

HOWTO: stunnel
Description: Encrypt TCP connections inside SSL
NOTE: I use GNU tar >= 1.13.25 so it's -j for .tar.bz2 files,
it's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything


# stunnel 5.04
# ============
# Slackware 11.0, 12.0, 12.1, 12.2, 13.0: stunnel 4.17
# Slackware 13.1: stunnel 4.31
# Slackware 13.37: stunnel 4.35
# Slackware 14.0, 14.1: stunnel 4.53

# Prerequisites (for both versions):
# OpenSSL
# tcp wrappers (optional; built-in by default if it's installed)

# As of version 4.15, the default paths of everything have changed to:
# (the default $prefix is /usr/local)
# config, certs: $prefix/etc/stunnel/
# binaries: $prefix/sbin/
# pid file: $prefix/var/run/stunnel.pid  (but if you use a chroot, it'll be
#  in there)
# manual: $prefix/man/man8/stunnel.8
# docs: $prefix/share/doc/stunnel/
# library: $prefix/lib
# chroot: $prefix/var/lib/stunnel/ (1770, group nogroup)
#  (the example configs further down drop privileges to nobody/nogroup inside
#   it; on most systems those IDs are shared with other daemons, so a
#   dedicated stunnel user and group is the safer choice if you can add one)
#
# Running 'stunnel -version' will output compile type defaults (but not
# what is set in the config file)
#
# You may want to uninstall older versions of stunnel to avoid duplicate
# files in multiple places.  Also, run 'locate stunnel' to make sure others
# aren't hiding.

# Get it
# (ftp:// is an unauthenticated transport; the sha1/sha256/gpg checks that
#  follow are what actually establish that this is the real tarball)
cd
if [ -f installed/stunnel-5.04.tar.gz ]; then
 mv installed/stunnel-5.04.tar.gz .
fi
if [ ! -f stunnel-5.04.tar.gz ]; then
 wget ftp://ftp.stunnel.org/stunnel/stunnel-5.04.tar.gz
fi

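# Verify tarball w/ sha1sum:
# (SHA-1 is no longer collision resistant, so treat this one as a quick
#  sanity check and rely on the sha256 and gpg checks below.  The digests on
#  this page are also only as trustworthy as this page, so compare them with
#  the ones the stunnel project publishes before relying on them.)
echo "0895d6c34e4c296c38f86922f4e9ff4f25f6371b  stunnel-5.04.tar.gz" | \
 sha1sum -c || echo "*** sha1sum MISMATCH - do not build this tarball" >&2

# Verify tarball w/ sha256sum:
# ('openssl sha256 stunnel-5.04.tar.gz' works too)
echo "ee9702e073cb8d5940a1310ae171a38d3264f1ce3b087160728bbbcf5710cec1  \
stunnel-5.04.tar.gz" | sha256sum -c ||
 echo "*** sha256sum MISMATCH - do not build this tarball" >&2

# Verify tarball w/ gpg:
# 74C732D1 is a short (32-bit) key ID.  Those are cheap to collide and a
# keyserver can hand back a different key with the same short ID, so before
# trusting the result compare the full fingerprint shown by
# 'gpg --fingerprint 74C732D1' with the one the stunnel project publishes.
# Also read gpg's output: 'gpg --verify' exits 0 for a valid signature from
# ANY key in your keyring; it does not check that it was this key.
# (the data file is named explicitly so gpg can't be pointed at a different
#  file by a renamed .asc)
( gpg --list-keys 74C732D1 > /dev/null 2>&1 || gpg --recv-keys 74C732D1 ) &&
 wget -nc ftp://ftp.stunnel.org/stunnel/stunnel-5.04.tar.gz.asc &&
  gpg --verify stunnel-5.04.tar.gz.asc stunnel-5.04.tar.gz &&
   rm stunnel-5.04.tar.gz.asc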

# Extract the tarball
# (into a private 0700 src directory; any leftover stunnel-* source tree is
#  removed first so stale files from an older version can't end up in this
#  build)
mkdir -p -m 0700 src
cd src
find -maxdepth 1 -type d -name "stunnel-*" -exec rm -r {} \;
tar -xzvf ~/stunnel-5.04.tar.gz
cd stunnel-5.04
if [ "$UID" -eq 0 ]; then
 chown -R root:root .
fi

# If you don't have OpenSSL installed under the usual source-installed
# prefix of /usr/local/ssl, leave off the --with-ssl option if it's under
# /usr or /usr/local, or replace /usr/local/ssl if it's under some other
# prefix that isn't in your PATH.

# If you need IPv6 support, add --enable-ipv6
# If you have TCP wrappers, but don't want it compiled in, add
#  --disable-libwrap

# If you want yours to match up with the Slackware stunnel package,
# you'll need something like these to pass to configure:
# --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib --datadir=/usr/share
# --mandir=/usr/man --sbindir=/usr/sbin --localstatedir=/var

# Configure the build: x86_64 hosts get a lib64 libdir, everything else
# uses the default libdir.  Both variants point at a source-installed
# OpenSSL under /usr/local/ssl (see the note above if yours is elsewhere).
if [ "$(uname -m)" = x86_64 ]; then
 ./configure --with-ssl=/usr/local/ssl --libdir=/usr/local/lib64 \
  --docdir=/usr/local/doc/stunnel-5.04 --mandir=/usr/local/man
else
 ./configure --with-ssl=/usr/local/ssl \
  --docdir=/usr/local/doc/stunnel-5.04 --mandir=/usr/local/man
fi

# Build it
# (still as your normal user; only the install step below needs root)
make

# Become root to install it
# (everything from here down to the 'exit' near the end runs as root)
su

# For version 4.21, the stunnel binary was moved from /usr/local/sbin to
# /usr/local/bin to be FHS and LSB compliant.  Make sure you update any
# scripts you have that run stunnel (like my rc.syslog) to use the new
# PATH.

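# Back up your existing stunnel configuration, if you have one:
# Both candidate files are called stunnel.conf, so the copies are named after
# their full path (e.g. _etc_stunnel_stunnel.conf) instead of both landing on
# ~/backup/stunnel.conf, where the second would silently overwrite the first.
# (note this saves only stunnel.conf; if the same directory holds your
#  stunnel.pem, copy that too before anything below removes the directory)
for conf in /etc/stunnel/stunnel.conf /usr/local/etc/stunnel/stunnel.conf; do
 if [ -f "$conf" ]; then
  mkdir -p -m 0700 ~/backup
  cp "$conf" ~/backup/"$(echo "$conf" | tr / _)"
 fi
done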

# Uninstall the Slackware package, if there is one
# (removepkg only exists on Slackware, so skip this elsewhere)
if [ -x /sbin/removepkg ]; then
 /sbin/removepkg stunnel
fi

# If you did remove a Slackware package, you may have old /etc/stunnel and
# /var/lib/stunnel directories left over

# Remove old docs directories from previous versions
# (both the versioned stunnel-* directories and an unversioned stunnel one,
#  under either doc root)
for docroot in /usr/local/doc /usr/local/share/doc; do
 find "$docroot" -maxdepth 1 -type d -name "stunnel-*" -exec rm -r {} \;
 if [ -d "$docroot/stunnel" ]; then
  rm -r "$docroot/stunnel"
 fi
done

# Install it
# (the docdir part is because the autoconf stuff is a little broken with
# that)
# (this is the step that needs root: it writes under the /usr/local prefix)
make docdir=/usr/local/doc/stunnel-5.04 install

# Run 'make cert' to create a self-signed SSL certificate.  Here's an
# example of what you might enter on each line that it prompts for info:
# US
# New Jersey
# Mytownville
# yourdomain.org
# root
# yourserver.yourdomain.org
#
# You can also just run OpenSSL's openssl binary to create yourself a
# self-signed certificate instead, or you can also go here:
# http://www.stunnel.org/pem/
# to create one.  (Bear in mind that a key generated on someone else's web
# server has been seen by that server and has travelled over the network,
# so it is not really private; generating it locally with 'make cert' or
# openssl is the better option.)  However you make it, stunnel.pem holds
# the private key as well as the certificate, so check its mode afterwards:
# it should not be world-readable.

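# If you're upgrading stunnel and it's already configured, clean up old
# files and directories from old versions, and restart it (I restart it
# out of my rc.syslog):
# An old /etc/stunnel (e.g. from the Slackware package) can still hold your
# stunnel.pem - the private key - and the backup step above only saved
# stunnel.conf, so the directory is moved aside (timestamped, so repeated
# runs don't nest into each other) instead of being deleted outright.
if [ -d /etc/stunnel ]; then
 mkdir -p -m 0700 ~/backup
 mv /etc/stunnel ~/backup/etc-stunnel."$(date +%Y%m%d%H%M%S)"
fi
test -d /usr/local/var/stunnel && rm -r /usr/local/var/stunnel
test -x /usr/local/sbin/stunnel && rm -f /usr/local/sbin/stunnel
test -x /etc/rc.d/rc.syslog && /etc/rc.d/rc.syslog restart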

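# If you have "output = /var/log/stunnel.log" in your stunnel.conf, do
# something like this to have that log file rotated:
# (If you use chroot, use the path under the chroot, like this:
#  /usr/local/var/lib/stunnel/var/log/stunnel.log)
# (also, if you use setuid, make sure you update the logrotate.d file
#  to set the correct user/group or stunnel won't be able to write to
#  the log file after it gets rotated)
# (logrotate renames the file, and a daemon keeps writing to the renamed
#  one until it is told to reopen its log - check the SIGNALS section of
#  stunnel(8) for your version and add a postrotate script that sends the
#  log-reopen signal, or use copytruncate instead of create)
# The heredoc delimiter is quoted so nothing in the file is subject to
# shell expansion.  (An earlier revision of this page had a stray ')' here
# that made the shell choke before the file was written.)
cat << 'EOF' > /etc/logrotate.d/stunnel
/var/log/stunnel.log {
  rotate 6
  daily
  notifempty
  #compress
  create 0640 nobody wheel
  missingok
}
EOF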

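# Make sure your non-root user can remove the source later
# (logname can fail when there is no controlling terminal, which would leave
#  chown with an empty owner and an error, so only chown when it succeeds;
#  the chmod is harmless either way)
if src_owner=$(logname); then
 chown -R "$src_owner" .
fi
chmod -R u+w .

# Become yourself again
exit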

# Save the source for later
# (only one stunnel tarball is kept in ~/installed, so older ones are
#  discarded first)
cd ~
mkdir -p -m 0700 ~/installed
rm -f ~/installed/stunnel-*.tar.*
mv ~/stunnel-5.04.tar.gz ~/installed/

# stunnel (the daemon) is: /usr/local/bin/stunnel
# Docs are in: /usr/local/share/doc/stunnel
# Config file is: /usr/local/etc/stunnel/stunnel.conf
# SSL cert is: /usr/local/etc/stunnel/stunnel.pem
#  (this file also holds the private key: keep it out of unencrypted backups
#   and never make it world-readable)

# =-=-=-=-=-

##
## How to set up stunnel for secure syslogging with syslog-ng:
## (do all of this as root)
##


## On both the client and the server:

# Remove the former pid location that we were using before 4.14:
# (you may have to kill a running stunnel before doing this)
rmdir /var/run/stunnel

# If you run it in a chroot, create this directory for stunnel.log to go
# in to:
# (owned by nobody because the example stunnel.conf below runs stunnel with
#  setuid = nobody and points 'output' at a log inside this chroot; give the
#  rest of the chroot to root so the unprivileged daemon can't alter it)
mkdir -p /usr/local/var/lib/stunnel/var/log
chown nobody:root /usr/local/var/lib/stunnel/var/log 

## Open up the rc file that starts syslog-ng and add something like this
## to it after it starts syslog-ng:
# if [ -x /usr/local/bin/stunnel ]; then
#   echo "Starting stunnel..."
#   /usr/local/bin/stunnel
# fi
## If you installed my modified /etc/rc.d/rc.syslog from the syslog-ng howto,
## you can open that up and set USE_STUNNEL to 1 instead.

## Open up /etc/services and comment out shell 514/tcp if that's in there
## We need to add syslog in as 514/tcp (it should already be in there as
## 514/udp too for "regular" remote syslog).  Then add these:
#syslog		514/tcp
#syslogs	5140/tcp
#
# syslogs (syslog secure) is made up, it's not an official IANA port name
# (http://www.iana.org/assignments/port-numbers) or anything, so feel free
# to name it whatever you want.


## On the syslog server (who's IP is 192.168.0.2):

## /usr/local/etc/stunnel/stunnel.conf:
## NOTE: this config does no client authentication (there are no 'verify' /
## 'CAfile' lines), so anything that can reach 192.168.0.2:5140 can open a
## TLS session and feed arbitrary syslog messages into the server.  Unless
## the clients are on a network you fully control, have each client present
## its certificate and require it here with the verify/CAfile options (or
## the verifyPeer/verifyChain options in newer releases) - see stunnel(8).
## With tcp wrappers compiled in, /etc/hosts.allow can additionally limit
## which addresses may connect to the [syslogs] service.
#cert = /usr/local/etc/stunnel/stunnel.pem
#chroot = /usr/local/var/lib/stunnel
#output = /var/log/stunnel.log
#pid = /stunnel.pid
#setgid = nogroup
#setuid = nobody
#
#[syslogs]
#accept = 192.168.0.2:5140
#connect = 127.0.0.1:514

## Set the server's syslog-ng to accept remote logging
## (/usr/local/etc/syslog-ng/syslog-ng.conf if installed from source,
## /etc/syslog-ng/syslog-ng.conf if installed from a package).
#@version 3.0
#
#options {
#        chain_hostnames(no);
#        time_reopen(10);
#        flush_lines(0);
#        log_fifo_size(1000);
#        long_hostnames(off);
#        keep_hostname(yes);
#        create_dirs(no);
#        use_dns(no);
#        use_fqdn(no);
#};
#
#source local {
#        file("/proc/kmsg" program_override("kernel"));
#        ## If klogd is running, use the next one instead of the one above
#        #unix-stream("/dev/klog");
#        unix-stream("/dev/log" max-connections(50));
#        internal();
#};
#source stunnel { tcp(ip("127.0.0.1") port(514) max-connections(15)); };
## (any local process can also connect to 127.0.0.1:514, and with
##  keep_hostname(yes) above syslog-ng keeps whatever hostname the message
##  carries, so an unprivileged local user can forge lines that look like
##  they came from a remote host)
## If you want to accept udp logging, uncomment the next line
##source s_udp { udp(); };
#
#filter info { level(info .. emerg); };
#
#destination everything {
#        file("/var/log/everything"
#        owner(root) group(wheel) perm(0640));
#};
#destination splitemup {
#        file("/var/log/servers/$YEAR/$MONTH/$DAY/$HOST"
#        owner(root) group(wheel) perm(0640)
#        dir_owner(root) dir_group(wheel) dir_perm(0750)
#        create_dirs(yes));
#};
#destination tty9 { file("/dev/tty9"); };
#
## These will allow local, udp, and stunnel (tcp+SSL) connections
#log { source(local); source(s_udp); source(stunnel); destination(everything); }
#log { source(local); source(s_udp); source(stunnel); destination(splitemup); };
#log { source(local); filter(info); destination(tty9); };
#
## END of syslog-ng.conf

## Make sure all looks well so far:
#root@foo1:~# netstat -l | grep syslog
#tcp        0      0 localhost:syslog        *:*                     LISTEN
#tcp        0      0 foo1.foo.org:syslogs    *:*                     LISTEN


## On the client:

## /usr/local/etc/stunnel/stunnel.conf
## NOTE: with 'client = yes' and no 'verify' / 'CAfile' lines the client
## accepts ANY certificate from whatever answers on 192.168.0.2:5140, so a
## man-in-the-middle on that path can terminate the TLS itself and read or
## alter the logs.  To pin the server, copy the certificate part of the
## server's stunnel.pem to the client and point CAfile at it with the
## matching verify level (see stunnel(8)); a self-signed cert is fine for
## this as long as it is pinned.
#cert = /usr/local/etc/stunnel/stunnel.pem
#chroot = /usr/local/var/lib/stunnel
#output = /var/log/stunnel.log
#client = yes
#pid = /stunnel.pid
#setgid = nogroup
#setuid = nobody
#
#[syslogs]
#accept = 127.0.0.1:514
#connect = 192.168.0.2:5140

## Set the client syslog-ng to log everything to /var/log/everything
## and to the syslog server:
#options {
#	long_hostnames(off);
#	sync(0);
#};
#source local {
#	unix-stream("/dev/log");
#       ## If klogd is running, use the next one instead of the one after it
#	#unix-stream("/dev/klog");
#       file("/proc/kmsg" log_prefix("kernel: "));
#	internal();
#};
#destination everything { file("/var/log/everything"); };
#destination stunnel { tcp("127.0.0.1" port(514)); };
#log { source(local); destination(everything); };
#log { source(local); destination(stunnel); };

## Make sure all looks well
#root@foo2:~# netstat -l|grep syslog
#tcp        0      0 localhost:syslog        *:*                     LISTEN


## On both:

# On the server, start syslog-ng ("/etc/rc.d/rc.syslog start" if you're
# using that), then start stunnel, then on the client(s):
/usr/local/bin/stunnel

# HUP syslog-ng when you make configuration changes:
# (the pid comes from syslog-ng's own pid file; the substitution is quoted
#  so an empty or odd file can't turn into extra kill arguments)
kill -HUP "$(cat /var/run/syslog-ng.pid)"

# Now hopefully you can look at the client's logs on
# 192.168.0.2 in /var/log/servers/



Last updated: Tue, 07 Aug 2018 12:06:17 -0400
Jason Englander <jason at englanders dot us>