From charlesreid1

This page covers the basic procedure required to carry SSH traffic over an stunnel connection.

This is a similar configuration to what was used at the RaspberryPi/SSH Stunnel page.


This guide will cover how to get an stunnel client and stunnel server to create an encrypted connection on an arbitrary port, and how to forward SSH traffic from any local port on the client end through that encrypted tunnel and on to any local port on the server end.

We will use a specific example here: the client wants to be able to SSH to a local port, say port 2222, and have this transparently forwarded to another local port on the server, say port 22.

In that way, the client transparently sees:

[client] $ ssh -p 2222 root@localhost
[server ~ via client] $ whoami
root
[server ~ via client] $

The ssh command names no remote host: the stunnel client listening on localhost:2222 is the only thing that knows where the server is, and the ssh client only ever talks to loopback. The server address lives in the stunnel configuration, not in the SSH session. stunnel is purely a transport layer here, so sshd still authenticates the user and the ssh client still checks the server's host key exactly as it would over a direct connection.

Setting up client

The following sets up the stunnel client to listen for SSH connections on local port 2222 and forward them, wrapped in TLS, to port 443 on the server.

Because the traffic crossing the network is TLS on port 443, it looks like HTTPS to a firewall that only passes HTTP and HTTPS: the firewall sees a TLS handshake but cannot read the SSH session inside it. A TLS-intercepting proxy that terminates connections on 443 will break the tunnel rather than pass it.

Port 2222 (ssh client, localhost) --> stunnel client --> Port 443 (stunnel server at A.B.C.D) --> Port 22 (sshd, localhost on the server)

# client config,
# ssh connects to local port 2222:
#   ssh -p 2222 root@localhost
# stunnel client accepts on local port 2222 and connects to the remote
# stunnel server at IP A.B.C.D over external port 443

output  = /var/log/stunnel4/stunnel.log
cert    = /etc/stunnel/stunnel.pem
key     = /etc/stunnel/stunnel.pem
pid     = /var/run/stunnel4/stunnel.pid
client  = yes
accept  = 2222
connect = A.B.C.D:443

Two things to be aware of with this minimal client config. First, it does not verify the server's certificate (there is no verify/CAfile option), so any TLS endpoint answering on A.B.C.D:443 is accepted; the SSH host-key check is then the only protection against a man-in-the-middle on port 443. Second, accept = 2222 with no address binds every interface, so any host that can reach the client machine on port 2222 can use the tunnel; accept = 127.0.0.1:2222 limits it to local users. The cert and key lines are only needed on the client if the server is configured to demand a client certificate. The pid option must name a file, not a directory.


Setting up server

This configuration sets up an stunnel server that listens on port 443 for stunnel client connections, decrypts the traffic, and forwards it to local port 22 (the local SSH service).

In this way, nothing on the wire between the two machines uses port 2222 or port 22: the only connection crossing the network is TLS on port 443, and the SSH session travels inside it.

# server config,
# stunnel server will listen for stunnel clients connecting on port 443
# traffic will be decrypted and forwarded to local port 22

output  = /var/log/stunnel4/stunnel.log
cert    = /etc/stunnel/stunnel.pem
key     = /etc/stunnel/stunnel.pem
pid     = /var/run/stunnel4/stunnel.pid
client  = no
accept  = 443
connect = 127.0.0.1:22

On the server, stunnel.pem holds both the private key and the certificate; keep it readable only by the user stunnel runs as. If the client is to verify the server, it needs a copy of the certificate part only (openssl x509 -in stunnel.pem extracts it), never the key. Note also that sshd now sees every tunnelled connection as coming from 127.0.0.1: auth.log loses the real client address, and any firewall rule, Match Address block or fail2ban jail that treats loopback as trusted now applies to everyone who reaches the tunnel.



Run stunnel on both machines and check that everything is operating correctly.

See Stunnel/Client and Stunnel/Server pages for how to check if stunnel is operating correctly on client and server ends, respectively.
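The whole setup as one script, added here as an example that is not part of the original page or of stunnel itself: it writes a client and a server config that close the two gaps in the bare configs above (the client pins the server's certificate and listens on loopback only) and lints any stunnel config for those gaps, so the same check can be run over an existing installation. It assumes stunnel 5.x option names (verifyPeer, CAfile); A.B.C.D, /etc/stunnel/server.crt and the /var/run/stunnel4 paths are placeholders to adapt.

```sh
#!/bin/sh
# Added example, not from the original page or the stunnel project: write a
# hardened client/server pair for SSH over stunnel and lint a stunnel config
# for the weaknesses a bare config has. Assumes stunnel 5.x (verifyPeer/CAfile);
# A.B.C.D and all paths are placeholders.
set -eu

# Server: TLS in on 443, plaintext out to the local sshd.  $1 = output path
write_server_conf() {
    cat > "$1" <<'EOF'
output  = /var/log/stunnel4/stunnel.log
pid     = /var/run/stunnel4/stunnel.pid
cert    = /etc/stunnel/stunnel.pem
key     = /etc/stunnel/stunnel.pem

[ssh]
client  = no
accept  = 443
connect = 127.0.0.1:22
EOF
}

# Client: loopback 2222 in, TLS out to the server.  $1 = output path,
# $2 = server address, $3 = local copy of the server's certificate (PEM, no key)
write_client_conf() {
    cat > "$1" <<EOF
output  = /var/log/stunnel4/stunnel.log
pid     = /var/run/stunnel4/stunnel.pid

[ssh]
client  = yes
; bind loopback only, or every host that can reach this box gets a tunnel
accept  = 127.0.0.1:2222
connect = $2:443
; pin the server certificate; without this any TLS endpoint on 443 is accepted
verifyPeer = yes
CAfile  = $3
EOF
}

# Lint one config file. Prints one line per finding; returns 1 if there were any.
audit_conf() {
    f="$1"; rc=0
    # drop comments and whitespace so "accept  = 443" and "accept=443" compare equal
    norm=$(sed -e 's/[;#].*//' -e 's/[[:space:]]//g' "$f")
    if printf '%s\n' "$norm" | grep -qix 'client=yes'; then
        if ! printf '%s\n' "$norm" | grep -qiE '^(verifyPeer=yes|verifyChain=yes|verify=[23])$'; then
            echo "$f: client does not verify the server certificate"; rc=1
        fi
        if printf '%s\n' "$norm" | grep -qiE '^accept=[0-9]+$'; then
            echo "$f: accept binds all interfaces, use 127.0.0.1:PORT"; rc=1
        fi
    fi
    if printf '%s\n' "$norm" | grep -qiE '^(accept|connect)=$'; then
        echo "$f: empty accept/connect"; rc=1
    fi
    if printf '%s\n' "$norm" | grep -qiE '^pid=.*/$'; then
        echo "$f: pid must name a file, not a directory"; rc=1
    fi
    return $rc
}

# Demonstration in a scratch directory.
demo=$(mktemp -d)
write_server_conf "$demo/server.conf"
write_client_conf "$demo/client.conf" A.B.C.D /etc/stunnel/server.crt
audit_conf "$demo/server.conf"
audit_conf "$demo/client.conf"
# Constructed sample mirroring the bare client config from the page.
printf 'client = yes\naccept = 2222\nconnect = A.B.C.D:443\npid = /var/run/stunnel4/\n' > "$demo/weak.conf"
audit_conf "$demo/weak.conf" || echo "weak.conf failed the lint"
```

To deploy, extract the certificate half of the server's stunnel.pem with openssl x509 -in stunnel.pem -out server.crt and copy only that file to the client; the key never leaves the server. Start stunnel on the generated file on each machine and confirm the listeners with ss -ltnp (127.0.0.1:2222 on the client, 0.0.0.0:443 on the server).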


Now you can test that your SSH connection is being forwarded via stunnel:

[client] $ ssh -p 2222 root@localhost
<enter root password for the remote server>
[remote] # whoami
root
[remote] #

Note that sshd on the server sees this connection as coming from 127.0.0.1, because stunnel hands it the decrypted stream over loopback. This does not bypass PermitRootLogin: that option applies regardless of the source address, so if root login is disabled in sshd_config the login above is refused just as it would be over a direct connection. What does change is anything keyed on the source address: firewall rules that allow port 22 only from localhost, TCP wrappers, fail2ban and Match Address blocks in sshd_config all see loopback, and /var/log/auth.log records 127.0.0.1 rather than the real client.

Logging in as a non-root user through the tunnel should work in exactly the same way, since stunnel only relays bytes and does not distinguish users:

[client] $ ssh -p 2222 zappa@localhost
[remote] $ whoami
zappa
[remote] $

This has not worked consistently in practice. If it fails, the tunnel itself is not the cause: check the server's sshd configuration (AllowUsers, PasswordAuthentication, PubkeyAuthentication) and look for the refused attempt in /var/log/auth.log on the server.