The community-maintained documentation platform of IPFire

User Tools

Site Tools


stunnel - A SSL encryption wrapper

stunnel ( is a transparent encryption wrapper that can be used to tunnel unencrypted connections over an encrypted SSL tunnel.


You may install the package stunnel in the pakfire web interface or on command line by running:

pakfire install stunnel


stunnel can be configured on command line via its configuration file /etc/stunnel/stunnel.conf. You should also place your certificates in the /etc/stunnel directory.

stunnel can operate in two modes. The server mode works as a transparent proxy in front of a server, so that clients that connect to the server, need to negotiate an SSL and can then talk to the server (like POP3S). The client mode does the opposite thing. Clients connecting to stunnel running in client mode can establish a plain text connection and stunnel will create an SSL tunnel to a server.

Server Mode

To run stunnel in server mode, you will need to create a certificate. If you already have a certificate you want to use, you may copy the certificate and the private key into stunnel.pem in the PEM format and you are done. Otherwise, you may generate a self-signed certificate as shown further below.

The command name of the certificate should match the hostname of the server stunnel is running on.

Then you will need to add at least one service like this:

accept = 465
connect = 25

This service for example will make stunnel listen on port 465 and a client that connects to that port will need to negotiate a SSL tunnel and will then be automatically connected to port 25. This example enhances your locally running mail server to accept mails over SMTP-over-SSL.

Create a self-signed certificate

This section briefly shows the commands that need to be executed.

cd /etc/stunnel
openssl genrsa -out stunnel.key 2048
openssl req -new -key stunnel.key -out stunnel.csr
openssl x509 -req -days 365 -in stunnel.csr -signkey stunnel.key -out stunnel.crt
cat stunnel.crt stunnel.key > stunnel.pem
chmod 640 stunnel.key stunnel.pem

Client Mode

To enable the client mode, you will need to put client = yes into the global section of the stunnel configuration file.

Further below, you may add new services like the following:

accept = 25
connect =

In this example, you may connect to stunnel on port 25 and it will connect you over SSL to the IPFire mail server at on port 465, which is SMTP-over-SSL.


stunnel works in the background and can be started by running:

/etc/init.d/stunnel start

Likewise you can stop the service:

/etc/init.d/stunnel stop

To check if it running, you may run:

/etc/init.d/stunnel status
addons/stunnel/start.txt · Last modified: 2014/04/30 12:49 by MichaelTremer