This page covers an example stunnel server configuration that will tunnel SSH via stunnel over port 8000.
On the client, port 2222 (where the client will SSH) is mapped to port 8000 (stunnel), which wraps the SSH traffic in an SSL layer and passes it to the stunnel server.
On the server, port 8000 (stunnel) is exposed and listening for incoming connections. When it creates a connection it unwraps the SSL layer on the traffic and forwards it to local port 22.
Stunnel running as a server will open two ports: one to listen for incoming traffic, and one to forward the (unencrypted) traffic onto.
Stunnel Server Ports
Stunnel servers can listen on any port, and the port you choose depends on the application. The configuration we're showing here is intended to bypass a local network that allows only HTTP and HTTPS traffic on ports 80 and 443. Therefore the arrangement we will use is, stunnel will listen on port 443, open to external traffic, for SSL-encrypted stunnel traffic. This means that only stunnel can listen on 443, so this cannot be a server for an HTTPS web site. We can use stunnel on any port that we want, but communicating between stunnel clients and servers on port 443 allows us to disguise arbitrary traffic (HTTP, HTTPS, SSH, database, etc.) as legitimate HTTPS.
(Note that other services like Iodine allow you to do similar things with disguising network connections over port 53, the typical port used by DNS servers.)
Typically, stunnel is forwarding that traffic on to a local port, something like 8443. (Useful if you have a service only exposed to LOCAL traffic from localhost or 127.0.0.1 and not bound to an EXTERNAL ip address like 0.0.0.0).
Stunnel SSL Certificates
See the Stunnel/Certificates page for more info on how to create an SSL certificate for the server.
Also see the stunnel official howto: https://www.stunnel.org/howto.html
The short version: if you control the client and the server, and are using a self-signed certificate, you can skip verification or you can install the server's certificate authority (which, for a self-signed certificate, is the same as the certificate itself).
Stunnel Config File
To set this up, we use the
stunnel.conf configuration file. This is what a simple stunnel config looks like:
output = /var/log/stunnel4/stunnel.log cert = /etc/stunnel/stunnel.fullchain.pem key = /etc/stunnel/stunnel.key.pem client = no debug = 7 [ssh] accept = 8000 connect = 127.0.0.1:22
Starting stunnel is really simple. Just run the stunnel command.
If there are problems, stunnel may or may not print them out when you run the stunnel command.
Here's an example of a permissions error with a certificate file:
$ stunnel [ ] Clients allowed=500 [.] stunnel 5.30 on x86_64-pc-linux-gnu platform [.] Compiled with OpenSSL 1.0.2e 3 Dec 2015 [.] Running with OpenSSL 1.0.2g 1 Mar 2016 [.] Update OpenSSL shared libraries or rebuild stunnel [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP [ ] errno: (*__errno_location ()) [.] Reading configuration from file /etc/stunnel/stunnel.conf [.] UTF-8 byte order mark not detected [.] FIPS mode disabled [ ] Compression disabled [ ] PRNG seeded successfully [ ] Initializing service [http] [ ] Loading certificate from file: /etc/stunnel/stunnel.fullchain.pem [ ] Certificate loaded from file: /etc/stunnel/stunnel.fullchain.pem [ ] Loading private key from file: /etc/stunnel/stunnel.key.pem [!] error queue: 140B0002: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib [!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib [!] SSL_CTX_use_PrivateKey_file: 200100D: error:0200100D:system library:fopen:Permission denied [!] Service [http]: Failed to initialize SSL context
Stunnel may also fail silently. In another window you can run tail on the stunnel log:
$ tail -f /var/log/stunnel4/stunnel.log
Once stunnel is running properly, you won't see any startup message:
$ sudo stunnel
The last few lines of the log should also show a clean startup:
2017.03.28 13:01:53 LOG5[ui]: Compiled with OpenSSL 0.9.8zc 19 Mar 2015 2017.03.28 13:01:53 LOG5[ui]: Running with OpenSSL 0.9.8zh 14 Jan 2016 2017.03.28 13:01:53 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel 2017.03.28 13:01:53 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP 2017.03.28 13:01:53 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf 2017.03.28 13:01:53 LOG5[ui]: UTF-8 byte order mark not detected 2017.03.28 13:01:53 LOG4[ui]: Service [https] needs authentication to prevent MITM attacks 2017.03.28 13:01:53 LOG5[ui]: Configuration successful
Verifying the stunnel server is ok
On Ubuntu you can use the
netstat utility to see open ports:
$ netstat -tulpn (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN -
You can also verify that stunnel is running using nmap to check if the stunnel port is open:
$ sudo nmap localhost Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-28 17:00 UTC Nmap scan report for localhost (127.0.0.1) Host is up (0.000016s latency). Other addresses for localhost (not scanned): ::1 Not shown: 999 closed ports PORT STATE SERVICE 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds
Now Start the Client
stunnelsecure tunnel - create secure encrypted connections on any port to wrap any protocol
Stunnel Over Docker: Stunnel/Docker
Flags · Template:StunnelFlag · e