OpenVPN + Stunnel: Stunnel Listen on wrong port

I'm trying to configure OpenVPN to work with Stunnel.
The problem is that, even I have tried to apply the config of Stunnel to Listen on 443 TCP, stunnel keep listening on 6000.

The config of stunnel.conf:

pid = /var/run/

setuid = nobody 
setgid = nogroup
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
cert = /etc/stunnel/stunnel.pem
foreground = yes
output = /var/log/stunnel.log

client = no
accept =
connect = localhost:5567

OpenVPN could connect properly without Stunnel, but when using Stunnel, the log say that the connection is refused on 443 tcp post of server.
Any suggestion or solutions for this, it made me mad 2 days already :'(.

P/s: I found that everytime I start stunnel, the conf in /var/etc/stunnel.conf will automatically re-gen by uci

; STunnel configuration file generated by uci
; Written Fri Mar 12 17:42:55 2021

Is there anyway to change the conf location? I want to change it to /etc/stunnel/stunnel.conf.

Running stunnel only:

root@MiRouter:~# stunnel
[ ] Initializing inetd mode configuration
[ ] Clients allowed=500
[.] stunnel 5.58 on mipsel-openwrt-linux-gnu platform
[.] Compiled/running with OpenSSL 1.1.1j  16 Feb 2021
[ ] errno: (*__errno_location())
[ ] Initializing inetd mode configuration
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] No PRNG seeding was required
[ ] Initializing service [openvpn]
[ ] stunnel default security level set: 2
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] Loading certificate from file: /etc/stunnel/stunnel.pem
[ ] Certificate loaded from file: /etc/stunnel/stunnel.pem
[ ] Loading private key from file: /etc/stunnel/stunnel.pem
[:] Insecure file permissions on /etc/stunnel/stunnel.pem
[ ] Private key loaded from file: /etc/stunnel/stunnel.pem
[ ] Private key check succeeded
[ ] DH initialization skipped: no DH ciphersuites
[ ] ECDH initialization
[ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
[.] Configuration successful
[ ] Deallocating deployed section defaults
[ ] Binding service [openvpn]
[ ] Listening file descriptor created (FD=10)
[ ] Setting accept socket options (FD=10)
[ ] Option SO_REUSEADDR set on accept socket
[ ] Service [openvpn] (FD=10) bound to
[!] Cannot open log file: /var/log/stunnel.log
[ ] Unbinding service [openvpn]
[ ] Service [openvpn] closed (FD=10)
[ ] Service [openvpn] closed


1 Like

Hi! Same question! Anybody know?

@Vicrius-rogan - what is your specific question/issue (there are several in the OP)?

In the case of the OP, OpenVPN and Stunnel are configured to listen on the same port. This won't work. Instead, one of them should be listening on a different port, and Stunnel will connect to the OpenVPN port by means of the connect line.

The conf file can be changed quite easily.

The following inside the /etc/config/stunnel file will allow you to put the config file elsewhere, such as in /etc/stunnel/stunnel.conf

config globals 'globals'
	option alt_config_file '/etc/stunnel/stunnel.conf'
1 Like

The problem is some kind of lame.
Stunnel could not find the log file so it refused to start.

You only need to creat pid and log file:


Change in stunnel.conf

output = /etc/stunnel/stunnel.log
pid = /etc/stunnel/

And put these in Local Startup to grant permission for stunnel to access pid and log file.

chown -R nobody:nogroup /etc/stunnel/
chown -R nobody:nogroup /etc/stunnel/
chown -R nobody:nogroup /etc/stunnel/stunnel.log

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.