Stunnel/Troubleshooting: Difference between revisions
From charlesreid1
(Created page with "Having issues getting stunnel client and server to connect. Have been following this Digital Ocean guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ss...")
No edit summary
Revision as of 05:08, 29 March 2017
Having issues getting stunnel client and server to connect.
Have been following this Digital Ocean guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu
Problem Description
I am trying to create a stunnel connection from client to server. The stunnel client will route traffic from local port 2222 to local port 8000. This traffic is then encrypted by stunnel and sent over the network to the stunnel server on the remote machine, which is also listening for connections on port 8000. Once the traffic reaches the stunnel server, it is decrypted and forwarded to the server's local port 22, the SSH service.
This allows an SSH command aimed at localhost to ultimately connect to the remote server:
<pre>
[local] $ ssh -p 2222 zappa@localhost
...login message...
[remote] $
</pre>
This is useful because:
- You can wrap arbitrary traffic from any local port, and send it encrypted with SSL over any other port.
- You can bypass any firewall that allows HTTPS traffic only by disguising your traffic using Stunnel.
Server
Server configuration
Here is the server stunnel.conf (Ubuntu):
<pre>
output = /var/log/stunnel4/stunnel.log
cert = /etc/stunnel/stunnel.fullchain.pem
key = /etc/stunnel/stunnel.key.pem
client = no
debug = 7

[ssh]
accept = 8000
connect = 127.0.0.1:22
</pre>
A debug level of 7 is the maximum and gives the most detailed description of what is happening in the log file.
Server behavior
On the server, stunnel is started using the following steps:
Check the stunnel conf:
<pre>
$ cat /etc/stunnel/stunnel.conf
</pre>
Open port 8000 if needed:
<pre>
$ iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
</pre>
Stop previous stunnel instances and start a new one:
<pre>
$ killall stunnel && stunnel
</pre>
Look at the last few lines of the log to verify it is running correctly and bound to port 8000:
<pre>
$ tail /var/log/stunnel4/stunnel.log
...
2017.03.29 04:59:15 LOG5[ui]: Configuration successful
2017.03.29 04:59:15 LOG7[ui]: Listening file descriptor created (FD=7)
2017.03.29 04:59:15 LOG7[ui]: Service [ssh] (FD=7) bound to 0.0.0.0:8000
</pre>
I can also see the open ports on the server using the netstat utility:
<pre>
$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
</pre>
Client
Client configuration
Here is the client stunnel.conf (Mac):
<pre>
output = /var/log/stunnel4/stunnel.log
cert = /usr/local/etc/stunnel/stunnel.fullchain.pem
key = /usr/local/etc/stunnel/stunnel.key.pem
client = yes
debug = 7

[ssh]
accept = 127.0.0.1:22
connect = 92.126.102.36:8000
</pre>
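The first thing to check when the two ends will not talk is whether the server and client stunnel.conf files agree with each other and with the ssh command. The following script is an added example, not part of this wiki page or of stunnel itself: it parses the two configs shown above (copied inline as constructed strings) and reports any port or role mismatch, for instance that the client config accepts on 127.0.0.1:22 while the problem description and the ssh command use port 2222.

```python
import configparser
from typing import List, Tuple

# Constructed copies of the two stunnel.conf files shown on this page
SERVER_CONF = """\
client = no
[ssh]
accept = 8000
connect = 127.0.0.1:22
"""
CLIENT_CONF = """\
client = yes
[ssh]
accept = 127.0.0.1:22
connect = 92.126.102.36:8000
"""

def parse_stunnel_conf(text: str) -> configparser.ConfigParser:
    # stunnel.conf is INI-like, but global options precede any [section];
    # a synthetic [global] header is prepended so configparser accepts them
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[global]\n" + text)
    return cp

def host_port(endpoint: str) -> Tuple[str, int]:
    # stunnel accepts either "port" or "host:port"; a bare port binds 0.0.0.0
    host, _, port = endpoint.strip().rpartition(":")
    return (host or "0.0.0.0"), int(port)

def check_tunnel(server_text: str, client_text: str, service: str, ssh_port: int) -> List[str]:
    """Return the mismatches between both configs and the port used by ssh -p."""
    srv, cli = parse_stunnel_conf(server_text), parse_stunnel_conf(client_text)
    problems: List[str] = []
    if cli.get("global", "client", fallback="no").lower() != "yes":
        problems.append("client side must set client = yes")
    if srv.get("global", "client", fallback="no").lower() != "no":
        problems.append("server side must set client = no")
    if not (srv.has_section(service) and cli.has_section(service)):
        return problems + [f"both sides need a [{service}] section"]
    cli_acc_host, cli_acc = host_port(cli.get(service, "accept"))
    _, cli_con = host_port(cli.get(service, "connect"))
    _, srv_acc = host_port(srv.get(service, "accept"))
    _, srv_con = host_port(srv.get(service, "connect"))
    if cli_acc != ssh_port:
        problems.append(f"ssh -p {ssh_port} but client accepts on port {cli_acc}")
    if cli_con != srv_acc:
        problems.append(f"client connects to port {cli_con} but server accepts on {srv_acc}")
    if srv_con != 22:
        problems.append(f"server forwards to port {srv_con}, not sshd on 22")
    if cli_acc_host not in ("127.0.0.1", "localhost", "::1"):
        problems.append("client accept should bind to loopback; the plaintext side is exposed otherwise")
    return problems

if __name__ == "__main__":
    for p in check_tunnel(SERVER_CONF, CLIENT_CONF, "ssh", 2222):
        print("MISMATCH:", p)
```

Run against the page's configs with ssh_port 2222 it reports the single accept-port mismatch; with the accept changed to 127.0.0.1:2222 (or ssh pointed at port 22) the check comes back clean.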
Client behavior
When the stunnel command is run on the client,