stunnel
=======
[Stunnel][1] is a proxy designed to add TLS encryption functionality to
existing clients and servers without any changes in the programs' code.
### Overview
domain | ip:port | country | services
-------| ------------ | ------- | ------------------------------
master | 1.2.3.4:4911 | Japan | openvpn-server, stunnel-server
bridge | 5.6.7.8:1194 | China | stunnel-client
N/A | 192.168/16 | China | openvpn-client
### Server Setup (Cloud)
```bash
# master server (Japan)
docker-compose up -d master
```
### Client Setup (Cloud)
```bash
# bridge server (China)
docker-compose up -d bridge
```
### Client Setup (Local)
File: /etc/stunnel/stunnel.conf
```ini
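foreground = yes
client = yes

[openvpn]
accept = 127.0.0.1:1194
connect = 1.2.3.4:4911
; Authenticate the master before anything is sent through the tunnel.
; In client mode stunnel does not verify the server certificate unless told
; to, so without these lines any host that intercepts 1.2.3.4:4911 can
; terminate the TLS session.  OpenVPN's own TLS still protects the payload,
; but the stunnel layer would then add no security of its own.
; master-ca.pem is a placeholder for the CA that issued the master's stunnel
; certificate.  If the master uses a self-signed certificate, use
; "verifyPeer = yes" instead and put that certificate itself in CAfile.
verifyChain = yes
CAfile = /etc/stunnel/master-ca.pem
; The master is only known by address here, so pin the IP rather than a name.
checkIP = 1.2.3.4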
```
> Pro Tip: Running stunnel locally (the "Client Setup (Local)" layout) is faster, and it also moves the TLS wrapper onto your own machine: the plain-TCP hop from the OpenVPN client to the bridge that the cloud layout relies on disappears, and only OpenVPN's own TLS plus your local stunnel session to the master remain on the path.
### OpenVPN Setup (Partial)
```ini
# For Cloud Setup
...
# The OpenVPN client speaks plain TCP to the bridge (5.6.7.8); per the
# overview table the bridge runs the stunnel client that carries the session
# over TLS to the master.  Only OpenVPN's own TLS protects this first hop;
# the stunnel wrapper starts at the bridge, not here.
remote 5.6.7.8 1194 tcp
# Keep the local 192.168/16 network reachable via the physical gateway
# rather than through the tunnel.
route 192.168.0.0 255.255.0.0 net_gateway
...
```
```ini
# For Local Setup
...
# OpenVPN connects to the local stunnel listener from stunnel.conf above,
# which carries the session over TLS to the master at 1.2.3.4:4911.
remote 127.0.0.1 1194 tcp
# Host route for the stunnel endpoint via the physical gateway.  Since
# "remote" is loopback here, OpenVPN does not know the real endpoint; once
# the VPN takes over the default route (presumably redirect-gateway in the
# elided part -- verify), the TLS session to 1.2.3.4 would otherwise be sent
# into the very tunnel it carries.
route 1.2.3.4 255.255.255.255 net_gateway
# Keep the local 192.168/16 network reachable via the physical gateway
# rather than through the tunnel.
route 192.168.0.0 255.255.0.0 net_gateway
....
```
-----------------------------------------
### For Gmail Forwarding
```ini
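;debug = info
;output = /var/log/stunnel.log
foreground = yes
setuid = stunnel
setgid = stunnel
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Verify Gmail's certificate chain.  stunnel's client mode accepts any server
; certificate by default, so without this the mail credentials that clients
; send through these tunnels could be captured by anyone who can redirect
; the connection.  CApath is the Debian/Ubuntu system CA directory; on other
; systems point it (or "CAfile") at the distro's CA bundle instead.
verifyChain = yes
CApath = /etc/ssl/certs

; The "accept" listeners below speak plain POP3/IMAP/SMTP and must stay bound
; to 127.0.0.1; LAN clients reach them only through the TLS-terminating nginx
; stream servers that proxy to these ports.

[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
; Chain validation alone accepts any certificate from any trusted CA;
; also require the name to match the host we intended to reach.
checkHost = pop.gmail.com

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
checkHost = imap.gmail.com

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
checkHost = smtp.gmail.com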
```
```nginx
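stream {
    # Terminates TLS for LAN mail clients and hands the plain protocol to the
    # matching stunnel listener on loopback, which re-wraps it towards Gmail.
    # The proxy_pass targets carry credentials in clear text and must stay on
    # 127.0.0.1.

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were previously offered
    # here; accept only 1.2 and 1.3.  Drop TLSv1.3 if the nginx/OpenSSL build
    # predates it.  Shared by all three servers below.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Same list as before, minus 3DES, which older OpenSSL builds still
    # class as HIGH.
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;

    # POP3S -> local stunnel [gmail-pop3]
    server {
        listen 995 ssl;
        ssl_certificate ssl/easypi.crt;
        ssl_certificate_key ssl/easypi.key;
        proxy_pass 127.0.0.1:110;
        proxy_buffer_size 16k;
    }

    # IMAPS -> local stunnel [gmail-imap]
    server {
        listen 993 ssl;
        ssl_certificate ssl/easypi.crt;
        ssl_certificate_key ssl/easypi.key;
        proxy_pass 127.0.0.1:143;
        proxy_buffer_size 16k;
    }

    # SMTPS -> local stunnel [gmail-smtp]
    server {
        listen 465 ssl;
        ssl_certificate ssl/easypi.crt;
        ssl_certificate_key ssl/easypi.key;
        proxy_pass 127.0.0.1:25;
        proxy_buffer_size 16k;
    }
}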
```
[1]: https://www.stunnel.org/index.html