[stunnel-users] newbie config not running

Craig Retief stunnel at rsw.co.za
Fri Nov 2 09:25:21 CET 2007


> Hello list.
> 

Hello's :-)

> I am new to stunnel and do have some problems to get it running.
> 

Welcome to the list :-)

> The server is a WinXPSP2 behind a router. The router has port forwarding
> enabled for port 9999 to the stunnel server (4.21). On the same box a
> vnc server is running on port 5900 which I like to tunnel. Firewall is
> opened. The netstat -a -n shows the server listening on the desired
> port (9999).
> 
> My server config looks like that:
> 
> cert = stunnel.pem
> ;key = stunnel.pem
> 
> ; Some performance tunings
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> 
> ; Workaround for Eudora bug
> ;options = DONT_INSERT_EMPTY_FRAGMENTS
> 
> ; Authentication stuff
> ;verify = 2
> ; Don't forget to c_rehash CApath
> ;CApath = certs
> ; It's often easier to use CAfile
> ;CAfile = certs.pem
> ; Don't forget to c_rehash CRLpath
> ;CRLpath = crls
> ; Alternatively you can use CRLfile
> ;CRLfile = crls.pem
> 
> ; Some debugging stuff useful for troubleshooting
> ;debug = 7
> ;output = stunnel.log
> 
> ; Use it for client mode
> ;client = yes
> 
> [pop3s]
> accept  = 995
> connect = 110
> 
> [imaps]
> accept  = 993
> connect = 143
> 
> [ssmtp]
> accept  = 465
> connect = 25
> 



Change on server

[VNC Server]
accept = 9999
connect = 5900

to

[VNC Server]
accept = 9999
connect = 127.0.0.1:5900

On the server you need to specify the place where the service needs to
connect. Thus you should specify the localhost IP so that when the server
receives a connect on port 9999 it directs it to the server itself.




> 
> The client side is a linux box with config setting:
> client = yes
> 



Change on client

[VNC Server]
accept = 5900
connect = 9999

to

[VNC Server]
accept = 5900
connect = your_router_ip:9999

When connecting to the service, you need to specify the server's IP address
where the connection needs to go; if you don't, then stunnel won't know where
to direct the traffic to.

What should happen is that you specify your connection in VNC as
127.0.0.1:5900 and then VNC will connect to stunnel, which will direct the
traffic to the server, which will in turn direct it to the VNC service on
itself.

Let me know if you get stuck and I will generate a config file for you. Also
it is recommended that you don't use the default stunnel.pem file. Please
create a new certificate on the server and client and use verify = 3 to
completely secure the connection. This will prevent someone else that also
has the stunnel.pem file from connecting to your server.

Let me know if you need help with the creation of the certificates. It's
pretty straightforward ;-)

Cheers,

Craig

> 
> I turned on debugging and stunnel.log seems to be okay - no error
> messages.
> 
> But I am not able to get a connection.
> 
> What am I doing wrong?
> 
> Stefan
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
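An added example, not part of the thread or of stunnel itself: a small linter for stunnel-style config files that flags the three points raised above. It parses the INI-like format by hand (stunnel allows repeated keys such as `socket`, and the global options have no section header), reports a `connect` with no host part (stunnel resolves a bare port to localhost, which on the client side means the client's own machine, as in the posted config), a missing `verify` level, and the stock `stunnel.pem` certificate. The sample config embedded below is constructed from the thread.

```python
from collections import defaultdict

# Constructed sample: the client-side config as posted in the thread.
SAMPLE_CLIENT_CONF = """\
cert = stunnel.pem
client = yes

[VNC Server]
accept = 5900
connect = 9999
"""


def parse_stunnel_conf(text):
    """Return (global_opts, {service_name: opts}); every value is a list,
    because stunnel permits the same key more than once (e.g. 'socket')."""
    global_opts = defaultdict(list)
    services = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), defaultdict(list))
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()].append(value.strip())
    return global_opts, services


def lint_stunnel_conf(text):
    """Return a list of human-readable findings for the given config text."""
    g, services = parse_stunnel_conf(text)
    findings = []
    client_mode = g.get("client", ["no"])[-1].lower() == "yes"
    if g.get("cert", [""])[-1] == "stunnel.pem":
        findings.append("global: stock stunnel.pem in use; anyone holding the sample file has the key")
    for name, opts in services.items():
        if "verify" not in g and "verify" not in opts:
            findings.append(f"[{name}]: no verify level set, peer certificate is not checked")
        for target in opts.get("connect", []):
            if ":" in target:                 # host:port given, nothing to flag
                continue
            if client_mode:
                findings.append(f"[{name}]: connect = {target} has no host, so it goes to localhost on the client")
            else:
                findings.append(f"[{name}]: connect = {target} defaults to localhost; write 127.0.0.1:{target} to be explicit")
    return findings


if __name__ == "__main__":
    for finding in lint_stunnel_conf(SAMPLE_CLIENT_CONF):
        print(finding)
```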