- The same server hosts both sTunnel and OpenVPN.
- I am unaware if traffic from every application will use the tunnel.
- This assumes you already know the basics of setting up sTunnel and OpenVPN. (How to install them, create keys, set up iptables, etc.)
Since I found so little information on this topic on the web, I thought I'd share the result of much wasted time trying to get OpenVPN through sTunnel working on a non-rooted Android system. (Tested on Galaxy S3, Android 4.4.2, WiFi and OTA.)
sTunnel server config file:

```ini
sslVersion = all
options = NO_SSLv2
chroot = /var/lib/stunnel4/
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Debugging stuff (may be useful for troubleshooting)
; debug = 7
# Log should be created in the jail at /var/lib/stunnel4/stunnel.log
output = stunnel.log
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
#Enable this if you like. It is disabled on Debian-based distros.
#compression = zlib

[openvpn]
# sTunnel Listening port
Accept = 993
# Connect to the local OpenVPN server
Connect = 127.0.0.1:1194
# Certificates
cert=/etc/stunnel/cert-server.pem
key=/etc/stunnel/key-server.pem
CAfile=/etc/stunnel/cert-client.pem
# Note: CAfile alone does not make stunnel check the client certificate;
# stunnel's "verify" option defaults to no verification. Add "verify = 2"
# to this section if you want only holders of cert-client.pem to connect.
```
OpenVPN server config file:

```
mode server
tls-server
port 1194
# Must be TCP: sTunnel forwards a TCP stream to 127.0.0.1:1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.1 255.255.255.255"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.1"
keepalive 10 120
# Direction 0 on the server pairs with "TLS Direction: 1" in the client profile
tls-auth ta.key 0
cipher AES-128-CBC
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
```
Android Client Instructions:
1. Download and install the app "OpenVPN for Android" by Arne Schwabe from the Google Play Store.
2. Download and install the app "SSLDroid" by Balint Kovacs from the Google Play Store.
3. Based on the server configs above, open SSLDroid and create a new connection with the following settings:
   Local Port: 1195 (Local listening port -- your choice, but it must match the Server Port in the OpenVPN for Android profile below)
   Remote Host: (fqdn or public ip address of your server)
   Remote Port: 993
   PKCS12 file: (import from file)
   PKCS12 pass: (enter it if you created the PKCS12 with a password)
4. In OpenVPN for Android:
   OpenVPN Global Settings:
     Use system proxy: ON
   Create a new profile, then in the profile settings page:
     LZO Compression: ON
     CA Cert: (import from ca.crt)
     Client Certificate: (import from client cert file)
     Client Certificate Key: (import from client key file)
     Server Address: 127.0.0.1
     Server Port: 1195
     Custom Options: OFF
   IP and DNS:
     Pull Settings: Request IP addresses, routes... ON
     No local binding: ON
     Override DNS Settings By Server: OFF
     Ignore pushed routes: OFF
     Bypass VPN for local network: ON
     IPv4 Use default Route: ON
     IPv6 Use default Route: ON
     Expect TLS server certificate: ON
     Certificate Hostname Check: OFF
     Use TLS Authentication: ON
     TLS Auth File: (import ta.key)
     TLS Direction: 1
     Encryption cipher: AES-128-CBC
     Persistent tun: ON
     Connection Retries: Five
     Seconds between connections: 5s
     Random Host Prefix: OFF
     Allow floating server: OFF
     Override MSS value of TCP p...: OFF
     Enable Custom Options: ON
     Custom Options: route (fqdn or public ip address of your OpenVPN server) 255.255.255.255 net_gateway
The key item here is the Custom Option above: it adds a host route for your server through the existing (non-VPN) gateway, so OpenVPN does not route SSLDroid's SSL tunnel through the VPN. Without this option, the SSL tunnel breaks as soon as OpenVPN connects, because the pushed "redirect-gateway def1" sends all traffic, including SSLDroid's connection to the server, into the VPN, and SSLDroid can no longer reach the server.
5. Start the SSL tunnel in SSLDroid.
6. Start the OpenVPN tunnel.
7. Go to dnsleaktest.com in your browser and test.
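To show why the route line in step 4 matters, here is an added example (not code from the original post or from either app) that simulates the client's routing table with and without that host route and resolves the next hop by longest-prefix match, as the kernel does. All addresses are constructed: 203.0.113.10 stands in for the server's public IP, 192.168.1.1 for the phone's WiFi gateway, and 10.8.0.1 is an assumed value for the gateway OpenVPN installs for the tunnel.

```python
import ipaddress

# Constructed sample addresses (not from the original post):
SERVER_IP = "203.0.113.10"   # public IP of the sTunnel/OpenVPN server (TEST-NET-3)
LAN_GW = "192.168.1.1"       # the phone's WiFi/cellular gateway before the VPN is up
VPN_GW = "10.8.0.1"          # gateway OpenVPN installs for the tunnel (assumed value)
LAN_NET = "192.168.1.0/24"   # the phone's local network ("Bypass VPN for local network")


def build_routes(server_ip, lan_gw, vpn_gw, lan_net, host_route_for_server):
    """Return the client routing table as (network, gateway) pairs."""
    routes = [
        # Pre-existing default route through the physical interface.
        (ipaddress.ip_network("0.0.0.0/0"), lan_gw),
        # "Bypass VPN for local network": keep the LAN reachable directly.
        (ipaddress.ip_network(lan_net), lan_gw),
        # push "redirect-gateway def1" adds two /1 routes via the VPN, so the
        # original default route is shadowed rather than replaced.
        (ipaddress.ip_network("0.0.0.0/1"), vpn_gw),
        (ipaddress.ip_network("128.0.0.0/1"), vpn_gw),
    ]
    if host_route_for_server:
        # Custom option: route <server> 255.255.255.255 net_gateway
        routes.append((ipaddress.ip_network(f"{server_ip}/32"), lan_gw))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match over the table; returns the gateway string."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, gw) for net, gw in routes if dst in net]
    net, gw = max(candidates, key=lambda r: r[0].prefixlen)
    return gw


def tunnel_is_stable(routes, server_ip, vpn_gw):
    """The TLS wrapper only survives if packets to the server leave via the
    physical gateway; steering them into the tun they carry is a routing loop."""
    return next_hop(routes, server_ip) != vpn_gw


def demo():
    """Resolve a few destinations with and without the /32 host route."""
    results = {}
    for with_host_route in (False, True):
        routes = build_routes(SERVER_IP, LAN_GW, VPN_GW, LAN_NET, with_host_route)
        results[with_host_route] = {
            "server": next_hop(routes, SERVER_IP),
            "internet": next_hop(routes, "198.51.100.7"),
            "lan": next_hop(routes, "192.168.1.20"),
            "stable": tunnel_is_stable(routes, SERVER_IP, VPN_GW),
        }
    return results


if __name__ == "__main__":
    for with_host_route, r in demo().items():
        print(f"host route present={with_host_route}: {r}")
```

Without the host route, the server address falls into 128.0.0.0/1 and is sent to the VPN gateway, which is exactly the loop the post describes; with the /32 via net_gateway it wins by prefix length and stays on the physical path, while ordinary Internet destinations still go through the VPN.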
I apologize for any mistakes as I am unable to edit the post at this time. Thanks!