Stunnel/Client: Difference between revisions
From charlesreid1
(→Flags) |
|||
| Line 30: | Line 30: | ||
To start stunnel, you'll run the stunnel binary. This will attempt to silently establish a connection in the background to the specified stunnel server. | To start stunnel, you'll run the stunnel binary. This will attempt to silently establish a connection in the background to the specified stunnel server. | ||
if the connection is successful, the command will be totally silent. Otherwise, it will print out whatever error results from running the command. | if the connection is successful, the command will be totally silent. Otherwise, it will print out whatever error results from running the command. Here's what an unsuccessful command looks like: | ||
<pre> | |||
$ sudo stunnel | |||
[ ] Clients allowed=2375 | |||
[ ] Cron thread initialized | |||
[.] stunnel 5.30 on x86_64-apple-darwin14.5.0 platform | |||
[.] Compiled with OpenSSL 0.9.8zc 19 Mar 2015 | |||
[.] Running with OpenSSL 0.9.8zh 14 Jan 2016 | |||
[.] Update OpenSSL shared libraries or rebuild stunnel | |||
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP | |||
[ ] errno: (*__error()) | |||
[.] Reading configuration from file /usr/local/etc/stunnel/stunnel.conf | |||
[.] UTF-8 byte order mark not detected | |||
[ ] Compression disabled | |||
[ ] Snagged 64 random bytes from /Volumes/noospace/Users/charles/.rnd | |||
[ ] Wrote 1024 new random bytes to /Volumes/noospace/Users/charles/.rnd | |||
[ ] PRNG seeded successfully | |||
[ ] Initializing service [https] | |||
[ ] Loading certificate from file: /usr/local/etc/stunnel/stunnel.fullchain.pem | |||
[ ] Certificate loaded from file: /usr/local/etc/stunnel/stunnel.fullchain.pem | |||
[ ] Loading private key from file: /usr/local/etc/stunnel/stunnel.key.pem | |||
[ ] Private key loaded from file: /usr/local/etc/stunnel/stunnel.key.pem | |||
[ ] Private key check succeeded | |||
[:] Service [https] needs authentication to prevent MITM attacks | |||
[ ] SSL options: 0x03000004 (+0x03000000, -0x00000000) | |||
[.] Configuration successful | |||
[ ] Listening file descriptor created (FD=6) | |||
[ ] Service [https] (FD=6) bound to 127.0.0.1:2200 | |||
[!] Cannot open log file: /var/log/stunnel4/stunnel.log | |||
[ ] Closing service [https] | |||
[ ] Service [https] closed (FD=6) | |||
[ ] Service [https] closed | |||
</pre> | |||
==Flags== | ==Flags== | ||
Revision as of 17:41, 28 March 2017
Stunnel Client
Running an stunnel client requires installing stunnel and setting up a configuration file just like if you were setting up an Stunnel/Server, except swapping the accept and connect ports, since we want the client to accept local traffic (on port 8443) and send it on to the server that it connects to with SSL (on port 443).
Ports/Arrangement
The stunnel server will be listening on port 443. We want to connect to the external server on 443, and forward the traffic to a local port 8443.
Stunnel Config File
If we want to establish a connection on port 443 (externally) to forward on to port 8443 (locally), we can use the following config file:
output = /var/log/stunnel4/stunnel.log cert = /usr/local/etc/stunnel/stunnel.pem key = /usr/local/etc/stunnel/stunnel.pem pid = /var/run/stunnel4/stunnel.pid client = yes [https] accept = 127.0.0.1:8443 connect = 10.11.12.13:443
Note the server certificate and key files must be the same ones as are on the stunnel server. This is how you verify the identity of the server - if you can receive their public key over a trusted, published, public channel, then you can exchange encrypted communications with them. Use a trusted, encrypted channel like SSH or a USB key if you have physical access to the server.
If using Homebrew stunnel as your client, the server's certificate file should go in /usr/local/etc/stunnel/. On unix, try /etc/stunnel
Starting Stunnel
To start stunnel, you'll run the stunnel binary. This will attempt to silently establish a connection in the background to the specified stunnel server.
if the connection is successful, the command will be totally silent. Otherwise, it will print out whatever error results from running the command. Here's what an unsuccessful command looks like:
$ sudo stunnel [ ] Clients allowed=2375 [ ] Cron thread initialized [.] stunnel 5.30 on x86_64-apple-darwin14.5.0 platform [.] Compiled with OpenSSL 0.9.8zc 19 Mar 2015 [.] Running with OpenSSL 0.9.8zh 14 Jan 2016 [.] Update OpenSSL shared libraries or rebuild stunnel [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP [ ] errno: (*__error()) [.] Reading configuration from file /usr/local/etc/stunnel/stunnel.conf [.] UTF-8 byte order mark not detected [ ] Compression disabled [ ] Snagged 64 random bytes from /Volumes/noospace/Users/charles/.rnd [ ] Wrote 1024 new random bytes to /Volumes/noospace/Users/charles/.rnd [ ] PRNG seeded successfully [ ] Initializing service [https] [ ] Loading certificate from file: /usr/local/etc/stunnel/stunnel.fullchain.pem [ ] Certificate loaded from file: /usr/local/etc/stunnel/stunnel.fullchain.pem [ ] Loading private key from file: /usr/local/etc/stunnel/stunnel.key.pem [ ] Private key loaded from file: /usr/local/etc/stunnel/stunnel.key.pem [ ] Private key check succeeded [:] Service [https] needs authentication to prevent MITM attacks [ ] SSL options: 0x03000004 (+0x03000000, -0x00000000) [.] Configuration successful [ ] Listening file descriptor created (FD=6) [ ] Service [https] (FD=6) bound to 127.0.0.1:2200 [!] Cannot open log file: /var/log/stunnel4/stunnel.log [ ] Closing service [https] [ ] Service [https] closed (FD=6) [ ] Service [https] closed
Flags
 |
stunnel secure tunnel - create secure encrypted connections on any port to wrap any protocol
Using: Client: Stunnel/Client Server: Stunnel/Server Stunnel Over Docker: Stunnel/Docker Certificates: Stunnel/Certificates
Protocols: Stunnel/Rsync · Stunnel/SSH · Stunnel/Scp · Stunnel/HTTP · Stunnel/OpenVPN
Other Links: RaspberryPi/Headless · RaspberryPi/Reverse SSH Category:Stunnel · Category:SSH · Category:Networking
|