How to Tunnel OpenVPN Through stunnel on Port 443 to Evade DPI Detection


2 views

When you want to make VPN traffic indistinguishable from regular HTTPS traffic, stunnel acts as the perfect SSL wrapper. Here's why this configuration works:

Your laptop's stunnel client configuration correctly redirects OpenVPN traffic through SSL:

[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = REMOTE_SERVER_IP:443

The corresponding OpenVPN config ensures TCP mode operation:

client
dev tun
proto tcp
remote 127.0.0.1 1194

The server configuration shows proper SSL termination:

[openvpn]
accept = REMOTE_SERVER_IP:443
connect = REMOTE_SERVER_IP:11440
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key

To verify your traffic appears as genuine SSL:

  1. Use Wireshark to capture packets on port 443
  2. Check for TLS handshake patterns
  3. Verify packet sizes resemble normal HTTPS traffic

For better obfuscation:

; Add to server config
sslVersion = TLSv1.2
options = NO_COMPRESSION
ciphers = HIGH:!aNULL:!MD5

Sample tcpdump command to verify traffic:

sudo tcpdump -i eth0 'port 443' -A -n -vv | grep -i "client hello"

Expected output should show TLS negotiation similar to web browsers.

If DPI still detects VPN:

  • Ensure MTU settings match (1450-1500)
  • Disable OpenVPN protocol markers
  • Add padding to packets

When attempting to make VPN traffic indistinguishable from regular SSL traffic, we're fundamentally dealing with three layers of network behavior:

  1. Packet-level characteristics (MTU, frame sizes)
  2. Protocol fingerprints (TLS handshake patterns)
  3. Behavioral patterns (flow timing, burst characteristics)

Your current setup establishes a secure tunnel with these components:

# Client-side stunnel config
[openvpn]
client = yes  
accept = 127.0.0.1:1194  
connect = REMOTE_SERVER_IP:443

# Server-side stunnel config
[openvpn]
accept = REMOTE_SERVER_IP:443
connect = REMOTE_SERVER_IP:11440
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key

To verify your traffic's SSL appearance, consider these DPI testing methods:

# Sample tshark command for protocol analysis
tshark -i eth0 -Y "tcp.port == 443" -O ssl -V

# Alternative with nDPI
ndpiReader -i eth0 -f "port 443 and host REMOTE_SERVER_IP"

For enhanced SSL camouflage, modify your stunnel server configuration:

# Improved server config
[openvpn]
accept = 443
connect = 11440
cert = /etc/ssl/certs/nginx-selfsigned.crt
key = /etc/ssl/private/nginx-selfsigned.key
ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
curve = secp384r1
session = 300
sessionCacheSize = 200
sessionCacheTimeout = 300
renegotiation = yes

Critical adjustments for packet size normalization:

# OpenVPN client config additions
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
fragment 1300
sndbuf 393216
rcvbuf 393216

Implement these techniques to mimic browser-like behavior:

  • Enable TLS 1.3 (when supported)
  • Add HTTP CONNECT method simulation
  • Implement randomized packet timing
  • Use common web cipher suites

Create a test harness with these components:

#!/bin/bash
# Traffic capture
tcpdump -i eth0 -w stunnel_test.pcap port 443 &
# Generate test traffic
curl --proxy socks5h://localhost:1080 https://www.cloudflare.com/cdn-cgi/trace
# Analyze results
tshark -r stunnel_test.pcap -Y "ssl" -O ssl