SSL to SSH tunneling (stunnel)

Sometimes it is handy to be able to reach your home server even when there are all sorts of proxy servers and firewalls between you and it (e.g. when connecting from work).

Stunnel to the rescue! Compile it, install it, or just download it from some package repository (I used MacPorts).

On the server:

  1. Create a server configuration file for stunnel. The example below accepts SSL traffic on port 443 and forwards the decrypted traffic to the SSH port (22). Use your own certificate file for higher security.

    cert=stunnel.pem
    pid=/tmp/stunnel.pid
    [stunnel443]
    accept = 192.168.1.7:443
    connect = 192.168.1.7:22
  2. Run sudo stunnel <server-config-file>
  3. Test the connection with openssl: openssl s_client -connect 192.168.1.7:443. After the SSL handshake output you should get something like: SSH-1.99-OpenSSH_5.1
  4. And now you have SSH over SSL!
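The check in step 3, as an added script (not part of the original post): it opens a TLS connection to the server-side stunnel, verifies the server certificate against the stunnel.pem you generated, and confirms that what comes back through the tunnel is an SSH banner rather than, say, an HTTP error page from an intercepting proxy. The host, port and cafile are command-line arguments; the function and variable names are my own.

```python
"""Check an SSH-over-SSL tunnel: TLS connect, verify cert, expect an SSH banner."""
import socket
import ssl

SSH_BANNER_PREFIX = b"SSH-"


def parse_ssh_banner(line: bytes):
    """Parse an SSH identification string such as b"SSH-1.99-OpenSSH_5.1\r\n".

    Returns (protoversion, softwareversion), or None when the line is not an
    SSH banner (for example an HTTP response returned by an intercepting proxy).
    """
    line = line.rstrip(b"\r\n")
    if not line.startswith(SSH_BANNER_PREFIX):
        return None
    parts = line[len(SSH_BANNER_PREFIX):].split(b"-", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace")


def check_tunnel(host: str, port: int, cafile: str, timeout: float = 10.0):
    """Connect with TLS to host:port, require a certificate chaining to `cafile`
    (the self-signed stunnel.pem is its own CA), and return the parsed banner.

    Raises ssl.SSLError when the certificate does not match, and RuntimeError
    when the peer does not speak SSH, which usually means a proxy answered.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # a self-signed stunnel.pem has no usable name
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # sshd sends its identification line first, so just read one line
            first_line = tls.makefile("rb").readline(255)
    banner = parse_ssh_banner(first_line)
    if banner is None:
        raise RuntimeError(f"no SSH banner from {host}:{port}: {first_line[:60]!r}")
    return banner


if __name__ == "__main__":
    import sys

    # usage: python check_tunnel.py 192.168.1.7 443 stunnel.pem
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print("tunnel OK, remote SSH:", check_tunnel(host, port, cafile))
```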

On your client machine:

  1. Create a new client-side configuration file. This creates a listener on port 21222; all traffic arriving there is sent SSL-encrypted to 192.168.1.7:443.

    #cert = stunnel.pem
    pid=/tmp/stunnelclient.pid
    #foreground=yes
    client=yes
    [21222]
    accept=21222
    connect=192.168.1.7:443
  2. Run sudo stunnel <client-config-file>
  3. It should now be possible to run ssh -p 21222 localhost to open a connection to your server machine.

Voilà, an SSL tunnel for transporting SSH!
All SSH traffic nicely hidden in an SSL tunnel.


13 Responses to SSL to SSH tunneling (stunnel)

  1. Ammon says:

    For the love of… Why? Seriously. Why?

    SSH is already SSL encrypted. That’s kind of the entire point. You can even tunnel other apps through SSH just like you are doing with raw SSL here.

    If you want to be able to SSH to an alternate port on your home machine, just tell your sshd to listen to another port and save yourself the wasted complexity, cpu, and bandwidth.

  2. admin says:

    Yes, SSH is very safe!
    And I am quite aware of how to use alternate ports for the sshd.

    Most of the time this guide is like reinventing the wheel. :-)

    I did not do the tunneling due to security issues in ssh but to pass through tightly secured proxies and firewalls. At larger companies, the security department usually only allows internet traffic on http and https (ssl) through a forward proxy.

    Then you have two ways to go.

    1. Tunnel ssh over http; then you must cope with all the strange hacks a forward proxy might do, adding headers etc.

    2. Or do some tricks over https proxy connect with ssl; one could be my solution above.

  3. Pants says:

    Great post. I ‘get’ exactly why you need to tunnel SSH over stunnel as you’ve described here. I’m currently working with a very tricky proxy server that won’t allow a connection directly to an SSHD server because it requires SSL handshaking, otherwise it drops the connection. Using stunnel I can now get the correct SSL protocol and still use SSH too.

  4. nalply says:

    It’s necessary if you are limited by a stupid firewall not allowing outgoing SSH. With SSH over SSL you can trick out the firewall. :-)

  5. amaël says:

    Is there a way to use stunnel with a proxy that allows https (CONNECT)? The proxy needs the client to be authenticated. I’ve seen savvard’s patch but it doesn’t work with the latest version (4.28) of stunnel.

  6. admin says:

    My blog post explains how to run SSH in SSL, which I believe is the same as your SSH in HTTPS.

  7. Yoshito says:

    I have just finished my configuration and it works very well. Here is the openssl PEM generator command for people who are a bit lost with SSL certs.

    openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

    Vive l’Internet totalement libre.

  8. farshid says:

    Thanks so much, that’s awesome. Some people may ask why to do this (@Ammon). The answer is that there are firewalls out there that can mangle the SSH2_MSG_KEXINIT packet when ssh initiates a connection and therefore fully block the ssh connection on any port!! That’s an awesome way to get around that. Many thanks.

  9. JoeT says:

    Your post helped me. I was trying to set up stunnel and it wasn’t working; it just kept hanging no matter what I tried doing with pem files and ports and iptables, grrr.
    Turns out I needed to uncomment this line:
    client=yes
    Thanks! :)

  10. AK says:

    Thanks, this works for me too!

    You can skip the second stunnel on the client and connect directly with

    ssh 192.168.1.7

    if you add the following in your ~/.ssh/config:

    Host 192.168.1.7
    User ...
    Port 443
    ProxyCommand openssl s_client -connect %h:%p -quiet 2>/dev/null

  11. Brett says:

    Got it to work, awesome post, thank you

  12. JC says:

    Some tricky conditions may prevent the “server-side stunnel” plus “client-side stunnel” from working with the ssh on top of it.

    However, the “server-side stunnel” plus “ssh with ProxyCommand openssl” works well in these conditions.

    salute to all of you guys

  13. jaypi says:

    Awesome tutorial, exactly what I was looking for, thanks!
