Will pihole + openVPN + stunnel work?

Did a search in this forum; there are 0 posts about stunnel.
Welp, guess this is the first..

So I followed this hour long tutorial on setting up openVPN and stunnel

I have pihole and openVPN working but stunnel (so far) seems a little off...

I was just wondering if the setup: pihole + openVPN + stunnel would work together nicely?

Pihole + OpenVPN yes....plus Stunnel? Haven't tried that yet.

Has anyone here tried it yet?

It seems like there isn't an answer here..

I think it will work fine.
https://www.raspberrypi.org/forums/viewtopic.php?f=36&t=40389

I will give it a try


Update: I installed it on my test machine; it's not reliable, it worked only with Windows. However, on Android it failed to route the traffic. Hope this helps.


Oh wow, sorry for the 3-day-late reply! :sweat_smile:

What tutorial did you follow? Mind linking me to it?

I followed this guide and some googling :)


So by googling you meant that it didn't work at first and you had to troubleshoot?

Mind sharing what went wrong and how you fixed it?

EDIT: I've followed that tutorial exactly (except changing the port from 1194 to mine); my openVPN works but my stunnel logs show no activity. I'm testing this on my Windows machine.

Here's my openVPN log if it helps:

Wed May 31 14:08:45 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Wed May 31 14:08:45 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Wed May 31 14:08:45 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Enter Management Password:
Wed May 31 14:08:45 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed May 31 14:08:45 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]publicIP:4096
Wed May 31 14:08:45 2017 Attempting to establish TCP connection with [AF_INET]publicIP:4096 [nonblock]
Wed May 31 14:08:46 2017 TCP connection established with [AF_INET]publicIP:4096
Wed May 31 14:08:46 2017 TCP_CLIENT link local: (not bound)
Wed May 31 14:08:46 2017 TCP_CLIENT link remote: [AF_INET]publicIP:4096
Wed May 31 14:08:48 2017 [server] Peer Connection Initiated with [AF_INET]publicIP:4096
Wed May 31 14:08:50 2017 open_tun
Wed May 31 14:08:50 2017 TAP-WIN32 device [Ethernet 2] opened: \.\Global{0883BC25-95CD-4121-A087-7D4EFAD22A18}.tap
Wed May 31 14:08:50 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
Wed May 31 14:08:50 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {0883BC25-95CD-4121-A087-7D4EFAD22A18} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Wed May 31 14:08:50 2017 Successful ARP Flush on interface [9] {0883BC25-95CD-4121-A087-7D4EFAD22A18}
Wed May 31 14:08:50 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed May 31 14:08:55 2017 Initialization Sequence Completed


Stunnel log (no activity):

2017.05.31 14:06:26 LOG5[main]: stunnel 5.41 on x86-pc-msvc-1500 platform
2017.05.31 14:06:26 LOG5[main]: Compiled/running with OpenSSL 1.0.2k-fips 26 Jan 2017
2017.05.31 14:06:26 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2017.05.31 14:06:26 LOG5[main]: Reading configuration from file stunnel.conf
2017.05.31 14:06:26 LOG5[main]: UTF-8 byte order mark detected
2017.05.31 14:06:26 LOG5[main]: FIPS mode disabled
2017.05.31 14:06:26 LOG4[main]: Service [openvpn] needs authentication to prevent MITM attacks
2017.05.31 14:06:26 LOG5[main]: Configuration successful
2017.05.31 14:07:43 LOG5[main]: Reading configuration from file stunnel.conf
2017.05.31 14:07:43 LOG5[main]: UTF-8 byte order mark detected
2017.05.31 14:07:43 LOG5[main]: FIPS mode disabled
2017.05.31 14:07:43 LOG4[main]: Service [openvpn] needs authentication to prevent MITM attacks
2017.05.31 14:07:43 LOG5[main]: Configuration successful
2017.05.31 14:07:49 LOG5[main]: Reading configuration from file stunnel.conf
2017.05.31 14:07:49 LOG5[main]: UTF-8 byte order mark detected
2017.05.31 14:07:49 LOG5[main]: FIPS mode disabled
2017.05.31 14:07:49 LOG4[main]: Service [openvpn] needs authentication to prevent MITM attacks
2017.05.31 14:07:49 LOG5[main]: Configuration successful


Raspberry pi stunnel.conf:

sslVersion = all
options = NO_SSLv2
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel

[openvpn]
client = no
accept = 993
connect = 34567


Windows stunnel.conf:

[openvpn]
client = yes
accept = 127.0.0.1:4096
connect = routerNoIpDomain:993

Port forwarded port 993 on my router to point to my pi.
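The accept/connect chain above is where the two stunnel.conf files and the client .ovpn have to agree, and the OpenVPN log posted earlier shows the client dialling publicIP:4096 rather than stunnel's local 127.0.0.1:4096 accept, which is exactly the case where stunnel never sees a connection and logs nothing. The Python checker below is an added example, not anything from this thread or from the stunnel/OpenVPN projects; the config fragments it parses are constructed to mirror the ones posted, and it also flags a client section with no `verify`/`CAfile`, which is what stunnel's "needs authentication to prevent MITM attacks" warning is about.

```python
# Constructed sample configs mirroring the thread's layout (not the poster's real files).
SERVER_STUNNEL = """\
[openvpn]
client = no
accept = 993
connect = 34567
"""
CLIENT_STUNNEL = """\
[openvpn]
client = yes
accept = 127.0.0.1:4096
connect = routerNoIpDomain:993
"""
OVPN_DIRECT = "proto tcp\nremote publicIP 4096\n"        # what the posted OpenVPN log suggests
OVPN_VIA_STUNNEL = "proto tcp\nremote 127.0.0.1 4096\n"  # points at stunnel's local accept

def parse_stunnel(text):
    """Parse stunnel.conf into {section: {key: value}}; global keys go under ''."""
    conf, section = {"": {}}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            conf[(section := line[1:-1])] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[section][key] = value
    return conf

def host_port(value, default_host="0.0.0.0"):
    # stunnel accept/connect values are either 'port' or 'host:port'
    host, _, port = value.rpartition(":")
    return host or default_host, int(port)

def ovpn_remote(text):
    """(host, port) from the first OpenVPN 'remote' directive; port defaults to 1194."""
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "remote":
            return parts[1], (int(parts[2]) if len(parts) > 2 else 1194)
    return None

def check_chain(ovpn, client_conf, server_conf, service="openvpn"):
    # mismatches along OpenVPN client -> stunnel client -> stunnel server -> OpenVPN server
    client, server = (parse_stunnel(c)[service] for c in (client_conf, server_conf))
    remote, local_accept = ovpn_remote(ovpn), host_port(client["accept"], "127.0.0.1")
    problems = []
    if remote != local_accept:  # OpenVPN dials past stunnel, so the stunnel log stays empty
        problems.append(f"ovpn remote {remote} bypasses stunnel accept {local_accept}")
    if host_port(client["connect"])[1] != host_port(server["accept"])[1]:
        problems.append("client connect port != server accept port")
    if not any(k in client for k in ("verify", "verifyChain", "verifyPeer", "CAfile")):
        problems.append("client does not verify the server certificate (stunnel's MITM warning)")
    return problems
```

Run `check_chain(OVPN_DIRECT, CLIENT_STUNNEL, SERVER_STUNNEL)` to see the bypass reported; with the .ovpn pointed at 127.0.0.1 4096 only the missing-verification finding remains.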

Are you having problems with connectivity, or is it not routing any traffic?

Also, this is not an error, it's a warning.

That warning from stunnel is common, I believe; it's also in the hour-long tutorial and it worked fine for that guy.

Connectivity wise, the openVPN works perfectly fine, both locally and remotely.

My problem is, looking at the YouTube tutorial, each time they connect to the VPN the stunnel log would update itself, indicating something is happening. In my case, the stunnel log shows no activity, as if the openVPN is not being routed through stunnel.

I think it has something to do with my ports? It is either the stunnel.conf on the Raspberry Pi or the one on the Windows machine that has a problem...but then, I'm not sure.

@Anudeep I've been watching and reading other tutorials on the internet, still couldn't get it working. I guess I'm a little confused on the accept and connect part of the config...Could you post your config? I want to know what worked for you.

Sorry for the late reply. Follow this tutorial; there are many commands to go through. You can test the stunnel setup as stated here.

Following the tutorial solved my problem. I was using the wrong ports all along.

So now my openVPN and stunnel work properly. All except one thing: my Samba shares.

I have a Samba share running on my local network. I am able to log in to my home router remotely, which means my traffic is being routed correctly. It works if I access the Samba shares from my Android phone via the network browser app, but not through the Windows network tab.

This is beyond my understanding, I've searched through the openVPN forums and I found nothing useful there.

I tried disabling all firewalls and antiviruses, and kept refreshing the network tab hoping my Samba share would show up, but nothing.

I need help on this. Do you know how to get the Samba shares working remotely?

EDIT: I am even able to VNC to my Raspberry Pi remotely! Samba not working remotely is weird.. :thinking::thinking:

Do you know about Nextcloud? I think it's better than Samba...

Some general Samba pointers.
Check if the Samba daemon is listening on ports 139/445 TCP on the server side:

sudo netstat -nltp | grep 'Proto\|:139 \|:445 '

Check Samba status on the server:

sudo smbstatus

Check that the firewall is not blocking 139/445 TCP on the server:

sudo iptables -L -n

Check whether telnet can connect to 445 TCP without errors on the server:

echo hello | telnet localhost 445

Do the same telnet test on a client to see if it can connect to 445 TCP without errors:

echo hello | telnet <IP_ADDRESS_SAMBA_SERVER> 445

I know ownCloud, but Nextcloud is great too and it's open source!

I think I'll just put up Nextcloud and all will be good...tired of troubleshooting; sometimes it gets tiring..

Just make sure to run Nextcloud on a different port if you're using the same device for both pihole and Nextcloud.

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1099/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1099/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      1099/smbd
tcp6       0      0 :::445                  :::*                    LISTEN

Samba version 4.2.14-Debian
PID     Username      Group         Machine            Protocol Version
------------------------------------------------------------------------------

Service      pid     machine       Connected at

No locked files

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

"Connection closed by foreign host", maybe the problem's there. I'm going to try out Nextcloud first..fancy web interface and all that, can't resist..

No more pihole; sometimes it blocks some of the websites I use, and in the long run this gets annoying quickly, so I uninstalled it. I like the idea of the pihole though..

No problems, this is a correct response without errors.
And on a client?