Re: [stunnel-users] Using stunnel for RDP / Proxy / Firewall
I tried using the port you suggested and got the same result. I'm able to verify my firewall is letting the traffic through and that my ISP is not blocking the port by using www.canyouseeme.org . Again, all my settings work when I'm not going through the corporate firewall. Can you send me your whole config file for both your client and server sides? I'm wondering if it has to do with my certificate settings. Thanks, Frank ----- Original Message ---- From: Carter Browne <xxxx> To: garberfc <xxxx> Sent: Monday, October 22, 2007 8:07:11 AM Subject: Re: [stunnel-users] Using stunnel for RDP / Proxy / Firewall I do this all the time. The way I do it is to connect locally to RDP on a non-stardard port. In the RDP dialog box, I have 127.0.0.10:12121, then in stunnel on the local side is: [xxx-rdp] accept = 127.0.0.10:12121 connect = server:12122 client = yes on the remote side is [rdp-incoming] accept = 12122 connect = 3389 client = no. Normally RDP listens for any connection to port 3389, so I found it was easiest to get to to work by moving off that port. Note that you have to open port 12122 in the firewall on the remote side. On the other hand, you can close 3389 on the remote side which takes away an obvious port for hackers. Carter garberfc wrote:
Hi All
I'm a relative newbie to Stunnel, and am trying to set up a tunnel so I can Remote Desktop from work to my PC/server at home.
I'm using versions 4.20 of the Windows binaries.
I've tested the configuration and it works from home using a laptop that is going through my firewall when I enter my domain home (so my firewall is set up correctly). I tried a variety of common ports and got the same response every time. I had to use the 127.0.0.2 on the client because Remote Desktop didn't want me connecting to myself...
When I try if from work I get a dialog box: The client could not establish a connection to the remote computer. The most likely causes for this error are: 1) Remote connections might not be enabled at the remote computer. 2)The maximum number of connections was exceeded at the remote computer. 3) A network error occurred while establishing the connection.
My config is as follows:
#Client ;cert = stunnel.pem ;key = stunnel.pem
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log
; Use it for client mode client = yes
; Service-level configuration [https-RDT] accept = 127.0.0.2:3389 connect = xx.xx.xx.xx:1494
#Server ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log
; Use it for client mode client = no
; Service-level configuration [https-RDT] accept = 1494 connect = localhost:3389
Is there something I need to do to traverse this proxy? Any help would be greatly appreciated!
Here are the configs I've used. I must point out that I use certificates in both the client and server for authentication. Hence verify=3 in the config. ======= SERVER ======= ;---------------------------------------------------- ;-- SERVER OPTIONS ;---------------------------------------------------- ;select data compression algorithm compression = zlib ; Enable Taskbar icon taskbar = yes ; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 [TServ] ;Certificate Authority file CAfile = CAcert.pem ;Certificate Authority directory CApath = certificates ;certificate chain PEM file name ;required in server mode cert = server.pem ;client mode - no (server mode) client = no ;level 3 - verify peer with locally installed certificate verify = 3 accept = 50000 connect = 127.0.0.1:3389 ======= CLIENT ======= ;---------------------------------------------------- ; GLOBAL OPTIONS ;---------------------------------------------------- ;Logging Options debug = 7 output = stunnel.log ; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;---------------------------------------------------- ; SERVICE-LEVEL OPTIONS ;---------------------------------------------------- [tserver] accept = 127.0.0.1:50000 connect = <my_server_IP>:50000 ;Server mode or Client mode ;Yes=Client mode client = yes ;Certificate Authority file CAfile = CAcert.pem ;Certificate Authority directory CApath = certificates ;certificate chain PEM file name cert = client.pem ;verify peer certificate ;level 3 - verify peer with locally installed certificate verify = 3 ;Select permitted SSL ciphers ':' delimited list ciphers = AES256-SHA --- Frank Garber <garberfc@coolsite.net> wrote:
I tried using the port you suggested and got the same result. I'm able to verify my firewall is letting the traffic through and that my ISP is not blocking the port by using www.canyouseeme.org . Again, all my settings work when I'm not going through the corporate firewall.
Can you send me your whole config file for both your client and server sides? I'm wondering if it has to do with my certificate settings.
Thanks,
Frank
----- Original Message ---- From: Carter Browne <xxxx> To: garberfc <xxxx> Sent: Monday, October 22, 2007 8:07:11 AM Subject: Re: [stunnel-users] Using stunnel for RDP / Proxy / Firewall
I do this all the time. The way I do it is to connect locally to RDP on a non-stardard port. In the RDP dialog box, I have 127.0.0.10:12121, then in stunnel on the local side is:
[xxx-rdp] accept = 127.0.0.10:12121 connect = server:12122 client = yes
on the remote side is
[rdp-incoming] accept = 12122 connect = 3389 client = no.
Normally RDP listens for any connection to port 3389, so I found it was easiest to get to to work by moving off that port. Note that you have to open port 12122 in the firewall on the remote side. On the other hand, you can close 3389 on the remote side which takes away an obvious port for hackers.
Carter
garberfc wrote:
Hi All
I'm a relative newbie to Stunnel, and am trying to set up a tunnel so I can Remote Desktop from work to my PC/server at home.
I'm using versions 4.20 of the Windows binaries.
I've tested the configuration and it works from home using a laptop that is going through my firewall when I enter my domain home (so my firewall is set up correctly). I tried a variety of common ports and got the same response every time. I had to use the 127.0.0.2 on the client because Remote Desktop didn't want me connecting to myself...
When I try if from work I get a dialog box: The client could not establish a connection to the remote computer. The most likely causes for this error are: 1) Remote connections might not be enabled at the remote computer. 2)The maximum number of connections was exceeded at the remote computer. 3) A network error occurred while establishing the connection.
My config is as follows:
#Client ;cert = stunnel.pem ;key = stunnel.pem
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log
; Use it for client mode client = yes
; Service-level configuration [https-RDT] accept = 127.0.0.2:3389 connect = xx.xx.xx.xx:1494
#Server ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log
; Use it for client mode client = no
; Service-level configuration [https-RDT] accept = 1494 connect = localhost:3389
Is there something I need to do to traverse this proxy? Any help would be greatly appreciated!
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Algol Tradent wrote:
Here are the configs I've used. I must point out that I use certificates in both the client and server for authentication. Hence verify=3 in the config.
======= SERVER =======
;---------------------------------------------------- ;-- SERVER OPTIONS ;----------------------------------------------------
;select data compression algorithm compression = zlib
; Enable Taskbar icon taskbar = yes
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
[TServ]
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name ;required in server mode cert = server.pem
;client mode - no (server mode) client = no
;level 3 - verify peer with locally installed certificate verify = 3
accept = 50000 connect = 127.0.0.1:3389
======= CLIENT =======
;---------------------------------------------------- ; GLOBAL OPTIONS ;----------------------------------------------------
;Logging Options debug = 7 output = stunnel.log
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
;---------------------------------------------------- ; SERVICE-LEVEL OPTIONS ;---------------------------------------------------- [tserver] accept = 127.0.0.1:50000 connect = <my_server_IP>:50000
;Server mode or Client mode ;Yes=Client mode client = yes
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name cert = client.pem
;verify peer certificate ;level 3 - verify peer with locally installed certificate verify = 3
;Select permitted SSL ciphers ':' delimited list ciphers = AES256-SHA
--- Frank Garber <garberfc@coolsite.net> wrote: <snip />
I had a question about your setting: ;Certificate Authority directory CApath = certificates Where does your 'certificates' directory live in relation to the stunnel.conf file? Did you create the server.pem, client.pem and CAcert.pem file your self? Are any of these files the same files or all different? Thanks for the help, Frank -- View this message in context: http://www.nabble.com/Using-stunnel-for-RDP---Proxy---Firewall-tf4654985.htm... Sent from the Stunnel - Users mailing list archive at Nabble.com.
Greetings, To answer your questions: "Where does your 'certificates' directory live in relation to the stunnel.conf file?" The 'certificates' directory in my configuration is in the same directory as the stunnel.conf file. "Did you create the server.pem, client.pem and CAcert.pem file your self?" Yes, I did. I created my own Self-Signed Certificates. Here is a link I found very useful for this http://sial.org/howto/openssl/ CAcert.pem is the Certificate Authority's Certificate Server.pem is the server's certificate Client.pem is the client's certificate Notice that Stunnel requires key + certificate in the .pem files (see man page) "Are any of these files the same files or all different?" I'm not sure I understand your question 100% but, The CAcert.pem is the same in both server and client. Then the server.pem and client.pem are different files. Here is another link with an example that you can adapt for RDP http://www.securityfocus.com/infocus/1677 I hope this helps Best Regards --- garberfc <garberfc@coolsite.net> wrote:
Algol Tradent wrote:
Here are the configs I've used. I must point out
that
I use certificates in both the client and server for authentication. Hence verify=3 in the config.
======= SERVER =======
;----------------------------------------------------
;-- SERVER OPTIONS
;----------------------------------------------------
;select data compression algorithm compression = zlib
; Enable Taskbar icon taskbar = yes
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
[TServ]
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name ;required in server mode cert = server.pem
;client mode - no (server mode) client = no
;level 3 - verify peer with locally installed certificate verify = 3
accept = 50000 connect = 127.0.0.1:3389
======= CLIENT =======
;----------------------------------------------------
; GLOBAL OPTIONS
;----------------------------------------------------
;Logging Options debug = 7 output = stunnel.log
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
;----------------------------------------------------
; SERVICE-LEVEL OPTIONS
;----------------------------------------------------
[tserver] accept = 127.0.0.1:50000 connect = <my_server_IP>:50000
;Server mode or Client mode ;Yes=Client mode client = yes
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name cert = client.pem
;verify peer certificate ;level 3 - verify peer with locally installed certificate verify = 3
;Select permitted SSL ciphers ':' delimited list ciphers = AES256-SHA
--- Frank Garber <garberfc@coolsite.net> wrote: <snip />
I had a question about your setting: ;Certificate Authority directory CApath = certificates
Where does your 'certificates' directory live in relation to the stunnel.conf file?
Did you create the server.pem, client.pem and CAcert.pem file your self? Are any of these files the same files or all different?
Thanks for the help,
Frank
-- View this message in context:
http://www.nabble.com/Using-stunnel-for-RDP---Proxy---Firewall-tf4654985.htm...
Sent from the Stunnel - Users mailing list archive at Nabble.com.
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Thanks for all the information, it's been a big help. I had a problem generating the server key / certificate. I posted my question/problem on the openssl.org mailing list. Frank Algol Tradent wrote:
Greetings,
To answer your questions: "Where does your 'certificates' directory live in relation to the stunnel.conf file?"
The 'certificates' directory in my configuration is in the same directory as the stunnel.conf file.
"Did you create the server.pem, client.pem and CAcert.pem file your self?"
Yes, I did. I created my own Self-Signed Certificates. Here is a link I found very useful for this http://sial.org/howto/openssl/
CAcert.pem is the Certificate Authority's Certificate Server.pem is the server's certificate Client.pem is the client's certificate
Notice that Stunnel requires key + certificate in the .pem files (see man page)
"Are any of these files the same files or all different?"
I'm not sure I understand your question 100% but, The CAcert.pem is the same in both server and client. Then the server.pem and client.pem are different files.
Here is another link with an example that you can adapt for RDP http://www.securityfocus.com/infocus/1677
I hope this helps
Best Regards
--- garberfc <garberfc@coolsite.net> wrote:
Algol Tradent wrote:
Here are the configs I've used. I must point out
that
I use certificates in both the client and server for authentication. Hence verify=3 in the config.
======= SERVER =======
;----------------------------------------------------
;-- SERVER OPTIONS
;----------------------------------------------------
;select data compression algorithm compression = zlib
; Enable Taskbar icon taskbar = yes
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
[TServ]
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name ;required in server mode cert = server.pem
;client mode - no (server mode) client = no
;level 3 - verify peer with locally installed certificate verify = 3
accept = 50000 connect = 127.0.0.1:3389
======= CLIENT =======
;----------------------------------------------------
; GLOBAL OPTIONS
;----------------------------------------------------
;Logging Options debug = 7 output = stunnel.log
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
;----------------------------------------------------
; SERVICE-LEVEL OPTIONS
;----------------------------------------------------
[tserver] accept = 127.0.0.1:50000 connect = <my_server_IP>:50000
;Server mode or Client mode ;Yes=Client mode client = yes
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name cert = client.pem
;verify peer certificate ;level 3 - verify peer with locally installed certificate verify = 3
;Select permitted SSL ciphers ':' delimited list ciphers = AES256-SHA
--- Frank Garber <garberfc@coolsite.net> wrote: <snip />
I had a question about your setting: ;Certificate Authority directory CApath = certificates
Where does your 'certificates' directory live in relation to the stunnel.conf file?
Did you create the server.pem, client.pem and CAcert.pem file your self? Are any of these files the same files or all different?
Thanks for the help,
Frank
-- View this message in context:
http://www.nabble.com/Using-stunnel-for-RDP---Proxy---Firewall-tf4654985.htm...
Sent from the Stunnel - Users mailing list archive at Nabble.com.
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
-- View this message in context: http://www.nabble.com/Using-stunnel-for-RDP---Proxy---Firewall-tf4654985.htm... Sent from the Stunnel - Users mailing list archive at Nabble.com.
participants (3)
-
Algol Tradent -
Frank Garber -
garberfc