On Thu, 2016-03-31 09:39:49 -0400, Carter Browne wrote:
A single instance of stunnel can be a server or a client depending on the settings. For this configuration, you would want host3 to be a server, not a client. Thus, you need the intermediate port on server2 to serve as both a client and a server:
In your configuration files you would need:
Host1:
[secure_telnet]
accept = local:23
connect = host2:host2port1
client = yes

Host2:
[incoming_telnet_relay]
accept = host2:host2port1
connect = local:host2port2
client = no

[outgoing_telnet_relay]
accept = local:host2port2
connect = host3:host3port1
client = yes

Host3:
[incoming_telnet]
accept = host3:host3port1
connect = local:23
Carter,
What's the advantage of this setup over a direct connection from Host1 to Host3?
Host1:
[secure_telnet]
accept = local:23
connect = host3:host3port1
client = yes

Host3:
[incoming_telnet]
accept = host3:host3port1
connect = local:23
client = no
If e.g. Host3 isn't directly reachable from Host1, a simple port forwarding (without decryption and re-encryption) on Host2 would suffice.
Ludolf
On 3/31/2016 10:26 AM, Ludolf Holzheid wrote:
[..]
Ludolf,
I didn't ask the reason why in this case - I have had instances where I wanted the communication to be encrypted, but I could not go directly from Host1 to Host3. If he can go directly from Host1 to Host3, then your configuration is correct. However, in these days of firewalls, network segmentation, etc. the direct path may not be available or desired.
Carter
On Thu, 2016-03-31 10:39:03 -0400, Carter Browne wrote:
[..]
Carter,
I was wondering if there is a reason for the two separately encrypted connections. I had the impression that end-to-end encryption and a port forwarder on Host2 were easier to set up (and more resource-conserving), but this may be a matter of taste ...
Ludolf
On 3/31/2016 11:21 AM, Ludolf Holzheid wrote:
[..]
Ludolf,
You are correct, a simple port forwarder would work just as well. In my case, I have stunnel running for other reasons, so it was easier to use it rather than install another package to do the port forwarding. Using stunnel can provide more security by validating the individual point-to-point connections, at the cost of the additional overhead of decrypting and re-encrypting the data.
Carter
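The two-hop layout from this thread, written out with the per-hop peer validation Carter refers to, as an added example rather than a configuration either participant posted. The host names are the thread's placeholders; the ports 2301/2302/2303, the certificate paths under /etc/stunnel and the shared CA are assumed.

```ini
; Host1: the local telnet client connects to 127.0.0.1:23 and stunnel wraps
; the session in TLS toward Host2.
[secure_telnet]
client = yes
accept = 127.0.0.1:23
connect = host2:2301
; assumed paths: each host's own certificate+key and the shared CA certificate
cert = /etc/stunnel/host1.pem
CAfile = /etc/stunnel/ca.pem
; Host2 must present a certificate that chains to CAfile and is issued for host2
verifyChain = yes
checkHost = host2

; Host2: TLS server toward Host1, TLS client toward Host3. The two services are
; joined over loopback, so the decrypted telnet stream never leaves this host.
[incoming_telnet_relay]
client = no
accept = host2:2301
connect = 127.0.0.1:2302
cert = /etc/stunnel/host2.pem
CAfile = /etc/stunnel/ca.pem
; only peers holding a certificate signed by the CA (here Host1) are accepted
verifyChain = yes

[outgoing_telnet_relay]
client = yes
accept = 127.0.0.1:2302
connect = host3:2303
cert = /etc/stunnel/host2.pem
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = host3

; Host3: TLS server that hands the decrypted stream to the local telnet daemon
[incoming_telnet]
client = no
accept = host3:2303
connect = 127.0.0.1:23
cert = /etc/stunnel/host3.pem
CAfile = /etc/stunnel/ca.pem
; only peers holding a certificate signed by the CA (here Host2) are accepted
verifyChain = yes
```

Compared with Ludolf's end-to-end variant, Host2 terminates TLS and handles the telnet traffic in cleartext between its two services, which is the trade described above: each hop checks its peer's certificate, in exchange for the decrypt/re-encrypt overhead and for having to trust Host2 with the session contents.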