Obfuscate VPN Traffic
Stunnel + OpenVPN
Stunnel | OpenVPN | |||
---|---|---|---|---|
Server-side | cat /etc/stunnel/stunnel.conf
| cat /etc/openvpn/server.conf → add `local 127.0.0.1` (bind OpenVPN to loopback only, so the plain-TCP port is reachable solely through stunnel) #port 1195
firewall-cmd --permanent --zone=trusted --add-interface=lo | ||
Client-side | socket = l:TCP_NODELAY=1 | proto tcp-client remote 127.0.0.1 1198 route <server_ip_add_ress> 255.255.255.255 net_gateway |
SSL-certificate:
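# Self-signed server key + certificate for stunnel, bundled into the single PEM
# that "cert = /etc/stunnel/stunnel.pem" expects (key first, then certificate).
# The subshell umask keeps key.pem and the bundle owner-readable from creation on.
( umask 077
  openssl genrsa -out key.pem 2048
  openssl req -new -x509 -key key.pem -out cert.pem -days 1095
  # '>' rather than '>>': re-running must not stack a stale key in front of the new one
  # (stunnel uses the first key/certificate pair it finds in the file).
  cat key.pem cert.pem > /etc/stunnel/stunnel.pem )
chmod 600 /etc/stunnel/stunnel.pem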
either
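# Variant with a 10-year self-signed certificate plus a PKCS#12 export of the same
# key/certificate (for clients that import .p12 rather than .pem).
cd /etc/stunnel/
( umask 077   # private key material is never created world-readable
  openssl genrsa -out key.pem 2048
  openssl req -new -x509 -key key.pem -out cert.pem -days 3650
  # '>' instead of '>>' so a re-run replaces the bundle rather than appending a second key.
  cat key.pem cert.pem > stunnel.pem
  # Prompts for an export password; the .p12 contains the private key.
  openssl pkcs12 -export -out stunnel.p12 -inkey key.pem -in cert.pem )
chmod 600 stunnel.pem stunnel.p12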
or
cd /etc/stunnel/
mkdir certs && cd certs
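# Write the generator script (a quoted heredoc, so nothing is expanded here).
cat > certs.sh << 'EOF'
#!/bin/bash
# certs.sh - self-signed server and client certificates for stunnel.
# Produces key-server.pem/cert-server.pem, key-client.pem/cert-client.pem,
# stunnel_cert.p12 (client key+cert with the server cert as "CA") and
# stunnel.pem (the p12 unpacked, plus static DH parameters), all in the
# current directory. Run from /etc/stunnel/certs.
set -euo pipefail
# Every key written below is readable by its owner only.
umask 077

OPENSSL_OPTS="-new -newkey rsa:2048 -nodes -days 5475 -x509"
CN_SERVER="/CN=server"
CN_CLIENT="/CN=client"

echo "Generating keys"
# OPENSSL_OPTS is deliberately unquoted: it is a list of separate options.
# shellcheck disable=SC2086
openssl req -keyout key-server.pem -subj "$CN_SERVER" \
  -out cert-server.pem $OPENSSL_OPTS
# shellcheck disable=SC2086
openssl req -keyout key-client.pem -subj "$CN_CLIENT" \
  -out cert-client.pem $OPENSSL_OPTS

echo "Generating p12 certificate"
# The PKCS#12 bundle carries the client's private key under an EMPTY password;
# it is protected by file permissions only - do not hand it out as-is.
openssl pkcs12 -export -nodes -out stunnel_cert.p12 \
  -in cert-client.pem -inkey key-client.pem \
  -certfile cert-server.pem -name "Client" -caname "Server" -passout pass:

echo "Converting .p12 to .pem certificate"
# -passin matches the empty export password above, so this step does not prompt.
openssl pkcs12 -in stunnel_cert.p12 -out stunnel.pem -nodes -passin pass:

echo "Generating static DH parameters in the certificate file"
openssl dhparam 2048 >> stunnel.pem
EOF
# Make it executable and run it (these two lines are shell commands, not part of the script).
chmod a+x certs.sh
./certs.sh
# Redundant with the script's umask, kept as a belt-and-braces check on the server key.
chmod 600 /etc/stunnel/certs/key-server.pem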
Preliminary steps for the raw Server
# iptables-services provides the iptables unit and "service iptables save",
# which the rule-persistence steps below rely on once firewalld is disabled.
yum install iptables-services
# net-tools supplies netstat, used in the later "netstat -paunt" check.
yum install net-tools
SWAP
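# ~2 GiB swap file (2145728 blocks of 1024 bytes). Created under umask 077 and
# chmod'ed before mkswap, so it is never world-readable (mkswap/swapon warn about
# insecure permissions on a swap file).
( umask 077; dd if=/dev/zero of=/swapfile bs=1024 count=2145728 )
chmod 0600 /swapfile
mkswap /swapfile
# Persist it in fstab (only once), then let systemd regenerate its swap unit.
grep -q '^/swapfile ' /etc/fstab || printf '%s\n' '/swapfile swap swap defaults 0 0' >> /etc/fstab
systemctl daemon-reload
swapon /swapfile
cat /proc/swaps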
nano /etc/sysctl.conf
# Minimizing the amount of swapping
# NOTE(review): 60 is the kernel default, so the active line does not minimise
# swapping at all; the commented value 18 would. Decide which is intended.
#vm.swappiness = 18
vm.swappiness = 60
vm.vfs_cache_pressure = 50
# NOTE(review): overcommit_memory=1 grants every allocation; exhaustion is then
# handled by the OOM killer rather than by failed mallocs. overcommit_ratio is
# only consulted in mode 2, so the next line has no effect here.
vm.overcommit_memory=1
vm.overcommit_ratio=75
vm.dirty_ratio = 50
vm.dirty_background_ratio = 5
# Change the amount of incoming connections and incoming connections backlog
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 262144
# Increase the maximum amount of memory buffers
net.core.optmem_max = 25165824
# Increase the default and maximum send/receive buffers
net.core.rmem_default = 31457280
net.core.rmem_max = 67108864
net.core.wmem_default = 31457280
net.core.wmem_max = 67108864
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Enable IP spoofing protection (strict reverse-path filtering).
# NOTE(review): strict mode (1) drops packets whose reply would leave through a
# different interface; if VPN clients on the tun interface lose connectivity
# under policy routing, loose mode (2) is the usual fix.
net.ipv4.conf.all.rp_filter = 1
# Ignore ICMP echo and broadcast echo requests. echo_ignore_all also hides the
# host from legitimate ping-based monitoring - drop it if uptime checks need ping.
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
# NOTE(review): net.ipv4.ip_forward = 1 is not set in this file. The MASQUERADE
# rules further down only forward client traffic when forwarding is enabled
# (the installer script used later normally sets it) - verify with
# "sysctl net.ipv4.ip_forward".
https://linuxize.com/post/how-to-stop-and-disable-firewalld-on-centos-7/
FirewallD is a complete firewall solution that dynamically manages the trust level of network connections and interfaces. It gives you full control over what traffic is allowed or disallowed to and from the system. Starting with CentOS 7, FirewallD replaces iptables as the default firewall management tool.
To view the current status of the FirewallD service you can use the firewall-cmd
command:
sudo firewall-cmd --state
If the FirewallD service is running on your CentOS system the command above will print the following message: running
Disable Firewall
You can temporarily stop the FirewallD service with the following command:
sudo systemctl stop firewalld
However this change will be valid for the current runtime session only.
To permanently disable the firewall on your CentOS 7 system, follow the steps below:
First, stop the FirewallD service with:
sudo systemctl stop firewalld
Disable the FirewallD service to start automatically on system boot:
sudo systemctl disable firewalld
The output from the command above will look something like this:
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Mask the FirewallD service, which will prevent the firewall from being started by other services. Note that once firewalld is stopped and masked the host has no packet filter at all until iptables-services is installed, enabled and its rules saved (see the iptables steps below) — do that before exposing the server:
sudo systemctl mask --now firewalld
As you can see from the output the mask command simply creates a symlink from the firewalld service to /dev/null:
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
OpenVPN setup: https://drupal.mamatuik.com/vpn
cat /etc/openvpn/server.conf
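# OpenVPN behind stunnel: plain OpenVPN-over-TCP on loopback, TLS on 443 done by stunnel.
port 10194
proto tcp
# Bind to loopback only. stunnel forwards to 127.0.0.1:10194 ("connect = 127.0.0.1:10194");
# without "local" OpenVPN also listens on the public interface, so a client or scanner
# could speak plain OpenVPN to it directly and bypass the TLS wrapper entirely.
local 127.0.0.1
dev tun
# Drop privileges after start-up; persist-key/persist-tun keep the key and the tun
# device across restarts once "nobody" can no longer re-read/re-open them.
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
# All client traffic goes through the tunnel; the client profile therefore needs a
# host route for the server address itself ("route <server> 255.255.255.255 net_gateway").
push "redirect-gateway def1 bypass-dhcp"
# ECDHE only, no finite-field DH parameters.
dh none
ecdh-curve prime256v1
# Pre-shared key that encrypts and authenticates every control-channel packet:
# hides the TLS handshake and discards unauthenticated packets before any TLS work.
tls-crypt tls-crypt.key
# Revoked client certificates are rejected at connect time.
crl-verify crl.pem
ca ca.crt
cert server_hQiknLWywMHQO70w.crt
key server_hQiknLWywMHQO70w.key
auth SHA256
cipher AES-128-GCM
# On OpenVPN >= 2.5 this option is called data-ciphers; ncp-ciphers remains an accepted alias.
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
# This suite requires an ECDSA server certificate; with an RSA certificate the handshake fails.
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3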
OpenVPN Client:
# Client-side additions for the stunnel-wrapped server (replace ip_address with the
# server's public address).
proto tcp-client
#remote ip_address 1194
# Host route for the real server address via the pre-existing default gateway, so
# that once the pushed redirect-gateway sends everything into the tunnel, the outer
# stunnel/TLS connection to the server is not itself routed into the tunnel.
route ip_address 255.255.255.255 net_gateway
#connect-retry-max 1
# Talk to the local stunnel client ("accept = 127.0.0.1:10194"), never to the server directly.
remote 127.0.0.1 10194
# Inspect the unit (-l keeps long log lines intact), then restart to load the edited server.conf.
systemctl status openvpn-server@server.service -l
systemctl restart openvpn-server@server.service
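# Example rule syntax. The option prefix must be plain ASCII "--"; the typographic
# dashes the page was rendered with would be rejected by iptables.
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT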
-A = To Append Rules
INPUT = Incoming packets
-i = Interface name (Example : eth0, eth1, venet0 etc)
-p = Protocol (example : tcp, udp etc)
--dport = Destination port
-j = Target
ACCEPT = Allow the packet
Stunnel Installation:
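# Build stunnel 5.70 from source (the CentOS 7 package is older).
set -e
cd /tmp
# Fetch over HTTPS rather than anonymous FTP, and compare the tarball with the
# checksum/signature published next to it on https://www.stunnel.org before
# building anything from it - this runs as root and ends up listening on 443.
wget https://www.stunnel.org/archive/5.x/stunnel-5.70.tar.gz
sha256sum stunnel-5.70.tar.gz   # must match the published value
# Unprivileged account that the daemon drops to (setuid/setgid in stunnel.conf).
groupadd -g 51 stunnel
useradd -c "stunnel Daemon" -d /var/lib/stunnel -g stunnel -s /bin/false -u 51 stunnel
tar xzvf stunnel-5.70.tar.gz
cd stunnel-5.70
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make docdir=/usr/share/doc/stunnel-5.70 install
# chroot directory; run/ is where "pid = /run/stunnel.pid" lands relative to the chroot.
install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run
chown stunnel:stunnel /var/lib/stunnel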
# Base stunnel.conf: global options only (the [openvpn] service section is added in
# the fuller listing below). pid and output are resolved inside the chroot, so the
# pid file really is /var/lib/stunnel/run/stunnel.pid - hence the run/ directory
# created above - and the log is /var/lib/stunnel/stunnel.log.
cat > /etc/stunnel/stunnel.conf << "EOF"
; File: /etc/stunnel/stunnel.conf
; Note: The pid and output locations are relative to the chroot location.
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/stunnel.pem
;debug = 7
output = /stunnel.log
;[https]
;accept = 443
;connect = 80
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
EOF
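# Create the server key + certificate BEFORE the daemon is started, in the single PEM
# that "cert = /etc/stunnel/stunnel.pem" expects. (The build tree's interactive
# "make cert" would only be overwritten by this command, so it is not run.)
# The CN is irrelevant for clients that pin the certificate via CAfile/verifyPeer.
( umask 077
  openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -sha256 \
    -subj '/CN=127.0.0.1/O=localhost/C=US' \
    -keyout /etc/stunnel/stunnel.pem -out /etc/stunnel/stunnel.pem )
chmod 600 /etc/stunnel/stunnel.pem
stunnel -version
cd /tmp/stunnel-5.70/tools
cp stunnel.service /etc/systemd/system/stunnel.service
mkdir -p /etc/stunnel/certs
cp openssl.cnf /etc/stunnel/certs/
# Run it under systemd only: a manual "stunnel /etc/stunnel/stunnel.conf" first would
# daemonise and hold port 443, and the unit would then fail to bind.
systemctl enable stunnel
systemctl start stunnel
# NAT for VPN clients (requires net.ipv4.ip_forward=1).
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# 443 is the only public entry point...
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# ...the plaintext OpenVPN port is accepted from loopback only, where stunnel
# connects from. Opening 10194 on every interface (the original rule) lets clients
# reach OpenVPN without stunnel, which defeats the point of the wrapper.
iptables -I INPUT -i lo -p tcp --dport 10194 -m state --state NEW -j ACCEPT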
cat /etc/stunnel/stunnel.conf
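; Note: The pid and output locations are relative to the chroot location.
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
; Drop root after binding 443 and loading the certificate.
setuid = stunnel
setgid = stunnel
; Server key + certificate in one PEM (see the openssl req step); keep it mode 0600.
cert = /etc/stunnel/stunnel.pem
; Allow only TLS 1.2. Everything older is disabled twice: via the legacy option
; bits and via the protocol pin. "sslVersion = TLSv1.2" also excludes TLS 1.3;
; on stunnel >= 5.50 "sslVersionMin = TLSv1.2" is the preferred form and keeps
; TLS 1.3 available where OpenSSL supports it.
;sslVersion = TLSv1
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
sslVersion = TLSv1.2
; Local and remote socket options: disable Nagle's algorithm on both sides to
; lower latency for the OpenVPN-over-TCP stream. (This explanation was a bare
; prose line in the original listing, which stunnel would reject as a syntax error.)
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;debug = 7
;output = stunnel.log
;[https]
;accept = 443
;connect = 80
[openvpn]
; Public TLS endpoint; decrypted traffic goes to OpenVPN bound on loopback.
accept = 443
connect = 127.0.0.1:10194
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;; TIMEOUTclose - how many seconds to wait for the close_notify alert from the client; 0 instructs stunnel not to wait at all
TIMEOUTclose = 0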
Configuring firewall
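# Loopback-only access to the plaintext OpenVPN port: stunnel connects from
# 127.0.0.1 over lo, everything else is dropped. Both rules are INSERTED at the head
# of INPUT (-I) so that an earlier "ACCEPT --dport 10194" rule cannot shadow the
# DROP - with -A the DROP would sit behind any existing ACCEPT and never match.
# Matching on the interface (-i lo) is more robust than "-s localhost", which
# depends on name resolution.
sudo iptables -I INPUT -p tcp --dport 10194 -j DROP
sudo iptables -I INPUT -i lo -p tcp --dport 10194 -j ACCEPT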
- test this from an external host: a connection to <server_ip>:10194 must be refused or time out while <server_ip>:443 still accepts, and the VPN must still come up through stunnel.
The Windows Installer, as well, as the Mobile Version of the Stunnel can be found here: https://www.stunnel.org/downloads.html
stunnel-5.70-win64-installer.exe
S-Tunnel Client:
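; NOTE(review): the original client config contained "options = -NO_SSLv3". The
; leading "-" CLEARS the NO_SSLv3 flag, i.e. it re-enabled the broken SSLv3
; protocol on the client. It is removed; the server pins TLS 1.2, so SSLv3 could
; never be negotiated anyway.
; Match the server's protocol floor.
sslVersion = TLSv1.2
[openvpn]
client = yes
; OpenVPN's "remote 127.0.0.1 10194" connects here...
accept = 127.0.0.1:10194
; ...and is carried inside TLS to the server's public port 443.
connect = <server_ip_add_ress>:443
; Client certificate offered to the server. The server config above sets no
; "verify" option, so this is optional.
cert = stunnel.pem
; Pin the server's certificate. Without CAfile/verifyPeer stunnel accepts any
; certificate, so only OpenVPN's own tls-crypt/certificate checks stand between the
; client and an interposing proxy. Export the certificate on the server with
; "openssl x509 -in /etc/stunnel/stunnel.pem -out stunnel-server.crt" - the .pem
; also holds the private key and must not be copied - and ship only the .crt.
CAfile = stunnel-server.crt
verifyPeer = yes
TIMEOUTclose = 0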
Starting, Stopping, and Restarting stunnel
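# Manual start/stop (the systemd unit is preferred once installed).
stunnel /etc/stunnel/stunnel.conf
# The pid file path follows stunnel.conf: with "chroot = /var/lib/stunnel" and
# "pid = /run/stunnel.pid" (the config used in this section) it is
# /var/lib/stunnel/run/stunnel.pid; the original path /var/run/stunnel/stunnel.pid
# matches neither configuration on this page. Adjust to the config in use.
kill "$(cat /var/lib/stunnel/run/stunnel.pid)"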
Additional OpenVPN pure Server (without tunneling)
cat /etc/openvpn/direct_server.conf
port 1194
# Second, "direct" OpenVPN instance: UDP on the public port, no stunnel in front,
# on its own subnet (10.9.0.0/24) so it can run next to the tunnelled instance.
proto udp
dev tun
# Drop privileges after start-up; persist-key/persist-tun keep the key and tun
# device usable across restarts once "nobody" can no longer re-open them.
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.9.0.0 255.255.255.0
# NOTE(review): the tunnelled instance also uses "ipp.txt" relative to its working
# directory; if both instances run from /etc/openvpn they share one pool file for
# two different subnets. Give this one its own name (cf. the distinct status log).
ifconfig-pool-persist ipp.txt
# NOTE(review): the tunnelled instance pushes 1.1.1.1/1.0.0.1, this one Google DNS -
# pick one resolver policy unless the difference is intended.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
# ECDHE only, no finite-field DH.
dh none
ecdh-curve prime256v1
# Pre-shared key encrypting/authenticating the control channel: unauthenticated
# packets are dropped before TLS runs, which limits what a public UDP port exposes.
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_PfYlTrwjTJ6o4hsD.crt
key server_PfYlTrwjTJ6o4hsD.key
auth SHA256
cipher AES-128-GCM
# On OpenVPN >= 2.5 this option is named data-ciphers (ncp-ciphers is still an alias).
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
# Requires an ECDSA server certificate.
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/direct_status.log
verb 3
#reuse certificate
# NOTE(review): lets several clients use one certificate/CN at the same time. That
# removes per-client accountability, and crl-verify can then only revoke all of them
# at once; prefer one certificate per device. OpenVPN tolerates the leading "--" in a
# config file, but the usual spelling there is "duplicate-cn".
--duplicate-cn
# NAT the direct instance's subnet out of eth0 (forwarding must be enabled: net.ipv4.ip_forward=1).
iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
cat /etc/systemd/system/openvpn-server-direct@.service
[Unit]
# Templated unit for the direct (UDP) instance; %i is the config name without ".conf"
# (openvpn-server-direct@server -> direct_server.conf below, so the instance name is
# only used for the status file here).
Description=OpenVPN-Direct service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
[Service]
# openvpn notifies systemd when the tunnel is up (needs an sd_notify-capable build).
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn
# Hard-coded config name: every instance of this template starts direct_server.conf.
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status_direct-%i.log --status-version 2 --suppress-timestamps --config direct_server.conf
# Minimal capability set: privilege drop (SETUID/SETGID), tun + routing (NET_ADMIN,
# NET_RAW, NET_BIND_SERVICE), chroot and reading root-owned key material
# (DAC_OVERRIDE). Anything not listed is unavailable even before the drop to nobody.
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
#LimitNPROC=10
# Only these device nodes are visible: the tun control device and /dev/null.
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
# /usr and /boot read-only, /home inaccessible.
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure
[Install]
WantedBy=multi-user.target
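systemctl enable openvpn-server-direct@server.service
systemctl start openvpn-server-direct@server.service
systemctl status openvpn-server-direct@server.service
systemctl restart openvpn-server-direct@server.service
# Review the INPUT chain with positions (-n avoids slow reverse lookups) before deleting.
iptables -L INPUT --line-numbers -n
# Deleting by position is fragile: numbers shift after every insert/delete. Prefer
# deleting by specification, e.g. for the public 10194 rule added earlier:
#   iptables -D INPUT -p tcp --dport 10194 -m state --state NEW -j ACCEPT
iptables -D INPUT 4
iptables -I INPUT -p tcp --dport 4443 -m state --state NEW -j ACCEPT
# Verify what is actually listening and running.
ss -tulpn | grep openvpn
pgrep -af openvpn
lsof -i :4443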
Enter the following commands to open the port in iptables (in this case, we are opening port 25).
# iptables -I INPUT -p tcp --dport 25 -j ACCEPT
The command above opens the incoming port.
# iptables -I OUTPUT -p tcp --sport 25 -j ACCEPT
The command above opens the outgoing (reply) side; it is only needed if the OUTPUT chain does not default to ACCEPT.
service iptables save
How to configure STUNNEL+OPENVPN (install stunnel along with openvpn)?
Create using a Centos 7 OS:
1. Install OpenVPN Server:
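# Angristan's installer configures the whole server and runs as root: download it,
# read it, then execute it. Pin a reviewed tag/commit instead of "master" for
# reproducible installs. (The original "wget centos7-vpn.sh" of a bare filename
# could never succeed and is dropped.)
wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O centos7-vpn.sh
chmod +x centos7-vpn.sh
./centos7-vpn.sh
# Point OpenVPN at the port stunnel forwards to, over TCP (stunnel only carries
# TCP) and on loopback only, so the plain protocol is unreachable from outside:
#   port 11235
#   proto tcp
#   local 127.0.0.1
nano /etc/openvpn/server.conf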
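# NAT for the VPN subnet: firewalld direct rules when firewalld is active, otherwise
# plain iptables persisted through iptables-services. Either way forwarding must be
# on (net.ipv4.ip_forward=1; the installer normally sets it). The original block was
# pseudo-code with typographic dashes; this is the runnable form.
if [[ "$(firewall-cmd --state 2>/dev/null)" == "running" ]]; then
  firewall-cmd --list-all
  firewall-cmd --add-masquerade --permanent
  firewall-cmd --query-masquerade
  firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  firewall-cmd --reload
else
  iptables -L --line-numbers -n
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  yum install iptables-services
  service iptables save
fi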
2.Add OpenVPN Client:
mobile_android: https://play.google.com/store/apps/details?id=net.openvpn.openvpn
desktop: https://openvpn.net/community-downloads/
Tick in the app ‘seamless tunnel’
client.ovpn:
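# OpenVPN connects to the local stunnel client ("accept = 127.0.0.1:11211"), which
# wraps it in TLS towards the server's port 4443. These lines replace the installer's
# own remote/proto entries in the generated profile.
proto tcp-client
remote 127.0.0.1 11211
# Host route for the real server address via the existing default gateway, so that
# the pushed redirect-gateway does not pull the outer TLS connection into the tunnel.
# The address argument was missing in the original line, which makes the option invalid.
route <server_ip_add_ress> 255.255.255.255 net_gateway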
3. Compile STunnel Server:
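# Build stunnel 5.70 from source. (The original listing used typographic quotes and
# dashes, which the shell does not accept; this is the runnable form.)
set -e
cd /tmp
# HTTPS instead of anonymous FTP; compare with the checksum/signature published
# on https://www.stunnel.org before building - this code will run as root on 4443.
wget https://www.stunnel.org/archive/5.x/stunnel-5.70.tar.gz
sha256sum stunnel-5.70.tar.gz   # must match the published value
# Unprivileged account for the daemon (used by setuid/setgid in stunnel.conf).
groupadd -g 51 stunnel
useradd -c "stunnel Daemon" -d /var/lib/stunnel -g stunnel -s /bin/false -u 51 stunnel
tar xzvf stunnel-5.70.tar.gz
cd stunnel-5.70
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make docdir=/usr/share/doc/stunnel-5.70 install
install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run
chown stunnel:stunnel /var/lib/stunnel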
nano /etc/stunnel/stunnel.conf
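pid = /var/run/stunnel.pid
; Key + certificate (+ DH parameters) in one PEM, mode 0600, produced by the
; "Make certificate" step. That step must write to this exact path - the
; original commands used /etc/stunnel/servert_cert.pem instead.
cert = /etc/stunnel/certs/servert_cert.pem
output = /var/log/stunnel
client = no
; Drop root after binding 4443 and loading the certificate, as in the first
; configuration on this page. Make /var/log/stunnel owned by the stunnel account
; so the log can be reopened on reload.
setuid = stunnel
setgid = stunnel
; Never negotiate anything below TLS 1.2 (sslVersionMin: stunnel >= 5.50).
sslVersionMin = TLSv1.2
[server_openvpn]
; Public TLS endpoint -> OpenVPN on loopback (server.conf: port 11235, proto tcp;
; add "local 127.0.0.1" there so the plain port is not reachable directly).
accept = 4443
connect = 127.0.0.1:11235
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
TIMEOUTclose = 0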
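# Open the public TLS port. Use the firewalld pair when firewalld is running, the
# iptables pair when iptables-services is in charge - not both. (Dashes fixed: the
# original used typographic "–", which neither tool accepts.)
firewall-cmd --permanent --add-port=4443/tcp
firewall-cmd --reload
iptables -I INPUT -p tcp --dport 4443 -m state --state NEW -j ACCEPT
service iptables save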
Make certificate:
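# Server key + certificate in a single PEM at the path stunnel.conf points to
# (/etc/stunnel/certs/servert_cert.pem - the original commands wrote to cwd and
# chmod'ed a different path). Created before stunnel starts, never world-readable.
mkdir -p /etc/stunnel/certs
cd /etc/stunnel/certs
( umask 077
  openssl req -new -x509 -days 3650 -nodes -out servert_cert.pem -keyout servert_cert.pem
  # Static DH parameters are read from the certificate file, so append them now,
  # not after the daemon has already loaded the file.
  openssl dhparam 2048 >> servert_cert.pem )
chmod 600 servert_cert.pem
openssl x509 -subject -dates -fingerprint -in servert_cert.pem
# Certificate-only export for clients (CAfile/verifyPeer). servert_cert.pem itself
# contains the private key and must never leave the server.
openssl x509 -in servert_cert.pem -out servert_cert.crt
# Start via the systemd unit below rather than by hand; a manual start here would
# hold port 4443 and make "systemctl start stunnel" fail.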
nano /etc/systemd/system/stunnel.service
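[Unit]
Description=TLS tunnel for network daemons
# After= alone only orders; Wants= is what actually pulls network-online in.
After=syslog.target network-online.target
Wants=network-online.target
[Service]
LimitNOFILE=20480
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
ExecReload=/bin/kill -HUP $MAINPID
Type=forking
# Matches "pid = /var/run/stunnel.pid" in stunnel.conf, so systemd tracks the
# daemon (not a transient child) and $MAINPID in ExecReload is reliable.
PIDFile=/var/run/stunnel.pid
WorkingDirectory=/etc/stunnel
TimeoutSec=600
Restart=always
PrivateTmp=false
[Install]
WantedBy=multi-user.target
# "Alias=stunnel.target" was removed: an alias must carry the same unit suffix
# (.service); newer systemd rejects it at "systemctl enable", older ones create a
# dangling symlink.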
systemctl enable stunnel
systemctl start stunnel
4. Stunnel-client
mobile_android: https://github.com/comp500/SSLSocks
https://play.google.com/store/apps/details?id=link.infra.sslsocks
desktop: https://www.stunnel.org/downloads/stunnel-5.70-win64-installer.exe
stunnel.cnf
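client = yes
; Same protocol floor as the server (sslVersionMin: stunnel >= 5.50).
sslVersionMin = TLSv1.2
[openvpn_client]
; OpenVPN's "remote 127.0.0.1 11211" lands here...
accept = 127.0.0.1:11211
; ...and is forwarded inside TLS to the server's stunnel. The host part was
; missing in the original ("connect = :4443"), which is not a valid target.
connect = <server_ip_add_ress>:4443
; Certificate-only export of the server's servert_cert.pem (it must not contain the
; private key). verifyPeer = yes rejects any other certificate, which is what makes
; this outer layer resist interception.
CAfile = servert_cert.pem
verifyPeer = yes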
# Restart both daemons after the config changes and check they are healthy
# (-l keeps long journal lines intact).
systemctl restart openvpn-server@server.service
systemctl status openvpn-server@server.service -l
systemctl restart stunnel
systemctl status stunnel.service -l
*servert_cert.pem as generated on the server contains the server's private key (and DH parameters) as well as the certificate. Copy only a certificate-only export to the client machine (e.g. `openssl x509 -in servert_cert.pem -out servert_cert.crt`, saved on the client under the name referenced by CAfile); never copy the key-bearing file.
It could be interesting: