I use stunnel to protect RDP for a couple of sites using a mix of
Watchguard Edge and V series firewalls.  For computer ABC that I want to
connect to, I create an entry in the hosts file:
127.0.0.n   ABCs      (where n is greater than 1)

On the client side I have an entry:

accept = ABCs:12345
connect = ABC:54321
client = yes

On the server side I have an entry:

accept = 54321
connect = 3389
client = no

Port 54321 is enabled in both the Watchguard and the Windows firewalls.

The 127.n.n.n ports are not processed by the firewalls.  You can
use it for everything, but I needed to connect to more than one
host and wanted a standard setup.  I have had a number of users confused
by this setup, whereby the program references a local port to connect to
a remote computer.  For stunnel, it is the connect string that
determines the destination, so any local port works fine for the accept.


Richard Woodman wrote:
> I did read through the archives but I cannot determine how to get Stunnel
> working through the firewall.  Here is what I wish to do:
> 1.  Tunnel Windows Remote Desktop through stunnel.
> 2.  I wish to connect from home to work; I have access to the firewall at
> work.
> Here's what I've done:
> 1.  Installed stunnel on Windows XP at home and at work.  I have self-signed
> certificates and am using verify = 3 (on both computers).  Cacert.pem has
> the CA cert, the work cert, and the home cert in a single file.  The
> server-cert.pem has the work computer's key and cert while the
> client-1-cert.pem (home computer) has its own key and cert.
> 2.  Stunnel at home has client = yes, stunnel at work has this commented
> out.  Stunnel at work will become a "server" where multiple clients connect
> via stunnel and that single computer makes multiple RDP connections.
> Client (home) computer has
> [rdp1]
> accept  = 4391
> connect = <work outside interface IP>:44391
> Server (work) computer has
> [rdp2]
> accept  = 44391
> connect = <work computer name>:3392
> If I try this at work from within the corporate network (change the client
> connect string to the stunnel server's IP or hostname), then everything
> works fine.  However, once I try from outside the work network, nothing
> works.  Firewall is a Watchguard SOHO 6tc and I have an inbound rule
> permitting 44391 and directing it to X.X.X.52 (the stunnel server).  I also
> have other rules allowing RDP (on port 3392 for instance) directly to the
> computer I wish to control and those rules work.  Essentially, RDP directly
> through the firewall works but stunnel through the firewall does not.  I
> assume there is no traffic destined for .52 on 44391 because the log file on
> the server (with debug = 7) only shows the startup sequence and port binding
> (netstat -a shows I am listening on 44391).  I also tried this at home on my
> Juniper 5XT and was unsuccessful.  Please help.
> Richard
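
The two halves of the loopback-alias setup described in the reply above, written out as complete stunnel.conf files. This is an added example, not configuration from either poster: the host names ABC and DEF, the loopback aliases, the port numbers, the certificate file names and the assumption that ABC and DEF resolve from home to the address the work firewall forwards port 54321 from are all assumptions.

```ini
; ===== home (client) stunnel.conf =====
; hosts file on the client (one loopback alias per remote host):
;   127.0.0.2   ABCs
;   127.0.0.3   DEFs
; The user then opens Remote Desktop to ABCs:12345 or DEFs:12345;
; the accept address is purely local, the connect line picks the target.
cert   = client-1-cert.pem     ; home key + cert
CAfile = cacert.pem            ; CA cert plus the work server cert
verify = 3                     ; peer cert must be in CAfile
debug  = 7
output = stunnel.log

[rdp-ABC]
client  = yes
accept  = ABCs:12345
connect = ABC:54321            ; ABC must resolve to the work firewall's outside address

[rdp-DEF]
client  = yes
accept  = DEFs:12345
connect = DEF:54321

; ===== work (server) stunnel.conf =====
; Firewall rule: inbound TCP 54321 -> this machine. Port 3389 itself
; stays closed on the firewall; only the TLS port is exposed.
cert   = server-cert.pem       ; work key + cert
CAfile = cacert.pem            ; CA cert plus each permitted client cert
verify = 3
debug  = 7
output = stunnel.log

[rdp]
client  = no
accept  = 54321
connect = 3389                 ; local RDP; may also name another internal host:port
```

With debug = 7 on both ends, a successful handshake is logged on the server as a connection from the client's public address; if the server log never goes past the port-binding lines, the inbound firewall rule for 54321 is not delivering traffic to the stunnel host.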
