The Stunnel4 program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the program’s code.
What Stunnel basically does is that it turns any insecure TCP port into a secure encrypted port using OpenSSL package for cryptography. It’s somehow like a small secure VPN that runs on specific ports.
stunnel [<filename>] ] -fd <n> | -help | -version | -sockets
<filename> - use specified config file Stunnel4 -fd <n> - read the config file from a file descriptor Stunnel4 -help - get config file help Stunnel4 -version - display version and defaults Stunnel4 -sockets - display default socket options Stunnel4
1. Configure Stunnel on the VPS
Stunnel configures itself using a file named “stunnel.conf“ which by default is located in “/etc/stunnel“.
Create a “stunnel.conf“ file in the “/etc/stunnel“ directory:
sudo gedit /etc/stunnel/stunnel.conf
We’re going to be using a SSL certificate to identify ourselves to the server so we have to set the path to that certificate in “stunnel.conf” file using this line (We will create the certificate file in the next step):
cert = /etc/stunnel/stunnel.pem
Next we specify a service for use with Stunnel. It can be any of the services which use networking such as mail server, proxy server, etc.
Here as an example we’re going to secure traffics between Squid proxy server and a client using Stunnel. We’ll explain how to install and configure Squid in Step 6.
After setting a name for the service you’re going to use, you must tell Stunnel to listen on which port for that service. This can be any of the 65535 ports, as long as it’s not blocked by another service or firewall:
[squid] accept = 8888
Then depending on the service you’re going to use the secure tunnel on, you must specify the port and IP address of that in the configuration file Basically Stunnel takes packets from a secure port and then forwards it to the port and IP address of the service you specified.
Squid proxy by default runs on localhost and port 3128 so we have to tell Stunnel to forward accepted connections to that port:
connect = 127.0.0.1:3128
So overall the “stunnel.conf” file must contain the lines below:
client = no [squid] accept = 8888 connect = 127.0.0.1:3128 cert = /etc/stunnel/stunnel.pem
client = no part isn’t necessary, Stunnel by default is set to server mode.
2. Create SSL Certificates
Stunnel uses SSL certificate to secure its connections, which you can easily create using the OpenSSL package:
cyborg@cyborg:~$ openssl genrsa -out key.pem 2048 Generating RSA private key, 2048 bit long modulus ....................................+++ ....................................................+++ e is 65537 (0x****) cyborg@cyborg:~$ openssl req -new -x509 -key key.pem -out cert.pem -days 1095 You are about to be asked to enter information that will be incorporated into your certificate request. -------------- Country Name (2 letter code) [AU]:IN State or Province Name (full name) [Some-State]:MP Locality Name (eg, city) :JBP Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ztrela Organizational Unit Name (eg, section) :IT Common Name (e.g. server FQDN or YOUR name) :Cyborg Email Address :[email protected] cyborg@cyborg:~$ sudo -s [sudo] password for cyborg: root@cyborg:~# cat key.pem cert.pem >> /etc/stunnel/stunnel.conf
Basically, the commands above is for creating a private key, creating a certificate using that key and combining the two of them into one files named “stunnel.pem“ to use with Stunnel.
Note: When creating the certificate, you will be asked for some information such as country and state, which you can enter whatever you like but when asked for “Common Name” you must enter the correct host name or IP address of your droplet (VPS).
Also, enable Stunnel automatic startup by configuring the “/etc/default/stunnel4“ file, enter command below to open the file in text editor:
sudo gedit /etc/default/stunnel4
And change ENABLED to 1:
Finally, restart Stunnel for configuration to take effect, using this command:
sudo /etc/init.d/stunnel4 restart
Configure Stunnel in Client
Note: This explains the process of installing and configuration of Stunnel as a client in Windows, but Stunnel could also be installed in Linux and even Android and configuration still remains the same. The only difference would be placement of “stunnel.conf“ file required for configuration of Stunnel.
In order for Stunnel to communicate with the server, the SSL certificate we created in Step 5 must be present at the client. There are many ways of obtaining the “stunnel.pem“ file from server, but we’re going to use SFTP which is both easy and very secure.
Using a SFTP client such as Filezilla, connect to your server and download the “stunnel.pem“ file located in “/etc/stunnel/“ directory to the client
Install Stunnel in any place you like. Then go to the Stunnel folder and move the downloaded certificate“stunnel.pem“ to Stunnel folder.
Create a “stunnel.conf“ file in the Stunnel’s folder if one does not exist. Open the file with a text editor such as Notepad.
First of all, we tell Stunnel our certificate’s path, which in Windows is in the Stunnel’s directory (reminder: in Cyborg it is in “/etc/stunnel/“ directory):
cert = stunnel.pem
Since we are going to set up a client, we have to tell Stunnel that this is a client. Put the line below in the configuration file:
client = yes
Then just like the server, we must specify configuration of the service we want to use.
First we specify the service’s name, then the IP address and port, which Stunnel should listen to on the client:
[squid] accept = 127.0.0.1:8080
The accept port could be any port on the client computer, as long as it’s not occupied by another service or blocked by a firewall.
Next, we tell Stunnel to forward packets coming to this port to our Stunnel server’s IP address and port. The IP address is your server’s (droplet) public IP address, which is assigned to you when setting up a droplet, and port is the port you specified when configuring Stunnel in the server. In our case it was 8888 so we’re going to tell Stunnel to connect to that port:
connect = [Server’s Public IP]:8888
So the final “stunnel.conf“ file in the client should look like this:
cert = stunnel.pem client = yes [squid] accept = 127.0.0.1:8080 connect = [Server’s Public IP]:8888