[stunnel-users] Is anyone using Stunnel for tunnelling Voip?

Errol Samuels esamuels at carismatel.com
Tue Jun 3 14:40:25 CEST 2008

> > > Now... stunnel should work just as well as SSH, but it also has just
> > > the same basic "limitation" - or, rather, design goal - stunnel is
> > > used only for forwarding TCP connections.  I'm not sure what your
> > > VoIP model is, but if it is in any way based on UDP packets flying
> > > around, then neither stunnel nor SSH would be of any use to you.
> >
> > My VoIP model is using 10000 - 20000 udp for the media so this is the
> > I have to tunnel OpenVPN through SSH or Stunnel since I can forward my
> > traffic through OpenVPN.
> Oh... so you still want to use OpenVPN?  That is, you want:
> - VoIP traffic
> - UDP packets on a virtual interface
> - OpenVPN encryption with OpenVPN configured for a TCP connection
> - and an additional stunnel or SSH wrapper?

My OpenVPN server is already setup to use TCP connection so I just need to
use additional Stunnel wrapper.  
> Yikes :)  This *will* add some additional overhead, and although
> the overhead will be the same no matter whether you choose SSH or
> stunnel, it will still be there anyway.

However, I think I can set cipher to none in OpenVPN and do a bit more
tweaking to conserve bandwidth since the OpenVPN will be secured within the
Stunnel wrapper.

> > Another alternative that I am exploring is SSH or Stunnels with Socat!
> > http://www.zarb.org/~gc/html/udp-in-ssh-tunneling.html but I need to
> > out how to forward a range of ports through it.
> Well, this might turn out to be a better alternative.  If you use
> the netcat (or socat) method described there, you'll just need to run
> a lot of netcat (or socat) processes, one for each port you need
> to forward.  I've not yet used socat, but from its manual page it seems
> that it cannot listen on more than one port either.

It would be great to use netcat (or socat) but surprisingly it does seem to
support port ranges so I think I may have to use OpenVPN with Stunnel and a
bit of tweaking.

> > > With that in mind, if it's a TCP connection that you want to encrypt,
> > > either stunnel or SSH port forwarding should do the job just fine,
> > > although for "permanent" setups I would rather use stunnel, since SSH
> > > may have some issues with timeouts and dropped control connections
> > > and such.
> >
> > I need to investigate if Stunnel is available as a package for OpenWRT
> > DD-WRT firmware.
> G'luck,
> Peter
> --
> Peter Pentchev	roam at ringlet.net    roam at cnsys.bg
roam at FreeBSD.org
> PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
> because I didn't think of a good beginning of it.

More information about the stunnel-users mailing list