[stunnel-users] Connecting stunnels

Carter Browne cbcs at comcast.net
Thu Mar 31 16:39:03 CEST 2016



On 3/31/2016 10:26 AM, Ludolf Holzheid wrote:
> On Thu, 2016-03-31 09:39:49 -0400, Carter Browne wrote:
>> A single instance of stunnel can be a server or a client depending on
>> the settings.  For this configuration, you would want host3 to be a
>> server not a client.
>> Thus, you need the intermediate port on server2 to serve as both a
>> client and a server:
>>
>> In your configuration files you would need:
>>
>> Host1:
>> [secure_telnet]
>> accept = local:23
>> connect = host2:host2port1
>> client = yes
>>
>> Host2:
>> [incoming_telnet_relay]
>> accept = host2:host2port1
>> connect = local:host2port2
>> client = no
>>
>> [outgoing_telnet_relay]
>> accept = local:host2port2
>> connect = host3:host3port1
>> client = yes
>>
>> Host3:
>> [incoming_telnet]
>> accept = host3:host3port1
>> connect = local:23
> Carter,
>
> What's the advantage of this setup over a direct connection from Host1
> to Host3?
>
>   Host1:
>
>   [secure_telnet]
>   accept  = local:23
>   connect = host3:host3port1
>   client  = yes
>
>   Host3:
>
>   [incoming_telnet]
>   accept  = host3:host3port1
>   connect = local:23
>   client  = no
>
> If e.g. Host3 isn't directly reachable from Host1, a simple port
> forwarding (without decryption and re-encryption) on Host2 would
> suffice.
>
> Ludolf
>
Ludolf,

I didn't ask the reason why in this case - I have had instances where I 
wanted the communication to be encrypted, but I could not go directly 
from Host1 to Host3.  If he can go directly from Host1 to Host3, then 
your configuration is correct.  However, in these days of firewalls, 
network segmentation, etc. the direct path may not be available or desired.

Carter

-- 
Carter Browne
cbrowne at cbcs-usa.com
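A fuller version of the three-host relay discussed in this thread, as an added example that is not from the thread or the stunnel project: each client-side hop verifies the next hop's certificate and each server-side hop presents its own, so the relay is no weaker than the direct Host1-to-Host3 setup except that Host2 handles plaintext. Hostnames and the hostNportM names are the thread's placeholders; the certificate paths and the loopback addresses used in place of "local" are assumptions.

```ini
; Added example, not from the thread. Certificate paths are hypothetical.

; ---- Host1: originating client ----
[secure_telnet]
client  = yes
accept  = 127.0.0.1:23
connect = host2:host2port1
; CA that signed Host2's certificate; refuse any server it did not sign
CAfile      = /etc/stunnel/ca.pem
verifyChain = yes
; also require the expected name in the presented certificate
checkHost   = host2

; ---- Host2: relay that terminates TLS and re-encrypts ----
; Plaintext exists on Host2 only on the loopback hop between these two
; sections, so Host2 must be trusted as much as either endpoint.
[incoming_telnet_relay]
client  = no
accept  = host2:host2port1
connect = 127.0.0.1:host2port2
cert    = /etc/stunnel/host2-cert.pem
key     = /etc/stunnel/host2-key.pem

[outgoing_telnet_relay]
client  = yes
accept  = 127.0.0.1:host2port2
connect = host3:host3port1
CAfile      = /etc/stunnel/ca.pem
verifyChain = yes
checkHost   = host3

; ---- Host3: final server in front of the local telnet daemon ----
[incoming_telnet]
client  = no
accept  = host3:host3port1
connect = 127.0.0.1:23
cert    = /etc/stunnel/host3-cert.pem
key     = /etc/stunnel/host3-key.pem
```

With plain port forwarding on Host2 instead (the alternative Ludolf describes), only the Host1 and Host3 sections are needed and Host1's checkHost stays host3, since the TLS session then runs end to end.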
