Hi all
I was wondering if there is a way to connect multiple stunnel clients running on different machines to the same stunnel server service, also running on a different machine. All the clients must connect to the same server port. I have tried it with my current config but I haven't been able to make it work, is this even possible??
Thanks, Esteban.
On Tue, Dec 12, 2023 at 10:58:19AM -0000, egig@gmv.com wrote:
> Hi all
> I was wondering if there is a way to connect multiple stunnel clients running on different machines to the same stunnel server service, also running on a different machine. All the clients must connect to the same server port. I have tried it with my current config but I haven't been able to make it work, is this even possible??
If you want all the clients to really connect to the same service, i.e. provide different tunnels that all connect to the same server, then this should be completely possible. What kind of problems did you run into? (configuration and logs would be helpful)
G'luck, Peter
When I connect the first client it works as expected, my issue is with the second one.
In the server log everything seems fine, you can see that both clients connect successfully:
/------------------------------------------------------------------------------------------------------------/
2023.12.12 13:48:21 LOG6[ui]: Initializing inetd mode configuration
2023.12.12 13:48:21 LOG5[ui]: stunnel 5.63 on x86_64-pc-linux-gnu platform
2023.12.12 13:48:21 LOG5[ui]: Compiled/running with OpenSSL 3.0.2 15 Mar 2022
2023.12.12 13:48:21 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP
2023.12.12 13:48:21 LOG6[ui]: Initializing inetd mode configuration
2023.12.12 13:48:21 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2023.12.12 13:48:21 LOG5[ui]: UTF-8 byte order mark detected
2023.12.12 13:48:21 LOG5[ui]: FIPS mode disabled
2023.12.12 13:48:21 LOG6[ui]: Compression enabled: 0 methods
2023.12.12 13:48:21 LOG6[ui]: Initializing service [checker]
2023.12.12 13:48:21 LOG6[ui]: OpenSSL security level is used: 2
2023.12.12 13:48:21 LOG6[ui]: Session resumption enabled
2023.12.12 13:48:21 LOG6[ui]: Loading certificate from file: /etc/stunnel/server-combined.pem
2023.12.12 13:48:21 LOG6[ui]: Certificate loaded from file: /etc/stunnel/server-combined.pem
2023.12.12 13:48:21 LOG6[ui]: Loading private key from file: /etc/stunnel/server-combined.pem
2023.12.12 13:48:21 LOG6[ui]: Private key loaded from file: /etc/stunnel/server-combined.pem
2023.12.12 13:48:21 LOG6[ui]: DH initialization skipped: no DH ciphersuites
2023.12.12 13:48:21 LOG5[ui]: Configuration successful
2023.12.12 13:48:21 LOG6[ui]: Service [checker] (FD=9) bound to 0.0.0.0:8050
2023.12.12 13:48:21 LOG5[ui]: Binding service [checker] to :::8050: Address already in use (98)
2023.12.12 13:48:21 LOG6[cron]: Executing cron jobs
2023.12.12 13:48:21 LOG6[cron]: Cron jobs completed in 0 seconds
2023.12.12 13:50:18 LOG5[0]: Service [checker] accepted connection from 192.168.100.99:49688
2023.12.12 13:50:18 LOG6[0]: Peer certificate not required
2023.12.12 13:50:18 LOG6[0]: No peer certificate received
2023.12.12 13:50:18 LOG6[0]: Session id: 41E5880BE80598613E482E5ACE1240298782E70B24B2D2B3C4DC869E5F985FF6
2023.12.12 13:50:18 LOG6[0]: No peer certificate received
2023.12.12 13:50:18 LOG6[0]: Session id: B573C15BD5CA6430EA84B362A31A6B87AB3B56DB06F8DFBC4BC6FA2828C64004
2023.12.12 13:50:18 LOG6[0]: TLS accepted: new session negotiated
2023.12.12 13:50:18 LOG6[0]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption)
2023.12.12 13:50:18 LOG6[0]: Peer temporary key: X25519, 253 bits
2023.12.12 13:50:18 LOG6[0]: failover: priority, starting at entry #0
2023.12.12 13:50:18 LOG6[0]: s_connect: connecting ::1:5999
2023.12.12 13:50:18 LOG3[0]: s_connect: connect ::1:5999: Connection refused (111)
2023.12.12 13:50:18 LOG6[0]: s_connect: connecting 127.0.0.1:5999
2023.12.12 13:50:18 LOG5[0]: s_connect: connected 127.0.0.1:5999
2023.12.12 13:50:18 LOG6[0]: persistence: 127.0.0.1:5999 cached
2023.12.12 13:50:18 LOG5[0]: Service [checker] connected remote server from 127.0.0.1:36492 <-------------------------------------
2023.12.12 13:50:29 LOG5[1]: Service [checker] accepted connection from 192.168.100.105:49692
2023.12.12 13:50:29 LOG6[1]: Peer certificate not required
2023.12.12 13:50:29 LOG6[1]: No peer certificate received
2023.12.12 13:50:29 LOG6[1]: Session id: FDF11DA3412912C0FD6B65D53E7DA18FF96D70CBFA705268B0215A41DE6C25C9
2023.12.12 13:50:29 LOG6[1]: No peer certificate received
2023.12.12 13:50:29 LOG6[1]: Session id: 4D4F8A99E869C9CC31BDE53EE63F8B09506E7ED113915C5E0A7CA0730FFD0C30
2023.12.12 13:50:29 LOG6[1]: TLS accepted: new session negotiated
2023.12.12 13:50:29 LOG6[1]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption)
2023.12.12 13:50:29 LOG6[1]: Peer temporary key: X25519, 253 bits
2023.12.12 13:50:29 LOG6[1]: failover: priority, starting at entry #0
2023.12.12 13:50:29 LOG6[1]: s_connect: connecting ::1:5999
2023.12.12 13:50:29 LOG3[1]: s_connect: connect ::1:5999: Connection refused (111)
2023.12.12 13:50:29 LOG6[1]: s_connect: connecting 127.0.0.1:5999
2023.12.12 13:50:29 LOG5[1]: s_connect: connected 127.0.0.1:5999
2023.12.12 13:50:29 LOG6[1]: persistence: 127.0.0.1:5999 cached
2023.12.12 13:50:29 LOG5[1]: Service [checker] connected remote server from 127.0.0.1:52356 <-------------------------------------
/------------------------------------------------------------------------------------------------------------/
However, when I try to send some data (using netcat) only the first connected client is able to send or receive. I have netcat listening on the server target port and I can only see the messages sent from the first client.
This is my client config:

[checker]
client = yes
accept = 127.0.0.1:8003
connect = 192.168.100.100:8050
verifyChain = yes
CAfile = cacert.pem
checkIP = 192.168.100.100
And here is my server config:

[checker]
accept = 8050
connect = 5999
cert = /etc/stunnel/server-combined.pem
Thanks for your help :)
On Tue, Dec 12, 2023 at 12:55:07PM -0000, Esteban Gil wrote:
> When I connect the first client it works as expected, my issue is with the second one.
> In the server log everything seems fine, you can see that both clients connect successfully:
> /------------------------------------------------------------------------------------------------------------/
> [snip]
> 2023.12.12 13:50:18 LOG5[0]: Service [checker] connected remote server from 127.0.0.1:36492 <-------------------------------------
> 2023.12.12 13:50:29 LOG5[1]: Service [checker] accepted connection from 192.168.100.105:49692
> 2023.12.12 13:50:29 LOG5[1]: Service [checker] connected remote server from 127.0.0.1:52356 <-------------------------------------
> /------------------------------------------------------------------------------------------------------------/
> However, when I try to send some data (using netcat) only the first connected client is able to send or receive. I have netcat listening on the server target port and I can only see the messages sent from the first client.
Right. I think the use of netcat may be your problem. The netcat tool is not really as universal as we might want it to be :) It does *not* handle simultaneous connections; it waits for the first connection to end and only then will it pay any attention to the second one.
Can you try using another program, one that is designed to accept and process simultaneous connections, like e.g. something like this socat invocation that tells it to listen on port 8088, fork a new child process to handle each incoming connection, and then execute "cat" to echo stuff?
socat TCP4-LISTEN:8088,fork EXEC:cat
Hope this helps!
G'luck, Peter
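To make the diagnosis above reproducible without stunnel in the loop, here is an added Python example (not from this thread, and not stunnel or socat code) that models both backend behaviours Peter describes: a netcat-style listener that serves one connection at a time, and a socat-style "fork" listener that serves each connection independently. It then probes each with two clients while the first one stays connected; the port is OS-assigned and the messages are constructed for the demo.

```python
import contextlib
import socket
import threading

MSG1 = b"hello from client 1\n"  # constructed sample data for the probe
MSG2 = b"hello from client 2\n"

def _echo(conn):
    # Echo everything back until the peer closes, like socat's EXEC:cat.
    with contextlib.suppress(OSError), conn:  # ignore a peer that already left
        while data := conn.recv(4096):
            conn.sendall(data)

def start_echo_server(concurrent):
    """Listen on 127.0.0.1 (OS-assigned port); return (listener, port).
    concurrent=False serves one client at a time, like plain netcat, so a
    second client waits in the backlog unread; True threads per connection
    like "socat TCP4-LISTEN:8088,fork EXEC:cat"."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            if concurrent:
                threading.Thread(target=_echo, args=(conn,), daemon=True).start()
            else:
                _echo(conn)  # blocks until this client disconnects
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def probe_second_client(port, timeout=1.0):
    """Keep client 1 open and check whether client 2 also gets an echo;
    returns (client1_echoed, client2_echoed)."""
    c1 = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    c2 = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    c1.sendall(MSG1)
    first_ok = c1.recv(len(MSG1)) == MSG1
    c2.sendall(MSG2)
    try:
        second_ok = c2.recv(len(MSG2)) == MSG2
    except socket.timeout:
        second_ok = False  # the netcat-style server never read client 2
    c1.close()
    c2.close()
    return first_ok, second_ok
```

With concurrent=False the probe returns (True, False), which is exactly the symptom in the thread: the second stunnel tunnel is established at the TLS layer but its data is never read by the backend.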
You are totally right, netcat does not support simultaneous connections. I tried socat as you suggested and it works, thank you so much!
-Esteban.