How to Tunnel OpenVPN Through stunnel on Port 443 to Evade DPI Detection


15 views

When you want to make VPN traffic indistinguishable from regular HTTPS traffic, stunnel acts as the perfect SSL wrapper. Here's why this configuration works:

Your laptop's stunnel client configuration correctly redirects OpenVPN traffic through SSL:

[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = REMOTE_SERVER_IP:443

The corresponding OpenVPN config ensures TCP mode operation:

client
dev tun
proto tcp
remote 127.0.0.1 1194

The server configuration shows proper SSL termination:

[openvpn]
accept = REMOTE_SERVER_IP:443
connect = REMOTE_SERVER_IP:11440
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key

To verify your traffic appears as genuine SSL:

  1. Use Wireshark to capture packets on port 443
  2. Check for TLS handshake patterns
  3. Verify packet sizes resemble normal HTTPS traffic

For better obfuscation:

; Add to server config
sslVersion = TLSv1.2
options = NO_COMPRESSION
ciphers = HIGH:!aNULL:!MD5

Sample tcpdump command to verify traffic:

sudo tcpdump -i eth0 'port 443' -A -n -vv | grep -i "client hello"

Expected output should show TLS negotiation similar to web browsers.

If DPI still detects VPN:

  • Ensure MTU settings match (1450-1500)
  • Disable OpenVPN protocol markers
  • Add padding to packets

When attempting to make VPN traffic indistinguishable from regular SSL traffic, we're fundamentally dealing with three layers of network behavior:

  1. Packet-level characteristics (MTU, frame sizes)
  2. Protocol fingerprints (TLS handshake patterns)
  3. Behavioral patterns (flow timing, burst characteristics)

Your current setup establishes a secure tunnel with these components:

# Client-side stunnel config
[openvpn]
client = yes  
accept = 127.0.0.1:1194  
connect = REMOTE_SERVER_IP:443

# Server-side stunnel config
[openvpn]
accept = REMOTE_SERVER_IP:443
connect = REMOTE_SERVER_IP:11440
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key

To verify your traffic's SSL appearance, consider these DPI testing methods:

# Sample tshark command for protocol analysis
tshark -i eth0 -Y "tcp.port == 443" -O ssl -V

# Alternative with nDPI
ndpiReader -i eth0 -f "port 443 and host REMOTE_SERVER_IP"

For enhanced SSL camouflage, modify your stunnel server configuration:

# Improved server config
[openvpn]
accept = 443
connect = 11440
cert = /etc/ssl/certs/nginx-selfsigned.crt
key = /etc/ssl/private/nginx-selfsigned.key
ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
curve = secp384r1
session = 300
sessionCacheSize = 200
sessionCacheTimeout = 300
renegotiation = yes

Critical adjustments for packet size normalization:

# OpenVPN client config additions
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
fragment 1300
sndbuf 393216
rcvbuf 393216

Implement these techniques to mimic browser-like behavior:

  • Enable TLS 1.3 (when supported)
  • Add HTTP CONNECT method simulation
  • Implement randomized packet timing
  • Use common web cipher suites

Create a test harness with these components:

#!/bin/bash
# Traffic capture
tcpdump -i eth0 -w stunnel_test.pcap port 443 &
# Generate test traffic
curl --proxy socks5h://localhost:1080 https://www.cloudflare.com/cdn-cgi/trace
# Analyze results
tshark -r stunnel_test.pcap -Y "ssl" -O ssl