
Stunnel on server and client

Task

Provide access from “anywhere there is internet” to a certain application, and encrypt the traffic between the client and server parts of that application, which cannot work over SSL themselves. It must also be possible to restrict access to certain users when needed. For various reasons the basic VPN implementations were ruled out. While searching for a solution I came across Stunnel, which fit perfectly. In this article I will try to describe the configuration process in detail.

The article consists mostly of working notes with some pretensions to being a tutorial, so please bear with Captain Obvious statements such as “The first thing we will do is update the system”.

General scheme of operation:
Client software (Windows) > Stunnel > Internet > Stunnel > Server software (Linux)


System: freshly installed Ubuntu Server 14.04 x64.
I will not name the application whose traffic needs to be encrypted; I will use ssh instead, which in my opinion is perfectly suited for the test.

Let's get started

The first thing we will do is update the system:

 sudo apt-get update
 sudo apt-get upgrade

Configure and enable ufw:

 sudo ufw allow 22/tcp
 sudo ufw allow 443/tcp
 sudo ufw enable

Install stunnel:

 sudo apt-get install stunnel4 

During installation the following are created:
- the user and group stunnel4;
- directories of interest to us:


We will hold some preparatory activities.

Enable autostart. In the file /etc/default/stunnel4, replace ENABLED=0 with ENABLED=1:

 sudo nano /etc/default/stunnel4 

Create the directories for client certificates: certs for allowed ones, crls for revoked ones. More on the certificates themselves later.

 sudo mkdir /var/lib/stunnel4/certs
 sudo mkdir /var/lib/stunnel4/crls

Create a log file and change its owner.

I do not think that putting logs anywhere other than /var/log is a good idea, but I could not get stunnel to write logs outside the chroot environment.

 sudo touch /var/lib/stunnel4/stunnel.log
 sudo chown stunnel4:stunnel4 /var/lib/stunnel4/stunnel.log

I will use my own config, but if it does not suit you, you can take an example from /usr/share/doc/stunnel4/examples.

Create a configuration file:

 sudo nano /etc/stunnel/stunnel.conf 

With the following content:

 ; **************************************************************************
 ; * Global options                                                         *
 ; **************************************************************************
 ; chroot into the stunnel4 working directory; paths below that start with "/"
 ; (pid, output, CApath, CRLpath) are relative to this directory
 chroot = /var/lib/stunnel4/
 setuid = stunnel4
 setgid = stunnel4
 ; PID file (inside the chroot)
 pid = /stunnel4.pid
 ; debug level, 7 is the most verbose; lower it once everything works
 debug = 7
 ; log file (inside the chroot)
 output = /stunnel.log
 ; do not log to syslog
 syslog = no
 ; **************************************************************************
 ; * Service defaults may also be specified in individual service sections  *
 ; **************************************************************************
 ; server certificate / key
 cert = /etc/stunnel/servercert.pem
 key = /etc/stunnel/serverkey.pem
 ; peer certificate verification level:
 ; 0 - request and ignore the peer certificate, 1 - verify it if present,
 ; 2 - require and verify it, ...
 verify = 2
 ; directory with the allowed client certificates (hashed links), relative to the chroot
 CApath = /certs
 ; directory with the revoked client certificates (hashed links), relative to the chroot
 CRLpath = /crls
 ; disable SSLv2
 options = NO_SSLv2
 ; **************************************************************************
 ; * Service definitions (remove all services for inetd mode)               *
 ; **************************************************************************
 [ssh]
 ; where to listen: address:port, or just the port
 ; accept = 192.168.0.1:443
 accept = 443
 ; where to forward: address:port, or just the port
 ; connect = 127.0.0.1:22
 connect = 22
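The config above is what actually enforces the access restriction: without verify = 2 and a CApath (or CAfile) any client that speaks TLS reaches the forwarded service, and without chroot/setuid/setgid stunnel keeps the privileges it started with. The shell script below is an added example, not part of the article or of the stunnel project. It reads a config in stunnel's key = value format and reports which of those settings are missing; the option names are real stunnel options, while the function names conf_get, check_stunnel_conf and write_sample_conf and the sample config written when the script is run without an argument are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: lint a stunnel server config for the
# settings that make the certificate-based access control effective.

# conf_get FILE KEY: print every value of "KEY = value" lines in FILE,
# one per line; ";" comment lines and [service] headers are ignored.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*;/  { next }          # comment line
        /^[[:space:]]*\[/ { next }          # [service] header
        index($0, "=") {
            k = $0; sub(/=.*/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                sub(/[[:space:]]+$/, "", v)
                print v
            }
        }
    ' "$1"
}

# check_stunnel_conf FILE: return 0 when the config requires and verifies
# client certificates and drops privileges; otherwise print each problem
# and return 1.
check_stunnel_conf() {
    f="$1"; rc=0
    case "$(conf_get "$f" verify | tail -n 1)" in
        2|3|4) ;;
        *) echo "verify is not 2 or higher: client certificates are not required"; rc=1 ;;
    esac
    if [ -z "$(conf_get "$f" CApath)$(conf_get "$f" CAfile)" ]; then
        echo "neither CApath nor CAfile is set: no list of allowed certificates"; rc=1
    fi
    conf_get "$f" options | grep -q NO_SSLv2 || { echo "options lacks NO_SSLv2"; rc=1; }
    for key in chroot setuid setgid; do
        [ -n "$(conf_get "$f" "$key")" ] \
            || { echo "$key is not set: stunnel keeps the privileges it started with"; rc=1; }
    done
    return "$rc"
}

# write_sample_conf FILE: a constructed config with verification switched off,
# the kind of mistake the lint is meant to catch.
write_sample_conf() {
    cat > "$1" <<'EOF'
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; verification off: any client that speaks TLS reaches the service
verify = 0
options = NO_SSLv2
[ssh]
accept = 443
connect = 127.0.0.1:22
EOF
}

# Usage: sh stunnel_lint.sh /etc/stunnel/stunnel.conf
# Without an argument the constructed sample config is checked instead.
conf="${1:-}"
if [ -z "$conf" ]; then
    conf=$(mktemp) && write_sample_conf "$conf"
fi
if check_stunnel_conf "$conf"; then
    echo "$conf: OK"
else
    echo "$conf: fix the problems above before exposing port 443"
fi
```

Run against the constructed sample it reports the missing verification and the missing CApath; run against the article's config it reports nothing. The parser deliberately ignores section boundaries, which is fine for these global options but means a service-specific override would be read as global.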


Keys and certificates

A small digression. In our case stunnel only checks that the certificate/key pair is valid and whether the certificate is present in the allowed (certs) or revoked (crls) directory. A self-signed certificate is more than enough, both technically (for stunnel) and for the task at hand. There is no point in bothering with your own CA or with getting a root certificate into the trusted store on the client or server.

We need certificate / key pairs for the server and each client.

Using openssl, create a pair for the server (the article uses 1024-bit RSA keys; 2048 bits is the usual minimum today):

 sudo openssl req -nodes -new -days 365 -newkey rsa:1024 -x509 -keyout serverkey.pem -out servercert.pem 

We answer questions:

 Generating a 1024 bit RSA private key
 ....................++++++
 ..............................++++++
 writing new private key to 'serverkey.pem'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:RU
 State or Province Name (full name) [Some-State]:MyProvince
 Locality Name (eg, city) []:MyCity
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
 Organizational Unit Name (eg, section) []:IT dep
 Common Name (eg server FQDN or YOUR name) []:server
 Email Address []:

And move them to the destination:

 sudo mv serverkey.pem /etc/stunnel/
 sudo mv servercert.pem /etc/stunnel/

Where and how to store the client certificates and keys (apart from the certs and crls directories created earlier) is up to you. I will simply create a clients directory in my user's home directory and store them there for now.

Create a directory and go into it:

 mkdir /home/myuser/clients
 cd /home/myuser/clients

Create a pair for the client:

 sudo openssl req -nodes -new -days 365 -newkey rsa:1024 -x509 -keyout clientkey.pem -out clientcert.pem 

Answer the questions as for the server certificate; the Common Name will be different, for example client.

Create another pair:

 sudo openssl req -nodes -new -days 365 -newkey rsa:1024 -x509 -keyout dnclientkey.pem -out dnclientcert.pem 


Assume that clientcert.pem is a client certificate that is allowed access and dnclientcert.pem is one that is denied access. Copy the certificates into the corresponding directories.

 sudo cp clientcert.pem /var/lib/stunnel4/certs
 sudo cp dnclientcert.pem /var/lib/stunnel4/crls

For each certificate a hash link needs to be created (“hash link” is perhaps not the correct term, but it conveys the essence precisely). This can be done with the c_rehash utility from the openssl package; we will write a small script for the purpose.

 nano /home/myuser/certlink.sh 

With the following content:

 #!/bin/sh
 #
 # usage: certlink.sh filename [filename ...]
 for CERTFILE in "$@"; do
     # skip arguments that are not regular files
     test -f "$CERTFILE" || continue
     HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
     test -n "$HASH" || continue
     # take the first free suffix and create the link HASH.N -> certificate
     for ITER in 0 1 2 3 4 5 6 7 8 9; do
         test -f "${HASH}.${ITER}" && continue
         ln -s "$CERTFILE" "${HASH}.${ITER}"
         test -L "${HASH}.${ITER}" && break
     done
 done

It may be more appropriate to put certlink.sh somewhere in /usr/bin. I have not done so yet, but the choice is yours.
Make it executable:

 chmod +x /home/myuser/certlink.sh 

Create links:

 cd /var/lib/stunnel4/certs
 sudo /home/myuser/certlink.sh clientcert.pem
 cd /var/lib/stunnel4/crls
 sudo /home/myuser/certlink.sh dnclientcert.pem


As a result, the directories should contain links of the form 7469493f.0.

Run stunnel:

 sudo /etc/init.d/stunnel4 start 


Stunnel on the client

On the client we will use the same stunnel version as on the server, which is 4.53. Download it from one of the mirrors.

If the direct link fails, you can find the required version yourself:


We will not install the downloaded stunnel-4.53-installer.exe; just unpack its contents into a stunnel4 directory. Copy the client certificate, the client key and the server certificate into the same directory.

Edit the stunnel.conf file. Mine looks like this:

 debug = 7
 ; client certificate / key
 cert = clientcert.pem
 key = clientkey.pem
 verify = 2
 ; server certificate
 CAfile = servercert.pem
 options = NO_SSLv2
 [ssh]
 client = yes
 accept = 127.0.0.1:22
 connect = 192.168.0.1:443

Here debug = 7 is only for the debugging period; afterwards it can be lowered to 3 or 4. There are also options for “silent mode” and for hiding the tray icon; everything is in the man page.

Run stunnel.exe and try connecting to 127.0.0.1 with PuTTY. Test it. Also try connecting with the revoked certificate.

Useful materials



The instructions given here are fully functional. Verified on 12/26/2014 with Ubuntu 14.04.1 and stunnel 4.53.

At the moment I am working on parsing stunnel logs with report output and on automating the creation and management of certificates. Since I have recently become interested in Go, it will be implemented in it. If this topic is of interest, let me know.

Source: https://habr.com/ru/post/247167/

