SSL to SSH tunneling (stunnel)

Sometimes it is handy to reach your home server even when there are proxy servers and firewalls between you and it (e.g. from work), and the only thing allowed out is HTTPS on port 443.

Stunnel to the rescue! Compile it, install it from a package repository, or grab a prebuilt binary (I used MacPorts).

On the server:

  1. Create a server configuration file for stunnel. The example below accepts TLS (SSL) traffic on port 443 and forwards the decrypted traffic to the ssh port (22). cert must point to a PEM file holding the server certificate together with its private key; stunnel will not start without one, so generate your own rather than using a sample certificate that anyone else may also have.

    cert=stunnel.pem
    pid=/tmp/stunnel.pid
    [stunnel443]
    accept = 192.168.1.7:443
    connect = 192.168.1.7:22
  2. Run sudo stunnel <server-config-file> (root is needed to bind port 443).
  3. Test it with openssl s_client -connect 192.168.1.7:443. After the TLS handshake output you should see sshd's version banner, something like SSH-1.99-OpenSSH_5.1; the connection then waits for a client banner, which is expected.
  4. And now you have SSH over SSL!

On your client machine:

  1. Create a client-side configuration file. This opens a listener on port 21222 and sends everything that arrives there, TLS-encrypted, to 192.168.1.7:443. As written the client does not verify the server's certificate (there are no verify/CAfile lines), so the TLS layer does not authenticate the server; you are relying on SSH's own host-key check inside the tunnel for that.

    #cert = stunnel.pem
    pid=/tmp/stunnelclient.pid
    #foreground=yes
    client=yes
    [21222]
    accept=21222
    connect=192.168.1.7:443
  2. Run stunnel <client-config-file>. Root is not needed here: 21222 is an unprivileged port and the pid file lives in /tmp.
  3. You should now be able to run ssh -p 21222 localhost to reach your server machine.
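
The whole procedure above, as an added example that is not part of the original post: a small POSIX shell script that generates the server's stunnel.pem, writes both stunnel configuration files, and can check the SSH banner through the tunnel. It goes beyond the post in two ways: the client pins the server's self-signed certificate (verify = 3 with CAfile), so an intercepting proxy cannot substitute its own certificate, and it can optionally route through an HTTP CONNECT proxy (stunnel's protocol = connect), the case raised in the comments. Assumptions not in the original: stunnel 4.x or later and openssl on PATH, a nobody user/group on the server for privilege dropping, sshd listening on the server's loopback address, and the proxy address proxy.example:3128, which is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): generate server and client
# stunnel configurations for SSH-over-TLS, with certificate pinning on the
# client and an optional HTTP CONNECT proxy hop.
# Assumptions: stunnel 4.x+ and openssl on PATH; home server 192.168.1.7 as in
# the post; any proxy address passed in is hypothetical.
set -eu

# gen_cert <dir> <common-name>
# Writes <dir>/stunnel.pem (key + cert, the layout stunnel's 'cert=' expects)
# and <dir>/cert.pem (certificate only, to copy to the client for pinning).
gen_cert() {
  dir=$1; cn=$2
  openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
    -subj "/CN=$cn" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  cat "$dir/key.pem" "$dir/cert.pem" > "$dir/stunnel.pem"
  chmod 600 "$dir/key.pem" "$dir/stunnel.pem"
}

# write_server_conf <conf-path> <pem-path> <listen-ip>
# TLS on <listen-ip>:443, plaintext to sshd on loopback; shed root after bind.
write_server_conf() {
  cat > "$1" <<EOF
cert = $2
pid = /var/run/stunnel-ssh.pid
; root is only needed to bind 443; drop it right after
; (assumption: a 'nobody' user and group exist; use nogroup on Debian)
setuid = nobody
setgid = nobody
[ssh-over-tls]
accept = $3:443
connect = 127.0.0.1:22
EOF
}

# write_client_conf <conf-path> <server-cert.pem> <server-ip> [proxy-host:port]
# Listen on 127.0.0.1:21222. verify = 3 accepts only a peer certificate that is
# itself present in CAfile, so the TLS layer now authenticates the server.
write_client_conf() {
  conf=$1; cafile=$2; server=$3; proxy=${4:-}
  {
    echo "client = yes"
    echo "pid = /tmp/stunnel-ssh-client.pid"
    echo "verify = 3"
    echo "CAfile = $cafile"
    echo "[ssh-over-tls]"
    echo "accept = 127.0.0.1:21222"
    if [ -n "$proxy" ]; then
      # stunnel issues 'CONNECT server:443' to the proxy, then starts TLS
      echo "connect = $proxy"
      echo "protocol = connect"
      echo "protocolHost = $server:443"
    else
      echo "connect = $server:443"
    fi
  } > "$conf"
}

# check_banner <host:port>: true if sshd's banner appears after the handshake
check_banner() {
  echo | openssl s_client -connect "$1" 2>/dev/null | grep -q '^SSH-'
}

case "${1:-}" in
  server)  # ./stunnel-ssh.sh server <dir> <listen-ip>
    gen_cert "$2" "$3"
    write_server_conf "$2/server.conf" "$2/stunnel.pem" "$3"
    echo "next: sudo stunnel $2/server.conf ; copy $2/cert.pem to the client" ;;
  client)  # ./stunnel-ssh.sh client <dir> <server-ip> [proxy-host:port]
    write_client_conf "$2/client.conf" "$2/cert.pem" "$3" "${4:-}"
    echo "next: stunnel $2/client.conf ; then ssh -p 21222 127.0.0.1" ;;
  check)   # ./stunnel-ssh.sh check <host:port>
    check_banner "$2" && echo "SSH banner seen through TLS" ;;
esac
```

Because every SSH connection now goes to 127.0.0.1:21222, the known_hosts entry would otherwise be keyed by that local address; passing -o HostKeyAlias=<server-name> to ssh ties the host key to the real server instead, so the entry is not confused with any other tunnel on the same port. If the server's certificate is rotated, copy the new cert.pem to the client, since pinning with verify = 3 rejects anything else.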

Voilà, an SSL tunnel for transporting SSH!
All SSH traffic nicely hidden in an SSL tunnel. To a port-based firewall it is indistinguishable from HTTPS; a proxy that inspects the TLS handshake can still notice the self-signed certificate.

This entry was posted in Development, Mac, Other.

11 Responses to SSL to SSH tunneling (stunnel)

  1. Ammon says:

    For the love of… Why? Seriously. Why?

    SSH is already SSL encrypted. That’s kind of the entire point. You can even tunnel other apps through SSH just like you are doing with raw SSL here.

    If you want to be able to SSH to an alternate port on your home machine, just tell your sshd to listen to another port and save yourself the wasted complexity, cpu, and bandwidth.

  2. admin says:

    Yes, SSH is very safe!
    And I am quite aware of how to use alternate ports for sshd.

    Most of the time this guide is like reinventing the wheel. :-)

    I did not do the tunneling due to security issues in ssh but to pass through tightly secured proxies and firewalls. At larger companies, the security department usually only allows internet traffic over http and https (ssl) through a forward proxy.

    Then you have two ways to go.

    1. Tunnel ssh over http; then you must cope with all the strange hacks a forward proxy might do, adding headers etc.

    2. Or do some tricks over https proxy connect with ssl; one could be my solution above.

  3. Pants says:

    Great post. I ‘get’ exactly why you need to tunnel SSH over stunnel as you’ve described here. I’m currently working with a very tricky proxy server that won’t allow a connection directly to an SSHD server because it requires SSL handshaking, otherwise it drops the connection. Using stunnel I can now get the correct SSL protocol and still use SSH too.

  4. nalply says:

    It’s necessary if you are limited by a stupid firewall not allowing outgoing SSH. With SSH over SSL you can trick the firewall. :-)

  5. amaël says:

    Is there a way to use stunnel with a proxy that allows https (CONNECT)? The proxy needs the client to be authenticated. I’ve seen the savvard patch but it doesn’t work with the latest version (4.28) of stunnel.

  6. Jonas says:

    This works but is a bit of a ‘middle-ground’ fudge and certainly won’t work in all environments. If you want to get your SSH through a web-proxy, it’s better to completely wrap your SSH in HTTPS – e.g.

    http://www.saulchristie.com/bypass-firewalls

    A little bit more effort but completely undetectable even by full network traffic analysis.

  7. admin says:

    My blog post explains how to run SSH in SSL, which I believe is the same as your SSH in HTTPS.

  8. Cedric says:

    And this post is all the more interesting in that Saul Christie forgot to mention that Apache’s mod_proxy_connect has a bug, which may only be corrected by applying a patch to Apache at compile time, and which prevents using proxytunnel over https.

    So the only way, without recompiling Apache, to do what you need is the way you very simply explained above.

    Thanks.

  9. Yoshito says:

    I have just finished my configuration and it works very well. Here is the openssl PEM generator command for people who are a bit lost with SSL certs.

    openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

    Long live the completely free Internet.

  10. farshid says:

    Thanks so much, that’s awesome. Some people may ask why do this (@Ammon). The answer is there are firewalls out there that can mangle the SSH2_MSG_KEXINIT packet when ssh initiates a connection, therefore fully blocking the ssh connection on any port!! That’s an awesome way to get around that. Many thanks.

  11. JoeT says:

    Your post helped me. I was trying to set up stunnel and it wasn’t working; it just kept hanging no matter what I tried doing with pem files and ports and iptables, grrr.
    Turns out I needed to uncomment this line:
    client=yes
    Thanks! :)
