Installing and Configuring stunnel on CentOS 6

Here's how to get stunnel up and running on a CentOS 6 server, and configure your local stunnel client to work with it.

Server-side installation and configuration

First, install stunnel itself on the server:

    [root@host ~]# yum -y install stunnel

Next, create a key and a self-signed certificate for stunnel to use:

    [root@host ~]# cd /etc/pki/tls/certs/ && make stunnel.pem

Now, generate a set of Diffie-Hellman parameters using a 2048-bit group instead of the default 1024-bit size. A 2048-bit group is recommended by the discoverers of the Logjam attack.

    [root@host certs]# dd if=/dev/urandom count=64 | openssl dhparam -rand - 2048

    0 semi-random bytes loaded
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    64+0 records in
    64+0 records out
    32768 bytes (33 kB) copied, 0.00312777 s, 10.5 MB/s
    ....................+..[snip lots of output]...++*++*++*
    -----BEGIN DH PARAMETERS-----
    MIGHAoGBAN1puC8VOxyqydITSDisVIpoFrwLS6yLqwykT/V5I96UPdgWFXwg96Kx
    L6yd5JnK4BK1aoJZiyoO+AVanwQs2BBCGXKEY5YTQJSErwe+vbnNmnQtzMIto2wj
    0hkQHbqc4+Q2KTfjJpIhzVO/JL8WS5Ko6LDyEzKh7Se1Gg80wqyjAgEC
    -----END DH PARAMETERS-----

Append the resulting DH PARAMETERS block, including the BEGIN and END lines, to the stunnel.pem file you created previously.

Next, create a directory for the pidfile to live in:

    [root@host ~]# mkdir /var/run/stunnel && chown nobody /var/run/stunnel

Create a new file in /etc/stunnel/stunnel.conf with the following contents, edited as needed for your requirements:

; stunnel configuration file
debug = 3
output = /var/log/stunnel.log
setuid = nobody
setgid = nobody
pid = /var/run/stunnel/stunnel.pid
cert = /etc/pki/tls/certs/stunnel.pem

options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE

; This section creates a new tunnel.
; Incoming TLS connections to port 3307 will be decrypted and
; then forwarded to port 3306 on the localhost.
[secure-mysql]
accept  = 3307
connect = 3306

Define a different tunnel for each service you want to protect. In the above example, the stunnel server listens on port 3307 for incoming client connections, decrypts the traffic, and forwards the raw data to port 3306 (mysql) on the same server.

Run stunnel to try it out:

    [root@host ~]# stunnel

Now inspect /var/log/stunnel.log to see if there are any errors. If things didn't work, set debug = 7 in the config file and try again. Once stunnel starts properly, configure it to run automatically when the system boots. I just add it to /etc/rc.local:

    #Run stunnel
    /usr/bin/stunnel &

That's it for the server-side installation.

Client-side installation and configuration

Repeat all of the above steps on the client end (for example, your workstation or your home router) to get stunnel installed there. When you create the config file for the client side, the tunnel you define will look slightly different:

[mysql-remote]
client = yes
accept = 3306
connect = 5.6.7.8:3307

Note that here the client = yes directive is added. The connect command points at the server's IP address and the port where stunnel is listening there.

Now run stunnel on the client side and set your application to use it.

Continuing with the MySQL example, I tell my copy of HeidiSQL to connect to my router on port 3306. The stunnel running on my router encrypts the traffic and forwards it to port 3307 on the remote server, where stunnel decrypts the traffic and sends it to port 3306 on itself.

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
ZPOOL: Create a new zpool for zfs filesystems
Viewed 1122 times since Sun, Jun 3, 2018
Linux – How to check the exit status of several piped commands
Viewed 1892 times since Wed, Jul 25, 2018
RHEL: Rename a network interface on RHEL 7
Viewed 6877 times since Sat, Jun 2, 2018
A tcpdump Tutorial and Primer with Examples
Viewed 2763 times since Sun, Jun 17, 2018
LVM: Extend an existing Volume Group by adding a new disk
Viewed 1016 times since Sat, Jun 2, 2018
systemd Auto-restart a crashed service in systemd
Viewed 1088 times since Fri, Jan 17, 2020
debian Install a newer kernel in Debian 9 (stretch) stable
Viewed 827 times since Sun, Sep 23, 2018
12 Tcpdump Commands – A Network Sniffer Tool
Viewed 7400 times since Fri, Jul 27, 2018
RHEL: Enabling standard ftp/telnet
Viewed 1601 times since Sun, May 27, 2018
YUM CRON Enabling automatic updates in Centos 7 and RHEL 7
Viewed 10738 times since Fri, Oct 26, 2018