Tunnel that TCP stuff with Stunnel (in 4 quick command line entries)

One surefire way to get in trouble on the net these days is to use plaintext instead of SSL. We've all learned from Firesheep that someone in Starbucks can assume your identity on Facebook while you drink an overpriced coffee.
Installing HTTPS Everywhere is a great, easy way to alleviate the threat. Go ahead, download it and install it... I'll wait. Checking to make sure you are on a secure connection is a good habit to get into. It is easy to do: just add an 's' to go from http://somesite to https://somesite. This is especially true on pages you need to log in to.
Yikes, login form but no https. This is an easy precaution to overlook.
Sometimes you'll need to use services that don't run over HTTP. In those situations getting an SSL connection requires a tiny bit of work. Say, for instance, I want to make sure my news reader is always using a secure connection. In that case you'll need to install stunnel and make some very brief config changes. I'm working from Ubuntu Natty Narwhal, but this translates easily to almost every other recent version. Now you might be thinking: why not just use the SSL options built into the program? Yes, for sure do that, but it is not always possible. I love PAN, but it doesn't have any SSL options. Begin with:
sudo apt-get install stunnel4
After the installation is done you need to edit the conf file:
sudo pico /etc/default/stunnel4
switch:
ENABLED=0
to
ENABLED=1
to start it automatically at boot.
sudo pico /etc/stunnel/stunnel.conf
You'll need to add a ';' in front of a few lines to comment them out:
; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = /var/log/stunnel4/stunnel.log

; Use it for client mode
client = yes
. . .
Under the Service-level configuration block of the config file add your new definition along the following template:
accept = localhost:PORT
connect = news.server.name:PORT
Or specifically something like this:
[nntp]
accept = localhost:119
connect = news.newserver.org:563
You'll notice that the connect line points at the server's SSL port. Some news servers now offer 443 as an option, which makes it look like regular old https. Save, exit, and on the command line for the last time:
sudo /etc/init.d/stunnel4 start
Jump to your news client and change the server location to localhost instead of the news.server.name you had before. Now every time your news reader tries to download more messages it will go through the SSL tunnel that stunnel has created. Neato. The great thing about stunnel is that you can use it for a bunch of other applications as well: IMAP, SMTP... any TCP service really. Be safe out there kids.
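One thing worth checking once the tunnel is up: in the config snippet above, `verify` and `CAfile` are both commented out, so stunnel encrypts the connection but never checks who it is talking to. The following is an added example written for this post, not stunnel's own code: it builds the [service] block from the template, parses the stunnel.conf format (';' comments, global defaults before the first [section]), and audits each client-mode service for a missing `verify`/`CAfile` and for an `accept` that is not bound to loopback. The sample config is constructed from the snippet in the post; `news.example.invalid` is a placeholder host.

```python
"""Added example for this post (not stunnel's own code): build the [service]
block the post appends, then audit an stunnel.conf the way a reviewer would,
checking that client-mode services actually verify the server certificate.
All sample config text is constructed here; the news host is a placeholder."""

import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
OPTION_RE = re.compile(r"^([A-Za-z0-9]+)\s*=\s*(.*?)\s*$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def build_service_section(name, local_port, remote_host, remote_port):
    """The block the post adds under 'Service-level configuration'."""
    return (f"[{name}]\n"
            f"accept = localhost:{local_port}\n"
            f"connect = {remote_host}:{remote_port}\n")


def parse_stunnel_conf(text):
    """Parse stunnel's INI-style file: ';' or '#' lines are comments, options
    before the first [section] are global defaults. Returns (globals, services);
    each option maps to a list because some keys (e.g. socket) repeat."""
    global_opts, services = {}, OrderedDict()
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        section = SECTION_RE.match(line)
        if section:
            current = services.setdefault(section.group(1), {})
            continue
        option = OPTION_RE.match(line)
        if not option:
            raise ValueError(f"unparseable line: {raw!r}")
        current.setdefault(option.group(1), []).append(option.group(2))
    return global_opts, services


def effective(opts, global_opts, key):
    """Service-level value, falling back to the global default; last wins."""
    values = opts.get(key) or global_opts.get(key) or []
    return values[-1] if values else None


def audit(text):
    """Return (service, finding) pairs for the mistakes that matter most in a
    client-side tunnel. '*' marks a global finding."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    # SSLv3 is long broken; letting stunnel negotiate the newest TLS is safer.
    if effective({}, global_opts, "sslVersion") == "SSLv3":
        findings.append(("*", "sslVersion pinned to SSLv3"))
    for name, opts in services.items():
        if effective(opts, global_opts, "client") != "yes":
            continue  # server-mode services are outside this post's scope
        verify = effective(opts, global_opts, "verify")
        has_ca = (effective(opts, global_opts, "CAfile")
                  or effective(opts, global_opts, "CApath"))
        if verify in (None, "0"):
            # Exactly the state the post's snippet leaves you in: traffic is
            # encrypted, but any server presenting any certificate is accepted.
            findings.append((name, "verify unset: server certificate not checked"))
        elif not has_ca:
            findings.append((name, f"verify = {verify} but no CAfile/CApath to check against"))
        # The accept side is plaintext; it should only be reachable locally.
        accept = effective(opts, global_opts, "accept") or ""
        host = accept.rsplit(":", 1)[0].strip("[]") if ":" in accept else ""
        if host not in LOOPBACK:
            findings.append((name, f"accept {accept!r} is not loopback-only"))
    return findings


# Constructed from the post's snippet (comments trimmed); placeholder news host.
SAMPLE_CONF = """\
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;verify = 2
;CAfile = /etc/stunnel/certs.pem
client = yes
""" + build_service_section("nntp", 119, "news.example.invalid", 563)

# Same file with verification switched on and the SSLv3 pin dropped.
HARDENED_CONF = (SAMPLE_CONF.replace("sslVersion = SSLv3\n", "")
                 .replace(";verify = 2", "verify = 2")
                 .replace(";CAfile", "CAfile"))

if __name__ == "__main__":
    for label, conf in (("post's config", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Run it against your own /etc/stunnel/stunnel.conf (`audit(open(path).read())`) after the edits above; the post's config as written produces two findings, and uncommenting `verify = 2` and `CAfile` with a real CA bundle clears the one that matters. The `accept` check exists because an `accept = 119` with no host would bind the plaintext side to every interface, not just the loopback the news client talks to.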
Look for the 's' and feel safe... Well, safer...
