Difference between revisions of "Stunnel configuration examples"

From Teltonika Networks Wiki
Line 1: Line 1:
=Introduction=
+
==Introduction==
  
'''Stunnel''' is an open-source multi-platform software application used to provide a TLS/SSL tunneling service for already existing clients and servers.
+
<b>Stunnel</b> is an open-source a proxy service that adds TLS encryption to clients and servers already existing on a VPN network. TLS encryption provided by Stunnel can be used as an additional layer of encryption for data sent by OpenVPN. This procedure increases the security of the established connection and provides higher chances of passing a Deep packet inspection (DPI) check.
  
This article contains Stunnel configuration examples that require more in-depth explanations. All examples involve 2 or more RUT routers. For a bedrock Stunnel WebUI explanation please visit '''[[VPN#Stunnel|VPN manual page]]'''.
+
This article contains instructions on how to configure an OpenVPN over Stunnel topology.
  
=Stunnel configuration specifics=
+
==Overview==
  
To establish an Stunnel connection, there have to be a client and a server instances set up and configured properly. Fields required for bare minimum configurations are:
+
<b>You will need</b>
  
* '''Stunnel Client'''
+
<ul>
** Listen Port
+
    <li>two routers of the RUTxxx series (except RUT850);</li>
** Connect IP's
+
    <li>at least one router (server) with a public IP;</li>
 +
    <li>TLS certificates for the server and the client (<i>for instructions on generating TLS certificates, [[How to generate TLS certificates (Windows)?|click here]]</i>).</li>
 +
</ul>
 +
----
 +
<b>Topology</b>
  
* '''Stunnel Server'''
+
[[File:Networking_device_vpn_stunnel_working_scheme_v3.png]]
** Listen Port
+
----
** Connect IP's
+
<b>Explanation</b>
** Certificate File
 
** Private Key ''if it is not appended to the Certificate File!''
 
  
Examples in this page cover the server-side set up of the Stunnel service, which requires knowledge about TLS certificates and keys. This example, however, will not cover the TLS certificate and key generation process. For detailed instructions on how to generate TLS certificates and keys please refer to our articles for '''[[How to generate TLS certificates (Windows)?|Windows]]''' users.
+
An OpenVPN client is connected to an OpenVPN server (both hosted on RUT routers) via a TLS encrypted Stunnel connection. This provides the possibility to transfer data between remote private networks (LAN A and LAN B) and adds an additional TLS security layer for the connection.
  
If you are not setting up a Stunnel server yourself and instead use a third-party Stunnel service, the provider should either provide you the certificate and key, or might not require them at all.
+
==Server configuration==
  
 +
First, configure the OpenVPN and Stunnel servers. The Stunnel server will listen for incoming client connections on the specified TCP port (<i>9999</i> in this example) and connect them to OpenVPN server running on the local host.
  
=OpenVPN over Stunnel=
+
The logic of the connection can be visualized like this:
  
TLS encryption provided by Stunnel can be used as an additional layer of encryption for data sent by OpenVPN. This procedure increases the security of the established connection and provides higher chances of passing a '''[[https://en.wikipedia.org/wiki/Deep_packet_inspection|Deep Packet Inspection (DPI)]]''' check without being detected.
+
[[File:Networking_device_vpn_stunnel_server_working_scheme_v1.png]]
  
For the following example we will be providing the configurations used for OpenVPN client and server. However, you are expected to set them up yourself. For more information on OpenVPN configuration please refer to our article '''[[OpenVPN configuration examples]]'''.
+
===OpenVPN server===
 +
----
 +
Navigate to the <b>Services → VPN → OpenVPN</b> page. Select <i>Role: Server</i>, enter a custom name and click the 'Add New' button. An OpenVPN server instance with the given name will appear in the "OpenVPN Configuration" list. To begin configuration, click the 'Edit' button next to the server instance.
  
You can imagine the visual representation of OpenVPN over Stunnel configuration for 2 routers with local networks to look similar to this:
+
The figure below displays the configuration used for our example. Take note of the comments that are provided next to fields that differ from the default value:
  
 +
[[File:Networking_rutxxx_configuration_examples_openvpn_over_stunnel_openvpn_server_configuration_v1.png]]
  
[[Image:draw_io_openvpn_stunnel.png]]
+
Don't forget to click the <b>Save</b> button located at the bottom-right side of the page.
  
 +
===Stunnel server===
 +
----
 +
Navigate to the <b>Services → VPN → Stunnel</b> page and enable the "Stunnel Globals" configuration:
  
==Router information==
+
[[File:Networking_rutxxx_configuration_examples_openvpn_over_stunnel_stunnel_globals_configuration_v1.png]]
  
We will be using 2 RUTxxx routers connected to the same Wide Area Network (WAN). One router will be used as the server, other one - as the client.
+
Click <b>Save</b>.
 +
----
 +
To create a new Stunnel instance, enter a custom name for it and click the 'Add' button. A new instance with the given name will appear in the "Stunnel Configuration" list. To begin configuration, click the 'Edit' button next to the instance.
  
In this example, WAN IP addresses for the routers are:
+
The figure below displays the configuration used for our example. Take note of the comments that are provided next to fields that differ from the default value:
  
* '''Server WAN IP address: 192.168.10.32'''
+
[[File:Networking_rutxxx_configuration_examples_openvpn_over_stunnel_stunnel_server_configuration_v1.png]]
  
* '''Client WAN IP address: 192.168.10.33'''
+
Don't forget to click the <b>Save</b> button located at the bottom-right side of the page.
  
 +
===Open Stunnel port===
 +
----
 +
The OpenVPN default port (<i>1194</i>) is opened by default. But you will have manually open the select Stunnel port (<i>9999</i> in this example).
  
Although it does not matter for Stunnel, for OpenVPN configurations it is usually better (more reliable) to configure and enable the server first. That is why we will start with the server configuration.
+
To do this, navigate to the <b>Network → Firewall → Traffic Rules</b> page and scroll down until you see the <b>Open Ports On Router</b> section. Fill out the configuration fields as indicated in the figure above and click the 'Add' button:
  
 +
[[File:Networking_rutxxx_configuration_examples_openvpn_over_stunnel_firewall_configuration_v1.png]]
  
This specific router configuration can be imagined to be like this:
+
==Client configuration==
  
 +
Configure the OpenVPN and Stunnel clients that will be connecting to the server. Unlike in the server, there is reason tu configure Stunnel client before the OpenVPN client (the other way around will also work but an OpenVPN service restart may be required) so it is recommended to start with that.
  
[[Image:draw_io_example_visual.png]]
+
The OpenVPN client will connect to <i>TCP port 1194</i> of the local host and the Stunnel client will connect to the WAN IP and Stunnel port (<i>192.168.10.1:9999</i> in this example) of the server router.
  
 +
The logic of the entire connection can be visualized like this:
  
==Basic server setup==
+
[[File:Networking_device_vpn_stunnel_complete_configuration_scheme_v2.png]]
 
 
On the router used as a server we have to set up OpenVPN and Stunnel server instances.
 
 
 
OpenVPN server configuration looks like this:
 
 
 
[[Image:demo_openvpn_server_config.png]]
 
 
 
Stunnel server configuration looks like this:
 
 
 
[[Image:demo_stunnel_server_config.png]]
 
 
 
After saving the Stunnel server configuration, do not forget to mark the global "Enabled" flag. To save the changed global settings you will need to click '''Save''':
 
 
 
[[Image:demo_stunnel_server_global_enabled.png]]
 
  
To check if both OpenVPN and Stunnel services started properly, go to the CLI section, login to the router and launch these two commands one after the other:
+
===Stunnel client===
 +
----
 +
Navigate to the <b>Services → VPN → Stunnel</b> page and enable the "Stunnel Globals" configuration:
  
* ''ps | grep stunnel | grep -v grep''
+
[[File:Networking_rutxxx_configuration_examples_openvpn_over_stunnel_stunnel_globals_configuration_v1.png]]
  
* ''ps | grep openvpn | grep -v grep''
+
Click <b>Save</b>.
 
+
----
If one of them does not return a result, there might be a mistake in the configurations or you forgot to enable the configured instances. More information on the probable causes can be found at the [[Stunnel configuration examples#Configuration mistakes|end of this page]].
+
To create a new Stunnel instance, enter a custom name for it and click the 'Add' button. A new instance with the given name will appear in the "Stunnel Configuration" list. To begin configuration, click the 'Edit' button next to the instance.
  
'''IMPORTANT NOTES:'''
+
The figure below displays the configuration used for our example. Take note of the comments that are provided next to fields that differ from the default value:
  
So far the server is configured this way:
+
[[File:Networking_rutxxx_configuration_examples_openvpn_over_stunnel_stunnel_client_configuration_v1.png]]
  
 +
Don't forget to click the <b>Save</b> button located at the bottom-right side of the page.
  
[[Image:draw_io_server_config_image.png]]
+
===OpenVPN client===
 +
----
 +
Navigate to the <b>Services → VPN → OpenVPN</b> page. Select <i>Role: Cerver</i>, enter a custom name and click the 'Add New' button. An OpenVPN client instance with the given name will appear in the "OpenVPN Configuration" list. To begin configuration, click the 'Edit' button next to the client instance.
  
 +
The figure below displays the configuration used for our example. Take note of the comments that are provided next to fields that differ from the default value:
  
* Take notice that the selected OpenVPN connection protocol is '''TCP''', not '''UDP'''! This is necessary, because TLS encryption (which is what Stunnel provides) only works over the TCP protocol.
+
[[File:Networking_rutxxx_configuration_examples_openvpn_over_stunnel_openvpn_client_configuration_v1.png]]
* Since OpenVPN server will receive packets from the '''localhost''', you don't have to open a firewall for the OpenVPN server port.
 
* However, Stunnel server will be receiving packets from the client over the internet (WAN), so you '''must open''' a firewall for the Stunnel server port. Otherwise, the client will not be able to connect to the server through the designated port.
 
  
Firewall rule creation can be found at the '''Network → Firewall''' section, '''Traffic Rules''' tab.
+
Don't forget to click the <b>Save</b> button located at the bottom-right side of the page.
  
The firewall rule creation for Stunnel server port looks like this:
+
==Testing and troubleshooting==
  
 +
If you have completed the steps presented above, your configuration is complete. This section provides tips on how to test and troubleshoot this <i>OpenVPN over Stunnel</i> connection.
  
[[Image:demo_firewall_stunnel.png]]
+
<ul>
 +
    <li>Check whether remote side is reachable by sending ICMP requests. To do that, go to the <b>Services → CLI</b> page. Login (username: <i>root</i>; password: <i>router's password</i>) and ping the opposite instance:
 +
        <pre>ping 10.8.0.6</pre>Is the response looks like this, then the connection was established successfully:
 +
        <pre>
 +
64 bytes from 10.8.0.6: seq=0 ttl=64 time=101.214 ms
 +
64 bytes from 10.8.0.6: seq=1 ttl=64 time=91.018 ms
 +
64 bytes from 10.8.0.6: seq=2 ttl=64 time=88.974 ms
 +
64 bytes from 10.8.0.6: seq=3 ttl=64 time=502.781 ms
 +
        </pre>
 +
    </li>
 +
    <li>If there is no response to the ping requests, check whether Stunnel and OpenVPN services are running on the device. For Stunnel use this command:
 +
        <pre>ps | grep stunnel | grep -v grep</pre>The output should look similar to this:
 +
        <pre>
 +
16122 root      2992 S    /usr/bin/stunnel /tmp/stunnel.conf
 +
16178 root      3096 S    /usr/bin/stunnel /tmp/stunnel.conf
 +
        </pre>For OpenVPN use this command:
 +
        <pre>ps | grep openvpn | grep -v grep</pre>The output should look similar to this:
 +
        <pre>13034 root      3428 S    /usr/sbin/openvpn --syslog openvpn(7365727665725F41)</pre>
 +
    </li>
 +
    <li></li>
 +
</ul>
 +
<!--
  
  
'''Make sure that the firewall rule is enabled!''' To do that, click the '''Edit''' button next to the rule and then click '''Save'''.
 
  
 +
* ''''
  
==Basic client setup==
+
* ''''
  
 
On the router used as a client we have to set up OpenVPN and Stunnel client instances.
 
On the router used as a client we have to set up OpenVPN and Stunnel client instances.
Line 129: Line 158:
  
 
To check if both OpenVPN and Stunnel services started properly, go to the CLI section, login to the router and launch these two commands one after the other:
 
To check if both OpenVPN and Stunnel services started properly, go to the CLI section, login to the router and launch these two commands one after the other:
 
* ''ps | grep stunnel | grep -v grep''
 
 
* ''ps | grep openvpn | grep -v grep''
 
  
 
If one of them does not return a result, there might be a mistake in the configurations or you forgot to enable the configured instances. More information on the probable causes can be found at the [[Stunnel configuration examples#Configuration mistakes|end of this page]].
 
If one of them does not return a result, there might be a mistake in the configurations or you forgot to enable the configured instances. More information on the probable causes can be found at the [[Stunnel configuration examples#Configuration mistakes|end of this page]].
Line 241: Line 266:
  
  
=Configuration mistakes=
+
==Configuration mistakes==
  
 
Improperly configured Stunnel instances will silently stop the Stunnel service and '''none''' of the Stunnel configurations will work, even though their "Enabled" flags might be marked. To check if the Stunnel service is working, connect to the router through CLI ('''Services → CLI''') and enter the line:
 
Improperly configured Stunnel instances will silently stop the Stunnel service and '''none''' of the Stunnel configurations will work, even though their "Enabled" flags might be marked. To check if the Stunnel service is working, connect to the router through CLI ('''Services → CLI''') and enter the line:
Line 255: Line 280:
 
* Incorrect file uploaded into one of the file fields (Verification file, Certificate file, Private Key);
 
* Incorrect file uploaded into one of the file fields (Verification file, Certificate file, Private Key);
 
* Sometimes certificates and private keys might not be accepted (even if they are properly signed and are currently valid) due to desynchronization of the router's clock. If you have problems with certificates, first try to sync current system time with your browser at section '''System → Setup Wizard → Step 1 - General''' (you don't need to go through all the sections/steps).
 
* Sometimes certificates and private keys might not be accepted (even if they are properly signed and are currently valid) due to desynchronization of the router's clock. If you have problems with certificates, first try to sync current system time with your browser at section '''System → Setup Wizard → Step 1 - General''' (you don't need to go through all the sections/steps).
 +
-->
 +
<!--
 +
==Basic server setup==
 +
 +
On the router used as a server we have to set up OpenVPN and Stunnel server instances.
 +
 +
OpenVPN server configuration looks like this:
 +
 +
[[Image:demo_openvpn_server_config.png]]
 +
 +
Stunnel server configuration looks like this:
 +
 +
[[Image:demo_stunnel_server_config.png]]
 +
 +
After saving the Stunnel server configuration, do not forget to mark the global "Enabled" flag. To save the changed global settings you will need to click '''Save''':
 +
 +
[[Image:demo_stunnel_server_global_enabled.png]]
 +
 +
To check if both OpenVPN and Stunnel services started properly, go to the CLI section, login to the router and launch these two commands one after the other:
 +
 +
* ''ps | grep stunnel | grep -v grep''
 +
 +
* ''ps | grep openvpn | grep -v grep''
 +
 +
If one of them does not return a result, there might be a mistake in the configurations or you forgot to enable the configured instances. More information on the probable causes can be found at the [[Stunnel configuration examples#Configuration mistakes|end of this page]].
 +
 +
'''IMPORTANT NOTES:'''
 +
 +
So far the server is configured this way:
 +
 +
 +
[[Image:draw_io_server_config_image.png]]
 +
 +
 +
* Take notice that the selected OpenVPN connection protocol is '''TCP''', not '''UDP'''! This is necessary, because TLS encryption (which is what Stunnel provides) only works over the TCP protocol.
 +
* Since OpenVPN server will receive packets from the '''localhost''', you don't have to open a firewall for the OpenVPN server port.
 +
* However, Stunnel server will be receiving packets from the client over the internet (WAN), so you '''must open''' a firewall for the Stunnel server port. Otherwise, the client will not be able to connect to the server through the designated port.
 +
 +
Firewall rule creation can be found at the '''Network → Firewall''' section, '''Traffic Rules''' tab.
 +
 +
The firewall rule creation for Stunnel server port looks like this:
 +
 +
 +
[[Image:demo_firewall_stunnel.png]]
 +
 +
 +
'''Make sure that the firewall rule is enabled!''' To do that, click the '''Edit''' button next to the rule and then click '''Save'''.
 +
-->

Revision as of 15:07, 5 July 2019

Main Page > RUT Routers > RUT955 > RUT955 Configuration Examples > Stunnel configuration examples

Introduction

Stunnel is an open-source a proxy service that adds TLS encryption to clients and servers already existing on a VPN network. TLS encryption provided by Stunnel can be used as an additional layer of encryption for data sent by OpenVPN. This procedure increases the security of the established connection and provides higher chances of passing a Deep packet inspection (DPI) check.

This article contains instructions on how to configure an OpenVPN over Stunnel topology.

Overview

You will need

  • two routers of the RUTxxx series (except RUT850);
  • at least one router (server) with a public IP;
  • TLS certificates for the server and the client (for instructions on generating TLS certificates, click here).

Topology

Networking device vpn stunnel working scheme v3.png

Explanation

An OpenVPN client is connected to an OpenVPN server (both hosted on RUT routers) via a TLS encrypted Stunnel connection. This provides the possibility to transfer data between remote private networks (LAN A and LAN B) and adds an additional TLS security layer for the connection.

Server configuration

First, configure the OpenVPN and Stunnel servers. The Stunnel server will listen for incoming client connections on the specified TCP port (9999 in this example) and connect them to OpenVPN server running on the local host.

The logic of the connection can be visualized like this:

Networking device vpn stunnel server working scheme v1.png

OpenVPN server

Navigate to the Services → VPN → OpenVPN page. Select Role: Server, enter a custom name and click the 'Add New' button. An OpenVPN server instance with the given name will appear in the "OpenVPN Configuration" list. To begin configuration, click the 'Edit' button next to the server instance.

The figure below displays the configuration used for our example. Take note of the comments that are provided next to fields that differ from the default value:

Networking rutxxx configuration examples openvpn over stunnel openvpn server configuration v1.png

Don't forget to click the Save button located at the bottom-right side of the page.

Stunnel server

Navigate to the Services → VPN → Stunnel page and enable the "Stunnel Globals" configuration:

Networking rutxxx configuration examples openvpn over stunnel stunnel globals configuration v1.png

Click Save.

To create a new Stunnel instance, enter a custom name for it and click the 'Add' button. A new instance with the given name will appear in the "Stunnel Configuration" list. To begin configuration, click the 'Edit' button next to the instance.

The figure below displays the configuration used for our example. Take note of the comments that are provided next to fields that differ from the default value:

Networking rutxxx configuration examples openvpn over stunnel stunnel server configuration v1.png

Don't forget to click the Save button located at the bottom-right side of the page.

Open Stunnel port

The OpenVPN default port (1194) is opened by default. But you will have manually open the select Stunnel port (9999 in this example).

To do this, navigate to the Network → Firewall → Traffic Rules page and scroll down until you see the Open Ports On Router section. Fill out the configuration fields as indicated in the figure above and click the 'Add' button:

Networking rutxxx configuration examples openvpn over stunnel firewall configuration v1.png

Client configuration

Configure the OpenVPN and Stunnel clients that will be connecting to the server. Unlike in the server, there is reason tu configure Stunnel client before the OpenVPN client (the other way around will also work but an OpenVPN service restart may be required) so it is recommended to start with that.

The OpenVPN client will connect to TCP port 1194 of the local host and the Stunnel client will connect to the WAN IP and Stunnel port (192.168.10.1:9999 in this example) of the server router.

The logic of the entire connection can be visualized like this:

Networking device vpn stunnel complete configuration scheme v2.png

Stunnel client

Navigate to the Services → VPN → Stunnel page and enable the "Stunnel Globals" configuration:

Networking rutxxx configuration examples openvpn over stunnel stunnel globals configuration v1.png

Click Save.

To create a new Stunnel instance, enter a custom name for it and click the 'Add' button. A new instance with the given name will appear in the "Stunnel Configuration" list. To begin configuration, click the 'Edit' button next to the instance.

The figure below displays the configuration used for our example. Take note of the comments that are provided next to fields that differ from the default value:

Networking rutxxx configuration examples openvpn over stunnel stunnel client configuration v1.png

Don't forget to click the Save button located at the bottom-right side of the page.

OpenVPN client

Navigate to the Services → VPN → OpenVPN page. Select Role: Cerver, enter a custom name and click the 'Add New' button. An OpenVPN client instance with the given name will appear in the "OpenVPN Configuration" list. To begin configuration, click the 'Edit' button next to the client instance.

The figure below displays the configuration used for our example. Take note of the comments that are provided next to fields that differ from the default value:

Networking rutxxx configuration examples openvpn over stunnel openvpn client configuration v1.png

Don't forget to click the Save button located at the bottom-right side of the page.

Testing and troubleshooting

If you have completed the steps presented above, your configuration is complete. This section provides tips on how to test and troubleshoot this OpenVPN over Stunnel connection.

  • Check whether remote side is reachable by sending ICMP requests. To do that, go to the Services → CLI page. Login (username: root; password: router's password) and ping the opposite instance: 
    ping 10.8.0.6
    Is the response looks like this, then the connection was established successfully: 
    64 bytes from 10.8.0.6: seq=0 ttl=64 time=101.214 ms
64 bytes from 10.8.0.6: seq=1 ttl=64 time=91.018 ms
64 bytes from 10.8.0.6: seq=2 ttl=64 time=88.974 ms
64 bytes from 10.8.0.6: seq=3 ttl=64 time=502.781 ms
  • If there is no response to the ping requests, check whether Stunnel and OpenVPN services are running on the device. For Stunnel use this command: 
    ps | grep stunnel | grep -v grep
    The output should look similar to this: 
    16122 root      2992 S    /usr/bin/stunnel /tmp/stunnel.conf
16178 root      3096 S    /usr/bin/stunnel /tmp/stunnel.conf
    For OpenVPN use this command: 
    ps | grep openvpn | grep -v grep
    The output should look similar to this: 
    13034 root      3428 S    /usr/sbin/openvpn --syslog openvpn(7365727665725F41)
Retrieved from "https://wiki.teltonika-networks.com/index.php?title=Stunnel_configuration_examples&oldid=39042"