[stunnel-users] "Reverse" tunneling with stunnel.

C. Petro petro at cpetro.us
Fri Jul 20 17:55:39 CEST 2018


​That's what I was afraid of. ​

Thanks.

This is going to be passing a lot of traffic and there's a lot more CPU
load from using SSH v.s. stunnel or something like OpenVPN.

We'll give the ssh thing a shot and monitor the loads.

On Fri, Jul 20, 2018 at 9:33 AM, Peter Pentchev <roam at ringlet.net> wrote:

> On Tue, Jul 17, 2018 at 10:51:07PM -0600, C. Petro wrote:
> > I have a client who is setting up a logging infrastructure involving a
> > couple of DMZs forwarding logs into central logging points.
> >
> > They have to pass compliance audits (SOX, PCI at least) and have some
> > rather specific desires in regards to how they want the log traffic to
> > move, and which servers *initiate* the connections.
> >
> > Which is to say they want the internal servers to set up tunnels to the
> DMZ
> > servers and then the forwarders use that tunnel to deliver logs back.
>
> ...oof.  I went back and reread your original message more carefully.
> The truth is, stunnel cannot really do what you want :(
>
> It seems to me that what you want could be accomplished with OpenSSH and
> its remote connection forwarding: set up an SSH server in the DMZ,
> generate a (possibly passphraseless) key pair on the central server,
> add the public key to an the authorized_keys file of an unprivileged
> account on the DMZ server, and then, on the central server (again, from
> an unprivileged account), run a command like:
>
>   ssh -N -R 3000:localhost:3000 accountname at dmz.server
>
> Then SSH will listen for incoming connections on 127.0.0.1:3000 on the DMZ
> server and, when a connection comes in, create a connection from 127.0.0.1
> to
> 127.0.0.1:3000 on the central server and start forwarding data.
>
> If needed, the OpenSSH server on the DMZ host may be configured so that it
> is
> very restricted: only public-key authentication, only certain users may
> connect, only certain commands may be executed, etc.
>
> Apologies for not reading your first message carefully enough!
>
> G'luck,
> Peter
>
> --
> Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
> PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20180720/d08ec594/attachment.html>


More information about the stunnel-users mailing list