Skip to content

Stunnel: Creating an SSL Tunnel

Introduction

If you have software that doesn't support SSL, and you want to secure network connections, you can encapsulate it in an SSL tunnel. This tunnel will encrypt data from end to end.

Installation

Debian

1
apt-get install stunnel4

Red-Hat

1
2
3
4
wget http://www.stunnel.org/download/stunnel/src/stunnel-4.20.tar.gz
tar -xzvf stunnel-4.20.tar.gz
cd stunnel-4.20
./configure && make && make install

Windows

Download the client: https://www.stunnel.org/download/binaries.html
On Windows, all configuration files are in "C:\Program Files\stunnel", so adapt the examples below according to file paths

Configuration

Serveur

Don't modify the /etc/stunnel/stunnel.conf file; it's preferable to create a separate file (for example "/etc/stunnel/services.conf").
Here's an example of the file contents that will forward telnet and a VNC connection (assuming a VNC server is running on port "5901").

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
cert = /etc/stunnel/stunnel.pem         # Certificate to use
CAfile = /etc/stunnel/stunnel.pem       # same
verify = 3                              # Certificate verification level

##Service Definitions##
[Telnet]                                # Service Name
accept = 88.191.31.151:12345            # Server address hosting the service: Secure alternative port
connect = 127.0.0.1:23                  # Local server address: Real service port

[VNC]                                   # Service Name
accept = 88.191.31.151:54321            # Server address hosting the service: Secure alternative port
connect = 127.0.0.1:5901                # Local server address: Real service port

Client

As with the server, it's preferable to create a separate configuration file (still "/etc/stunnel/services.conf"). This file will be similar to the server file except that the service logic is reversed and the "Client" option is defined:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
client = yes                            # Indicates this is the client
cert = /etc/stunnel/stunnel.pem         # Certificate to use
CAfile = /etc/stunnel/stunnel.pem       # same
verify = 3                              # Certificate verification level

##Service Definitions##
[Telnet]                                # Service Name
accept = 127.0.0.1:23                   # Server address hosting the service: Secure alternative port
connect = 88.191.31.151:12345           # Local server address: Real service port

[VNC]                                   # Service Name
accept = 127.0.0.1:5901                 # Server address hosting the service: Secure alternative port
connect = 88.191.31.151:54321           # Local server address: Real service port

Generation du Certificat

Create a file "/etc/stunnel/cert.conf" with the following lines:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
[ req ]
default_bits = 1024 # Set 2056 if you're paranoid
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=FR
ST=France
L=Paris
O=Deimos
OU=Deimos Network Team
CN=deimos.fr
emailAddress=xxx@mycompany.com

[ cert_type ]
nsCertType = server

Then, to generate the certificate, navigate to the "/etc/stunnel" directory and type:

1
openssl req -new -days 365 -nodes -config /etc/stunnel/cert.conf -out stunnel.pem -x509 -keyout stunnel.pem

Utilisation

Now that the configuration files are created, stunnel is ready to be launched.

Linux: 

1
stunnel4 /etc/stunnel/services.conf

Windows: 

1
2
cd "C:\Programe Files\stunnel"
stunnel.exe services.conf

The client can then connect to the remote service this way: 

1
2
telnet 127.0.0.1
vnc4client 127.0.0.1:5901