Stunnel/Server

From charlesreid1

Revision as of 07:19, 29 March 2017 by Admin (talk | contribs)

This page covers an example stunnel server configuration that will tunnel SSH via stunnel over port 8000.

On the client, port 2222 (where the client will SSH) is mapped to port 8000 (stunnel), which wraps the SSH traffic in an SSL layer and passes it to the stunnel server.

On the server, port 8000 (stunnel) is exposed and listening for incoming connections. When it creates a connection it unwraps the SSL layer on the traffic and forwards it to local port 22.

Stunnel Server

Stunnel running as a server will open two ports: one to listen for incoming traffic, and one to forward the (unencrypted) traffic onto.

Stunnel Server Ports

Stunnel servers can listen on any port, and the port you choose depends on the application. The configuration we're showing here is intended to bypass a local network that allows only HTTP and HTTPS traffic on ports 80 and 443. Therefore the arrangement we will use is, stunnel will listen on port 443, open to external traffic, for SSL-encrypted stunnel traffic. This means that only stunnel can listen on 443, so this cannot be a server for an HTTPS web site. We can use stunnel on any port that we want, but communicating between stunnel clients and servers on port 443 allows us to disguise arbitrary traffic (HTTP, HTTPS, SSH, database, etc.) as legitimate HTTPS.

(Note that other services like Iodine allow you to do similar things with disguising network connections over port 53, the typical port used by DNS servers.)

Typically, stunnel is forwarding that traffic on to a local port, something like 8443. (Useful if you have a service only exposed to LOCAL traffic from localhost or 127.0.0.1 and not bound to an EXTERNAL ip address like 0.0.0.0).

Stunnel Config File

To set this up, we use the stunnel.conf configuration file. This is what a simple stunnel config looks like: 

output 	= /var/log/stunnel4/stunnel.log
cert	= /etc/stunnel/stunnel.fullchain.pem
key	= /etc/stunnel/stunnel.key.pem
client 	= no
debug	= 7
[ssh]
accept = 8000
connect = 127.0.0.1:22

Starting Stunnel

Starting stunnel is really simple. Just run the stunnel command.

If there are problems, stunnel may or may not print them out when you run the stunnel command.

Here's an example of a permissions error with a certificate file: 

$ stunnel
[ ] Clients allowed=500
[.] stunnel 5.30 on x86_64-pc-linux-gnu platform
[.] Compiled with OpenSSL 1.0.2e 3 Dec 2015
[.] Running  with OpenSSL 1.0.2g  1 Mar 2016
[.] Update OpenSSL shared libraries or rebuild stunnel
[.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing service [http]
[ ] Loading certificate from file: /etc/stunnel/stunnel.fullchain.pem
[ ] Certificate loaded from file: /etc/stunnel/stunnel.fullchain.pem
[ ] Loading private key from file: /etc/stunnel/stunnel.key.pem
[!] error queue: 140B0002: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
[!] SSL_CTX_use_PrivateKey_file: 200100D: error:0200100D:system library:fopen:Permission denied
[!] Service [http]: Failed to initialize SSL context

Stunnel may also fail silently. In another window you can run tail on the stunnel log: 

$ tail -f /var/log/stunnel4/stunnel.log

Once stunnel is running properly, you won't see any startup message: 

$ sudo stunnel

The last few lines of the log should also show a clean startup: 

2017.03.28 13:01:53 LOG5[ui]: Compiled with OpenSSL 0.9.8zc 19 Mar 2015
2017.03.28 13:01:53 LOG5[ui]: Running  with OpenSSL 0.9.8zh 14 Jan 2016
2017.03.28 13:01:53 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2017.03.28 13:01:53 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP
2017.03.28 13:01:53 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2017.03.28 13:01:53 LOG5[ui]: UTF-8 byte order mark not detected
2017.03.28 13:01:53 LOG4[ui]: Service [https] needs authentication to prevent MITM attacks
2017.03.28 13:01:53 LOG5[ui]: Configuration successful

You can verify that stunnel is running using nmap to check if the stunnel port is open: 

$ sudo nmap localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-28 17:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 999 closed ports
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds

Now Start the Client

See Stunnel/Client

Flags


SSH9999Success.png
stunnel
secure tunnel - create secure encrypted connections on any port to wrap any protocol


Stunnel  · Category:Stunnel


Using:

Client: Stunnel/Client

Server: Stunnel/Server

Stunnel Over Docker: Stunnel/Docker

Certificates: Stunnel/Certificates


Protocols:

Stunnel/Rsync  · Stunnel/SSH  · Stunnel/Scp  · Stunnel/HTTP  · Stunnel/OpenVPN


Other Links:

RaspberryPi/Headless  · RaspberryPi/Reverse SSH

Category:Stunnel  · Category:SSH  · Category:Networking


Flags  · Template:StunnelFlag  · e



Retrieved from "https://charlesreid1.com/w/index.php?title=Stunnel/Server&oldid=15694"