Tutorial

How To Set Up an SSL Tunnel Using Stunnel on Ubuntu

Published on October 21, 2013
Default avatar

By Nima Karimi

How To Set Up an SSL Tunnel Using Stunnel on Ubuntu

Status: Deprecated

This article is deprecated and no longer maintained.

Reason

Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates.

See Instead

This article may still be useful as a reference, but may not follow best practices or work on this or other Ubuntu releases. We strongly recommend using a recent article written for the version of Ubuntu you are using.

If you are currently operating a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

What’s Stunnel


The Stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the program’s code.

What Stunnel basically does is that it turns any insecure TCP port into a secure encrypted port using OpenSSL package for cryptography. It’s somehow like a small secure VPN that runs on specific ports.

Step 1: Create an Ubuntu Droplet


So far I have tested it on Ubuntu 12.04 x32/x64, Ubuntu 12.10 x32/x64, Ubuntu 13.04 x32/x64.

Step 2: Update and Upgrade Ubuntu


Using these commands update your Ubuntu’s package list and also upgrade the existing packages to the latest version:

apt-get update
apt-get upgrade

Step 3: Install Stunnel on your VPS


Install Stunnel package using the code below:

apt-get install stunnel4 -y

Step 4: Configure Stunnel on the VPS


Stunnel configures itself using a file named “stunnel.conf” which by default is located in “/etc/stunnel”.

Create a “stunnel.conf” file in the “/etc/stunnel” directory:

nano /etc/stunnel/stunnel.conf

We’re going to be using a SSL certificate to identify ourselves to the server so we have to set the path to that certificate in “stunnel.conf” file using this line (We will create the certificate file in the next step):

cert = /etc/stunnel/stunnel.pem

Next we specify a service for use with Stunnel. It can be any of the services which use networking such as mail server, proxy server, etc.

Here as an example we’re going to secure traffics between Squid proxy server and a client using Stunnel. We’ll explain how to install and configure Squid in Step 6.

After setting a name for the service you’re going to use, you must tell Stunnel to listen on which port for that service. This can be any of the 65535 ports, as long as it’s not blocked by another service or firewall:

[squid]
accept = 8888

Then depending on the service you’re going to use the secure tunnel on, you must specify the port and IP address of that in the configuration file Basically Stunnel takes packets from a secure port and then forwards it to the port and IP address of the service you specified.

Squid proxy by default runs on localhost and port 3128 so we have to tell Stunnel to forward accepted connections to that port: connect = 127.0.0.1:3128

So overall the “stunnel.conf” file must contain the lines below:

client = no
[squid]
accept = 8888
connect = 127.0.0.1:3128
cert = /etc/stunnel/stunnel.pem

Note: The client = no part isn’t necessary, Stunnel by default is set to server mode.

Step 5: Create SSL Certificates


Stunnel uses SSL certificate to secure its connections, which you can easily create using the OpenSSL package:

openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem >> /etc/stunnel/stunnel.pem

Basically, the commands above is for creating a private key, creating a certificate using that key and combining the two of them into one files named “stunnel.pem” to use with Stunnel.

Note: When creating the certificate, you will be asked for some information such as country and state, which you can enter whatever you like but when asked for “Common Name” you must enter the correct host name or IP address of your droplet (VPS).

Also, enable Stunnel automatic startup by configuring the “/etc/default/stunnel4” file, enter command below to open the file in text editor:

nano /etc/default/stunnel4

And change ENABLED to 1:

ENABLED=1

Finally, restart Stunnel for configuration to take effect, using this command:

/etc/init.d/stunnel4 restart

Step 6: Install Squid Proxy


Install Squid using the command below:

apt-get install squid3 -y

Step 7: Configure Stunnel in Client


Note: This explains the process of installing and configuration of Stunnel as a client in Windows, but Stunnel could also be installed in Linux and even Android and configuration still remains the same. The only difference would be placement of “stunnel.conf” file required for configuration of Stunnel.

In order for Stunnel to communicate with the server, the SSL certificate we created in Step 5 must be present at the client. There are many ways of obtaining the “stunnel.pem” file from server, but we’re going to use SFTP which is both easy and very secure.

Using a SFTP client such as Filezilla, connect to your server and download the “stunnel.pem” file located in “/etc/stunnel/” directory to the client.

There’s also a good tutorial on SFTP here:

How To Use SFTP to Securely Transfer Files with a Remote Server

Download Stunnel from their website.

Install Stunnel in any place you like. Then go to the Stunnel folder and move the downloaded certificate “stunnel.pem” to Stunnel folder.

Create a “stunnel.conf” file in the Stunnel’s folder if one does not exist. Open the file with a text editor such as Notepad.

First of all, we tell Stunnel our certificate’s path, which in Windows is in the Stunnel’s directory (reminder: in Ubuntu it is in “/etc/stunnel/” directory):

cert = stunnel.pem

Since we are going to set up a client, we have to tell Stunnel that this is a client. Put the line below in the configuration file:

client = yes

Then just like the server, we must specify configuration of the service we want to use.

First we specify the service’s name, then the IP address and port, which Stunnel should listen to on the client:

[squid]
accept = 127.0.0.1:8080

The accept port could be any port on the client computer, as long as it’s not occupied by another service or blocked by a firewall.

Next, we tell Stunnel to forward packets coming to this port to our Stunnel server’s IP address and port. The IP address is your server’s (droplet) public IP address, which is assigned to you when setting up a droplet, and port is the port you specified when configuring Stunnel in the server. In our case it was 8888 so we’re going to tell Stunnel to connect to that port:

connect = [Server’s Public IP]:8888

So the final “stunnel.conf” file in the client should look like this:

cert = stunnel.pem
client = yes
[squid]
accept = 127.0.0.1:8080
connect = [Server’s Public IP]:8888

Save and close the file and run “stunnel.exe”.

That’s it. Now our client is configured to communicate securely with the virtual server using a secure SSL tunnel. From now on when trying to connect to any service on our VPS, instead of connecting directly to IP address of server, we must use the IP address and port specified in the Stunnel’s “accept” part of configuration for each service.

As an example, when we want to connect to Squid proxy on our cloud server, we must configure our client to connect to 127.0.0.1:8080, and Stunnel automatically connects us through a secure tunnel to the service specified for that port. Here you can configure your web browser to use IP 127.0.0.1 and port 8080 as a proxy to secure your web traffic.

<div class=“author”>Submitted by: <a href=“http://about.me/nimak”>Nima Karimi</div>

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about us


About the authors
Default avatar
Nima Karimi

author

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

mail616243 and sjf202 both bring up valid points. While technically this does work, it’s pretty weak from a security standpoint.

Personally, I prefer to generate a key on the client side and a key on the server side:

(on the server) openssl genrsa -out server.key 2048 openssl req -new -x509 -nodes -days 365 -key server.key -out server.crt

(on the client) openssl genrsa -out client.key 2048 openssl req -new -x509 -nodes -days 365 -key client.key -out client.crt

From there I copy the public cert from the client to the server and vice versa. Then I set verify = 3, which causes both the client and server to validate against one another.


Example Server config:

client = no pid = /var/run/stunnel.pid [squid] accept = 8888 connect = 127.0.0.1:3128 cert = /etc/stunnel/server.crt key = /etc/stunnel/server.key CAfile = /etc/stunnel/client.crt verify = 3


Example Client config:

client = yes pid = /var/run/stunnel.pid [squid] accept = 127.0.0.1:8080 connect = [server ip]:8888 cert = /etc/stunnel/client.crt key = /etc/stunnel/client.key CAfile = /etc/stunnel/server.crt verify = 3

first of all, I want to thank the author for this guide.

there is a problem though, which I need to mention.

By not configuring the server correctly, you are basically opening up your server to anyone. You need to set verify = 2 on the server side, in order for the server to check the client certificate!

client = no verify = 2 chroot = /etc/stunnel/ pid = /stunnel.pid

[squid] accept = 8888 connect = 3128 cert = /etc/stunnel/stunnel.pem CAfile = /etc/stunnel/stunnel.pem

https://www.stunnel.org/pipermail/stunnel-users/2013-September/004337.html http://www.stunnel.org/static/stunnel.html

But I still can not find how to download Stunnel.PEM from the remote server. I use MAC.

Good!

These instructions work and are helpful, but I’m getting the warning message in the browser console: “This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.”

Any idea what to change in the certificate generation step that would change the encryption algorithm used, e.g. SHA-256 ?

Kamal Nasser
DigitalOcean Employee
DigitalOcean Employee badge
June 30, 2014

@zhuyilun8: Thanks – I’ve fixed it.

A tiny error: In ‘create stunnel client’ cert = stunnel.conf should be cert = stunnel.pem

(but the final conf file is correct)

Newbie question. Why is the private key being put on the client side? Does this not defeat the purpose?

Andrew SB
DigitalOcean Employee
DigitalOcean Employee badge
April 9, 2014

@kinergy

You shouldn’t need to upgrade stunnel itself. Though you need to upgrade openssl itself and recreate the certificate you are using.

In the wake of Heartbleed, any thoughts on upgrading to stunnel 5.0.1 on Ubuntu 12.04?

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel