From charlesreid1

Revision as of 03:06, 31 March 2017

This page covers a basic configuration for getting secure copy (SCP) working over an stunnel connection.

Overview

Setting up client

To set up the client, use the same config file as in Stunnel/SSH, except change the service section name from [ssh] to [scp]:

# client config:
# scp (or ssh) connects to local port 2222, e.g.
#   ssh -p 2222 root@localhost
# the stunnel client connects to the remote stunnel server (IP A.B.C.D, set in "connect" below) over external port 443

output 	= /var/log/stunnel4/stunnel.log
cert 	= /usr/local/etc/stunnel/stunnel.fullchain.pem
key		= /usr/local/etc/stunnel/stunnel.key.pem
pid 	= /var/run/stunnel4/stunnel.pid
client  = yes
[scp]
accept 	= 2222
connect = 96.126.102.36:443

Now scp commands can be directed through port 2222 using a capital -P (in scp, lowercase -p preserves file times and modes instead of setting the port):

$ scp -P 2222 <...>

This will redirect the scp traffic to port 443, through stunnel, and on to port 22 on the remote server.
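
The following is an added example, not part of the original page: a small Python audit of the client config above for two settings that are easy to miss. stunnel does not verify the server certificate unless told to, and an accept value with no host listens on every interface. The CAfile path and checkHost name in the hardened variant are placeholder assumptions; verifyChain and checkHost are options of stunnel 5.x, and older releases use the numeric verify option.

```python
# Constructed copy of the page's client config.
CLIENT_CONF = """\
output  = /var/log/stunnel4/stunnel.log
cert    = /usr/local/etc/stunnel/stunnel.fullchain.pem
key     = /usr/local/etc/stunnel/stunnel.key.pem
pid     = /var/run/stunnel4/stunnel.pid
client  = yes
[scp]
accept  = 2222
connect = 96.126.102.36:443
"""
# Hardened variant. The CAfile path and checkHost name are placeholders (assumptions).
HARDENED_CONF = CLIENT_CONF.replace("= 2222", "= 127.0.0.1:2222") + (
    "verifyChain = yes\ncheckHost = stunnel.example.org\n"
    "CAfile = /etc/ssl/certs/ca-certificates.crt\n"
)
VERIFY_OPTS = ("verifychain", "verifypeer", "verify")

def parse(text):
    """Return (global_options, {service_name: options}); option names lowercased."""
    glob, services = {}, {}
    cur = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], {})
        else:
            key, _, value = line.partition("=")
            cur[key.strip().lower()] = value.strip()
    return glob, services

def audit(text):
    """Return (service, finding) pairs for client-mode services."""
    glob, services = parse(text)
    findings = []
    for name, opts in services.items():
        eff = {**glob, **opts}               # service options override globals
        if eff.get("client", "no").lower() != "yes":
            continue
        if all(eff.get(o, "no").lower() in ("no", "0") for o in VERIFY_OPTS):
            findings.append((name, "server certificate is not verified"))
        host = eff.get("accept", "").rpartition(":")[0]
        if host in ("", "0.0.0.0", "::"):
            findings.append((name, "accept listens on all interfaces"))
    return findings

if __name__ == "__main__": print(audit(CLIENT_CONF), audit(HARDENED_CONF))
```

SSH still checks the server's host key inside the tunnel, so the first finding concerns the TLS layer only.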

Setting up server

We want the stunnel server to listen on port 443 and forward traffic to port 22 (scp uses the same port as SSH).

The only difference from the Stunnel/SSH server config file is the service section name:

# server config:
# stunnel server will listen for stunnel clients connecting on port 443
# traffic will be decrypted and forwarded to local port 22

output	= /var/log/stunnel4/stunnel.log
cert	= /etc/stunnel/stunnel.fullchain.pem
key		= /etc/stunnel/stunnel.key.pem
pid		= /var/run/stunnel4/stunnel.pid
client	= no
[scp]
accept	= 443
connect = 127.0.0.1:22