This page covers the basic procedure required to carry SSH traffic over an stunnel connection.

Overview

This guide will cover how to get an stunnel client and stunnel server to create an encrypted connection on an arbitrary port, and how to forward SSH traffic from any local port on the client end through that encrypted tunnel and on to any local port on the server end.

We will use a specific example here: the client wants to be able to SSH to a local port, say port 2222, and have this transparently forwarded to another local port on the server, say port 22.

In that way, the client transparently sees:

[client] $ ssh -p 2222 root@localhost

[server ~ via client] $

No information about the server needs to be specified - the connection happens transparently on the networking layer.

Setting up client

The following sets up the client to listen for SSH connections on local port 2222, and forward them to port 443.

This is a way to bypass firewalls that only accept HTTP and HTTPS traffic - wrap the SSH traffic in an HTTPS layer that the firewall can't inspect.

Port 2222 (local ssh) --> Port 443 (stunnel client)

# client config,
# will ssh directly to local port 443
# ssh -p 443 root@localhost
# stunnel client connects to remote stunnel server at IP A.B.C.D over external port 443

output 	= /var/log/stunnel4/stunnel.log
cert 	= /etc/stunnel/stunnel.pem
key	= /etc/stunnel/stunnel.pem
pid 	= /var/run/stunnel4/stunnel.pid
client  = yes
[ssh]
accept 	= 127.0.0.1:443
connect = A.B.C.D:443

Also see Stunnel/Client

Setting up server

See Stunnel/Server

port 2222 port 8000

Connecting

Run stunnel on both machines, check that everything is operating correctly.

Testing

ssh -p 2222 root@localhost

Flags

Stunnel/SSH

From charlesreid1

Contents