In this post we’re going to talk about how to run the amazing stunnel program on android, and do so properly!
Later, this would allow us to setup a lot of cool things like:
- Wrapping OpenVPN traffic with it
- Using it as a SOCKS VPN
- Adding proper IMAPS/SMTPS support to our old email app
For this, we’re not going to use the old and very limited SSLDroid. It’s a bad idea, I don’t know why different sites still keep pushing it. It almost certainly has unpatched vulnerabilities. Please don’t use it.
Instead, we are going to use the official stunnel program, with the help of a proper wrapper.
stunnel android binary
stunnel already supports android devices and even the compiled version of it is available in it’s download page.
This file is compiled for ARM architecture. Even though most android devices run on ARM, this is particularly important to note for those devices that are not (e.g, Android-x86).
Since we’ll be using the compiled binary, you may need to compile stunnel yourself for your specific android architecture before continuing1. The chances are though, that your device is running on ARM and you are ready to go.
Another thing to note, is that the stunnel compiled version, is
CLI only. Meaning it can hardly be used by end users, and is only suitable for developers or hobbyists.2
While making an android GUI is in the stunnel author’s TODO list, there is still no official GUI available.
So we need an unofficial GUI (a wrapper if you will), an app that could provide the required front-end to the user and then pass the execution to the stunnel binary.
I spent quite a good amount of time trying to find a suitable and decent app. There are not so many of them, and most are either not maintained anymore or require you to compile the app yourself (which lets face it, is way less than ideal!)
In the end, I was able to find a decent little-known open-source app which is still maintained by the developer and also regularly updated to include the latest stunnel binary.
Originally intended to be a socks5 VPN through TLS.
The VPN part is not done yet but the stunnel part is working fine.
This app however, comes with a little to no documentation and could be a little tricky to make it work for the first time.
The rest of this post is dedicated to provide a basic documentation for the said app in hoping that it could help others to make use of it, and to also give back something to the author of the app to know that his app is actually being used.
That’s the great part, you don’t need to compile it yourself! While the README file does outline the steps necessary to source the android binary and compile the app yourself, at the time of writing, the latest release of the app (v0.0.6-beta, comes with the latest official stunnel android binary (v5.50).
If your android device does not use ARM architecture, you need to compile the stunnel from source for your device architecture first, then use the binary and compile the SSLSocks app.
The app does not need any special permissions to function. Which is yet another plus side.
Since the app is not offered in google play (at least at the time of writing), it will be considered as “Unknown App” by android OS.
Newer android versions, should just give a warning and allow you to continue your installation. If that’s not the case for you, you may need to enable “Install Unknown Apps” in your device settings.
The GUI of this app, is very simple. It consists of couple of tabs:
This is your landing page. When you are done with your setup, you can start the stunnel process here (and then stop it later on).
When the stunnel process is successfully started, a sticky notification will appear on your device (and will stay there until it’s stopped).
This section, outputs the stunnel process log. The amount of log that you get, depends on the
debug value set in the stunnel config file (default is
5). You can use this to troubleshoot your stunnel config file.
This is where the magic happens! This section, holds your
stunnel.conf file. The format is exactly as specified in stunnel documentation, and more or less all the options could be used.
Couple of default options are already specified in the file. You may remove the
client = yes option if for whatever reason you want to make your android device act as a stunnel server, but DO NOT remove the
foreground = yes and
pid = ... options (these are needed for proper communication and handling of the stunnel process by the SSLSocks).
There is a dedicated file for PSKSecrets in the app, called
psksecrets.txt. This file is accessible from the same window. Simply click (or touch, w/e!) on the dropdown menu at the top of the text window, and select psksecrets.txt:
Now this file is located in a special place which needs to be specified in stunnel.conf. This is how you specify it:
PSKsecrets = /data/data/link.infra.sslsocks/files/psksecrets.txt
As we will see shortly, the same format (and location) also applies to cert files.
Moving away from this tab, will automatically save the files.
This is where you’d specify your
p12 files. They can either be written manually, or most likely be imported to the app. Simply click the
+ sign at the bottom right corner of the screen and then click on
IMPORT FROM FILE to import your certificate.
Don’t forget to click on
OK after you’ve imported each cert to save it.
The line below shows how to specify a cert named test.pem in the
cert = /data/data/link.infra.sslsocks/files/test.pem
Using the top right menu, one could open the Advanced Settings window which right now provides you with automatic Start on boot option3.
If you decide to run stunnel in server mode on your android device, you might also want to consider generating static DH parameters to avoid battery draining.
And that’s about it! As always, I would love to know your thoughts. Please share them with me below.