Solved! I've fixed up the various ports and now I am able to connect.  For the
edification of other list readers I'll summarize. 

I have a local Linux host acting as firewall/router.  It routes requests on port
1234 to port 3389 on a local Linux workstation which is running x11vnc server
listening on its local port 5900.  I want to connect to this VNC server from a
remote vnc viewer. 

(Why does the router forward to port 3389? Because the workstation can dual-boot
Windows, so the forward works regardless of booted OS.)

Remote vnc viewer, stunnel client stunnel.conf:

verify = 2
pid = /home/mfoley/.stunnel/stunnel.pid
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes
accept = 5900
connect = router.obfuscate.org:1234

Local workstation vnc server, stunnel server stunnel.conf:

pid = /var/run/stunnel.pid
debug = 7
accept = 3389
key = /root/privatekey.pem
cert = /root/certificate.pem
connect =

The certificate is self-signed and created on the stunnel/vnc server host using
the following commands:

openssl genrsa -out privatekey.pem 2048
openssl req -new -x509 -days 365 -key privatekey.pem -out certificate.pem

The certificate.pem is copied to the stunnel client host.

With x11vnc listening on 5900 on the local workstation and with 'stunnel
stunnel.conf' running on both stunnel client (as the normal user) and server
hosts, I use the remote vnc viewer, logged in as a normal user, with the

I'm guessing I could configure my vnc viewers to connect to multiple clients with
different [service] sections, for example:

verify = 2
pid = /home/mfoley/.stunnel/stunnel.pid
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes

; the section names below are placeholders; any unique service name works
[vnc1]
accept = 5900
connect = router.obfuscate.org:1234

[vnc2]
accept = 5901
connect = router.obfuscate.org:4321

I haven't tried that, but I will.

I further guess that I could have different CAfiles per server if I moved that
directive to the respective service definitions (can someone confirm?), but I
haven't tried that either.

Thanks especially to Flo Rance for helping me work through this.

Now, I have to figure out how to do this from a Windows client!
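
Added example (not part of the original post, and not stunnel project code): a small Python check that resolves each [service] section of a client stunnel.conf against the options set above the first section and flags client services that would not verify the server certificate. It assumes stunnel's usual behaviour that verify and CAfile set before the first section act as defaults that a section can override; the section names, the second CAfile path and the third service are constructed for illustration.

```python
# Added example: flag stunnel client services that do not authenticate the server.
# Assumption: options set before the first [section] are defaults for every service.
SAMPLE = """\
; constructed sample modelled on the client config in the post
client = yes
verify = 2
CAfile = /home/mfoley/.stunnel/certificate.pem
[vnc-a]
accept = 5900
connect = router.obfuscate.org:1234
[vnc-b]
accept = 5901
connect = router.obfuscate.org:4321
CAfile = /home/mfoley/.stunnel/second-server.pem
[vnc-c]
accept = 5902
connect = 192.0.2.10:1234
verify = 0
"""

def parse(text):
    """Return {service: options}, with global defaults merged under each service."""
    defaults, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), dict(defaults))
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not an option line: {raw!r}")
        target = defaults if current is None else current
        target[key.strip().lower()] = value.strip()  # normalise option-name case
    return services

def audit(text):
    """Return [(service, problem)] for client services with weak peer verification."""
    findings = []
    for name, opt in parse(text).items():
        if opt.get("client", "no").lower() != "yes":
            continue  # only client-side services are checked here
        level = int(opt.get("verify", "0"))  # unset means no verification
        if level < 2:
            findings.append((name, f"verify = {level}: server certificate not enforced"))
        elif not (opt.get("cafile") or opt.get("capath")):
            findings.append((name, "verify set but no CAfile/CApath to check against"))
    return findings
```

Calling audit(SAMPLE) reports only the vnc-c service, because its verify = 0 overrides the global verify = 2, while vnc-b keeps verification and simply swaps in its own CAfile.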


