Stunnel



The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote servers. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the program's code.

Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both UNIX and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having stunnel provide the encryption, requiring no changes to the daemon’s code. We all know how awesome stunnel is, but setting it up properly on Ubuntu (and on most other distros, really), can be a little tricky. This post is dedicated to show you how to properly install and configure this magnificent piece of software on Ubuntu.

  1. Stunnel overview, short description: The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote servers. The goal is to facilitate SSL encryption and authentication for non-SSL-aware programs.
  2. The stunnel client configuration is very similar to the server configuration, to specify this stunnel instance is a client we will add client = yes to the configuration.
  3. This is where stunnel comes into play. I've featured it in earlier articles but for those who are new to stunnel, stunnel is a proxy that allows you to create a TLS tunnel between two or more systems. In this article we will use stunnel to create a TLS tunnel between the HTTP client system and TinyProxy.

It will negotiate an SSL connection using the OpenSSL or SSLeay libraries. It calls the underlying crypto libraries, allowing stunnel to support whatever cryptographic algorithms were compiled into the crypto package.

Note


The pfSense® package implements only a subset of the configuration options available in stunnel. For more advanced configurations, please consider configuring stunnel manually on the pfSense host, run it in a dedicated jail, or on a different system.

The package has two configuration screens (tabs):

  • Tunnel definitions

  • Certificates


Tunnels

For each tunnel, the following options are available:

  • Listening socket IP address and port.

  • Certificate to use for the listening socket.

  • Target IP address and port.

  • IP address to bind to when connecting to the target.

If no certificate is specified for a tunnel, the default certificate will be used. This is a self-signed certificate which is generated upon package (re)installation, and is not suited for production use.
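As an added example (not the page's, the pfSense package's, or the stunnel project's own configuration), here is what the four per-tunnel options above look like in stunnel's own configuration syntax, together with the client-side counterpart that item 2 of the overview mentions (client = yes). All addresses, ports, hostnames and file paths are assumed values; the pfSense package writes its own file from the tunnel definitions, so this is for reading the result or for a manual stunnel setup.

```ini
; ---- server side (e.g. the pfSense host): TLS on 995, plain POP3 behind it ----
; Assumed paths: a server certificate plus its chain, and the matching RSA key.
cert = /etc/stunnel/server-chain.pem
key  = /etc/stunnel/server.key
; Drop privileges after the listening socket is open.
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel.pid

[pop3s]
accept  = 0.0.0.0:995        ; listening socket IP address and port
connect = 192.0.2.10:110     ; target IP address and port (the plain-text daemon)
local   = 192.0.2.1          ; IP address to bind to when connecting to the target

; ---- client side: a plain-text local port that becomes TLS to the server ----
; Without the verify options below the client accepts any certificate, which
; defeats the purpose of the tunnel; the options tie it to the expected server.
client = yes

[pop3s]
accept  = 127.0.0.1:110
connect = 198.51.100.5:995
CAfile  = /etc/stunnel/ca.pem   ; CA that issued the server certificate (assumed path)
verifyChain = yes               ; reject the connection if the chain does not validate
checkHost = mail.example.net    ; and if the certificate is not issued for this name
```

The two halves are separate files in practice (one per host); they are shown together here only to put the matching accept/connect pairs side by side. On the server, the chain in cert is what the client validates, which is why the Certificates section below insists on a complete chain.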


Certificates

Certificates are managed in the simplest possible way, by requiring the user to provide an RSA key and certificates/chains in PEM format. The Certificates tab lists the configured certificates along with status information, indicating whether the certificate is valid, will expire soon, or is already expired. A sanity check is also performed to make sure the key and certificate match.

Note that for private certificates and certain commercial ones (Extended Validation), a complete certificate chain may be required. This is to ensure that the client is able to verify the certificate validity. A chain should be built in the following way:

  1. Root certificate of the certificate issuer/CA

  2. Any intermediate certificates between the root and the server certificate

  3. Server certificate
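The Certificates tab's sanity check is described above only in outline. The following added example (not pfSense or stunnel code) shows the first half of such a check in plain Python: it parses a PEM bundle into its blocks, rejects mismatched BEGIN/END labels and undecodable base64, and reports how many certificate and key blocks are present. The sample bundle at the bottom is constructed from placeholder bytes, not real X.509 or RSA material, so it exercises only the PEM layer; the function names and the problem messages are this example's own.

```python
"""Parse and sanity-check a PEM bundle (certificates + one private key).

Added example, not pfSense/stunnel code. Checks the PEM container layer only;
confirming that the key matches the certificate, or that the chain order is
right, needs an X.509 parser (e.g. a crypto library or the openssl CLI).
"""
import base64
import binascii
import re

# One PEM block: BEGIN label, base64 body (possibly multi-line), END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)

KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem_bundle(text):
    """Return a list of (label, der_bytes) for each well-formed PEM block.

    Raises ValueError on a BEGIN/END label mismatch or undecodable base64,
    which is what a mis-pasted or truncated bundle usually looks like.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"label mismatch: BEGIN {begin} / END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 in {begin} block: {exc}") from exc
        blocks.append((begin, der))
    return blocks


def bundle_error(text):
    """Return the parse error for a malformed bundle, or None if it parses."""
    try:
        parse_pem_bundle(text)
    except ValueError as exc:
        return str(exc)
    return None


def check_bundle(text):
    """Summarise a bundle: certificate and key counts plus the problems an
    upload form would flag (no certificate, or not exactly one private key)."""
    blocks = parse_pem_bundle(text)
    certs = [der for (label, der) in blocks if label == "CERTIFICATE"]
    keys = [der for (label, der) in blocks if label in KEY_LABELS]
    problems = []
    if not certs:
        problems.append("no certificate")
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    return {"certificates": len(certs), "keys": len(keys), "problems": problems}


# Constructed sample: payloads are arbitrary bytes, not real certificates/keys.
def _fake_block(label, payload):
    b64 = base64.encodebytes(payload).decode()  # wraps at 76 chars, trailing \n
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


SAMPLE_BUNDLE = (
    _fake_block("CERTIFICATE", b"root-ca-placeholder" * 5)
    + _fake_block("CERTIFICATE", b"intermediate-placeholder" * 4)
    + _fake_block("CERTIFICATE", b"server-cert-placeholder" * 4)
    + _fake_block("RSA PRIVATE KEY", b"key-placeholder" * 6)
)

if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE))
```

Run it against a real bundle by passing the file contents to check_bundle; a ValueError points at the first broken block. The chain-order rule listed above (root, intermediates, server) is a property of the certificates' subject and issuer fields, which this example deliberately does not decode.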


See also

Refer to the stunnel documentation for more information on how to format a certificate chain.

See also

The pfSense bug tracker contains a list of known issues with this package.

Adjust configuration

Using WinSCP (or, alternatively, an SSH terminal), create the file up.sh in the /etc/openvpn/ directory of your OpenWRT router with the following lines as content

and the file down.sh with the following content

Open the properties of the files up.sh and down.sh to set the permissions to 755.

Should any issues with the OpenVPN connection occur later, the log can be viewed in /var/log/openvpn.log.

Stunnel configuration

Replace the SERVER_IP with the stunnel-specific IP address of the respective server. You can look it up in the overview of stunnel ports and IPs.

For the STUNNEL_PORT you can choose between the following ports: 22, 53, 443, 8085, 9009, 36315. To circumvent blocking, ports 53 and 443 are particularly recommended. The schema is:

To use the VPN server in Basel, use WinSCP (or the terminal) to open the file stunnel in the /etc/config/ directory and in this example replace the content with the data for Basel1. Then save the file:


Should you later decide to disable OpenVPN, then do not forget to also disable Stunnel. To do so open the file stunnel in the /etc/config/ directory and change the line:

to