[stunnel-users] "Reverse" tunneling with stunnel.

Peter Pentchev roam at ringlet.net
Wed Jul 18 10:43:38 CEST 2018

On Tue, Jul 17, 2018 at 10:51:07PM -0600, C. Petro wrote:
> I have a client who is setting up a logging infrastructure involving a
> couple of DMZs forwarding logs into central logging points.
> They have to pass compliance audits (SOX, PCI at least) and have some
> rather specific desires in regards to how they want the log traffic to
> move, and which servers *initiate* the connections.
> Which is to say they want the internal servers to set up tunnels to the DMZ
> servers and then the forwarders use that tunnel to deliver logs back.
> Lemme see if I can ascii art this:
> central1----------------------------------dmz1
>             \____________________      /
>            _____________________\ _/
>           /                                           \
> central2----------------------------------dmz2
> Something like that.
> Central1=
> Central2=
> DMZ1=
> DMZ2=
> Firewalls are in effect.
> I have gotten it set up so that I can initiate a connection FROM Central1
> to DMZ2.
> [Tunnel_to_DMZ2]
> client = yes
> accept = 3002
> connect =
> And
> [Tunnel_from_Central1]
> accept = 5000
> connect = 3000
> Like I said, I can open a tunnel from Central1 to DMZ2, but can't get
> traffic to pass backwards--I get a message in the log saying the session is
> closed.

So you are saying that the connection is established successfully?
(you can check that in the logs of both stunnel instances and also using
 e.g. netstat or ss or similar tools on the hosts that should be talking to
 each other through the tunnel)
...but then, some indeterminate time later, one of the hosts tries to send
some data through this connection and gets a connection reset or something
like that?

If so, this sounds like something I've seen *a lot* with firewalls and
other devices that try to keep track of connections passing through them
(e.g. for NAT and such) - the firewall/NAT/whatever decides that there has
been no traffic on that particular connection for, say, the last 15 minutes,
so it drops it from its internal state - *obviously* those hosts do not need
to talk to each other any more, who would ever have a 15-minute pause in
a TCP connection, why would anybody want that?  So the next time one of
the hosts tries to send some data, the firewall/NAT/whatever says "hm, well,
I don't know anything about this connection that you think you have, so,
yeah, no".

TL;DR: maybe you should check the settings on some of the firewall devices
and see if you can somehow raise the timeouts for inactive connections or
something like that.

> Is it possible to set stunnel up in a "reverse tunnel" mode--one where the
> connect is initiated from one end, but the other does most of the message
> passing?
> What I am missing?

Hope the above helps.


Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20180718/dd00c4e6/attachment.sig>

More information about the stunnel-users mailing list