Starting Stunnel and OpenVPN using a Bash Script

Apart from one other individual attempting to write a similar, albeit more complicated, script in Python to achieve much the same result, after scouring the net I’ve been stumped for some basic information, never mind an example of a similar script.

I am using a VPN service that offers a way to configure a VPN tunnel within an SSL wrapper (the point of this is to avoid DPI).

To begin the processes, you have to open two terminals with superuser rights, in my case Konsole. In one you enter

sudo stunnel <SSL vendor config file.ssl>

then, upon successful completion, into the other terminal you enter

sudo openvpn <SSL vendor config file.ovpn>

Once both processes have completed, both terminals remain open, neither of which returns to a command prompt, so you close them both and the SSL over VPN simply runs.

I have managed to write two scripts that, initiated from the command line, achieve the desired result. And here I am stuck in neutral.

Writing a script and entering it into a terminal window is no faster than simply entering the commands at the command line manually, but it was a learning exercise for me. The goal is to write a script that I can click on, that will open a terminal window with root privileges, launch a script to initiate Stunnel and upon completion, open the next terminal window, launch the next script to initiate OpenVPN. Stunnel must successfully complete before OpenVPN can begin to connect. The windows need to remain open to confirm the processes have successfully completed. If a means is available for the computer to confirm success, optionally the terminals could be automatically closed.

This is what I have managed to cobble together myself with KWrite:

$ cat go.sh
#! /bin/sh
export PATH=$PATH:bin
cd /home/user/vpnconfigrepo
sudo stunnel <VendorConfigfile.ssl>

and then:

$ cat go2.sh
#! /bin/sh
export PATH=$PATH:bin
cd /home/user/vpnconfigrepo
sudo openvpn <VendorConfigFile.ovpn>

If one script could achieve all this then great, but if I could even get these two scripts to actually open up a terminal and visibly, in succession, enter the commands to be run, it would be great. But I have yet to be able to get a script to run without entering it first into the command line. This shouldn’t be that hard, should it?

Appreciate your input, thanks.

OpenSUSE Leap 42.1

Folks, I’m looking for some basic help here, not comments really. Would appreciate it.

I guess I’d have to start by asking why you want to run OpenVPN within stunnel.

I haven’t used stunnel for years, but I remember I did that because the particular connection/protocol wasn’t encrypted and stunnel was a fast, easy way to wrap the connection within an encrypted tunnel.

OpenVPN has no such problem, it supports encryption by default and is integrated into the connection setup.

TSU

Nobody wants to help. All I get are irrelevant questions.

Hi
Do the programs support creating a pid file? Then you could check for the presence of the pid before starting the second action.

You could also look at using visudo and add the two commands to the sudoers file for your user, then you won’t need a password.

Then create a desktop file (aka shortcut) to start it, then if needed you could add the option to display the terminal window.
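A single launcher script, added here as an example (it is not the OP’s go.sh/go2.sh and not something any poster wrote), that runs the OP’s two steps in order and uses the pid-file idea above to make sure stunnel is actually up before openvpn is started. The config file names, the pid path, and the assumption that the script runs as root are placeholders for this thread, not values from it.

```shell
#!/bin/bash
# Added example for this thread (not the OP's or any poster's script).
# Runs the OP's two-terminal sequence in one script: start stunnel, wait
# until stunnel has written its pid file, then run openvpn in the foreground
# so the terminal keeps showing the connection log.
# Assumptions (placeholders): the config names below, that the vendor stunnel
# config contains "pid = /run/stunnel-vpn.pid" and does not set "foreground = yes",
# and that the script runs as root, e.g. from a shortcut whose command is
#   xterm -hold -e sudo /path/to/vpn-up.sh run
set -u

CONF_DIR="${CONF_DIR:-/home/user/vpnconfigrepo}"       # directory from the OP's scripts
STUNNEL_CONF="${STUNNEL_CONF:-$CONF_DIR/vendor.conf}"  # placeholder for the vendor .ssl file
OPENVPN_CONF="${OPENVPN_CONF:-$CONF_DIR/vendor.ovpn}"  # placeholder for the vendor .ovpn file
STUNNEL_PID="${STUNNEL_PID:-/run/stunnel-vpn.pid}"     # must match "pid =" in the stunnel config

# wait_for_pidfile FILE TIMEOUT_SECONDS
# Polls once a second; returns 0 as soon as FILE names a live process, 1 if that
# has not happened after TIMEOUT_SECONDS. kill -0 only succeeds for processes we
# are allowed to signal, which is one reason the script is meant to run as root.
wait_for_pidfile() {
    local file="$1" timeout="$2" waited=0 pid
    while [ "$waited" -lt "$timeout" ]; do
        if [ -s "$file" ]; then
            pid=$(tr -d '[:space:]' < "$file")
            if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
                return 0
            fi
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

main() {
    cd "$CONF_DIR" || exit 1
    rm -f "$STUNNEL_PID"                  # a stale pid file could match an unrelated process
    stunnel "$STUNNEL_CONF" || exit 1     # stunnel daemonizes and writes its pid file
    if ! wait_for_pidfile "$STUNNEL_PID" 15; then
        echo "stunnel did not come up within 15s, not starting openvpn" >&2
        exit 1
    fi
    exec openvpn --config "$OPENVPN_CONF" # replaces the shell; the exit code is openvpn's
}

# Only run the sequence when invoked with "run"; sourcing the file just defines the functions.
if [ "${1-}" = "run" ]; then
    main
fi
```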

Well,
If you really wanted to do so, you could probably create a Here Document which runs your commands sequentially, i.e. first establishing your stunnel, then running OpenVPN within it.

An example of a Here Document that automatically answers questions setting up security for MySQL/MariaDB, with links to other recommended guides on the topic
https://en.opensuse.org/User:Tsu2/MySQL_and_Mariadb

The basic idea is that if you can construct your stunnel and OpenVPN individually by answering or providing answers interactively, the Here Document enables providing those same answers in script form easily, embedding one within the other.

TSU

On Mon, 10 Oct 2016 18:16:01 +0000, tsu2 wrote:

> OpenVPN has no such problem, it supports encryption by default and is
> integrated into the connection setup.

https://www.bestvpn.com/blog/5919/how-to-hide-openvpn-traffic-an-introduction/ explains it pretty well. As the OP says, deep packet inspection (DPI) can tell when using OpenVPN vs. just regular SSL because OpenVPN’s implementation has some idiosyncrasies that are unique to the implementation.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Hi,

Not sure what you’re looking for, but xterm comes to mind for the “launching of terminal”, like the example below.

xterm -e 'read -p "How are you? "'

Also, AFAIK openvpn has an option to write and monitor the PID of its own process so you can kill it any time. Not sure about stunnel though.

Been awhile since I’ve looked into what is generally called “Deep Packet Inspection.”
I’d be very surprised if what the author of that link describes is deep at all; it is more likely “normal packet inspection,” i.e. regular packet headers and not necessarily the payload.

That’s because AFAIK OpenVPN secures and encrypts no differently than stronger versions of TLS/SSL, there’s nothing mysterious or unique about what OpenVPN is doing… In fact, IMO the strength of what OpenVPN does is that it doesn’t try to be unusual, it implements well known and proven methods. The only time it normally suffers is when the underlying technology suffers a failure like a couple years ago when OpenSSL was found to have a major flaw so OpenVPN suffered that same vulnerability until it was fixed.

And, if I had the capability I might take a look at the pattern of packets since OpenVPN content would likely be much heavier with a different pattern than surfing a web page.

The methods to avoid detection in the article are probably fine… In particular using the common SSL port. Since the encryption method is the same, of course it would be very difficult to separate OpenVPN traffic from other TLS/SSL traffic. If you want to, forge the headers as well. Or, wrap again in something like stunnel, but if I were filtering and all of a sudden saw some stunnel traffic, that might make me wonder what was happening too, if it didn’t look like regular HTTPS.

IMO,
TSU

I don’t have a Bash script idea but am still using a VPN. I have a Windows 10 laptop using the Best VPN OS for it. It’s great.