Stunnel/Troubleshooting: Difference between revisions
From charlesreid1
| Line 71: | Line 71: | ||
2017.03.29 04:59:15 LOG7[ui]: Service [ssh] (FD=7) bound to 0.0.0.0:8000 | 2017.03.29 04:59:15 LOG7[ui]: Service [ssh] (FD=7) bound to 0.0.0.0:8000 | ||
</pre> | </pre> | ||
===Verification that server is ok=== | |||
I can also see the open ports on the server using the <code>netstat</code> utility: | I can also see the open ports on the server using the <code>netstat</code> utility: | ||
| Line 92: | Line 94: | ||
<pre> | <pre> | ||
$ nmap localhost; echo | $ nmap localhost; echo; nmap 196.116.112.336 | ||
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-29 05:12 UTC | Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-29 05:12 UTC | ||
| Line 105: | Line 107: | ||
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds | Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds | ||
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-29 05:12 UTC | Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-29 05:12 UTC | ||
Revision as of 05:15, 29 March 2017
Having issues getting stunnel client and server to connect.
Have been following this Digital Ocean guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu
Problem Description
I am trying to create an stunnel connection from client to server. The stunnel client will route traffic from local port 2222 to local port 8000. This traffic will then be encrypted by Stunnel and sent out over the network, to the stunnel server on the remote machine, also listening for traffic and connections on port 8000. Once the traffic reaches the stunnel server, it is decrypted and forwarded to the server's local port 22, the SSH service.
This allows the execution of an SSH command to localhost that ultimately connects to the remote server:
[local] $ ssh -p 2222 zappa@localhost ...login message... [remote] $
This is useful because:
- You can wrap arbitrary traffic from any local port, and send it encrypted with SSL over any other port.
- You can bypass any firewall that allows HTTPS traffic only by disguising your traffic using Stunnel.
Server
Server configuration
Here is the server stunnel.conf (Ubuntu):
output = /var/log/stunnel4/stunnel.log cert = /etc/stunnel/stunnel.fullchain.pem key = /etc/stunnel/stunnel.key.pem client = no debug = 7 [ssh] accept = 8000 connect = 127.0.0.1:22
The debug level of 7 is maximum and gives a more detailed description of what's happening in the log file.
Server behavior
On the server, starting the stunnel client using the following steps:
Check the stunnel conf:
$ cat /etc/stunnel/stunnel.conf
Open port 8000 if needed:
$ iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
Stop previous stunnel instances and start a new one:
$ killall stunnel && stunnel
Look at the last few lines of the log to verify it is running correctly and bound to port 8000:
$ tail /var/log/stunnel4/stunnel.log ... 2017.03.29 04:59:15 LOG5[ui]: Configuration successful 2017.03.29 04:59:15 LOG7[ui]: Listening file descriptor created (FD=7) 2017.03.29 04:59:15 LOG7[ui]: Service [ssh] (FD=7) bound to 0.0.0.0:8000
Verification that server is ok
I can also see the open ports on the server using the netstat utility:
$ netstat -tulpn (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN -
(The SSH service is available on this machine on port 22, so we could just connect to the machine that way, but consider a scenario in which port 22 is blocked on a local network and port 8000 is not.)
Finally, an nmap scan of localhost and the server's IP also shows ports 22, 80, and 8000 open and listening:
$ nmap localhost; echo; nmap 196.116.112.336 Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-29 05:12 UTC Nmap scan report for localhost (127.0.0.1) Host is up (0.00016s latency). Other addresses for localhost (not scanned): ::1 Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 8000/tcp open http-alt Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-29 05:12 UTC Nmap scan report for 196.116.112.336 Host is up (0.00013s latency). Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 8000/tcp open http-alt Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
Client
Client configuration
Here is the client stunnel.conf (Mac):
output = /var/log/stunnel4/stunnel.log cert = /usr/local/etc/stunnel/stunnel.fullchain.pem key = /usr/local/etc/stunnel/stunnel.key.pem client = yes debug = 7 [ssh] accept = 127.0.0.1:22 connect = 92.126.102.36:8000
Client behavior
When the stunnel command is run on the client,