection causes increased battery usage and slightly more traffic.

Preparation

  • Download and install SSLDroid from the Google Play Store. (Direct link)
  • Download and install OpenVPN from the Google Play Store. (Direct link)
  • Download the Perfect Privacy TCP configuration for Android (Direct link, member login required)
  • Download the Perfect Privacy certificates and keys (Direct link, member login required).

Start SSLDroid, tap on the options icon on the top right and choose “Add tunnel”.

Choose a Perfect Privacy server of your choice, in this documentation we use Basel. As tunnel name you can enter any name you like.

The local port can be any high port (1025-65535), in this documentation we are using 1196. For remote port you can use either 22 (SSH), 53 (DNS) or 443 (HTTPS). As remote host use the second IP address of the VPN server. You can find the IPs on the server page in the member area. For Basel the second IP is 82.199.134.164.

The PKCS12 file for Basel is in the zipfile with the Perfect Privacy keys and certificates, import basel.p12.

Now tap on “Apply”. The stunnel will be automatically established as indicated by the green SSLdroid icon on the top left.

Now start OpenVPN for Android and tap on the import icon on the top right (downward arrow).

Import the appropriate *.ovpn file, in this case basel.ovpn from the Perfect Privacy configuration files.

Give the profile a name and tap on the checkmark on the top right.

Switch to the “Server List” tab and disable or delete all but one server. Modify the remaining entry with the following settings:

Server Address: 127.0.0.1 and Server Port 1196 (the same that was used in the SSLDroid configuration)

Protocol: TCP, Connect Timeout: 120, Custom Options OFF.

In the “IP and DNS” tab use the following settings:

Pull Settings ON, No local binding ON, Override DNS By Server: OFF.

In the “Routing” tab use the following settings:

Ignore pushed routes: OFF

Bypass VPN for local network: ON

IPv4 Use default route: ON

IPv6 Use default route: ON

Configure the “Authentication/Encryption” tab as follows:

Expect TLS server certificate: OFF

Certificate Hostname Check: OFF

Use TLS Authentication: ON

TLS Auth File: This was already imported with the .ovpn configuration, it should read [[Inline file data]]

TLS Direction: 1

Encryption cipher: AES-128-CBC

Packet Authentication: SHA512

In the “Advanced” tab use the following options:

Persistent tun: ON

Connection Retries: Five

Seconds between connections: 5

Random Host Prefix: OFF

Allow floating server: OFF

Override MSS value of TCP payload: OFF

Then tap on Custom Options which will open an editor window with the current configuration.

You will need to add the following line to to the configuration:

route SECOND_SERVER_IP 255.255.255.255 net_gateway

This is the same IP you used in the SSLdroid configuration, for Basel this is 82.199.134.164.

You can insert that line anywhere, just make sure it is an extra line.

Then exit the configuration (just tap the left arrow in the Android navigation bar at the bottom).

Now tap the new connection once to establish the VPN tunnel. You will be asked to enter your Perfect Privacy username and password. If you tap on “Save Password” you will not need to enter it gain on the next connection.  VPN should now be running through SSLdroid. Visit CheckIP to verify that everything is working correctly.

If you have any questions, comments or other feedback regarding this howto, please use the corresponding thread in our community forums.