Stunnel
Configuration
Path: /etc/stunnel
Example /etc/stunnel/stunnel.conf:
cert = /etc/stunnel/oeey.com.pem

[https]
accept = 10.10.10.3:443
connect = 127.0.0.1:80
Set certificate permissions:
chmod 600 oeey.com.pem
See #Startup Script
Common Ports
[https]
accept = 10.10.10.3:443
connect = 127.0.0.1:80

[smtps]
accept = 10.10.10.3:465
connect = 127.0.0.1:25

[pop3s]
accept = 10.10.10.3:995
connect = 127.0.0.1:110

[imaps]
accept = 10.10.10.3:993
connect = 127.0.0.1:143
client mode
client mode (remote service uses SSL)
[google]
client = yes
accept = 127.0.0.1:8000
connect = google.com:443
References:
- The Goldfish » Stunnel in client mode - http://www.thegoldfish.org/2010/01/stunnel-in-client-mode/
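A small lint for the server-mode and client-mode sections above, added here as an example and not part of the original page: it parses the [service] sections out of a stunnel.conf, warns when a server-mode service hands its decrypted traffic to anything other than loopback (the plaintext side then crosses the network), and checks that the certificate is mode 600 as the page requires. The config it writes, and the host mail.internal in it, are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the page): lint a stunnel.conf for two points the
# page raises: the certificate must be mode 600, and a server-mode [service]
# should hand decrypted traffic only to loopback. Hosts/paths are constructed.
# Print "<service> <server|client> <accept> <connect>" for each [section].
stunnel_services() {
  awk '
    function val(line,  kv) { split(line, kv, "="); gsub(/[[:space:]]/, "", kv[2]); return kv[2] }
    function flush() { if (name != "") print name, mode, accept, connect }
    /^[[:space:]]*\[/ { flush(); name = $0
                        sub(/^[[:space:]]*\[/, "", name); sub(/\].*$/, "", name)
                        mode = "server"; accept = ""; connect = ""; next }
    /^[[:space:]]*client[[:space:]]*=/  { if (val($0) == "yes") mode = "client" }
    /^[[:space:]]*accept[[:space:]]*=/  { accept = val($0) }
    /^[[:space:]]*connect[[:space:]]*=/ { connect = val($0) }
    END { flush() }
  ' "$1"
}
# One WARN line per server-mode service whose connect= is not loopback.
plaintext_backend_findings() {
  stunnel_services "$1" | while read -r name mode accept connect; do
    [ "$mode" = "server" ] || continue
    host=${connect%:*}               # a bare port such as "80" means localhost
    case "$host" in
      ""|127.*|localhost|"$connect") ;;
      *) echo "WARN: [$name] decrypts to $connect, which is not loopback" ;;
    esac
  done
}
# True only if the certificate is a regular file with mode 600 (page: chmod 600).
cert_perms_ok() {
  [ -f "$1" ] && [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = 600 ]
}
# Constructed config mirroring the page's sections; echoes the temp file path.
write_demo_conf() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
[https]
accept = 10.10.10.3:443
connect = 127.0.0.1:80
[smtps]
accept = 10.10.10.3:465
connect = mail.internal:25
[google]
client = yes
accept = 127.0.0.1:8000
connect = google.com:443
EOF
  echo "$f"
}
```

Run it against a real config with `plaintext_backend_findings /etc/stunnel/stunnel.conf` and `cert_perms_ok /etc/stunnel/oeey.com.pem`; the [google] client-mode section is skipped on purpose, since its connect= side is the TLS side.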
Logs
Logs get dumped to syslog under /var/log/secure.
SSL to SSH Tunnel
SSL to SSH tunneling (stunnel) | JAKERI - http://www.jakeri.net/2009/01/ssl-to-ssh-tunneling-stunnel/
Sometimes it can be handy to reach your home server even if you have all sorts of proxy servers and firewalls between you and your home server (e.g. from work).
Stunnel to the rescue!
Server:
cert=stunnel.pem
pid=/tmp/stunnel.pid

[stunnel443]
accept = 192.168.1.7:443
connect = 192.168.1.7:22
Client:
#cert = stunnel.pem
pid=/tmp/stunnelclient.pid
#foreground=yes
client=yes

[21222]
accept=21222
connect=192.168.1.7:443
Then, on the client, connect through the local tunnel port:
ssh -p 21222 localhost
Startup Script
#!/bin/bash
#
# Script to run stunnel in daemon mode at boot time.
#
# Check http://www.gaztronics.net/ for the
# most up-to-date version of this script.
#
# This script is released under the terms of the GPL.
# You can source a copy at:
# http://www.fsf.org/copyleft/copyleft.html
#
# Please feel free to modify the script to suit your own needs.
# I always welcome email feedback with suggestions for improvements.
# Please do not email for general support. I do not have time to answer
# personal help requests.
# Author: Gary Myers MIIE MBCS
# email: http://www.gaztronics.net/webform/
# Revision 1.0 - 4th March 2005
#====================================================================
# Run level information:
#
# chkconfig: 2345 99 99
# description: Secure Tunnel
# processname: stunnel
#
# Run "/sbin/chkconfig --add stunnel" to add the Run levels.
# This will setup the symlinks and set the process to run at boot.
#====================================================================

#====================================================================
# Paths and variables and system checks.

# Source function library (It's a Red Hat thing!)
. /etc/rc.d/init.d/functions

# Check that networking is up.
#
[ "${NETWORKING}" = "yes" ] || exit 0

# Path to the executable.
#
SEXE=/usr/sbin/stunnel

# Path to the configuration file.
#
CONF=/etc/stunnel/stunnel.conf

# Check the configuration file exists.
#
if [ ! -f $CONF ] ; then
    echo "The configuration file cannot be found!"
    exit 0
fi

# Path to the lock file.
#
LOCK_FILE=/var/lock/subsys/stunnel
#====================================================================

#====================================================================
# Run controls:

prog=$"stunnel"
RETVAL=0

# Start stunnel as daemon.
#
start() {
    if [ -f $LOCK_FILE ]; then
        echo "stunnel is already running!"
        exit 0
    else
        echo -n $"Starting $prog: "
        $SEXE $CONF
    fi
    RETVAL=$?
    [ $RETVAL -eq 0 ] && success
    echo
    [ $RETVAL -eq 0 ] && touch $LOCK_FILE
    return $RETVAL
}

# Stop stunnel.
#
stop() {
    if [ ! -f $LOCK_FILE ]; then
        echo "stunnel is not running!"
        exit 0
    else
        echo -n $"Shutting down $prog: "
        killproc stunnel
        RETVAL=$?
        # Only drop the lock file once the process is actually gone.
        [ $RETVAL -eq 0 ] && rm -f $LOCK_FILE
        echo
        return $RETVAL
    fi
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        if [ -f $LOCK_FILE ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
    status)
        status stunnel
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        RETVAL=1
esac

exit $RETVAL