Stunnel/Server

This page covers an example stunnel server configuration that will tunnel SSH via stunnel over port 8000.

On the client, port 2222 (where the client will SSH) is mapped to port 8000 (stunnel), which wraps the SSH traffic in an SSL layer and passes it to the stunnel server.

On the server, port 8000 (stunnel) is exposed and listening for incoming connections. When it creates a connection it unwraps the SSL layer on the traffic and forwards it to local port 22.

Stunnel Server

Stunnel running as a server will open two ports: one to listen for incoming traffic, and one to forward the (unencrypted) traffic onto.

Stunnel Server Ports

Stunnel servers can listen on any port, and the port you choose depends on the application. The configuration we're showing here is intended to bypass a local network that allows only HTTP and HTTPS traffic on ports 80 and 443. Therefore the arrangement we will use is, stunnel will listen on port 443, open to external traffic, for SSL-encrypted stunnel traffic. This means that only stunnel can listen on 443, so this cannot be a server for an HTTPS web site. We can use stunnel on any port that we want, but communicating between stunnel clients and servers on port 443 allows us to disguise arbitrary traffic (HTTP, HTTPS, SSH, database, etc.) as legitimate HTTPS.

(Note that other services like Iodine allow you to do similar things with disguising network connections over port 53, the typical port used by DNS servers.)

Typically, stunnel is forwarding that traffic on to a local port, something like 8443. (Useful if you have a service only exposed to LOCAL traffic from localhost or 127.0.0.1 and not bound to an EXTERNAL ip address like 0.0.0.0).

Stunnel SSL Certificates

See the Stunnel/Certificates page for more info on how to create an SSL certificate for the server.

Also see the stunnel official howto: https://www.stunnel.org/howto.html

The short version: if you control the client and the server, and are using a self-signed certificate, you can skip verification or you can install the server's certificate authority (which, for a self-signed certificate, is the same as the certificate itself).

Stunnel Config File

To set this up, we use the stunnel.conf configuration file. This is what a simple stunnel config looks like:

output 	= /var/log/stunnel4/stunnel.log
cert	= /etc/stunnel/stunnel.fullchain.pem
key	= /etc/stunnel/stunnel.key.pem
client 	= no
debug	= 7
[ssh]
accept = 8000
connect = 127.0.0.1:22

Starting Stunnel

Starting stunnel is really simple. Just run the stunnel command.

If there are problems, stunnel may or may not print them out when you run the stunnel command.

Here's an example of a permissions error with a certificate file:

$ stunnel
[ ] Clients allowed=500
[.] stunnel 5.30 on x86_64-pc-linux-gnu platform
[.] Compiled with OpenSSL 1.0.2e 3 Dec 2015
[.] Running  with OpenSSL 1.0.2g  1 Mar 2016
[.] Update OpenSSL shared libraries or rebuild stunnel
[.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing service [http]
[ ] Loading certificate from file: /etc/stunnel/stunnel.fullchain.pem
[ ] Certificate loaded from file: /etc/stunnel/stunnel.fullchain.pem
[ ] Loading private key from file: /etc/stunnel/stunnel.key.pem
[!] error queue: 140B0002: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
[!] SSL_CTX_use_PrivateKey_file: 200100D: error:0200100D:system library:fopen:Permission denied
[!] Service [http]: Failed to initialize SSL context

Stunnel may also fail silently. In another window you can run tail on the stunnel log:

$ tail -f /var/log/stunnel4/stunnel.log

Once stunnel is running properly, you won't see any startup message:

$ sudo stunnel

The last few lines of the log should also show a clean startup:

2017.03.28 13:01:53 LOG5[ui]: Compiled with OpenSSL 0.9.8zc 19 Mar 2015
2017.03.28 13:01:53 LOG5[ui]: Running  with OpenSSL 0.9.8zh 14 Jan 2016
2017.03.28 13:01:53 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2017.03.28 13:01:53 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP
2017.03.28 13:01:53 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2017.03.28 13:01:53 LOG5[ui]: UTF-8 byte order mark not detected
2017.03.28 13:01:53 LOG4[ui]: Service [https] needs authentication to prevent MITM attacks
2017.03.28 13:01:53 LOG5[ui]: Configuration successful

Verifying the stunnel server is ok

On Ubuntu you can use the netstat utility to see open ports:

$ netstat -tulpn

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

You can also verify that stunnel is running using nmap to check if the stunnel port is open:

$ sudo nmap localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-28 17:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 999 closed ports
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds

Now Start the Client

See Stunnel/Client

Flags