[stunnel-users] Using stunnel for RDP / Proxy / Firewall

Algol Tradent tradent at yahoo.com
Fri Oct 26 06:06:29 CEST 2007


Here are the configs I've used. I must point out that
I use certificates in both the client and server for
authentication. Hence verify=3 in the config.

======= SERVER =======

;----------------------------------------------------
;--  SERVER OPTIONS
;----------------------------------------------------

;select data compression algorithm 
compression = zlib

; Enable Taskbar icon
taskbar = yes 

; Some performance tunings
; turn off the Nagle algorithm for local sockets
; turn off the Nagle algorithm for remote sockets
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[TServ]

;Certificate Authority file
CAfile = CAcert.pem

;Certificate Authority directory 
CApath = certificates

;certificate chain PEM file name
;required in server mode
cert   = server.pem

;client mode - no (server mode)
client = no

;level 3 - verify peer with locally installed certificate
verify = 3

accept = 50000
connect = 127.0.0.1:3389


======= CLIENT =======

;----------------------------------------------------
;                 GLOBAL OPTIONS
;----------------------------------------------------


;Logging Options
debug = 7
output = stunnel.log

; Some performance tunings
; turn off the Nagle algorithm for local sockets
; turn off the Nagle algorithm for remote sockets
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;----------------------------------------------------
;        SERVICE-LEVEL OPTIONS
;----------------------------------------------------
[tserver]
accept = 127.0.0.1:50000
connect = <my_server_IP>:50000

;Server mode or Client mode
;Yes=Client mode
client = yes

;Certificate Authority file
CAfile = CAcert.pem

;Certificate Authority directory
CApath = certificates

;certificate chain PEM file name
cert = client.pem

;verify peer certificate
;level 3 - verify peer with locally installed certificate
verify = 3

;Select permitted SSL ciphers ':' delimited list
ciphers = AES256-SHA 

--- Frank Garber <garberfc at coolsite.net> wrote:

> I tried using the port you suggested and got the
> same result. I'm able to verify my firewall is
> letting the traffic through and that my ISP is not
> blocking the port by using www.canyouseeme.org .
> Again, all my settings work when I'm not going
> through the corporate firewall.
> 
> Can you send me your whole config file for both your
> client and server sides? I'm wondering if it has to
> do with my certificate settings.
> 
> Thanks,
> 
> Frank
> 
> ----- Original Message ----
> From: Carter Browne <xxxx>
> To: garberfc <xxxx>
> Sent: Monday, October 22, 2007 8:07:11 AM
> Subject: Re: [stunnel-users] Using stunnel for RDP / Proxy / Firewall
> 
> I do this all the time.  The way I do it is to connect locally to RDP on
> a non-standard port.  In the RDP dialog box, I have 127.0.0.10:12121,
> then in stunnel on the local side is:
> 
> [xxx-rdp]
> accept = 127.0.0.10:12121
> connect = server:12122
> client = yes
> 
> on the remote side is
> 
> [rdp-incoming]
> accept = 12122
> connect = 3389
> client = no
> 
> Normally RDP listens for any connection to port 3389, so I found it was
> easiest to get it to work by moving off that port.  Note that you have
> to open port 12122 in the firewall on the remote side.  On the other
> hand, you can close 3389 on the remote side which takes away an obvious
> port for hackers.
> 
> Carter
> 
> garberfc wrote:
> > Hi All
> >
> > I'm a relative newbie to Stunnel, and am trying to set up a tunnel so
> > I can Remote Desktop from work to my PC/server at home.
> >
> > I'm using version 4.20 of the Windows binaries.
> >
> > I've tested the configuration and it works from home using a laptop
> > that is going through my firewall when I enter my domain home (so my
> > firewall is set up correctly). I tried a variety of common ports and
> > got the same response every time.  I had to use the 127.0.0.2 on the
> > client because Remote Desktop didn't want me connecting to myself...
> >
> > When I try it from work I get a dialog box:
> >   The client could not establish a connection to the remote computer.
> >    The most likely causes for this error are:
> >    1) Remote connections might not be enabled at the remote computer.
> >    2) The maximum number of connections was exceeded at the remote computer.
> >    3) A network error occurred while establishing the connection.
> >
> > My config is as follows:
> >
> > #Client
> > ;cert = stunnel.pem
> > ;key = stunnel.pem
> >
> > ; Some performance tunings
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> >
> > ; Some debugging stuff useful for troubleshooting
> > debug = 7
> > output = stunnel.log
> >
> > ; Use it for client mode
> > client = yes
> >
> > ; Service-level configuration
> > [https-RDT]
> > accept = 127.0.0.2:3389
> > connect = xx.xx.xx.xx:1494
> >
> >
> > #Server
> > ; Some performance tunings
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> >
> > ; Some debugging stuff useful for troubleshooting
> > debug = 7
> > output = stunnel.log
> >
> > ; Use it for client mode
> > client = no
> >
> > ; Service-level configuration
> > [https-RDT]
> > accept = 1494
> > connect = localhost:3389
> >
> >
> > Is there something I need to do to traverse this proxy? Any help
> > would be greatly appreciated!
> >
> 
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
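
The thread trades three stunnel configs that differ mainly in whether the peer's certificate is checked at all: garberfc's client has no `cert` and no `verify` (stunnel's default is to ignore the peer certificate), while the configs at the top of this message use `verify = 3` with a CA and a certificate on both sides. The small auditor below is an added example, not code from the thread or from the stunnel project: it parses the stunnel.conf layout used above (options before the first `[section]` are defaults inherited by every service, `;` lines are comments, keys such as `socket` may repeat) and reports, per service, whether it authenticates its peer and presents a certificate of its own. Treating `#` as a comment character as well is an assumption made so garberfc's `#Client` line parses; the sample configs are constructed from the thread and keep the posters' own placeholders (`xx.xx.xx.xx`, `<my_server_IP>`).

```python
"""Config auditor for the stunnel.conf files traded in this thread.

Parses the INI-like stunnel format: options written before the first
[section] are defaults that every later service inherits, lines starting
with ';' (or '#', assumed here so garberfc's config parses) are comments,
and a key may repeat (e.g. two 'socket' lines). For each service it
reports whether the peer's certificate is actually checked and whether the
service presents a certificate of its own. Sample configs are constructed
from the thread; file names and addresses in them are placeholders.
"""

COMMENT_PREFIXES = (";", "#")

# 'verify' levels as documented by stunnel; 0 is what you get when unset
VERIFY_MEANING = {
    0: "peer certificate is ignored",
    1: "peer certificate is checked only if the peer presents one",
    2: "peer certificate chain is checked against CAfile/CApath",
    3: "peer certificate itself must be installed locally",
}


def parse_stunnel_conf(text):
    """Return {service: {key: [value, ...]}} with global defaults merged in."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        if line.startswith("[") and line.endswith("]"):
            # a new service starts with a copy of everything set globally
            current = services[line[1:-1].strip()] = {
                k: list(v) for k, v in global_opts.items()}
            continue
        if "=" not in line:
            # a comment word wrapped onto its own line (no ';') ends up here
            raise ValueError(f"not a 'key = value' line: {raw!r}")
        key, _, value = line.partition("=")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return services


def last(opts, key, default=None):
    """Single-valued options take their last occurrence."""
    return opts[key][-1] if key in opts else default


def audit_service(opts):
    """Return findings for one service; an empty list means mutual
    authentication is configured: it presents a cert and verifies the peer's."""
    findings = []
    is_client = last(opts, "client", "no").lower() == "yes"
    role = "client" if is_client else "server"
    verify = int(last(opts, "verify", "0"))
    has_ca = "cafile" in opts or "capath" in opts

    if verify < 2:
        findings.append(f"{role} does not authenticate its peer: verify={verify} "
                        f"({VERIFY_MEANING[verify]})")
    elif not has_ca:
        findings.append(f"verify={verify} but no CAfile/CApath to check against")
    if "cert" not in opts:
        note = " (stunnel requires cert in server mode)" if not is_client else ""
        findings.append(f"{role} has no cert, so the peer cannot authenticate it{note}")
    return findings


def audit_conf(text):
    """Map each service name to its list of findings."""
    return {name: audit_service(opts)
            for name, opts in parse_stunnel_conf(text).items()}


# constructed from the thread; 'xx.xx.xx.xx' and <my_server_IP> are the
# posters' own placeholders
CLIENT_NO_VERIFY = """\
#Client
;cert = stunnel.pem
client = yes
[https-RDT]
accept = 127.0.0.2:3389
connect = xx.xx.xx.xx:1494
"""

MUTUAL_TLS_CLIENT = """\
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[tserver]
accept = 127.0.0.1:50000
connect = <my_server_IP>:50000
client = yes
CAfile = CAcert.pem
CApath = certificates
cert = client.pem
verify = 3
"""

if __name__ == "__main__":
    for label, conf in (("no-verify client", CLIENT_NO_VERIFY),
                        ("mutual-TLS client", MUTUAL_TLS_CLIENT)):
        for name, findings in audit_conf(conf).items():
            print(f"{label} [{name}]: {findings or 'OK'}")
```

Run against the two sample configs, the no-verify client gets two findings (peer not authenticated, no client cert) and the mutual-TLS client gets none. The parser also rejects a bare word on its own line, which is what the `certificate` continuation lines in the configs above would have produced had they been pasted verbatim into stunnel.conf.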

