Install Stunnel4 for openvpn connection.

What is Stunnel4?

functionality to existing clients and servers without any changes in the programs’ code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.

Stunnel uses the OpenSSL library for cryptography, so it supports whatever cryptographic algorithms are compiled into the library. It can benefit from the FIPS 140-2 validation of the OpenSSL FIPS Object Module, as long as the building process meets its Security Policy. A scanned FIPS 140-2 Validation Certificate document is available for download on the NIST web page. The Windows binary installer is compiled with FIPS 140-2 support. The FIPS mode of operation is no longer enabled by default since stunnel 5.00.

Explanation of the process of Stunnel Between openvpn Connection.

Step1: Install Stunnel4

apt-get install stunnel4

Step2: Create Openssl Key

cd /etc/stunnel/
openssl req -new -newkey rsa:2048 -days 3650 
-nodes -x509 -sha256 
-subj '/CN=' 
-keyout /etc/stunnel/stunnel.pem 
-out /etc/stunnel/stunnel.pem

Step3: Create Stunnel.conf under /etc/stunnel/

Insert below string into Stunnel.conf

vim /etc/stunnel/stunnel.conf

client = no   #define client #yes or no
accept = 587   #accept which port coming in from stunnel client
connect =   #after accept 587 will redirect the port to localhost:1194, which is openvpn port
cert = /etc/stunnel/stunnel.pem   #Key that you create in Step2

Save and exit the file.

Step4: Edit /etc/default/stunnel4

vim /etc/default/stunnel4

Find out ENABLED=0
Changes it to 1

Step5: Accept port 587 for incoming traffic.

iptables -A INPUT -p tcp --dport 587 -j ACCEPT

Note: if you dont have iptables on ubuntu, please run below command.

apt-get install iptables-persistent

Step6 : Start Stunnel4

service stunnel4 restart / stunnel4 /systemctl start stunnel4

and check port 587 is it listening under stunnel4

netstat -ntulp |grep stunnel

Client Side


Download  Windows Stunnel application in here

Step2: Edit the file stunnel.conf

client = yes
accept =
connect =
cert = C:Program Files (x86)stunnelconfigstunnel.pem

Step3: Edit your .ovpn file and changes some content.

remote vpn_server_ip

changes to

remote localhost
port 1194

save and exit the file and connect to the vpn.


Step1: Using Brew to install stunnel

From a Terminal, run the following command:

brew install stunnel

Step2: Clear the original Stunnel.conf

command: > /usr/local/etc/stunnel/stunnel.conf

Step3: Open that same file up with a text editor, or a program like vi, e.g.

vim /usr/local/etc/stunnel/stunnel.conf

output = stunnel.log
compression = zlib

client = yes
accept = 1194
connect =
cert = /usr/local/etc/stunnel/stunnel.pem

(This cert can be download from the server, its the key you create using Server Configuration Step2 just now)

Save and exit the file.

Step4: Modify your ovpn file in tunnelblick

remote vpn_server_ip

Changes to

remote localhost

port 1194

and connect it using tunnelblick.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *