When stunnel starts it needs to bind the connect port to stunnel
If the port is already in use elsewhere, it cannot bind the port to stunnel to allow the certificate to validate the connection.
You have to use 2 different ports for this.
You seem to be looking for a passthrough connection, which I do not think will work in stunnel. I could be wrong, I have never attempted to set it up to answer and forward to the same port on the same system.
You could put stunnel on another system and have it bind to port 3389 and forward to the machine you need to connect to by calling out IPs
[dbserver]
accept = 3389
connect = x.x.x.x:3389
CAfile = stunnel.pem

________________________________
From: Mark Foley mfoley@novatec-inc.com
Sent: Friday, September 1, 2023 1:58 PM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Re: Need help setting up new stunnel config
I think I'm confused here.
My objective is for requests sent to port 3389 on the Windows 10 machine to be "validated" by stunnel, then passed on to the service listening on that port. Am I mistaken about what stunnel is supposed to do?
If not, what would my config look like to accomplish this?
I don't see how changing the RDC port would help. Regardless of what port RDC listens on, it's still going to be used by RDC and therefore I don't see why the 'accept' wouldn't continue to fail.
Sorry to be so obtuse on this. I just don't get it and haven't found any examples for stunneling to RDC.
--Mark
-----Original Message-----
From: Michael Curran mike_curran@hotmail.com
To: Mark Foley mfoley@novatec-inc.com, stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Re: Need help setting up new stunnel config
Date: Fri, 1 Sep 2023 17:39:25 +0000
Mark --
Your full stanza should look like this
[dbserver]
accept = <some port>
connect = 3389
CAfile = stunnel.pem

The IP:PORT was a suggestion for the RDC connection string. If you cannot start RDC with an IP:PORT, then you can change the internal RDC port from 3389 to something else. I have not done this; you will have to review Microsoft's site to find out how.
If RDC can be changed, but not the RDC connection string, then your stanza might look like

[dbserver]
accept = 3389
connect = <new rdc port>
CAfile = stunnel.pem

Mike
________________________________
From: Mark Foley mfoley@novatec-inc.com
Sent: Friday, September 1, 2023 1:28 PM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Re: Need help setting up new stunnel config
Michael - thanks for your response.
I did not see the "ip:port" syntax you suggested in the stunnel doc, so I just use 'port'. Below is the config I tried:
[DBSERVER]
connect = 3389
CAfile = stunnel.pem
When running I got the following errors:
[ ] Initializing inetd mode configuration
[ ] Running on Windows 6.2
[ ] No limit detected for the number of clients
[.] stunnel 5.70 on x64-pc-mingw32-gnu platform
[.] Compiled/running with OpenSSL 3.0.9 30 May 2023
[.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*_errno())
[ ] Initializing inetd mode configuration
[ ] Running on Windows 6.2
[.] Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf
[.] UTF-8 byte order mark detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [DBSERVER]
[!] Service [DBSERVER]: TLS server needs a certificate
[!] Configuration failed
[ ] Deallocating temporary section defaults
[ ] Deallocating section [DBSERVER]
Notice "TLS server needs a certificate". The installation dialog steps me through creating a certificate which it puts in stunnel.pem. So why this message? I also tried the full pathname to stunnel.pem.
--Mark
-----Original Message-----
From: Michael Curran michael.curran@cosocloud.com
To: Mark Foley mfoley@novatec-inc.com, stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Need help setting up new stunnel config
Date: Fri, 1 Sep 2023 13:12:30 +0000

accept is the port you want them to connect on remotely – which would have to be other than 3389 since it is open already.
connect would be 3389.
I think in the connection string for RDC you can just specify ip:port to connect
If you cannot, you can also redesignate the port remote desktop answers on.
-- Michael Curran Systems Architect| CoSo Cloud D 614.568.2285 | C 614.403.6320 | michael.curran@cosocloud.com
From: Mark Foley mfoley@novatec-inc.com
Date: Thursday, August 31, 2023 at 11:33 AM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Need help setting up new stunnel config

I used stunnel about 5 years ago and now I want to use it again, but my notes are terrible and I'm having trouble getting started.
I want to create a connection between Windows computers on port 3389. The "client" will be some remote Windows computer, perhaps at someone's home office. The "server" will be a Windows workstation at the office.
I've installed stunnel 5.70 on a Windows 10 workstation at the office, hostname COMMONW10. I'm at a loss creating the config file on this machine. I have:
[COMMONW10]
;client = yes
accept = 3389
;connect = ???:xxxx
CAfile = stunnel.pem

The stunnel.pem was created when I installed stunnel. I have no idea what the 'connect' line should have. When I run stunnel (clicking on the desktop icon) I get:

[.] Configuration successful
[ ] Deallocating deployed section defaults
[ ] Binding service [COMMONW10]
[ ] Listening file descriptor created (FD=724)
[ ] Setting accept socket options (FD=724)
[ ] Option SO_EXCLUSIVEADDRUSE set on accept socket
[.] Binding service [COMMONW10] to 127.0.0.1:3389: Permission denied (WSAEACCES) (10013)
[!] Binding service [COMMONW10] failed
[ ] Unbinding service [COMMONW10]
[ ] Service [COMMONW10] closed
[ ] Deallocating deployed section defaults
[ ] Deallocating section [COMMONW10]
[ ] Initializing inetd mode configuration
[ ] Running on Windows 6.2
Server is down
I'm assuming the "Permission denied" is because Remote Desktop is already listening on 3389. So, I'm stuck and feeling quite ignorant!
Help appreciated.
--Mark
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org
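Mike's point above (stunnel must bind the accept port itself, so it cannot share 3389 with the service it fronts on the same host) and the "TLS server needs a certificate" failure earlier in the thread can both be caught before stunnel is started. The following checker for stunnel.conf stanzas is an added example, not code from the thread or from the stunnel project. It assumes stunnel's documented rules that a bare `connect` port means localhost and that server mode (no `client = yes`) requires `cert`, since `CAfile` only verifies peer certificates; the sample configuration is constructed from the stanzas quoted in the thread.

```python
import re
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}  # a bare port means localhost

# Constructed from the stanzas discussed in the thread (not Mark's actual file).
SAMPLE_CONF = """\
[COMMONW10]
accept = 3389
;connect = ???:xxxx
CAfile = stunnel.pem

[COMMONW10-fixed]
accept = 3390
connect = 3389
cert = stunnel.pem
"""

def parse_stunnel_conf(text):
    """Parse stunnel's INI-like syntax: ';' comments, [section], key = value."""
    sections, current = {"": {}}, ""          # '' holds global options
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections

def check_stanza(name, opts):
    """Return the problems found in one service stanza (empty list = OK)."""
    problems = []
    accept, connect = opts.get("accept"), opts.get("connect")
    if accept is None or connect is None:
        problems.append(f"[{name}]: a service needs both 'accept' and 'connect'")
    else:
        host, _, port = connect.rpartition(":")      # "port" or "host:port"
        if host in LOCAL_HOSTS and port == accept.rpartition(":")[2]:
            problems.append(f"[{name}]: accept and connect are the same local port "
                            f"{port}; stunnel cannot bind a port the service already owns")
    # Server mode (the default) needs its own certificate chain via 'cert'.
    if opts.get("client", "no").lower() != "yes" and "cert" not in opts:
        problems.append(f"[{name}]: server mode needs 'cert = <pem>'; CAfile only verifies peers")
    return problems

def check_conf(text):
    """Run check_stanza over every service stanza in a stunnel.conf string."""
    return [p for n, o in parse_stunnel_conf(text).items() if n for p in check_stanza(n, o)]
```

Running `check_conf(SAMPLE_CONF)` reports two problems for [COMMONW10] (no connect line, no cert) and none for the fixed stanza, which listens on 3390 and forwards to the local 3389.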