I tried using the port you suggested and got the same result. I'm able to verify my firewall is letting the traffic through and that my ISP is not blocking the port by using www.canyouseeme.org. Again, all my settings work when I'm not going through the corporate firewall.
Can you send me your whole config file for both your client and server sides? I'm wondering if it has to do with my certificate settings.
Thanks,
Frank
----- Original Message ----
From: Carter Browne <xxxx>
To: garberfc <xxxx>
Sent: Monday, October 22, 2007 8:07:11 AM
Subject: Re: [stunnel-users] Using stunnel for RDP / Proxy / Firewall
I do this all the time. The way I do it is to connect locally to RDP on a non-standard port. In the RDP dialog box, I have 127.0.0.10:12121, then in stunnel on the local side is:
[xxx-rdp]
accept = 127.0.0.10:12121
connect = server:12122
client = yes
on the remote side is
[rdp-incoming]
accept = 12122
connect = 3389
client = no
Normally RDP listens for any connection to port 3389, so I found it was easiest to get it to work by moving off that port. Note that you have to open port 12122 in the firewall on the remote side. On the other hand, you can close 3389 on the remote side which takes away an obvious port for hackers.
Carter
garberfc wrote:
Hi All
I'm a relative newbie to Stunnel, and am trying to set up a tunnel so I can Remote Desktop from work to my PC/server at home.
I'm using version 4.20 of the Windows binaries.
I've tested the configuration and it works from home using a laptop that is going through my firewall when I enter my domain home (so my firewall is set up correctly). I tried a variety of common ports and got the same response every time. I had to use the 127.0.0.2 on the client because Remote Desktop didn't want me connecting to myself...
When I try it from work I get a dialog box: The client could not establish a connection to the remote computer. The most likely causes for this error are:
- Remote connections might not be enabled at the remote computer.
- The maximum number of connections was exceeded at the remote computer.
- A network error occurred while establishing the connection.
My config is as follows:
#Client
;cert = stunnel.pem
;key = stunnel.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[https-RDT]
accept = 127.0.0.2:3389
connect = xx.xx.xx.xx:1494
#Server
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log
; Use it for client mode
client = no
; Service-level configuration
[https-RDT]
accept = 1494
connect = localhost:3389
Is there something I need to do to traverse this proxy? Any help would be greatly appreciated!
Here are the configs I've used. I must point out that I use certificates in both the client and server for authentication. Hence verify=3 in the config.
======= SERVER =======
;----------------------------------------------------
;-- SERVER OPTIONS
;----------------------------------------------------
;select data compression algorithm
compression = zlib
; Enable Taskbar icon
taskbar = yes
; Some performance tunings
; turn off the Nagle algorithm for local sockets
; turn off the Nagle algorithm for remote sockets
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[TServ]
;Certificate Authority file
CAfile = CAcert.pem
;Certificate Authority directory
CApath = certificates
;certificate chain PEM file name
;required in server mode
cert = server.pem
;client mode - no (server mode)
client = no
;level 3 - verify peer with locally installed certificate
verify = 3
accept = 50000
connect = 127.0.0.1:3389
======= CLIENT =======
;----------------------------------------------------
; GLOBAL OPTIONS
;----------------------------------------------------
;Logging Options
debug = 7
output = stunnel.log
; Some performance tunings
; turn off the Nagle algorithm for local sockets
; turn off the Nagle algorithm for remote sockets
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;----------------------------------------------------
; SERVICE-LEVEL OPTIONS
;----------------------------------------------------
[tserver]
accept = 127.0.0.1:50000
connect = <my_server_IP>:50000
;Server mode or Client mode
;Yes=Client mode
client = yes
;Certificate Authority file
CAfile = CAcert.pem
;Certificate Authority directory
CApath = certificates
;certificate chain PEM file name
cert = client.pem
;verify peer certificate
;level 3 - verify peer with locally installed certificate
verify = 3
;Select permitted SSL ciphers ':' delimited list
ciphers = AES256-SHA
--- Frank Garber garberfc@coolsite.net wrote:
<snip />
stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
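Carter's port-moved pair and Algol's certificate-authenticated pair both depend on a handful of values agreeing across the two files: the client's connect port must be the server's accept port (and the one opened in the remote firewall), the client must listen on loopback only, the server must hand plain RDP to its own 3389, and if the server demands a client certificate the client has to carry one. The following is an added example, not code posted by anyone in this thread: a POSIX shell checker that reads a client and a server stunnel.conf the way stunnel does (';' and '#' lines are comments, options before the first section header are defaults for every service) and reports exactly those mismatches. The sample pair it writes is constructed in the style of Algol's [TServ]/[tserver] configs; the file names, the host name home.example.net and the target directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): consistency check for a client/server
# pair of stunnel.conf files. Sample configs are constructed, not the poster's.

# Print "section<TAB>key<TAB>value" for every option in a stunnel.conf.
# ';' and '#' lines are comments; options before the first [section] are
# reported under the pseudo-section "global".
stunnel_conf_triples() {
    sed -e 's/^[[:space:]]*//' -e '/^[;#]/d' -e '/^[[:space:]]*$/d' "$1" |
    awk -v OFS='\t' -v section=global '
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
        index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1); sub(/[ \t]+$/, "", k)
            v = substr($0, index($0, "=") + 1);  sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print section, k, v
        }'
}

# conf_get FILE SECTION KEY: the service-level value, falling back to the
# global default (stunnel applies options written before the first section
# header to every service).
conf_get() {
    stunnel_conf_triples "$1" | awk -F'\t' -v s="$2" -v k="$3" '
        $2 == k && $1 == "global" { g = $3 }
        $2 == k && $1 == s        { v = $3 }
        END { print (v != "" ? v : g) }'
}

# check_tunnel_pair CLIENT_CONF CLIENT_SVC SERVER_CONF SERVER_SVC
# Returns 0 when the pair is consistent; prints each problem found.
check_tunnel_pair() {
    c_acc=$(conf_get "$1" "$2" accept);  c_con=$(conf_get "$1" "$2" connect)
    s_acc=$(conf_get "$3" "$4" accept);  s_con=$(conf_get "$3" "$4" connect)
    rc=0
    [ "$(conf_get "$1" "$2" client)" = yes ] ||
        { echo "client side: client = yes missing"; rc=1; }
    [ "$(conf_get "$3" "$4" client)" != yes ] ||
        { echo "server side: client = yes set, so it will not accept TLS clients"; rc=1; }
    # The RDP client talks to stunnel on the same machine: listen on loopback
    # only, so nothing else on the LAN can ride the tunnel.
    case "$c_acc" in 127.*:*) ;; *) echo "client accept '$c_acc' is not loopback"; rc=1 ;; esac
    # The port the client connects to must be the port the server accepts on.
    [ "${c_con##*:}" = "${s_acc##*:}" ] ||
        { echo "port mismatch: client connect ${c_con##*:} vs server accept ${s_acc##*:}"; rc=1; }
    # The server end terminates TLS and hands plain RDP to the local host only.
    case "$s_con" in 3389|127.0.0.1:3389|localhost:3389) ;; *)
        echo "server connect '$s_con' is not local RDP (3389)"; rc=1 ;; esac
    # Mutual authentication as in Algol's configs: verify >= 2 on the server
    # needs CAfile or CApath, and the client then has to present a cert.
    s_ver=$(conf_get "$3" "$4" verify)
    if [ "${s_ver:-0}" -ge 2 ]; then
        [ -n "$(conf_get "$3" "$4" CAfile)$(conf_get "$3" "$4" CApath)" ] ||
            { echo "server verify = $s_ver but neither CAfile nor CApath set"; rc=1; }
        [ -n "$(conf_get "$1" "$2" cert)" ] ||
            { echo "server requires a client certificate but client has no cert ="; rc=1; }
    else
        echo "note: server verify is ${s_ver:-unset}: any TLS client is accepted, as in the first post's config"
    fi
    return $rc
}

# Constructed sample pair modelled on the posted [TServ]/[tserver] configs.
write_sample_configs() {
    cat > "$1/server.conf" <<'EOF'
; SERVER OPTIONS
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[TServ]
CAfile = CAcert.pem
CApath = certificates
cert = server.pem
client = no
verify = 3
accept = 50000
connect = 127.0.0.1:3389
EOF
    cat > "$1/client.conf" <<'EOF'
; GLOBAL OPTIONS
debug = 7
output = stunnel.log
[tserver]
accept = 127.0.0.1:50000
connect = home.example.net:50000
client = yes
CAfile = CAcert.pem
CApath = certificates
cert = client.pem
verify = 3
EOF
}

# Usage: sh check.sh DIR   (DIR holds client.conf and server.conf)
if [ -n "${1:-}" ]; then
    check_tunnel_pair "$1/client.conf" tserver "$1/server.conf" TServ && echo "pair consistent"
fi
```

The checker deliberately treats a missing `client =` on the server as server mode, which is stunnel's default and what Carter's `client = no` spells out; the note it prints when the server has no `verify` line is the difference between the configs in the first post, where any TLS client that reaches the accept port is forwarded to RDP, and Algol's, where the server only talks to a client holding a certificate it recognises.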
Algol Tradent wrote:
<snip />
I had a question about your setting:
;Certificate Authority directory
CApath = certificates
Where does your 'certificates' directory live in relation to the stunnel.conf file?
Did you create the server.pem, client.pem and CAcert.pem files yourself? Are any of these files the same files or all different?
Thanks for the help,
Frank
Greetings,
To answer your questions: "Where does your 'certificates' directory live in relation to the stunnel.conf file?"
The 'certificates' directory in my configuration is in the same directory as the stunnel.conf file.
"Did you create the server.pem, client.pem and CAcert.pem file your self?"
Yes, I did. I created my own Self-Signed Certificates. Here is a link I found very useful for this: http://sial.org/howto/openssl/
CAcert.pem is the Certificate Authority's Certificate
Server.pem is the server's certificate
Client.pem is the client's certificate
Notice that Stunnel requires key + certificate in the .pem files (see man page).
"Are any of these files the same files or all different?"
I'm not sure I understand your question 100%, but the CAcert.pem is the same in both server and client. Then the server.pem and client.pem are different files.
Here is another link with an example that you can adapt for RDP: http://www.securityfocus.com/infocus/1677
I hope this helps
Best Regards
--- garberfc garberfc@coolsite.net wrote:
Algol Tradent wrote:
Here are the configs I've used. I must point out
that
I use certificates in both the client and server
for
authentication. Hence verify=3 in the config.
======= SERVER =======
;----------------------------------------------------
;-- SERVER OPTIONS
;----------------------------------------------------
;select data compression algorithm compression = zlib
; Enable Taskbar icon taskbar = yes
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
[TServ]
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name ;required in server mode cert = server.pem
;client mode - no (server mode) client = no
;level 3 - verify peer with locally installed certificate verify = 3
accept = 50000 connect = 127.0.0.1:3389
======= CLIENT =======
;----------------------------------------------------
; GLOBAL OPTIONS
;----------------------------------------------------
;Logging Options debug = 7 output = stunnel.log
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
;----------------------------------------------------
; SERVICE-LEVEL OPTIONS
;----------------------------------------------------
[tserver] accept = 127.0.0.1:50000 connect = <my_server_IP>:50000
;Server mode or Client mode ;Yes=Client mode client = yes
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name cert = client.pem
;verify peer certificate ;level 3 - verify peer with locally installed certificate verify = 3
;Select permitted SSL ciphers ':' delimited list ciphers = AES256-SHA
--- Frank Garber garberfc@coolsite.net wrote:
<snip />
I had a question about your setting: ;Certificate Authority directory CApath = certificates
Where does your 'certificates' directory live in relation to the stunnel.conf file?
Did you create the server.pem, client.pem and CAcert.pem file your self? Are any of these files the same files or all different?
Thanks for the help,
Frank
-- View this message in context:
http://www.nabble.com/Using-stunnel-for-RDP---Proxy---Firewall-tf4654985.htm...
Sent from the Stunnel - Users mailing list archive at Nabble.com.
stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Thanks for all the information, it's been a big help. I had a problem generating the server key / certificate. I posted my question/problem on the openssl.org mailing list.
Frank
Algol Tradent wrote:
<snip />
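Algol's answer lists the three files the configs reference (the same CAcert.pem on both sides, a different server.pem and client.pem) and notes that stunnel wants key and certificate together in each .pem, and Frank's last message mentions trouble generating the server key and certificate. The script below is an added example, not something posted in the thread: it builds a private CA, issues a server and a client certificate from it, writes the .pem files in stunnel's key-plus-certificate layout together with a hashed CApath directory, and then runs the checks that catch the usual mistakes (a key and certificate from different runs, a .pem holding only one of the two, a certificate not issued by the shared CA, a peer certificate missing from CApath). It assumes the openssl command line is installed; the CN values, key sizes, lifetimes and the target directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build CAcert.pem, server.pem,
# client.pem and a hashed certificates/ directory for the posted configs,
# then check them. All names, sizes and lifetimes are constructed values.

make_stunnel_pki() {
    dir=${1:-./stunnel-pki}
    mkdir -p "$dir/certificates" || return 1
    # Private CA. Only its certificate is distributed; ca.key stays offline.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Home RDP tunnel CA (constructed)" \
        -keyout "$dir/ca.key" -out "$dir/CAcert.pem" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/ca.key"
    for name in server client; do
        # One key and CSR per endpoint, signed by the CA above.
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=stunnel-$name (constructed)" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
            -CA "$dir/CAcert.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$name.crt" >/dev/null 2>&1 || return 1
        # stunnel reads key and certificate from one PEM file: concatenate.
        cat "$dir/$name.key" "$dir/$name.crt" > "$dir/$name.pem" || return 1
        chmod 600 "$dir/$name.key" "$dir/$name.pem"
    done
    # CApath lookups go by subject hash (HASH.0). verify = 3 also looks the
    # peer's own certificate up here, so the directory carries the CA cert
    # plus both endpoint certs; give each side only the peer it expects if
    # you prefer. -hash is the current OpenSSL scheme; 0.9.8-era builds use
    # the older one (-subject_hash_old on newer OpenSSL).
    for f in CAcert.pem server.crt client.crt; do
        cp "$dir/$f" "$dir/certificates/$f"
        h=$(openssl x509 -noout -hash -in "$dir/$f") || return 1
        ln -sf "$f" "$dir/certificates/$h.0"
    done
}

# What stunnel needs from a .pem: a private key AND a certificate.
pem_has_key_and_cert() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# A certificate issued for a different key than the one beside it is the
# classic symptom of a key/cert generated in separate runs.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

verify_stunnel_pki() {
    dir=${1:-./stunnel-pki}
    for name in server client; do
        pem_has_key_and_cert "$dir/$name.pem" || { echo "$name.pem lacks key or cert"; return 1; }
        key_matches_cert "$dir/$name.key" "$dir/$name.crt" || { echo "$name: key/cert mismatch"; return 1; }
        # Chain check, as verify = 2 does: issued by the shared CA.
        openssl verify -CAfile "$dir/CAcert.pem" "$dir/$name.crt" >/dev/null 2>&1 ||
            { echo "$name.crt does not chain to CAcert.pem"; return 1; }
        # Local-copy check, as verify = 3 does: the peer cert is in CApath.
        h=$(openssl x509 -noout -hash -in "$dir/$name.crt")
        [ -f "$dir/certificates/$h.0" ] || { echo "$name.crt missing from CApath"; return 1; }
    done
    # Negative check: a certificate from an unrelated CA must NOT verify.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated (constructed)" \
        -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1 || return 1
    if openssl verify -CAfile "$dir/CAcert.pem" "$dir/other.crt" >/dev/null 2>&1; then
        echo "unrelated certificate verified: CAcert.pem is not constraining trust"; return 1
    fi
    return 0
}

# Usage: sh make-pki.sh DIR
if [ -n "${1:-}" ]; then
    make_stunnel_pki "$1" && verify_stunnel_pki "$1" && echo "PKI ready in $1"
fi
```

Copy CAcert.pem and certificates/ to both machines, server.pem to the server and client.pem to the client, matching the CAfile, CApath and cert lines in Algol's configs; leave ca.key off both of them. Because the HASH.0 names depend on the OpenSSL build that computes them, regenerate the links on the machine whose stunnel will read the directory rather than copying them from a build with a different hash scheme.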