Imagine setting up your own home VPN, testing it from a public Wi-Fi network, and finding your connection blocked!
There are several possible causes :
- The connection port : if it is an unconventional port, it may be closed by firewall rules. It is therefore necessary to use TCP port 80 or 443.
- Packet filtering : the network inspects the packets.
Don’t panic! There are several ways to bypass these firewall rules.
In this post, we will use the obfuscation method on the OpenWRT firmware (version 21.02.2). In plain English, this method wraps our encrypted OpenVPN traffic in another layer of encryption, so that it is masked and treated as normal HTTPS traffic.
The Stunnel software will take care of this, but first of all an OpenVPN server is mandatory. I used this guide from the OpenWRT Wiki.
Context
The connection is made on port 443 with the TCP protocol and it is caught by our ISP's router. From there we forward this port to 42854 on a private router (where OpenWRT is installed). The connection is then intercepted by the Stunnel server, which redirects it to port 1194 (the OpenVPN server) on the same machine.
Stunnel installation
Command line (SSH)
Update list of available packages :
opkg update
Install Stunnel :
opkg install stunnel
Luci (web interface)
Update list of available packages :

Install Stunnel :

Firewall
Check your firewall. If you followed the OpenVPN server tutorial from the OpenWRT wiki, you already have an enabled rule.
Go to Network -> Firewall -> Traffic Rules :

Add :
Configuration
First, establish an SSH connection to OpenWRT. I recommend using Tabby, but you can also use the Windows command prompt :
ssh root@[openwrt_ip_address]
Go to the Stunnel directory :
cd /etc/stunnel
Create the pid and log files :
touch stunnel.pid stunnel.log
Grant stunnel permission to access the pid and log files :
chown -R nobody:nogroup /etc/stunnel/
Generate a new certificate :
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
Important note : The Common Name (FQDN) should be the hostname of the machine running stunnel.
Configuration file (stunnel.conf) :
pid = /etc/stunnel/stunnel.pid
output = /etc/stunnel/stunnel.log
[openvpn]
client = no
accept = 0.0.0.0:42854
connect = localhost:1194
cert = /etc/stunnel/stunnel.pem
Restart Stunnel service :
service stunnel restart
Check if the Stunnel service is listening :
netstat -lpt | grep "42854"
The netstat arguments mean :
- [-l] : list only listening sockets.
- [-p] : show PID / program name for sockets.
- [-t] : list only TCP sockets.
The command must return :
tcp 0 0 0.0.0.0:42854 0.0.0.0:* LISTEN 2461/stunnel
Client side (Windows)
Stunnel
We need to put the stunnel.pem certificate in the config folder (located at C:\Program Files (x86)\stunnel\config).
From there, we must modify the stunnel.conf file by adding these lines :
[openvpn]
client = yes
accept = localhost:1194
connect = [server_domain / server_ip]:443
cert = C:\Program Files (x86)\stunnel\config\stunnel.pem
Then launch the Stunnel service by searching Stunnel Service Start in Windows.

Check if the Stunnel service is listening by opening the command prompt with administrative privileges :
netstat -anp tcp | findstr "1194"
The netstat arguments mean :
- [-a] : displays all connections and listening ports.
- [-n] : displays addresses and port numbers in numeric format.
- [-p] : displays the connections for the specified protocol.
The command must return :
TCP 127.0.0.1:1194 0.0.0.0:0 LISTENING
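In client mode the cert option only names the certificate stunnel presents, and the client section above sets no verification option, so the TLS layer does not authenticate the server. The following added example (not from the original post) audits a client stunnel.conf for that gap and for a private key shipped to the client. The hardened section, the file name stunnel-cert.pem and the function names are assumptions.

```python
import re
# Constructed sample: the client section from this post, placeholder host kept.
PAGE_CLIENT_CONF = r"""
[openvpn]
client = yes
accept = localhost:1194
connect = [server_domain / server_ip]:443
cert = C:\Program Files (x86)\stunnel\config\stunnel.pem
"""

# Assumed hardened variant; stunnel-cert.pem is a hypothetical certificate-only copy.
HARDENED_CLIENT_CONF = r"""
[openvpn]
client = yes
accept = localhost:1194
connect = [server_domain / server_ip]:443
CAfile = C:\Program Files (x86)\stunnel\config\stunnel-cert.pem
verifyPeer = yes
"""

def parse_stunnel_conf(text):
    """Return {section: {option: value}}; options before any [section] go under ''."""
    sections, current = {"": {}}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in ";#":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_client(conf_text, pem_text=""):
    """List findings for client services; the obsolete 'verify' option is ignored."""
    conf, findings = parse_stunnel_conf(conf_text), []
    for name, opts in conf.items():
        eff = {**conf[""], **opts}  # global options act as defaults
        if not name or eff.get("client", "no").lower() != "yes":
            continue
        if not any(eff.get(o, "no").lower() == "yes" for o in ("verifypeer", "verifychain")):
            findings.append(f"[{name}] server certificate is not verified")
    if re.search(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----", pem_text):
        findings.append("PEM copied to the client contains a private key")
    return findings

print(audit_client(PAGE_CLIENT_CONF), audit_client(HARDENED_CLIENT_CONF))
```

Pass the text of the PEM file placed on the client as the second argument to also check whether it carries the server's private key.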
OpenVPN
After installing OpenVPN, you should see the following icon in the system tray :

Modify the client.ovpn file by adding the following line at the beginning :
route [server_domain / server_ip] 255.255.255.255 net_gateway
Then, replace the line :
remote [server_domain / server_ip] 1194 tcp
With this line :
remote localhost 1194 tcp
The remote server is from now on localhost, because we need to connect to the Stunnel service, which is listening on port 1194.
And that concludes this post. Now your OpenVPN connection will be obfuscated through Stunnel.
