[stunnel-users] More questions on RDP and port forwarding

richard.woodman at cox.net richard.woodman at cox.net
Mon Nov 26 21:04:05 CET 2007

I took my configs, my certs, etc. and put them on two boxes in the lab - then I ensured I could use stunnel to connect using VNC.  I then put a NAT box (Linksys BEFSR81) between the two and configured the Linksys to provide port forwarding.  I then reconnected and everything worked first time.  Therefore, I can only assume that either port-forwarding is misconfigured on my Watchguard SOHO 6tc -or- that the Windows firewall is causing problems (neither lab box has a firewall running).  I'll keep you posted on what I find.  Thanks.


My original post:

I did read through the archives but I cannot determine how to get Stunnel
working through the firewall.  Here is what I wish to do:

1.  Tunnel Windows Remote Desktop through stunnel.
2.  I wish to connect from home to work; I have access to the firewall at

Here's what I've done:

1.  Installed stunnel on Windows XP at home and at work.  I have self-signed
certificates and am using verify = 3 (on both computers).  Cacert.pem has
the CA cert, the work cert, and the home cert in a single file.  The
server-cert.pem has the work computer's key and cert while the
client-1-cert.pem (home computer) has its own key and cert.
2.  Stunnel at home has client = yes, stunnel at work has this commented
out.  Stunnel at work will become a "server" where multiple clients connect
via stunnel and that single computer makes multiple RDP connections.

Client (home) computer has

accept  = 4391
connect = <work outside interface IP>:44391

Server (work) computer has

accept  = 44391
connect = <work computer name>:3392

If I try this at work from within the corporate network (change the client
connect string to the stunnel server's IP or hostname), then everything
works fine.  However, once I try from outside the work network, nothing
works.  Firewall is a Watchguard SOHO 6tc and I have an inbound rule
permitting 44391 and directing it to X.X.X.52 (the stunnel server).  I also
have other rules allowing RDP (on port 3392 for instance) directly to the
computer I wish to control and those rules work.  Essentially, RDP directly
through the firewall works but stunnel through the firewall does not.  I
assume there is no traffic destined for .52 on 44391 because the log file on
the server (with debug = 7) only shows the startup sequence and port binding
(netstat -a shows I am listening on 44391).  I also tried this at home on my
Juniper 5XT and was unsuccessful.  Please help.
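A small diagnostic for the situation the post describes, run from the outside (home) towards the work firewall's public IP and the forwarded port: it separates "no TCP traffic reaches the stunnel box" (firewall or port forward) from "TCP arrives but the TLS handshake fails" (forward aimed at the wrong host/port, or cert/verify settings that disagree). This is an added example, not code from the post or from the stunnel project; `cafile`/`certfile`/`keyfile` stand in for the poster's CAcert.pem and client-1-cert.pem, and the two helper functions only build constructed local inputs so the script can be exercised offline.

```python
import socket
import ssl
import threading


def check_tunnel(host, port, cafile=None, certfile=None, keyfile=None, timeout=5.0):
    """Return (stage, detail) for one connection attempt to an stunnel listener.
    no_tcp            - connect refused/timed out: the firewall or port forward
                        is not delivering traffic to the stunnel box at all
    tcp_ok_tls_failed - something answered but the TLS handshake failed: the
                        forward hits the wrong host/port, or cert/verify differ
    tls_ok            - handshake completed, so the tunnel itself is fine"""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "no_tcp", str(exc)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # stunnel verify=3 matches the cert, not a name
    if cafile:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile)  # the same CAfile stunnel uses
    else:
        ctx.verify_mode = ssl.CERT_NONE  # reachability check only
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # client cert the server demands
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls_ok", tls.version()
    except (ssl.SSLError, OSError) as exc:
        return "tcp_ok_tls_failed", str(exc)


def closed_port():
    """Pick a local port nothing listens on (constructed input for a demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def plain_listener():
    """Start a throwaway local listener that is not TLS (constructed input)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"not a TLS server\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against the real setup, a `no_tcp` result with the server log showing only startup and binding points at the firewall/port-forward, which matches the poster's reading of the debug = 7 log.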


