On Sat, 24 Apr 2021 03:08:48 -0000 yfmao@seas.upenn.edu wrote:
> Thanks for your help Javier. Your instructions really helped me build the simple stunnel.
> I am wondering whether it is possible to build a bi-directional stunnel.
Hi,
In every connection there is already a bi-directional connection, and, talking about stunnel, it is already encrypted.
Unless you mean that the app on host 1 connects independently to the app on host 2 and vice versa: when host 1 establishes a connection to host 2, host 2 can already reply back without opening a new connection to reply (which is what I tried to say in parentheses in the previous mail).
So, with the config example you show us, you are actually creating a loop.
> Here I have two applications running on two separate hosts. One of the applications uses port 10 to send and receive packets, while the other application uses port 11.
> Until now, I have tried to modify the configuration like this:
>
> Host 1:
>
>     [services]
>     client = no
>     accept = 100
>     connect = 10             ; sending to app using port 10
>     TIMEOUTclose = 0
>
>     [services]
>     client = yes
>     accept = 10              ; receiving from app using port 10
>     connect = ip_of_another_host_:100
>     TIMEOUTclose = 0
>
> Host 2:
>
>     [services]
>     client = no
>     accept = 100
>     connect = 11             ; sending to app using port 11
>     TIMEOUTclose = 0
>
>     [services]
>     client = yes
>     accept = 11              ; receiving from app using port 11
>     connect = ip_of_another_host_:100
>     TIMEOUTclose = 0
>
> Are these the correct config settings?
Some app on host 1 connects to the stunnel client on host 1 port 10, which then connects to the host 2 stunnel server on port 100 (encrypted traffic), which connects to the listening stunnel client on host 2 on port 11 (decrypted), which then connects to the stunnel server on host 1 port 100 (encrypted), which, again, connects to the stunnel client listening on port 10 (decrypted). And it starts over and over and over.
Note that the same port means nothing, but as you have stunnel listening on all addresses (you only specified a port, which means 0.0.0.0, or all addresses on the interface) you are actually creating a loop. There is no other app listening on ports 10 and 11 but the stunnel clients.
To have a bi-directional communication, and by bi-directional I mean that one or the other can start the connection, the apps on both hosts must be both a client and a server, or in other words an initiator and a receiver: on one port it listens, and on another it talks (that one is given by the system).
Stunnel is just the secure tunnel. In client mode it helps a non-secure app to establish a secure channel; in server mode it helps a non-secure app to listen on a secure channel.
An example of bi-directional encrypted talk that needs only a server and a client is a mail client and the mail server. The mail server has the stunnel server. The mail client uses the stunnel client.
The server doesn't need to connect to the client. So there is no need for a server on the client.
An example of bi-directional app could be a LAN chat program.
It listens on port 10 for other people's messages. It connects to other people to send messages to their port 10.
Stunnel acts as a server on both sides at port 10 (but on a different address than the app), as each program will establish an independent connection when needed.
Stunnel clients will help to connect to the other people's stunnel servers to encrypt the connection.
Here you'll have 4 stunnel services, as you intend. Two on each side (client+server).
Regards.
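A concrete layout of the four services described above, added here as an example and not taken from the thread or from the stunnel project. It assumes constructed host addresses 192.0.2.1 and 192.0.2.2, a chat app on each host that listens on 127.0.0.1:10 and is told to send to 127.0.0.2:10, and constructed certificate paths; the point is that every accept is bound to an explicit address, so no stunnel listener can receive traffic it forwards itself, which is what turned the 0.0.0.0 accepts in the quoted config into a loop.

```ini
; ---- Host 1 (192.0.2.1, constructed) : /etc/stunnel/stunnel.conf ----
; Assumed: the chat app listens on 127.0.0.1:10 and sends to 127.0.0.2:10.
; 127.0.0.2 is a loopback address on Linux; adjust for other platforms.
[chat-server]
client = no
accept = 192.0.2.1:10        ; encrypted side, external address only
connect = 127.0.0.1:10       ; plaintext into the local chat app
cert = /etc/stunnel/host1.pem
CAfile = /etc/stunnel/host2-cert.pem
verifyPeer = yes             ; accept only host 2's certificate

[chat-client]
client = yes
accept = 127.0.0.2:10        ; plaintext from the local app, loopback only
connect = 192.0.2.2:10       ; host 2's stunnel server
cert = /etc/stunnel/host1.pem
CAfile = /etc/stunnel/host2-cert.pem
verifyPeer = yes             ; refuse anything but host 2's certificate

; ---- Host 2 (192.0.2.2, constructed) : /etc/stunnel/stunnel.conf ----
; Mirror image of host 1; a separate file on the second host.
[chat-server]
client = no
accept = 192.0.2.2:10
connect = 127.0.0.1:10
cert = /etc/stunnel/host2.pem
CAfile = /etc/stunnel/host1-cert.pem
verifyPeer = yes

[chat-client]
client = yes
accept = 127.0.0.2:10
connect = 192.0.2.1:10
cert = /etc/stunnel/host2.pem
CAfile = /etc/stunnel/host1-cert.pem
verifyPeer = yes
```

Each host runs one file (the two are shown together for comparison); with the plaintext sides bound to loopback, nothing on the network can reach the decrypted ports, and verifyPeer on both ends pins each tunnel to the other host's certificate.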