[stunnel-users] Using stunnel for RDP / Proxy / Firewall
Algol Tradent
tradent at yahoo.com
Fri Oct 26 06:06:29 CEST 2007
Here are the configs I've used. I must point out that I use certificates in both the client and server for authentication. Hence verify=3 in the config.
======= SERVER =======
;----------------------------------------------------
;-- SERVER OPTIONS
;----------------------------------------------------
;select data compression algorithm
compression = zlib
; Enable Taskbar icon
taskbar = yes
; Some performance tunings
; turn off the Nagle algorithm for local sockets
; turn off the Nagle algorithm for remote sockets
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[TServ]
;Certificate Authority file
CAfile = CAcert.pem
;Certificate Authority directory
CApath = certificates
;certificate chain PEM file name
;required in server mode
cert = server.pem
;client mode - no (server mode)
client = no
;level 3 - verify peer with locally installed certificate
verify = 3
accept = 50000
connect = 127.0.0.1:3389
======= CLIENT =======
;----------------------------------------------------
; GLOBAL OPTIONS
;----------------------------------------------------
;Logging Options
debug = 7
output = stunnel.log
; Some performance tunings
; turn off the Nagle algorithm for local sockets
; turn off the Nagle algorithm for remote sockets
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;----------------------------------------------------
; SERVICE-LEVEL OPTIONS
;----------------------------------------------------
[tserver]
accept = 127.0.0.1:50000
connect = <my_server_IP>:50000
;Server mode or Client mode
;Yes=Client mode
client = yes
;Certificate Authority file
CAfile = CAcert.pem
;Certificate Authority directory
CApath = certificates
;certificate chain PEM file name
cert = client.pem
;verify peer certificate
;level 3 - verify peer with locally installed certificate
verify = 3
;Select permitted SSL ciphers ':' delimited list
ciphers = AES256-SHA
--- Frank Garber <garberfc at coolsite.net> wrote:
> I tried using the port you suggested and got the same result. I'm able to
> verify my firewall is letting the traffic through and that my ISP is not
> blocking the port by using www.canyouseeme.org. Again, all my settings work
> when I'm not going through the corporate firewall.
>
> Can you send me your whole config file for both your client and server
> sides? I'm wondering if it has to do with my certificate settings.
>
> Thanks,
>
> Frank
>
> ----- Original Message ----
> From: Carter Browne <xxxx>
> To: garberfc <xxxx>
> Sent: Monday, October 22, 2007 8:07:11 AM
> Subject: Re: [stunnel-users] Using stunnel for RDP / Proxy / Firewall
>
> I do this all the time. The way I do it is to connect locally to RDP on a
> non-standard port. In the RDP dialog box, I have 127.0.0.10:12121, then in
> stunnel on the local side is:
>
> [xxx-rdp]
> accept = 127.0.0.10:12121
> connect = server:12122
> client = yes
>
> on the remote side is
>
> [rdp-incoming]
> accept = 12122
> connect = 3389
> client = no
>
> Normally RDP listens for any connection to port 3389, so I found it was
> easiest to get it to work by moving off that port. Note that you have to
> open port 12122 in the firewall on the remote side. On the other hand, you
> can close 3389 on the remote side which takes away an obvious port for
> hackers.
>
> Carter
>
> garberfc wrote:
> > Hi All
> >
> > I'm a relative newbie to Stunnel, and am trying to set up a tunnel so I
> > can Remote Desktop from work to my PC/server at home.
> >
> > I'm using version 4.20 of the Windows binaries.
> >
> > I've tested the configuration and it works from home using a laptop that
> > is going through my firewall when I enter my domain home (so my firewall
> > is set up correctly). I tried a variety of common ports and got the same
> > response every time. I had to use the 127.0.0.2 on the client because
> > Remote Desktop didn't want me connecting to myself...
> >
> > When I try it from work I get a dialog box:
> > The client could not establish a connection to the remote computer.
> > The most likely causes for this error are:
> > 1) Remote connections might not be enabled at the remote computer.
> > 2) The maximum number of connections was exceeded at the remote computer.
> > 3) A network error occurred while establishing the connection.
> >
> > My config is as follows:
> >
> > #Client
> > ;cert = stunnel.pem
> > ;key = stunnel.pem
> >
> > ; Some performance tunings
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> >
> > ; Some debugging stuff useful for troubleshooting
> > debug = 7
> > output = stunnel.log
> >
> > ; Use it for client mode
> > client = yes
> >
> > ; Service-level configuration
> > [https-RDT]
> > accept = 127.0.0.2:3389
> > connect = xx.xx.xx.xx:1494
> >
> >
> > #Server
> > ; Some performance tunings
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> >
> > ; Some debugging stuff useful for troubleshooting
> > debug = 7
> > output = stunnel.log
> >
> > ; Use it for client mode
> > client = no
> >
> > ; Service-level configuration
> > [https-RDT]
> > accept = 1494
> > connect = localhost:3389
> >
> >
> > Is there something I need to do to traverse this proxy? Any help would be
> > greatly appreciated!
> >
> >
>
>
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
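Frank's symptom (the tunnel works from home but dies behind the corporate firewall/proxy) is the case where you want to know at which stage the connection fails: no TCP connection at all, TCP up but the TLS handshake rejected, or something other than stunnel answering on the port. The probe below is an added example and is not code from anyone in this thread or from the stunnel project; it repeats what the stunnel client does (TCP connect, then a TLS handshake against an optional CAfile, the equivalent of verify = 2) and, when the handshake fails, reconnects and talks plain HTTP to see whether a proxy is in the way. fake_listener() and closed_port() are constructed stand-ins for the remote end so the probe can be run offline; host, port and the HTTP reply in the demo are assumptions.

```python
"""Stage-by-stage probe of a stunnel endpoint (added example, not from the thread)."""
import socket
import ssl
import threading


def probe(host, port, cafile=None, timeout=5.0):
    """Return (stage, detail): how far a stunnel-style client gets to host:port."""
    # Stage 1: plain TCP connect, which is all a firewall or NAT rule ever sees.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp_timeout", "no answer to SYN: silently filtered or dropped")
    except ConnectionRefusedError:
        return ("tcp_refused", "RST on SYN: port closed or actively rejected")
    except OSError as exc:
        return ("tcp_error", str(exc))

    # Stage 2: TLS handshake. With a CAfile this matches stunnel's verify = 2
    # (chain must end at a trusted CA); without one it is verify = 0.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # stunnel 4.x checks chains, not names
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except ssl.SSLCertVerificationError as exc:
        return ("tls_cert_rejected", exc.verify_message)
    except OSError as exc:              # ssl.SSLError is a subclass of OSError
        return _what_answered(host, port, timeout, str(exc))
    with tls:
        cert = tls.getpeercert(binary_form=True) or b""
        return ("tls_ok", f"{tls.version()} {tls.cipher()[0]}, peer cert {len(cert)} bytes")


def _what_answered(host, port, timeout, handshake_error):
    """Stage 3: speak plain HTTP to the port. A real TLS listener answers with a
    TLS alert or just hangs up; an HTTP proxy or captive portal answers in text."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.settimeout(2.0)
            raw.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            banner = raw.recv(256)
    except OSError:
        banner = b""
    if banner.startswith(b"HTTP/"):
        status = banner.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return ("http_answered", status)
    return ("tls_handshake_failed", handshake_error)


def fake_listener(reply, connections=2):
    """Constructed stand-in for whatever sits at the far end: accepts `connections`
    clients, reads what they send, answers with `reply` and closes cleanly (FIN,
    not RST, so the reply is never lost). Returns the loopback port it uses."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)     # drain the ClientHello / HTTP request
                except OSError:
                    pass
                if reply:
                    conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Constructed: a loopback port with nothing listening (the RST case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # Assumed demo targets; point probe() at <my_server_IP>:50000 for a real check.
    print(probe("127.0.0.1", closed_port()))
    print(probe("127.0.0.1", fake_listener(b"HTTP/1.1 403 Forbidden\r\n\r\n")))
    print(probe("127.0.0.1", fake_listener(b"")))
```

Run it from the work side against the public IP and port the server-side stunnel accepts on: "tcp_timeout" or "tcp_refused" means the packet never reaches stunnel (firewall, NAT or ISP), "http_answered" means a proxy is terminating the connection and speaking HTTP back, and "tls_handshake_failed" with a TCP connect that succeeds points at the TLS side (wrong port, or, with verify = 3 on the server, a client certificate it does not have on file).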