Home » Categories » Linux

Setting up encrypted tunnel using stunnel

Article Number: 378 | Rating: Unrated | Last Updated: Fri, Sep 28, 2018 7:47 PM

Setting up encrypted tunnel using stunnel

To implement encrypted communication between Redis masters and slaves, we recommend using stunnel. Stunnel works as TLS encryption wrapper between client and server.

This step-by-step tutorial will explain how to install and configure stunnel proxies on FreeBSD client and server. Configuration procedures for other operating systems are very similar. For simplicity, this tutorial only covers replication to one client host as this configuration does not require individual preshared keys for each of the clients.

Assuming we have 3 Redis instances on both server and client, listening sockets on the server (master side):

instanceRedis socketstunnel socket
redis localhost:6379 -
bayes localhost:6378 master.example.com:6478
fuzzy localhost:6377 master.example.com:6477

As the instance named redis should not be mirrored, we will replicate fuzzy and bayes instances. So we need to setup 2 TLS tunnels.

Installation

First install the security/stunnel package:

# pkg install stunnel

Create pid-file directory:

# mkdir /var/run/stunnel && chown stunnel:stunnel /var/run/stunnel

To enable stunnel add the following lines to the /etc/rc.conf:

stunnel_enable="YES"
stunnel_pidfile="/var/run/stunnel/stunnel.pid"

Server configuration (master side)

/usr/local/etc/stunnel/stunnel.conf:

setuid = stunnel
setgid = nogroup

pid = /var/run/stunnel/stunnel.pid

[bayes]
accept  = 6478
connect = 6378
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt

[fuzzy]
accept  = 6477
connect = 6377
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt

Client configuration (slave side)

/usr/local/etc/stunnel/stunnel.conf:

setuid = stunnel
setgid = nogroup

pid = /var/run/stunnel/stunnel.pid

[bayes]
client = yes
accept  = localhost:6478
connect = master.example.com:6478
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt

[fuzzy]
client = yes
accept  = localhost:6477
connect = master.example.com:6477
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt

Preshared keys

Create /usr/local/etc/stunnel/psk.txt . The psk.txt file contains one line for each client:

test1:oaP4EishaeSaishei6rio6xeeph3az

Do not use example passwords.

As both bayes and fuzzy Redis instances located at the same host we can share the same key between them.

Since this file should be kept secret set secure permissions on it:

# chmod 600 /usr/local/etc/stunnel/psk.txt

Starting stunnel

# service stunnel start

Testing

From the client host use the redis-cli utility to connect to the remote instances:
Posted - Fri, Sep 28, 2018 7:47 PM. This article has been viewed 2700 times.
Filed Under: Linux
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
ZFS: Verify/change properties of a zfs filesystem
Viewed 2757 times since Sun, Jun 3, 2018
Linux RAID Mdadm Cheat Sheet
Viewed 5611 times since Fri, May 15, 2020
6 rsync Examples to Exclude Multiple Files and Directories using exclude-from
Viewed 5160 times since Wed, Oct 31, 2018
Fedora 32: Simple Local File-Sharing with Samba CIFS Linux
Viewed 9016 times since Sun, Dec 6, 2020
RHEL: How to rebuild and/or patch a RPM package
Viewed 8979 times since Sat, Jun 2, 2018
how to list all hard disks in linux from command line
Viewed 3812 times since Mon, Jan 28, 2019
SPRAWDZONA KONFIGURACJA RSYSLOG I LOGROTATE, JAKO ZEWNĘTRZNEGO SERWERA SYSLOG
Viewed 3992 times since Fri, Nov 30, 2018
Deskshare TLS over Stunnel
Viewed 2944 times since Fri, Sep 28, 2018
How To Use Systemctl to Manage Systemd Services and Units
Viewed 7705 times since Mon, Dec 7, 2020
How to enable Proxy Settings for Yum Command on RHEL / CentOS Servers
Viewed 12844 times since Thu, Jul 19, 2018