stunnel

From Mark Furneaux's Wiki

stunnel is a Linux utility which allows any network connection to be easily wrapped with TLS. This is especially useful to wrap SSH connections so that they are treated by traffic shaping appliances as HTTPS and are thus not throttled.

Installation

Run:
# apt install stunnel4

Configuration

This example configuration shows how to set up an SSH tunnel.

Server

Start by creating and installing a key and certificate for encrypting the connection:
$ openssl genrsa 1024 > stunnel.key
$ openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt
$ cat stunnel.crt stunnel.key > stunnel.pem
# mv stunnel.pem /etc/stunnel/

Create a configuration file in /etc/stunnel/stunnel.conf:

client = no
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem

[ssh]
accept = PORTA
connect = 127.0.0.1:22

PORTA refers to the external port on the server the daemon will listen on.

Change the line ENABLED=0 to ENABLED=1 in /etc/default/stunnel.

Start the daemon by running:
# service stunnel start

Client

Copy the /etc/stunnel/stunnel.pem file from the server to the client in the same directory (/etc/stunnel/stunnel.pem).

Create a configuration file in /etc/stunnel/stunnel.conf:

client = yes
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem

[ssh]
accept = PORTB
connect = EXTERNAL_IP:PORTA

PORTA refers to the external port on the server on which the daemon is listening.
PORTB refers to the local port on the client; connections to it are forwarded to the server.
EXTERNAL_IP refers to the server's public Internet IP address. This can also be an FQDN.

Change the line ENABLED=0 to ENABLED=1 in /etc/default/stunnel.

Start the daemon by running:
# service stunnel start
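The two configuration files above can be checked with the following linter, an added example that is not from the wiki or the stunnel project. It parses the stunnel.conf layout and flags leftover PORTA/PORTB/EXTERNAL_IP placeholders as well as a client that does not verify the server certificate, which the client configuration above does not (it sets cert but no verify level or CAfile, so it accepts any TLS server answering at EXTERNAL_IP:PORTA).

```python
# Added example (not from the wiki or the stunnel project): a linter for the
# stunnel.conf layout above (globals before the first [name] header; ';' comments).
import re

PLACEHOLDERS = ("PORTA", "PORTB", "EXTERNAL_IP")
# Constructed sample: the page's client config with PORTB set but PORTA unset.
SAMPLE_CLIENT = ("client = yes\ncert = /etc/stunnel/stunnel.pem\n\n"
                 "[ssh]\naccept = 2222\nconnect = EXTERNAL_IP:PORTA\n")

def parse_stunnel_conf(text):
    """Return (global_opts, {service_name: opts}) with lower-cased keys."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services

def lint_stunnel_conf(text):
    """Return a list of findings; an empty list means nothing to report."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}  # service options override global ones
        for key in ("accept", "connect"):
            val = eff.get(key, "")
            port = val.rsplit(":", 1)[-1]  # 'PORT' or 'HOST:PORT'
            if any(p in val for p in PLACEHOLDERS):
                findings.append(f"[{name}] {key} still has a placeholder: {val}")
            elif not (port.isdigit() and 1 <= int(port) <= 65535):
                findings.append(f"[{name}] {key} has no valid port: {val!r}")
        # A client with no verify level (or no CA) accepts any server certificate.
        if eff.get("client", "no").lower() == "yes":
            level = eff.get("verify", "0")
            if not (level.isdigit() and int(level) >= 2
                    and (eff.get("cafile") or eff.get("capath"))):
                findings.append(f"[{name}] client does not verify the server "
                                "certificate (set verify = 2 and CAfile)")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_stunnel_conf(SAMPLE_CLIENT)) or "no findings")
```

Note that stunnel.pem as built above contains the server's private key; for verification the client only needs the public stunnel.crt as its CAfile, and the key should stay on the server.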

Usage

You can now connect to the server using:
$ ssh -p PORTB user@localhost