Stunnel notes

1. Stunnel notes

1.1. What is Stunnel

  1. stunnel is an open-source, cross-platform TLS wrapper. It adds encryption in front of services that do not natively support encrypted communication (such as FTP, Telnet, etc.) without modifying those services.
  2. Stunnel can wrap any TCP connection in SSL/TLS. It runs on a variety of UNIX systems and on Windows. It is built on OpenSSL, so OpenSSL must be installed and properly configured.
  3. Because the connection is encrypted, an observer on the network between client and server sees only ciphertext. The plaintext is still visible on each end host, and protection against an active attacker depends on the peer certificate actually being verified.
  4. Stunnel ( https://www.stunnel.org/ ) works on Unix and Windows as a proxy: it encrypts the plaintext TCP traffic an application sends without reconfiguring the application itself. Examples of cleartext protocols include POP3, IMAP, SMTP, and anything carried over plain HTTP. Once stunnel is configured as a tunnel, anything sent to that port is encrypted with TLS. Stunnel needs to run on both ends (unless the remote service already speaks TLS itself) so that the traffic is returned to cleartext before being passed to the appropriate application.

1.2. Stunnel installation

sudo apt-get install stunnel4
# the Debian/Ubuntu package is still named stunnel4, but it ships stunnel 5.x

1.3. Stunnel/SSH

1.3.1. Overview

-------------------------------------------------------     -------------------------------------------------------
| terminal, ssh client --> (port 3333) stunnel client | --> | (port 2222) stunnel server --> (port 22) ssh server |
-------------------------------------------------------     -------------------------------------------------------
                         local                                                remote server

1.3.2. Setting up client

# client config (on Debian/Ubuntu, save it as /etc/stunnel/ssh.conf so the stunnel4 service picks it up),
# the ssh client connects to local port 3333:
#   ssh -p 3333 root@localhost
# stunnel then opens a TLS connection to the remote stunnel server A.B.C.D on external port 2222.
# this minimal config does not verify the server's certificate: it stops passive eavesdropping,
# and SSH's own host key check still catches an active man-in-the-middle, but a protocol without
# its own authentication (Telnet, FTP, plain HTTP) would need peer verification enabled here.

output = /var/log/stunnel4/stunnel.log
cert   = /etc/stunnel/stunnel.pem
key    = /etc/stunnel/stunnel.pem
pid    = /var/run/stunnel4/stunnel.pid
client = yes
[ssh]
accept  = 127.0.0.1:3333
# A.B.C.D is the remote server address. Keep comments on their own line:
# stunnel takes the whole remainder of a value line as the value.
connect = A.B.C.D:2222

1.3.3. Setting up server

# server config,
# stunnel server listens for stunnel clients connecting on port 2222 (on every interface,
# because no address is given; prefix an address as in the client's accept line to restrict it)
# traffic is decrypted and forwarded to local port 22
# stunnel.pem holds the private key as well as the certificate: keep it owned by root, mode 600

output = /var/log/stunnel4/stunnel.log
cert   = /etc/stunnel/stunnel.pem
key    = /etc/stunnel/stunnel.pem
pid    = /var/run/stunnel4/stunnel.pid
client = no
[ssh]
accept  = 2222
connect = 127.0.0.1:22
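The client and server configs above encrypt the link but verify no certificates: the client accepts whatever certificate the server presents, and the server accepts a TLS connection from anyone who can reach port 2222. The pair of configs below is an added example, not part of the original notes, that pins each side to the other's self-signed certificate with stunnel 5's verifyPeer option (mutual TLS). It assumes that each host has its own key/certificate pair in /etc/stunnel/stunnel.pem, that the server's certificate has been copied to the client as /etc/stunnel/server.crt and the client's certificate to the server as /etc/stunnel/client.crt, that both configs live at /etc/stunnel/ssh.conf, and that the unprivileged stunnel4 user created by the Debian package exists; all of these paths and names are assumptions to adjust for your hosts.

```ini
# ---- client: /etc/stunnel/ssh.conf (assumed path) ----
output = /var/log/stunnel4/stunnel.log
pid    = /var/run/stunnel4/stunnel.pid
client = yes
# the client's own certificate and key, presented to the server for mutual TLS
cert   = /etc/stunnel/stunnel.pem
key    = /etc/stunnel/stunnel.pem
# accept only the exact certificate stored in server.crt (pinning); requires CAfile
verifyPeer = yes
CAfile     = /etc/stunnel/server.crt
# refuse legacy protocol versions (sslVersionMin is available from stunnel 5.50)
sslVersionMin = TLSv1.2

[ssh]
accept  = 127.0.0.1:3333
connect = A.B.C.D:2222

# ---- server: /etc/stunnel/ssh.conf (assumed path) ----
output = /var/log/stunnel4/stunnel.log
pid    = /var/run/stunnel4/stunnel.pid
client = no
cert   = /etc/stunnel/stunnel.pem
key    = /etc/stunnel/stunnel.pem
# require a client certificate and accept only the one stored in client.crt
verifyPeer = yes
CAfile     = /etc/stunnel/client.crt
sslVersionMin = TLSv1.2
# drop root privileges after binding port 2222 (user and group assumed; Debian's stunnel4 package creates them)
setuid = stunnel4
setgid = stunnel4

[ssh]
accept  = 2222
connect = 127.0.0.1:22
```

With verifyPeer the peer's certificate is compared against the file named by CAfile, so a self-signed certificate works without any CA; rotating a certificate means updating the copy on the other side as well. A connection from a client without the pinned certificate fails the handshake and is logged, which is what keeps port 2222 from becoming an unauthenticated path to the SSH daemon for anyone scanning the host.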

1.3.4. Testing

# on the client, connect to the local stunnel listener (port 3333 from the client config), not to port 2222
[client] $ ssh -p 3333 root@localhost

<accept the host key on first use, then enter the root password for the remote server>

[remote] $ whoami
root

[remote] $

1.3.5. macOS settings

brew install stunnel

1.4. Troubleshooting

1.4.1. You should check that you have specified the pid= in you configuration file

This message (printed verbatim, typo included, by the Debian stunnel4 init script when it cannot find the pid file) makes it look like a configuration error, but the configuration above does set pid=. Look at the log file named by output= instead: the usual root cause is that stunnel failed to start because the accept port (2222 on the server, 3333 on the client) is already occupied by another process, so the pid file was never written.

1.4.2. SSL: EE_KEY_TOO_SMALL

OpenSSL refuses to load the certificate because its RSA key is shorter than the minimum allowed by the library's security level: at security level 2, the default in current Debian and Ubuntu builds, RSA keys under 2048 bits are rejected, so a 1024-bit stunnel.pem fails with "ee key too small". Regenerate the key and certificate with at least 2048 bits and rebuild stunnel.pem.

1.4.3. Generate certificate

The commands below produce a minimal self-signed certificate and key for the configurations above; a one-click OpenSSL script for HTTPS certificates is more convenient for routine use. Answer the prompts from openssl req as you like for a pinned self-signed certificate.

openssl genrsa -out stunnel.key 2048                   # 2048-bit RSA key; 1024 bits triggers EE_KEY_TOO_SMALL
openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt
cat stunnel.crt stunnel.key > stunnel.pem             # stunnel reads cert= and key= from the same file
chmod 600 stunnel.pem                                 # the file contains the private key
openssl x509 -in stunnel.crt -noout -subject -dates   # check what was generated and when it expires

Reference from here

Origin blog.csdn.net/wan212000/article/details/129987834