This page covers the basic procedure required to carry SSH traffic over an stunnel connection.
This is a similar configuration to what was used at the RaspberryPi/SSH Stunnel page.
This guide will cover how to get an stunnel client and stunnel server to create an encrypted connection on an arbitrary port, and how to forward SSH traffic from any local port on the client end through that encrypted tunnel and on to any local port on the server end.
We will use a specific example here: the client wants to be able to SSH to a local port, say port 2222, and have this transparently forwarded to another local port on the server, say port 22.
In that way, the client transparently sees:
    [client] $ ssh -p 2222 root@localhost
    [server ~ via client] $ whoami
    root
    [server ~ via client] $
No information about the server needs to be specified - the connection happens transparently on the networking layer.
Setting up client
The following sets up the client to listen for SSH connections on local port 2222, and forward them to port 443.
This is a way to bypass firewalls that only accept HTTP and HTTPS traffic - wrap the SSH traffic in a TLS layer on the HTTPS port (443) that the firewall can't inspect.
Port 2222 (local ssh) --> Port 443 (stunnel client)
    # client config
    # ssh goes to local port 2222, where the stunnel client listens:
    #   ssh -p 2222 root@localhost
    # stunnel client connects to remote stunnel server at IP A.B.C.D over external port 443
    output = /var/log/stunnel4/stunnel.log
    cert = /etc/stunnel/stunnel.pem
    key = /etc/stunnel/stunnel.pem
    pid = /var/run/stunnel4/stunnel.pid
    client = yes

    [ssh]
    accept = 127.0.0.1:2222
    connect = A.B.C.D:443
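An added example, not part of the original page: a small Python audit for a client config like the one above. It flags a client service that never verifies the server's certificate (stunnel does not check the peer certificate unless told to, so the tunnel is encrypted but the server is unauthenticated) and an accept address that is not loopback. The verifyPeer/CAfile lines and the /etc/stunnel/server-cert.pem path in the hardened sample are assumptions, not settings from the page; older stunnel releases use the numeric verify option instead.

```python
import re

# Constructed sample modelled on the client config above (A.B.C.D is the page's placeholder).
PAGE_STYLE_CLIENT = """\
client = yes
[ssh]
accept = 127.0.0.1:2222
connect = A.B.C.D:443
"""

# Assumption: same service, server certificate pinned; the CAfile path is hypothetical.
HARDENED_CLIENT = PAGE_STYLE_CLIENT + """\
verifyPeer = yes
CAfile = /etc/stunnel/server-cert.pem
"""

def parse(text):
    """Split stunnel.conf text into (global options, {service: options})."""
    glob, services, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                    # start of a service section
            cur = services.setdefault(m.group(1), {})
            continue
        key, _, val = line.partition("=")
        (glob if cur is None else cur)[key.strip().lower()] = val.strip()
    return glob, services

def verifies_peer(opts):
    level = opts.get("verify", "0")
    return ("yes" in (opts.get("verifychain"), opts.get("verifypeer"))
            or (level.isdigit() and int(level) >= 2))  # level 2 and up require a valid peer cert

def audit(text):
    glob, services = parse(text)
    findings = []                                # list of (service, finding)
    for name, svc in services.items():
        opts = {**glob, **svc}                   # service options override global defaults
        if opts.get("client", "no") != "yes":    # only client-mode services are checked
            continue
        if not verifies_peer(opts):
            findings.append((name, "no-peer-verification"))
        host = opts.get("accept", "").rpartition(":")[0]
        if host not in ("127.0.0.1", "localhost", "::1"):
            findings.append((name, "accept-not-loopback"))
    return findings
```

Calling audit() on the page-style sample returns the single finding no-peer-verification for the ssh service; the hardened sample returns an empty list.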
Setting up server
This configuration will set up an stunnel server that listens on port 443 for stunnel client connections, and forwards any traffic received on to local port 22 (a local SSH service).
In this way, the SSH connection happens on an entirely different port from either 2222 (on the client) or 22 (on the server) - it happens on 443.
    # server config
    # stunnel server will listen for stunnel clients connecting on port 443
    # traffic will be decrypted and forwarded to local port 22
    output = /var/log/stunnel4/stunnel.log
    cert = /etc/stunnel/stunnel.pem
    key = /etc/stunnel/stunnel.pem
    pid = /var/run/stunnel4/stunnel.pid
    client = no

    [ssh]
    accept = 443
    connect = 127.0.0.1:22
Run stunnel on both machines and check that everything is operating correctly.
Now you can test that your SSH connection is being forwarded via stunnel:
    [client] $ ssh -p 2222 root@localhost
    <enter root password for the remote server>
    [remote] # whoami
    root
    [remote] #
This should work even if root login has been disabled, since stunnel forwards the traffic to the SSH service from 127.0.0.1, so it appears to SSH as local and not external traffic.
Note that you should, in theory, be able to log in as a non-root user, but this has not worked consistently:
    [client] $ ssh -p 2222 zappa@localhost
    [remote] $ whoami
    zappa
    [remote] $