laptop ssh -> laptop stunnel -> evil network -> internet -> your server -> your server ssh
Sets up a stunnel process listening externally on port 2443/tcp, forwards to localhost 22/tcp
- Install stunnel, e.g.
      yum install stunnel
- Install server config snippet to /etc/stunnel/stunnel.conf
- Create a TLS cert+key pair, save to /etc/stunnel/stunnel.pem
  Quick and dirty self signed cert, if you don't care about repudiation:
      openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
- Create the chroot directory:
      mkdir /var/run/stunnel ; chown nobody:nobody /var/run/stunnel
- Run the server, if there isn't an init script:
      stunnel /etc/stunnel/stunnel.conf
- Remember to open iptables to accept connections on 2443/tcp if you use it!
 
Sets up a stunnel process listening on the laptop on port 2443
- Install stunnel
- Install client config to your homedir as stunnel-client.conf
- Edit the connect= line to change to the name/address of your server, e.g.
      connect=myserver.example.com:2443
- Run the client:
      stunnel stunnel-client.conf
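
The two config files are referenced above but not shown. As an added example (not the author's files), here is a minimal server and client pair built from the paths and ports in the steps. The client pins the server's self-signed certificate, so the laptop rejects any other certificate presented on the untrusted network. The laptop-side path /home/you/server-cert.pem is an assumption.

```ini
; ---- server: /etc/stunnel/stunnel.conf (example, paths taken from the steps above) ----
; Certificate and private key in one PEM file, as produced by the openssl command
cert = /etc/stunnel/stunnel.pem
; Drop privileges and confine the process to the chroot directory created above
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
; The pid path is interpreted inside the chroot
pid = /stunnel.pid

[ssh]
; Listen externally on 2443/tcp, hand the decrypted stream to the local sshd
accept = 2443
connect = 127.0.0.1:22

; ---- laptop: ~/stunnel-client.conf (example) ----
client = yes
; Empty value: do not write a pid file, so no root-owned directory is needed
pid =

[ssh]
; Bind to loopback only so other hosts on the local network cannot use the tunnel
accept = 127.0.0.1:2443
connect = myserver.example.com:2443
; Assumed path. This file holds the server certificate only, extracted on the server with:
;   openssl x509 -in /etc/stunnel/stunnel.pem -out server-cert.pem
; Never copy stunnel.pem itself to the laptop, it also contains the private key.
CAfile = /home/you/server-cert.pem
; Accept the connection only if the peer presents exactly the certificate in CAfile.
; verifyPeer needs stunnel 5.x; older releases use the numeric verify option instead.
verifyPeer = yes
```

ssh still checks the server's host key end to end, so the TLS layer here only has to get the session across the network and reach the right endpoint.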
From laptop, telnet to localhost port 2443. You should see the OpenSSH banner of your remote server:
      lapdance:~ bwann$ telnet localhost 2443
      Trying ::1...
      telnet: connect to address ::1: Connection refused
      Trying 127.0.0.1...
      Connected to localhost.
      Escape character is '^]'.
      SSH-2.0-OpenSSH_6.6.1
Testing ssh:
      lapdance:~ bwann$ ssh -p 2443 localhost uname -n
      my-server.wann.net
On your laptop, ssh to localhost port 2443. This will connect you to the sshd running on your server. Done!
      ssh -p 2443 localhost
What is the usage or benefit of this method compared with SSH Direct connect (VPN)?