Installing and Configuring stunnel on CentOS 6
Here's how to get stunnel up and running on a CentOS 6 server, and configure your local stunnel client to work with it.
Server-side installation and configuration
First, install stunnel itself on the server:
[root@host ~]# yum -y install stunnel
Next, create a key and a self-signed certificate for stunnel to use:
[root@host ~]# cd /etc/pki/tls/certs/ && make stunnel.pem
Now, generate a set of Diffie-Hellman parameters using a 2048-bit group instead of the default 1024-bit size. A 2048-bit group is recommended by the discoverers of the Logjam attack.
[root@host certs]# dd if=/dev/urandom count=64 | openssl dhparam -rand - 2048
0 semi-random bytes loaded
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
64+0 records in
64+0 records out
32768 bytes (33 kB) copied, 0.00312777 s, 10.5 MB/s
....................+..[snip lots of output]...++*++*++*
-----BEGIN DH PARAMETERS-----
MIGHAoGBAN1puC8VOxyqydITSDisVIpoFrwLS6yLqwykT/V5I96UPdgWFXwg96Kx
L6yd5JnK4BK1aoJZiyoO+AVanwQs2BBCGXKEY5YTQJSErwe+vbnNmnQtzMIto2wj
0hkQHbqc4+Q2KTfjJpIhzVO/JL8WS5Ko6LDyEzKh7Se1Gg80wqyjAgEC
-----END DH PARAMETERS-----
Append the resulting DH PARAMETERS block, including the -----BEGIN DH PARAMETERS----- and -----END DH PARAMETERS----- marker lines, to the stunnel.pem file you created previously.
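As an added check (not from the original post), the following Python script audits the combined stunnel.pem: it lists which PEM blocks the file contains and decodes the DER inside the DH PARAMETERS block to report the actual bit length of the prime, so you can confirm the group you appended meets the 2048-bit recommendation above rather than trusting what scrolled by. It is seeded with the DH block from the listing above; the audit_pem.py file name is an assumption.

```python
import base64
import re
import sys
# The DH PARAMETERS block printed in the listing above (public group parameters, not a secret).
PAGE_DH_BLOCK = """-----BEGIN DH PARAMETERS-----
MIGHAoGBAN1puC8VOxyqydITSDisVIpoFrwLS6yLqwykT/V5I96UPdgWFXwg96Kx
L6yd5JnK4BK1aoJZiyoO+AVanwQs2BBCGXKEY5YTQJSErwe+vbnNmnQtzMIto2wj
0hkQHbqc4+Q2KTfjJpIhzVO/JL8WS5Ko6LDyEzKh7Se1Gg80wqyjAgEC
-----END DH PARAMETERS-----
"""

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block in text, in file order."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]

def read_tlv(der, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def dh_prime_bits(der):
    """PKCS#3 DHParameter is SEQUENCE { INTEGER p, INTEGER g }; return the bit length of p."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag, p_bytes, _ = read_tlv(seq)
    if tag != 0x02:
        raise ValueError("expected INTEGER p as the first element")
    return int.from_bytes(p_bytes, "big").bit_length()

def audit_stunnel_pem(text, minimum_bits=2048):
    """Summarise a combined stunnel.pem: which blocks it has and whether the DH group is big enough."""
    blocks = pem_blocks(text)
    dh = [der for label, der in blocks if label == "DH PARAMETERS"]
    bits = dh_prime_bits(dh[0]) if dh else None
    return {
        "has_cert": any(label == "CERTIFICATE" for label, _ in blocks),
        "has_key": any(label.endswith("PRIVATE KEY") for label, _ in blocks),
        "dh_bits": bits,
        "dh_ok": bits is not None and bits >= minimum_bits,
    }

if __name__ == "__main__":  # e.g. python audit_pem.py /etc/pki/tls/certs/stunnel.pem
    print(audit_stunnel_pem(open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_DH_BLOCK))
```

Run as-is over the block from the listing above it reports a 1024-bit prime, so the snipped listing does not show a 2048-bit group; check the file you actually appended.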
Next, create a directory for the pidfile to live in:
[root@host ~]# mkdir /var/run/stunnel && chown nobody /var/run/stunnel
Create a new file at /etc/stunnel/stunnel.conf with the following contents, edited as needed for your requirements:
; stunnel configuration file
debug = 3
output = /var/log/stunnel.log
setuid = nobody
setgid = nobody
pid = /var/run/stunnel/stunnel.pid
cert = /etc/pki/tls/certs/stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE

; This section creates a new tunnel.
; Incoming TLS connections to port 3307 will be decrypted and
; then forwarded to port 3306 on the localhost.
[secure-mysql]
accept = 3307
connect = 3306
Define a different tunnel for each service you want to protect. In the above example, the stunnel server listens on port 3307 for incoming client connections, decrypts the traffic, and forwards the raw data to port 3306 (mysql) on the same server.
Now run stunnel to try it out:
[root@host ~]# stunnel
Check /var/log/stunnel.log to see if there are any errors. If things didn't work, set debug = 7 in the config file and try again. Once stunnel starts properly, configure it to run automatically when the system boots. I just add it to a script that runs at boot:
#Run stunnel
/usr/bin/stunnel &
That's it for the server-side installation.
Client-side installation and configuration
Repeat all of the above steps on the client end (for example, your workstation or your home router) to get stunnel installed there. When you create the config file for the client side, the tunnel you define will look slightly different:
[mysql-remote]
client = yes
accept = 3306
connect = 188.8.131.52:3307
Note that here the client = yes directive is added, and the connect directive points at the server's IP address and the port where stunnel is listening there.
Now run stunnel on the client side and set your application to use it.
Continuing with the MySQL example, I tell my copy of HeidiSQL to connect to my router on port 3306. The stunnel running on my router encrypts the traffic and forwards it to port 3307 on the remote server, where stunnel decrypts the traffic and sends it to port 3306 on itself.