Stunnel configuration example using Telnet

From Teltonika Networks Wiki

Revision as of 05:52, 17 November 2022

Introduction

This article is a guide to configuring Stunnel so that a Telnet session between a client and a router is carried inside a TLS tunnel. The configuration applies to RUT9xx and RUTX series routers.

  • First, make sure that ADVANCED mode is enabled in the WebUI. It exposes the larger set of settings used in this guide.

( add image)

Stunnel is an open-source proxy that wraps the traffic of an existing client and server in TLS, so that applications which do not speak TLS themselves (Telnet, in this guide) are carried over an encrypted connection without being modified. On Teltonika routers it is also used to add a TLS layer around OpenVPN traffic, which strengthens the established connection and improves the chances of passing a Deep Packet Inspection (DPI) check.

Telnet is an application protocol, used on the Internet or a LAN, that provides bidirectional, interactive, text-oriented communication over a virtual terminal connection, typically from a client such as PuTTY. Everything it carries, credentials included, travels in cleartext, so because of the serious security concerns of using Telnet over an open network, SSH became the preferred choice.

The rest of this article is a step-by-step configuration example: a Stunnel instance is created on the router and another on the client, and a Telnet session is then run through that tunnel so that the data on the wire is encrypted.


Configuration Overview and Prerequisites

Before we begin, let's review the configuration we are attempting to achieve and the prerequisites that make it possible.

Prerequisites:

  • One RUTxxx router of any type with a public IP.
  • At least one end device (a laptop or PC) from which to configure the router and run the Telnet client.
  • Wireshark installed on the end device.
  • The Stunnel application installed on the end device: https://www.stunnel.org/downloads.html

(add image)

As mentioned earlier, Telnet itself provides no confidentiality. In this configuration we therefore place a Stunnel TLS tunnel between the client and the router and run the Telnet session through it, so that the data on the wire is encrypted. Wireshark captures on the client are then used to verify that the Telnet traffic is no longer visible in cleartext.


Router Configuration

First, enable local Telnet access on port 23: go to System → Administration → Access Control. The Telnet service only has to be reachable on the router itself, because the Stunnel instance configured below connects to it over 127.0.0.1:23.

File:Pic1.bmp

Then navigate to Services → VPN → Stunnel and configure the router:

  • Enable Stunnel in the global settings.

File:Pic2.bmp

  • Add a new instance and give it any configuration name.

File:Pic3.bmp

  • You will be directed to the Stunnel instance configuration. Fill it in as follows:

 Enable Stunnel           : checked
 Operating mode           : Server
 Listen IP                : 0.0.0.0
 Listen Port              : 2030
 Connect IP's             : 127.0.0.1:23
 TLS Cipher               : Secure
 Insert Certificate File  : server.cert.pem and server.key.pem

Listen IP 0.0.0.0 makes the TLS listener reachable on every router interface; only this TLS port is exposed, and the Telnet service behind it is reached over loopback.

File:Pic4.bmp

Note: the certificate files can be downloaded from System → Administration → Certificates:

https://wiki.teltonika-networks.com/wikibase/index.php?title=RUT955_Administration&mobileaction=toggle_view_desktop#Certificates

  • Then navigate to Network → Firewall → Traffic Rules and add a new rule (or edit the existing Telnet rule) so that incoming WAN traffic is allowed to the Stunnel listen port configured above (2030 in this example).

File:Pic5.bmp

You will be navigated to the configuration page; enable the rule, then save and apply it. The rule should open only the Stunnel port: the Telnet service is reached by the router's own Stunnel instance over 127.0.0.1:23, and opening port 23 itself toward the WAN would let clients bypass the TLS layer entirely.


Stunnel Configuration

For Windows:

Download Stunnel from https://www.stunnel.org/downloads.html. Choose the latest win64 installer .exe and install it.

File:Pic6.bmp

  • Install only the stunnel.exe daemon; openssl.exe can be skipped.

Once the application is installed, open Stunnel, go to Configuration and select Edit Configuration. Remove all existing content and paste the following:

 ; Example TLS client mode services

 [my-stunnel-conf]
 Client = yes
 Accept = 127.0.0.1:23
 Connect = 84.15.X.X:2030
 Cert = ca-cert1.pem

The Connect value depends on your own setup: it must be the router's public IP address and the Listen Port of the Stunnel instance configured on the router (2030 in this example). Accept binds the local Telnet endpoint to 127.0.0.1 only, so nothing else on the client's network can reach the unencrypted side of the tunnel. Note that this minimal configuration does not verify the router's certificate (there is no verify/CAfile option), so it protects the Telnet session against passive sniffing, which is what the Wireshark test in this guide checks, but not against an active man-in-the-middle that presents its own certificate.

  • Navigate to C:\Program files (x86)\Stunnel\config and create a new file named ca-cert1.pem.
  • Paste the contents of client.cert.pem followed by client.key.pem into it and save the file. Despite its name, this file holds the client certificate and private key (the Cert option above points at it, and Stunnel reads the key from the same file when no Key option is given), so protect it like any other key file. (Note: download the client certificate and key from the router's WebUI, System → Administration → Certificates.)
  • For example:

File:Pic7.png
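Before reloading, it is worth checking the client configuration and the certificate bundle mechanically rather than by eye. The following Python script is an added example, not code from this wiki page or from the stunnel project: it parses a client-mode stunnel.conf like the one above, checks that the service is in client mode, that Accept binds loopback, that Connect carries an explicit port, that the file named by Cert holds both a CERTIFICATE and a PRIVATE KEY block, and warns when no verify/CAfile option is present. The configuration text and PEM bundle in its demo() function are constructed for the example (the PEM bodies are dummy text, not key material), and the CA file name router-ca.pem used with verify = 2 is an assumed name, not a file the router ships.

```python
# Added example, not from the Teltonika wiki page or the stunnel project: lint a
# client-mode stunnel.conf and the PEM bundle it points at before reloading it.
# The configuration text and the PEM bundle in demo() are constructed for the
# example; the PEM bodies are dummy text, not key material.
import configparser
import re
import tempfile
from pathlib import Path

# One PEM block with its label captured, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)
GLOBAL = "__global__"   # dummy section for options that precede the first [service]


def pem_block_types(pem_text):
    """Return the labels of the PEM blocks in a file, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def lint_stunnel_client(conf_text, config_dir):
    """Check a client-mode stunnel.conf. Returns a list of findings; [] means clean."""
    findings = []
    # stunnel permits global options before the first [service] header and treats
    # option names case-insensitively; configparser lowercases keys, which matches,
    # but it needs a section header first, so a dummy one is prepended.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(f"[{GLOBAL}]\n" + conf_text)
    services = [s for s in parser.sections() if s != GLOBAL]
    if not services:
        return ["no [service] section found"]
    for name in services:
        svc = parser[name]
        if svc.get("client", "no").strip().lower() != "yes":
            findings.append(f"[{name}] is not a client-mode service (needs client = yes)")
        accept = svc.get("accept", "").strip()
        if not accept.startswith("127.0.0.1:"):
            findings.append(f"[{name}] accept should bind loopback only, got {accept!r}")
        connect = svc.get("connect", "").strip()
        if not re.fullmatch(r"[^:\s]+:\d{1,5}", connect):
            findings.append(f"[{name}] connect must be host:port (router IP and its Stunnel listen port), got {connect!r}")
        cert = svc.get("cert", "").strip()
        if not cert:
            findings.append(f"[{name}] no cert option: the client certificate is not presented")
        else:
            cert_path = Path(config_dir) / cert
            if not cert_path.is_file():
                findings.append(f"[{name}] cert file {cert_path} does not exist")
            else:
                types = pem_block_types(cert_path.read_text())
                if "CERTIFICATE" not in types:
                    findings.append(f"[{name}] {cert} has no CERTIFICATE block")
                if not any(t.endswith("PRIVATE KEY") for t in types):
                    # stunnel reads the key from the cert file when no key option is given
                    findings.append(f"[{name}] {cert} has no PRIVATE KEY block")
        if not any(opt in svc for opt in ("verify", "verifypeer", "verifychain", "cafile")):
            findings.append(f"[{name}] no verify/CAfile option: the router's certificate is not authenticated")
    return findings


def demo():
    """Lint a configuration like the page's (with verification added) and a broken one.
    Returns (findings_for_good, findings_for_bad)."""
    # Constructed PEM bundle: dummy base64-looking bodies, not real key material.
    bundle = ("-----BEGIN CERTIFICATE-----\nMIIBdummyCertificateBody==\n-----END CERTIFICATE-----\n"
              "-----BEGIN PRIVATE KEY-----\nMIIEdummyKeyBody==\n-----END PRIVATE KEY-----\n")
    good_conf = """\
; Example TLS client mode services
[my-stunnel-conf]
Client = yes
Accept = 127.0.0.1:23
Connect = 84.15.X.X:2030
Cert = ca-cert1.pem
verify = 2
CAfile = router-ca.pem
"""
    bad_conf = """\
[my-stunnel-conf]
Client = yes
Accept = 0.0.0.0:23
Connect = 84.15.X.X
Cert = ca-cert1.pem
"""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "ca-cert1.pem").write_text(bundle)
        return lint_stunnel_client(good_conf, tmp), lint_stunnel_client(bad_conf, tmp)


if __name__ == "__main__":
    good, bad = demo()
    print("page-style config:", good or "clean")
    print("broken config:", *bad, sep="\n  ")
```

Run it against the real config directory by calling lint_stunnel_client(Path("stunnel.conf").read_text(), ".") from that directory; the broken sample in demo() produces three findings (accept not on loopback, connect without a port, no certificate verification), which are exactly the mistakes that silently weaken this setup.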

Once saved, go back to Stunnel > Configuration and select Reload Configuration.

File:Pic8.png

If everything is working as expected, the log should look like the one above, with the configuration loaded successfully. Now open a Telnet session to 127.0.0.1 on port 23 from the client (for example with PuTTY): the local Stunnel accepts it and forwards it over TLS to port 2030 on the router, where the router's Stunnel instance hands it to the Telnet service.
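What the Wireshark comparison should show can be stated precisely. The following Python script is an added example, not code from this wiki page: it classifies TCP payload bytes the way you would read them in a capture. A plaintext Telnet session on port 23 opens with IAC option negotiation (0xFF followed by WILL/WONT/DO/DONT and an option number) and then carries readable text such as the login prompt, whereas the tunnelled session on port 2030 opens with a TLS record header (content type 0x16 handshake, record version 3.x, a two-byte length) and then carries application-data records (0x17) whose contents are ciphertext. The sample payloads, including the ClientHello-shaped record and the bytes standing in for ciphertext, are constructed for the example, not captured.

```python
# Added example, not from the Teltonika wiki page: classify a TCP payload as
# plaintext Telnet, a TLS record, or something else, and check whether a
# cleartext string (the login prompt) is visible in it. All sample payloads
# below are constructed for the example, not captured from a real session.

TELNET_IAC = 0xFF
IAC_VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def telnet_iac_commands(data):
    """Decode the IAC negotiation a Telnet server or client sends first.
    Returns [(verb, option), ...]; an empty list means the payload does not
    start with Telnet option negotiation."""
    cmds = []
    i = 0
    while i + 2 < len(data) and data[i] == TELNET_IAC and data[i + 1] in IAC_VERBS:
        cmds.append((IAC_VERBS[data[i + 1]], data[i + 2]))
        i += 3
    return cmds


def tls_record_header(data):
    """Parse a TLS record header. Returns (content_type, (major, minor), length)
    or None when the first five bytes do not look like a TLS record."""
    if len(data) < 5:
        return None
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    # Record versions run from 3.0 (SSL 3.0) to 3.4 (TLS 1.3); a record body is
    # at most 2^14 bytes plus 2048 bytes of expansion.
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4 or length > 16384 + 2048:
        return None
    return ctype, (major, minor), length


def classify_payload(data):
    """Label a payload the way a Wireshark reader would."""
    if telnet_iac_commands(data):
        return "telnet-plaintext"
    hdr = tls_record_header(data)
    if hdr is None:
        return "other"
    return {0x16: "tls-handshake", 0x17: "tls-appdata"}.get(hdr[0], "tls-other")


def leaks_cleartext(data, needle):
    """True when the cleartext string is visible in the payload."""
    return needle in data


def build_client_hello():
    """A minimal ClientHello-shaped TLS record (constructed: fixed 'random' field,
    one cipher suite, no extensions), enough to exercise the record-header parser."""
    body = (b"\x03\x03" + bytes(range(32))      # client_version, random
            + b"\x00"                            # session_id length 0
            + b"\x00\x02\x13\x01"                # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                        # compression methods: null only
            + b"\x00\x00")                       # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples: what port 23 looks like versus what port 2030 looks like.
TELNET_BANNER = (b"\xff\xfb\x01"        # IAC WILL ECHO
                 b"\xff\xfb\x03"        # IAC WILL SUPPRESS-GO-AHEAD
                 b"\xff\xfd\x18"        # IAC DO TERMINAL-TYPE
                 b"\r\nRUTX login: ")
TLS_HELLO = build_client_hello()
# Application-data record whose 32-byte body stands in for ciphertext (every byte is
# >= 0x80, so no ASCII string can appear in it).
TLS_APPDATA = b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))


def demo():
    """Classify each sample and check whether the login prompt is visible."""
    prompt = b"login:"
    return {
        "telnet": classify_payload(TELNET_BANNER),
        "hello": classify_payload(TLS_HELLO),
        "appdata": classify_payload(TLS_APPDATA),
        "telnet_leaks_prompt": leaks_cleartext(TELNET_BANNER, prompt),
        "tunnel_leaks_prompt": leaks_cleartext(TLS_HELLO + TLS_APPDATA, prompt),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In Wireshark, compare the filters tcp.port == 23 and tcp.port == 2030 and use Follow TCP Stream on each: the login prompt and the typed credentials must be readable only on the loopback side (127.0.0.1:23), while the stream toward the router's public IP on port 2030 should contain nothing but TLS records. If a capture toward the router's public IP shows port 23 traffic at all, the client is connecting to the router directly instead of through 127.0.0.1:23 and the tunnel is being bypassed.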

For Linux:

Testing Results