stunnel (https://www.stunnel.org/) is a transparent encryption wrapper that can be used to tunnel unencrypted connections over an encrypted SSL tunnel.
You may install the package
stunnel in the pakfire web interface or on command line by running:
pakfire install stunnel
stunnel can be configured on command line via its configuration file
/etc/stunnel/stunnel.conf. You should also place your certificates in the
stunnel can operate in two modes. The server mode works as a transparent proxy in front of a server, so that clients that connect to the server, need to negotiate an SSL and can then talk to the server (like POP3S). The client mode does the opposite thing. Clients connecting to stunnel running in client mode can establish a plain text connection and stunnel will create an SSL tunnel to a server.
To run stunnel in server mode, you will need to create a certificate. If you already have a certificate you want to use, you may copy the certificate and the private key into
stunnel.pem in the PEM format and you are done. Otherwise, you may generate a self-signed certificate as shown further below.
The command name of the certificate should match the hostname of the server stunnel is running on.
Then you will need to add at least one service like this:
accept = 465
connect = 25
This service for example will make stunnel listen on port 465 and a client that connects to that port will need to negotiate a SSL tunnel and will then be automatically connected to port 25. This example enhances your locally running mail server to accept mails over SMTP-over-SSL.
This section briefly shows the commands that need to be executed.
cd /etc/stunnel openssl genrsa -out stunnel.key 2048 openssl req -new -key stunnel.key -out stunnel.csr openssl x509 -req -days 365 -in stunnel.csr -signkey stunnel.key -out stunnel.crt cat stunnel.crt stunnel.key > stunnel.pem chmod 640 stunnel.key stunnel.pem
To enable the client mode, you will need to put
client = yes into the global section of the stunnel configuration file.
Further below, you may add new services like the following:
accept = 25
connect = mail01.ipfire.org:465
In this example, you may connect to stunnel on port 25 and it will connect you over SSL to the IPFire mail server at
mail01.ipfire.org on port 465, which is SMTP-over-SSL.
stunnel works in the background and can be started by running:
Likewise you can stop the service:
To check if it is running, you may run: