Hi
I use stunnel on a DMZ server for tunnelling/forwarding/proxying... (whatever term is correct).
The situation is as follows:

Hardware :      External PC <==> DMZ server <==> company-internal server
Operational :   https://xxx.yy.zz (443) <==> (443) stunnel (80) <==> (80) SVN Server listening on port 80
NEW/NEED HELP : plink (22) <==> (22) stunnel (22) <==> (22) sshd listening on port 22
stunnel.conf (on the DMZ server) looks like this:
    cert = my_tunnel.pem
    key = my_tunnel.pem
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    socket = a:SO_REUSEADDR=0
    debug = 7
    output = C:\Program Files (x86)\stunnel\stunnel.log
    ;client = yes

    [forward_443_to_80]
    accept = 443
    connect = my.company-server.net:80

    [forward_22]
    accept = 22
    connect = my.company-server.net:22
NOTE: Forwarding 443 to my.company-server.net:80 => WORKS FINE!
NOW I try SSH with my PC connected to the company's network (without hopping at the DMZ): "plink -A -v -l username -i cert_file -P 22 dmz-server-name.net" => THIS WORKS FINE!
NOW I try SSH with my PC from external network (which needs hopping at the DMZ): "plink -A -v -l username -i cert_file -P 22 dmz-server-name.net"
Firewalls and ports seem to be open. The stunnel.log looks like this:

<<starting stunnel service>>
2011.03.17 15:27:09 LOG5[4772:3852]: Reading configuration from file stunnel.conf
2011.03.17 15:27:09 LOG7[4772:3852]: Snagged 64 random bytes from C:/.rnd
2011.03.17 15:27:09 LOG7[4772:3852]: Wrote 1024 new random bytes to C:/.rnd
2011.03.17 15:27:09 LOG7[4772:3852]: PRNG seeded successfully
2011.03.17 15:27:09 LOG6[4772:3852]: Could not load DH parameters from my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: ECDH initialized
2011.03.17 15:27:09 LOG7[4772:3852]: Certificate: my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: Certificate loaded
2011.03.17 15:27:09 LOG7[4772:3852]: Key file: my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: Private key loaded
2011.03.17 15:27:09 LOG7[4772:3852]: SSL context initialized for service forward_443_to_80
2011.03.17 15:27:09 LOG6[4772:3852]: Could not load DH parameters from my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: ECDH initialized
2011.03.17 15:27:09 LOG7[4772:3852]: Certificate: my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: Certificate loaded
2011.03.17 15:27:09 LOG7[4772:3852]: Key file: my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: Private key loaded
2011.03.17 15:27:09 LOG7[4772:3852]: SSL context initialized for service forward_22
2011.03.17 15:27:09 LOG5[4772:3852]: Configuration successful
2011.03.17 15:27:09 LOG5[4772:3852]: No limit detected for the number of clients
2011.03.17 15:27:09 LOG7[4772:3852]: accept socket: FD=168 allocated (non-blocking mode)
2011.03.17 15:27:09 LOG7[4772:3852]: Option SO_REUSEADDR set on accept socket
2011.03.17 15:27:09 LOG7[4772:3852]: Service forward_443_to_80 bound to 0.0.0.0:443
2011.03.17 15:27:09 LOG7[4772:3852]: Service forward_443_to_80 opened FD=168
2011.03.17 15:27:09 LOG7[4772:3852]: accept socket: FD=280 allocated (non-blocking mode)
2011.03.17 15:27:09 LOG7[4772:3852]: Option SO_REUSEADDR set on accept socket
2011.03.17 15:27:09 LOG7[4772:3852]: Service forward_22 bound to 0.0.0.0:22
2011.03.17 15:27:09 LOG7[4772:3852]: Service forward_22 opened FD=280
2011.03.17 15:27:09 LOG5[4772:3852]: stunnel 4.35 on x86-pc-mingw32-gnu with OpenSSL 1.0.0c 2 Dec 2010
2011.03.17 15:27:09 LOG5[4772:3852]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
<<calling plink...>>
2011.03.17 15:27:26 LOG7[4772:4208]: local socket: FD=320 allocated (non-blocking mode)
2011.03.17 15:27:26 LOG7[4772:4208]: Service forward_22 accepted FD=320 from 123.4.5.6:2950
2011.03.17 15:27:26 LOG7[4772:4208]: Creating a new thread
2011.03.17 15:27:26 LOG7[4772:4208]: New thread created
2011.03.17 15:27:26 LOG7[4772:4756]: Service forward_22 started
2011.03.17 15:27:26 LOG7[4772:4756]: Option TCP_NODELAY set on local socket
2011.03.17 15:27:26 LOG5[4772:4756]: Service forward_22 accepted connection from 123.4.5.6:2950
2011.03.17 15:27:26 LOG7[4772:4756]: SSL state (accept): before/accept initialization
<<and here it gets stuck!!!!!!!>>
plink says:

Looking up host "dmz-server-name.net"
Connecting to 123.12.1.1 port 22
<<and here it gets stuck!!!!!!!>>
PLEASE HELP!!!
On Thu, 2011-03-17 15:48:27 +0100, Bernhard.Baeumle@mt.com wrote:
> Hi
> I use stunnel on a DMZ server for tunnelling/forwarding/proxying... (whatever term is correct).
> The situation is as follows:
>
> Hardware :      External PC <==> DMZ server <==> company-internal server
> Operational :   https://xxx.yy.zz (443) <==> (443) stunnel (80) <==> (80) SVN Server listening on port 80
> NEW/NEED HELP : plink (22) <==> (22) stunnel (22) <==> (22) sshd listening on port 22
I don't think the clients bind() to the ports they connect() to, i.e. your picture should look like this:
                  external PC             DMZ server            internal server

https://xxx.yy.zz (p1) ==> (443) stunnel (p2) --> (80) SVN Server
plink             (p3) ==> (22)  stunnel (p4) --> (22) sshd
p1 through p4 are arbitrary port numbers. ==> and --> are encrypted and clear-text connections, respectively.
Does sshd cope with clear-text connections?
If yes, "telnet dmz-server-name.net 22" (or the rlogin equivalent) should work on an internal workstation.
Ludolf
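The stunnel.log above stops at "SSL state (accept): before/accept initialization" because plink opens a plain TCP connection and waits for the SSH banner, while the DMZ service forward_22 is waiting for a TLS ClientHello that never arrives; each side waits for the other. The ==> leg in the diagram has to be TLS, so the external PC needs a client-mode stunnel in front of plink. The following stunnel.conf for the external PC is an added example, not from the thread; the log path, the local port 2222 and the CA file name my_tunnel_ca.pem are assumptions.

```ini
; Added example (not from the thread): stunnel.conf on the EXTERNAL PC.
; Wraps plink's plain SSH stream in TLS so that the DMZ service
; forward_22 receives the TLS handshake it is blocked waiting for.
client = yes
debug = 7
; assumed path, mirrors the DMZ installation
output = C:\Program Files (x86)\stunnel\stunnel.log

; Verify the DMZ stunnel's certificate instead of trusting any peer.
; my_tunnel_ca.pem is an assumed file: the CA that signed my_tunnel.pem
; (or my_tunnel.pem itself if it is self-signed).
verify = 2
CAfile = my_tunnel_ca.pem

[ssh_to_dmz]
; bind to loopback only, so other hosts cannot ride this tunnel
; (port 2222 is an assumption)
accept = 127.0.0.1:2222
; TLS side of forward_22 on the DMZ server
connect = dmz-server-name.net:22
```

plink then targets the local listener instead of the DMZ host: plink -A -v -l username -i cert_file -P 2222 127.0.0.1. Because plink now sees 127.0.0.1:2222 as the host, it will cache the internal sshd's host key under that name; confirm the fingerprint against the real sshd on first use rather than accepting it blindly.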