# stunnel - An SSL encryption wrapper

stunnel (https://www.stunnel.org/) is a transparent encryption wrapper that can be used to tunnel unencrypted connections over an encrypted SSL tunnel.
|
## Installation

You may install the package `stunnel` in the pakfire web interface or on the command line by running:

`pakfire install stunnel`
|
## Configuration

stunnel is configured by editing its configuration file `/etc/stunnel/stunnel.conf`. You should also place your certificates in the `/etc/stunnel` directory.

stunnel can operate in two modes. In **server mode** it works as a transparent proxy in front of a server: clients that connect to it must first negotiate an SSL session and can then talk to the server behind it (like POP3S). **Client mode** does the opposite: clients connecting to stunnel running in client mode establish a plain text connection, and stunnel creates an SSL tunnel to the remote server on their behalf.
|
### Server Mode

To run stunnel in server mode, you will need a certificate. If you already have a certificate you want to use, you may copy the certificate and the private key into `stunnel.pem` in PEM format and you are done. Otherwise, you may generate a self-signed certificate as shown further below.

The common name (CN) of the certificate should match the hostname of the server stunnel is running on.

Then you will need to add at least one service like this:

```ini
[ipfire-smtp]
accept = 465
connect = 25
```

This service, for example, will make stunnel listen on port 465; a client that connects to that port will need to negotiate an SSL tunnel and will then be automatically connected to port 25. This example enhances your locally running mail server to accept mail over SMTP-over-SSL.
|
#### Create a self-signed certificate

This section briefly shows the commands that need to be executed. The `openssl req` step prompts for the certificate fields; enter the server's hostname as the Common Name.

```bash
cd /etc/stunnel
openssl genrsa -out stunnel.key 2048
openssl req -new -key stunnel.key -out stunnel.csr
openssl x509 -req -days 365 -in stunnel.csr -signkey stunnel.key -out stunnel.crt
cat stunnel.crt stunnel.key > stunnel.pem
chmod 640 stunnel.key stunnel.pem
```

### Client Mode

To enable client mode, you will need to put `client = yes` into the global section of the stunnel configuration file.

Further below, you may add new services like the following:

```ini
[ipfire-smtps]
accept = 25
connect = mail01.ipfire.org:465
```

In this example, you may connect to stunnel on port 25 and it will connect you over SSL to the IPFire mail server at `mail01.ipfire.org` on port 465, which is SMTP-over-SSL.
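The server-mode and client-mode service definitions above share one file format: global options first, then one `[name]` section per service. The following is an added example (not code from the IPFire wiki or the stunnel project) that parses that format and flags the mistakes most likely to leave a tunnel non-functional or unverified; `verify`, `verifyChain` and `verifyPeer` are stunnel's own certificate-verification options, which this page does not cover, and the sample configs are constructed.

```python
# Added example, not code from the IPFire wiki or the stunnel project: a small parser and
# sanity checker for the stunnel.conf format shown above. Sample configs are constructed.

def parse_stunnel_conf(text):
    """Split stunnel.conf into (global options, {service: options}).
    Lines before the first [name] header are global; ';' starts a comment."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        (global_opts if current is None else services[current])[key.strip()] = value.strip()
    return global_opts, services


def check_config(text):
    """Return a list of problems to fix before starting stunnel with this file."""
    global_opts, services = parse_stunnel_conf(text)
    client_mode = global_opts.get("client", "no").lower() == "yes"
    problems = [] if services else ["no [service] section defined"]
    for name, opts in services.items():
        merged = {**global_opts, **opts}  # service options override global ones
        for key in ("accept", "connect"):
            if key not in merged:
                problems.append(f"[{name}] is missing '{key}'")
        if not client_mode and "cert" not in merged:
            problems.append(f"[{name}] server mode needs 'cert = /etc/stunnel/stunnel.pem'")
        if client_mode and not any(k in merged for k in ("verify", "verifyChain", "verifyPeer")):
            problems.append(f"[{name}] client mode does not verify the server certificate")
    return problems


# Constructed samples: the page's server-mode service (plus a cert line) and client-mode service.
SERVER_CONF = "cert = /etc/stunnel/stunnel.pem\n[ipfire-smtp]\naccept = 465\nconnect = 25\n"
CLIENT_CONF = "client = yes\n[ipfire-smtps]\naccept = 25\nconnect = mail01.ipfire.org:465\n"

if __name__ == "__main__":
    print(check_config(SERVER_CONF))  # []
    print(check_config(CLIENT_CONF))  # ['[ipfire-smtps] client mode does not verify the server certificate']
```

Without a `verify*` option, a client-mode tunnel encrypts the hop but accepts any certificate the remote end presents, so the checker reports that case even though the tunnel itself would come up.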
|
## Operation

stunnel works in the background and can be started by running:

`/etc/init.d/stunnel start`

Likewise you can stop the service:

`/etc/init.d/stunnel stop`

To check whether it is running, you may run:

`/etc/init.d/stunnel status`