
This guide shows how to wrap SSH inside HTTPS-like encryption using Stunnel, Let's Encrypt, and Cloudflare. It also includes configuration for HTTP Injector and tips to bypass ISP restrictions.


tharushaudana/ssh-over-tls-stunnel


🛡️ Setup SSH Over TLS/SSL Using Stunnel (with HTTP Injector)

You can use this method to bypass ISP firewalls or restrictions that block direct SSH connections. Since the SSH traffic is wrapped inside TLS (HTTPS-like), it blends in with regular encrypted web traffic — making it stealthy and harder to detect.


📋 Prerequisites

  • A VPS running a modern Linux distribution (e.g., Ubuntu, Debian).
  • Root or sudo access to the VPS.
  • A domain name (e.g., from DuckDNS) pointing to your VPS IP address via Cloudflare.

🔧 Step 1: Install Required Software

# Update package list
sudo apt update

# Install stunnel and Certbot (Let's Encrypt)
sudo apt install -y stunnel4 certbot

🔐 Step 2: Obtain an SSL Certificate

Use Certbot with the --standalone mode:

sudo certbot certonly --standalone -d xxxxx.duckdns.org

⚠️ Note: If a service like Nginx is using port 80, stop it temporarily:

sudo systemctl stop nginx
sudo certbot certonly --standalone -d xxxxx.duckdns.org
sudo systemctl start nginx

Certificates will be saved in:

/etc/letsencrypt/live/xxxxx.duckdns.org/

🧩 Step 3: Combine Certificate & Key

This guide hands Stunnel a single PEM file holding the certificate chain followed by the private key. The files under /etc/letsencrypt/live are readable only by root, so both the concatenation and the redirect have to run with elevated privileges (a plain sudo cat ... > file would fail, because the redirect is performed by your unprivileged shell):

sudo sh -c 'cat /etc/letsencrypt/live/xxxxx.duckdns.org/fullchain.pem \
    /etc/letsencrypt/live/xxxxx.duckdns.org/privkey.pem \
    > /etc/stunnel/stunnel.pem'

sudo chmod 600 /etc/stunnel/stunnel.pem

⚙️ Step 4: Configure Stunnel

Edit the config:

sudo nano /etc/stunnel/stunnel.conf

Use this configuration. Prefer port 443 when it is free; the example listens on 4443 because 443 is often already taken by a web server. Whichever port you pick here is the one HTTP Injector must be pointed at later:

pid = /var/run/stunnel.pid
output = /var/log/stunnel4/stunnel.log

[ssh-tls]
accept = 4443
connect = 127.0.0.1:22
cert = /etc/stunnel/stunnel.pem
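Let's Encrypt certificates are valid for 90 days, and certbot renews the files under /etc/letsencrypt/live on its own, but nothing refreshes the concatenated /etc/stunnel/stunnel.pem built in Step 3: after the first renewal Stunnel keeps serving the old, soon-expired certificate. The script below is an added example, not part of this guide, that rebuilds the combined file and restarts Stunnel. It is written to run as a certbot deploy hook, which sets the RENEWED_LINEAGE environment variable to the renewed lineage directory; the script name rebuild_stunnel_pem.py and the sample PEM strings are assumptions for illustration, and the samples are not real key material.

```python
#!/usr/bin/env python3
"""Rebuild /etc/stunnel/stunnel.pem from a Let's Encrypt lineage.

Added example, not part of the original guide. Meant to run as a certbot
deploy hook (certbot exports RENEWED_LINEAGE, the lineage directory), so the
combined file stunnel reads never goes stale after a renewal.
"""
import os
import subprocess
import sys

CERT_MARKER = "-----BEGIN CERTIFICATE-----"
KEY_MARKERS = (
    "-----BEGIN PRIVATE KEY-----",      # PKCS#8, what certbot writes by default
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
)

# Constructed, PEM-shaped samples for the self-test only; not real certificates or keys.
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAFCERTBASE64==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEBASE64==\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nKEYBASE64==\n-----END PRIVATE KEY-----\n"


def combine_pem(chain_text: str, key_text: str) -> str:
    """Return the single PEM stunnel expects: full chain first, then the private key."""
    if CERT_MARKER not in chain_text:
        raise ValueError("fullchain.pem contains no CERTIFICATE block")
    if not any(m in key_text for m in KEY_MARKERS):
        raise ValueError("privkey.pem contains no PRIVATE KEY block")
    return chain_text.rstrip("\n") + "\n" + key_text.rstrip("\n") + "\n"


def validate_pem_text(text: str) -> dict:
    """Summarise a combined PEM: certificate count, key presence, and ordering."""
    n_certs = text.count(CERT_MARKER)
    key_pos = min((text.find(m) for m in KEY_MARKERS if m in text), default=-1)
    return {
        "certs": n_certs,
        "has_key": key_pos != -1,
        # the certificates must precede the key in the combined file
        "key_after_certs": key_pos != -1 and key_pos > text.rfind(CERT_MARKER),
    }


def write_private_file(path: str, text: str) -> None:
    """Create the file with mode 0600 from the start and swap it in atomically,
    so the private key is never world-readable, not even briefly."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)


def main(argv):
    # certbot sets RENEWED_LINEAGE for deploy hooks; a path argument works for manual runs
    lineage = os.environ.get("RENEWED_LINEAGE") or (argv[1] if len(argv) > 1 else None)
    if not lineage:
        print("usage: rebuild_stunnel_pem.py /etc/letsencrypt/live/<domain>", file=sys.stderr)
        return 2
    with open(os.path.join(lineage, "fullchain.pem")) as f:
        chain = f.read()
    with open(os.path.join(lineage, "privkey.pem")) as f:
        key = f.read()
    combined = combine_pem(chain, key)
    write_private_file("/etc/stunnel/stunnel.pem", combined)
    print("stunnel.pem rebuilt:", validate_pem_text(combined))
    # reload the new certificate; stunnel4 is the Debian/Ubuntu service name used in this guide
    subprocess.run(["systemctl", "restart", "stunnel4"], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Drop the script, made executable, into /etc/letsencrypt/renewal-hooks/deploy/ and certbot runs it after every successful renewal; for a one-off run, pass the lineage directory as the argument. After the restart, openssl s_client -connect xxxxx.duckdns.org:4443 -servername xxxxx.duckdns.org should show the renewed certificate's validity dates.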

🔁 Step 5: Enable Stunnel on Boot

Edit the default config:

sudo nano /etc/default/stunnel4

Change:

ENABLED=0

To:

ENABLED=1

🚀 Step 6: Restart & Verify

sudo systemctl restart stunnel4
sudo systemctl enable stunnel4

Check if Stunnel is listening:

sudo ss -tuln | grep 4443

✅ You’ve successfully wrapped your SSH port with TLS encryption!


📱 Configure HTTP Injector

🔌 Step 1: Tunnel Type & Source

  • Tunnel Type: Secure Shell (SSH)
  • Connect From: TLS/SSL (stunnel)

[Screenshot: Tunnel Type and Source]


🛠️ Step 2: SSH Settings

Navigate to: Settings → Secure Shell (SSH)

Fill in:

  • SSH Host (SSL): xxxxx.duckdns.org
  • SSH Port (SSL): 4443

And set your SSH account credentials:

  • Username: <ssh_username>
  • Password: <ssh_password>

[Screenshot: SSH Settings]


🧠 Step 3: Set SNI & Connect

Set a valid SNI (e.g., www.youtube.com) and click Start.

[Screenshot: Set SNI]

After successful connection, you will see:

[Screenshot: Connection Logs]


🔍 How to Find SNI Using Wireshark

📥 Step 1: Download & Install Wireshark

Get it from: https://www.wireshark.org/download.html


▶️ Step 2: Start Capture

  • Launch Wireshark
  • Select the correct interface (e.g., eth0, wlan0, or Wi-Fi)

🎯 Step 3: Apply Filter

To show only the Client Hello packets that carry an SNI, use this display filter:

ssl.handshake.extensions_server_name

On Wireshark 3.0 and later the dissector prefix is tls rather than ssl, so the same filter reads tls.handshake.extensions_server_name. Or match every Client Hello, with or without an SNI:

tls.handshake.type == 1

(Client Hello packets)

[Screenshot: Wireshark Filter]


🌐 Step 4: Trigger HTTPS Request

Open a browser and visit any HTTPS website (e.g., https://youtube.com).


🧾 Step 5: Extract the SNI

Look for Client Hello packets in the list. You will see:

Client Hello (SNI=www.youtube.com)

[Screenshot: Client Hello Example]
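Wireshark can display the SNI without any keys because the server_name extension travels in cleartext inside the Client Hello, before any encryption is negotiated; a network monitor on the path sees exactly the same value. The code below is an added example, not part of this guide, that builds a minimal Client Hello with a constructed SNI and then parses the name back out, following the record, handshake and extension layout Wireshark's filter keys on. The host name www.example.com, the zeroed client random and the single cipher suite are constructed sample values.

```python
import struct

# Added example (not from the guide): construct a minimal TLS ClientHello and
# parse the SNI back out of it, the field Wireshark's
# tls.handshake.extensions_server_name filter keys on.

SNI_EXT_TYPE = 0x0000      # server_name extension id (RFC 6066)
HOST_NAME_TYPE = 0x00      # the only NameType defined: host_name


def build_client_hello(host_name=None) -> bytes:
    """Constructed sample: a TLS 1.2-style ClientHello record, with an SNI entry if host_name is given."""
    extensions = b""
    if host_name is not None:
        name = host_name.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXT_TYPE, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                  # client_version: TLS 1.2
        + bytes(32)                  # client random (all zeros, constructed)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType 22 = handshake


def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent, truncated or not a ClientHello."""
    try:
        if record[0] != 0x16:                     # not a Handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                         # not a ClientHello
            return None
        pos = 4 + 2 + 32                          # handshake header, client_version, random
        pos += 1 + hs[pos]                        # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                        # compression_methods
        if pos + 2 > len(hs):
            return None                           # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:                     # walk the extension list
            ext_type, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if ext_type != SNI_EXT_TYPE:
                continue
            # server_name: list_len(2), then entries of name_type(1), name_len(2), name
            list_end = 2 + struct.unpack("!H", data[0:2])[0]
            lpos = 2
            while lpos + 3 <= list_end:
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                nval = data[lpos + 3:lpos + 3 + nlen]
                lpos += 3 + nlen
                if ntype == HOST_NAME_TYPE and len(nval) == nlen:
                    return nval.decode("ascii", errors="replace")
            return None                           # extension present but no host_name entry
        return None                               # no server_name extension
    except (IndexError, struct.error):
        return None                               # truncated or malformed record


if __name__ == "__main__":
    sample = build_client_hello("www.example.com")
    print("record bytes:", len(sample), "SNI:", extract_sni(sample))
```

The parser returns None rather than raising on anything short or malformed, which is the behaviour you want when feeding it packet payloads from a capture: a Client Hello split across TCP segments, or a record that is not a handshake at all, simply yields no name.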


✅ Final Words

You’ve now successfully:

  • Set up SSH over TLS using Stunnel
  • Configured it to work with the HTTP Injector app
  • Learned to find valid SNIs using Wireshark
  • 👨‍💻 And bypass ISP restrictions with encrypted, HTTPS-like traffic

🎉 Enjoy secure and stealthy SSH access over TLS!
