Here are the configs I've used. I must point out that I use certificates in both the client and server for authentication. Hence verify=3 in the config.
======= SERVER =======
;---------------------------------------------------- ;-- SERVER OPTIONS ;----------------------------------------------------
;select data compression algorithm compression = zlib
; Enable Taskbar icon taskbar = yes
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
[TServ]
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name ;required in server mode cert = server.pem
;client mode - no (server mode) client = no
;level 3 - verify peer with locally installed certificate verify = 3
accept = 50000 connect = 127.0.0.1:3389
======= CLIENT =======
;---------------------------------------------------- ; GLOBAL OPTIONS ;----------------------------------------------------
;Logging Options debug = 7 output = stunnel.log
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
;---------------------------------------------------- ; SERVICE-LEVEL OPTIONS ;---------------------------------------------------- [tserver] accept = 127.0.0.1:50000 connect = <my_server_IP>:50000
;Server mode or Client mode ;Yes=Client mode client = yes
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name cert = client.pem
;verify peer certificate ;level 3 - verify peer with locally installed certificate verify = 3
;Select permitted SSL ciphers ':' delimited list ciphers = AES256-SHA
--- Frank Garber garberfc@coolsite.net wrote:
I tried using the port you suggested and got the same result. I'm able to verify my firewall is letting the traffic through and that my ISP is not blocking the port by using www.canyouseeme.org . Again, all my settings work when I'm not going through the corporate firewall.
Can you send me your whole config file for both your client and server sides? I'm wondering if it has to do with my certificate settings.
Thanks,
Frank
----- Original Message ---- From: Carter Browne <xxxx> To: garberfc <xxxx> Sent: Monday, October 22, 2007 8:07:11 AM Subject: Re: [stunnel-users] Using stunnel for RDP / Proxy / Firewall
I do this all the time. The way I do it is to connect locally to RDP on a non-stardard port. In the RDP dialog box, I have 127.0.0.10:12121, then in stunnel on the local side is:
[xxx-rdp] accept = 127.0.0.10:12121 connect = server:12122 client = yes
on the remote side is
[rdp-incoming] accept = 12122 connect = 3389 client = no.
Normally RDP listens for any connection to port 3389, so I found it was easiest to get to to work by moving off that port. Note that you have to open port 12122 in the firewall on the remote side. On the other hand, you can close 3389 on the remote side which takes away an obvious port for hackers.
Carter
garberfc wrote:
Hi All
I'm a relative newbie to Stunnel, and am trying to
set up a tunnel so I can
Remote Desktop from work to my PC/server at home.
I'm using versions 4.20 of the Windows binaries.
I've tested the configuration and it works from
home using a laptop that is
going through my firewall when I enter my domain home (so my firewall is set
up correctly). I tried a
variety of common ports and got the same response
every time. I had to use
the 127.0.0.2 on the client because Remote Desktop
didn't want me connecting
to myself...
When I try if from work I get a dialog box: The client could not establish a connection to
the remote computer.
The most likely causes for this error are:
- Remote connections might not be enabled at
the remote computer.
2)The maximum number of connections was
exceeded at the remote computer.
- A network error occurred while establishing
the connection.
My config is as follows:
#Client ;cert = stunnel.pem ;key = stunnel.pem
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log
; Use it for client mode client = yes
; Service-level configuration [https-RDT] accept = 127.0.0.2:3389 connect = xx.xx.xx.xx:1494
#Server ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log
; Use it for client mode client = no
; Service-level configuration [https-RDT] accept = 1494 connect = localhost:3389
Is there something I need to do to traverse this
proxy? Any help would be
greatly appreciated!
stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com