Hello list.
I am new to stunnel and have some problems getting it running.
The server is a WinXPSP2 behind a router. The router has port forwarding enabled for port 9999 to the stunnel server (4.21). On the same box a VNC server is running on port 5900 which I would like to tunnel. The firewall is open. netstat -a -n shows the server listening on the desired port (9999).
My server config looks like this:

cert = stunnel.pem
;key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143

[ssmtp]
accept = 465
connect = 25

[VNC Server]
accept = 9999
connect = 5900

The client side is a Linux box with this config:

client = yes

[VNC Server]
accept = 5900
connect = 9999
I turned on debugging and stunnel.log seems to be okay - no error messages.
But I am not able to get a connection.
What am I doing wrong?
Stefan
Hello's :-)

Welcome to the list :-)
Change on server

[VNC Server]
accept = 9999
connect = 5900

to

[VNC Server]
accept = 9999
connect = 127.0.0.1:5900

On the server you need to specify the place where the service needs to connect to. Thus you should specify the localhost IP so that when the server receives a connection on port 9999 it directs it to the server itself.
Change on client

[VNC Server]
accept = 5900
connect = 9999

to

[VNC Server]
accept = 5900
connect = your_router_ip:9999

When connecting to the service, you need to specify the server's IP address where the connection needs to go; if you don't, stunnel won't know where to direct the traffic to.

What should happen is that you specify your connection in VNC as 127.0.0.1:5900; VNC will then connect to stunnel, which will direct the traffic to the server, which will in turn direct it to the VNC service on itself.

Let me know if you get stuck and I will generate a config file for you. Also, it is recommended that you don't use the default stunnel.pem file. Please create a new certificate on the server and client and use verify = 3 to completely secure the connection. This will prevent someone else that also has the stunnel.pem file from connecting to your server.

Let me know if you need help with the creation of the certificates. It's pretty straightforward ;-)
Cheers,
Craig
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Hello Craig.
Thanks a lot - this was exactly the information needed.
Communities live because of people like you! The perfect answer: friendly, with some explanations where needed, and the offer to help even further.
Thanks again.
Stefan
P.S.: I think I can do the pem file by myself - I'll try tomorrow.
You are most welcome, Stefan :-)
Thank you for the compliment. It is always nice to have someone respond and thank the list when the solution worked.
My offer still stands if you need help at any time.
Have a good one!
Cheers
Craig
-----Original Message-----
From: fuzzy_4711 [mailto:fuzzy_4711@gmx.de]
Sent: 02 November 2007 03:49 PM
To: Craig Retief
Cc: stunnel-users@mirt.net
Subject: Re: [stunnel-users] newbie config not running
Ladies and Gentlemen,
I used VNC with stunnel and it seems to be working, but the stunnel log on the server side records the server's IP address instead of the client address. Any suggestion to fix this?
Thanks
J Z
----- Original Message -----
From: "Craig Retief" stunnel@rsw.co.za
To: fuzzy_4711@gmx.de
Cc: stunnel-users@mirt.net
Sent: Wednesday, November 07, 2007 1:32 AM
Subject: Re: [stunnel-users] newbie config not running
Try playing around with the debug level and see what the difference is. You can read the included manual on what the different levels do.
From the manual:

debug = [facility.]level
    debugging level

    Level is one of the syslog level names or numbers: emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

    The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

    Case is ignored for both facilities and levels.
If you are still having problems you can always post your config file here and the list can take a look at what you have done and make recommendations on it.
Cheers
Craig
-----Original Message-----
From: jilin zhang [mailto:jz@ellingtongeologic.com]
Sent: 08 November 2007 04:59 PM
To: fuzzy_4711@gmx.de; Craig Retief
Cc: stunnel-users@mirt.net
Subject: Re: [stunnel-users] newbie config not running
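The points Craig makes in this thread (an explicit host in connect, your own certificate instead of the stock stunnel.pem, verify = 3 with a CA file, and the debug = [facility.]level syntax from the manual) can be checked mechanically before a config is posted to the list. The linter below is an added example written for this page, not code from stunnel or from anyone on the list; the two sample configs are constructed from the thread, and treating ';' as a comment anywhere on a line is an assumption made to keep the parser short.

```python
"""Lint an stunnel 4.x style config for the problems discussed in this thread.
Added example for this page; not code from stunnel or from anyone on the list."""
import re

SYSLOG_LEVELS = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"}
# Constructed from the thread: Stefan's client config as posted, and a server config with Craig's fixes applied.
CLIENT_AS_POSTED = """client = yes
[VNC Server]
accept = 5900
connect = 9999
"""
SERVER_FIXED = """cert = vnc-server.pem   ; own certificate, not the stock stunnel.pem
verify = 3
CAfile = vnc-client.pem
debug = 7
[VNC Server]
accept = 9999
connect = 127.0.0.1:5900
"""

def parse_stunnel_conf(text):
    """Return (global options, {service: options}) with lower-cased keys.
    Assumption: ';' opens a comment anywhere on a line (a simplification)."""
    glob, services, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = m.group(1).strip()
            services[cur] = {}
            continue
        key, _, val = line.partition("=")
        (glob if cur is None else services[cur])[key.strip().lower()] = val.strip()
    return glob, services

def debug_level_ok(value):
    """'debug = [facility.]level': level is a syslog name or 0-7, case ignored."""
    level = value.rsplit(".", 1)[-1].strip().lower()
    return level in SYSLOG_LEVELS or (level.isdigit() and int(level) <= 7)

def check_config(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    glob, services = parse_stunnel_conf(text)
    out = []
    client = glob.get("client", "no").lower() == "yes"
    if glob.get("cert", "").endswith("stunnel.pem"):
        out.append("cert: stock stunnel.pem in use; create your own certificate")
    if "verify" not in glob:
        out.append("verify: not set, so the peer's certificate is never checked")
    elif glob["verify"] != "3":
        out.append("verify = %s; 3 also requires a locally installed peer cert" % glob["verify"])
    if "verify" in glob and "capath" not in glob and "cafile" not in glob:
        out.append("verify needs CApath or CAfile holding the trusted certificate")
    if "debug" in glob and not debug_level_ok(glob["debug"]):
        out.append("debug = %s is not a syslog level name or a number 0-7" % glob["debug"])
    for name, opts in services.items():
        if "accept" not in opts or "connect" not in opts:
            out.append("[%s]: needs both accept and connect" % name)
            continue
        host, sep, port = opts["connect"].rpartition(":")
        if not sep and client:
            out.append("[%s]: connect = %s has no host; give the server's address" % (name, port))
        elif not sep:
            out.append("[%s]: connect = %s; 127.0.0.1:%s makes the local target explicit" % (name, port, port))
        elif client and host in ("127.0.0.1", "localhost"):
            out.append("[%s]: client would connect to itself; use the remote server" % name)
    return out
```

Running check_config on CLIENT_AS_POSTED reports the missing host on connect and the absent verify; SERVER_FIXED comes back clean.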
When some clock read 2007-11-08 08:59 -0600, jilin zhang conveighed:
I used vnc with stunnel and it seems working. but the stunnel log on the server side records the server's IP address instead of the client address. Any suggestion to fix this?
The connection to your VNC server *is* coming from the server's IP address. So VNC is telling you the truth. And Stunnel can't "hack" the network stack to make it look like the connection is actually coming from the real client IP.
The only way to get the information you need is to correlate VNC login times with the stunnel logs.
Sorry.
Thanks. Brian.
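Brian's point is that the VNC server only ever sees 127.0.0.1, so the remote address has to be recovered by lining up the two logs by time. The script below is an added example written for this page, not code from stunnel, VNC or anyone on the list; both log excerpts are constructed for the demo (the stunnel timestamp layout and the "connected from" wording are assumptions, adjust ST_RE to your version), and it flags the cases where the correlation cannot decide.

```python
"""Recover the real client address of a tunnelled VNC session by correlating
the stunnel server log with the VNC server log, as Brian suggests.
Added example for this page; not code from stunnel, VNC or anyone on the list."""
import re
from datetime import datetime, timedelta

# Constructed stunnel server log. Timestamp layout and the "connected from"
# wording are assumptions for the demo; adjust ST_RE to your stunnel version.
STUNNEL_LOG = """\
2007.11.08 16:30:01 LOG5[2344:3124]: VNC Server connected from 203.0.113.7:51234
2007.11.08 16:41:09 LOG5[2344:3124]: VNC Server connected from 198.51.100.9:40022
2007.11.08 16:41:10 LOG5[2344:3124]: VNC Server connected from 203.0.113.7:51300
2007.11.08 17:05:00 LOG5[2344:3124]: pop3s connected from 192.0.2.44:1025
"""
# Constructed VNC server log: every source it sees is the local stunnel.
VNC_LOG = """\
2007-11-08 16:30:02 accepted 127.0.0.1::1201
2007-11-08 16:41:11 accepted 127.0.0.1::1202
2007-11-08 17:30:00 accepted 127.0.0.1::1203
"""
ST_RE = re.compile(r"^(\S+ \S+) LOG\d\[[^\]]*\]: (.+?) connected from (\d+(?:\.\d+){3}):\d+")
VNC_RE = re.compile(r"^(\S+ \S+) accepted (\S+)")

def parse_stunnel(text, service):
    """(time, client_ip) for each accepted connection of one stunnel service."""
    out = []
    for line in text.splitlines():
        m = ST_RE.match(line)
        if m and m.group(2) == service:
            out.append((datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S"), m.group(3)))
    return out

def parse_vnc(text):
    """(time, raw timestamp) for each accepted VNC connection."""
    out = []
    for line in text.splitlines():
        m = VNC_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(1)))
    return out

def correlate(vnc_events, tunnel_events, window=timedelta(seconds=5)):
    """Map each VNC accept (by its raw timestamp) to the stunnel accept that
    preceded it within `window`. Gives the client IP when exactly one address
    qualifies, 'ambiguous' when several different ones do, and 'unknown' when
    none does (e.g. a direct connection that bypassed the tunnel)."""
    result = {}
    for vt, stamp in vnc_events:
        ips = {ip for st, ip in tunnel_events if timedelta(0) <= vt - st <= window}
        if len(ips) == 1:
            result[stamp] = ips.pop()
        else:
            result[stamp] = "ambiguous" if ips else "unknown"
    return result

if __name__ == "__main__":
    for stamp, ip in correlate(parse_vnc(VNC_LOG), parse_stunnel(STUNNEL_LOG, "VNC Server")).items():
        print(stamp, "->", ip)
```

The two stunnel accepts one second apart show why a tight window and both logs' clocks matter: when two remote addresses qualify, the script reports the session as ambiguous instead of guessing.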
It makes sense. I guess I have to open two logs side by side and see who's in at a certain time.
Such a nice thing; I wish I knew it better. Now I wrap VNC, pcAnywhere, HTTP, and FTP with stunnel, giving me a better sense of security (not so sure how secure it really is).
Thanks again.
J
Hello list.
I like to use stunnel to secure my vnc connection. Everything is fine, the connection can be made. The problem is that it is getting so slow that I can't use it. The time difference in displaying the remote screen is really huge.
Is this a known issue or is it my fault by using a wrong configuration?
My stunnel server is on winxpsp2 and the client is on suse 10.
Thanks for your help.
Stefan