HOWTO: Setting up STUNNEL in FreeBSD

techie


Say there is a newsserver which, in addition to the plain NNTP service on port 119, offers a TLS-secured connection on port 563 (nntps). You have an account with a username and password on that newsserver, and you would like to use a newsreader which cannot handle secure connections itself (e.g. Knode).

For safety reasons stunnel shall run under its own user and group, inside a local chroot jail, and write its own log file. The last thing we need is a new local port number for the tunnel. In this example we use port 12345, and the name of our newsserver is news.t-online.de.

Install:
Code:
cd /usr/ports/security/stunnel
make install clean

Create stunnel's own pid directory (it also serves as the chroot jail below) and set its owner, group and permissions:
Code:
cd /var/run
mkdir -p stunnel
chown stunnel:stunnel stunnel
# the directory must be searchable (x bit) or the jail is unusable; only the owner may write to it
chmod 0755 stunnel

Create the stunnel configuration file /usr/local/etc/stunnel/stunnel.conf with the following contents:

Code:
; run inside a local jail (chroot); paths below the jail are relative to it
chroot = /var/run/stunnel

; drop privileges to stunnel's own UID and GID
setuid = stunnel
setgid = stunnel

; debugging output, useful for troubleshooting
;debug = 7
output = /var/log/stunnel.log

client = yes

; foreground = yes is good for debugging, foreground = no for normal operation
;foreground = yes
foreground = no

; the root directory is the local jail, so this is /var/run/stunnel/stunnel.pid
pid = /stunnel.pid

; no verify/CAfile option is set, so the server's certificate is not checked;
; see the verify and CAfile options in stunnel(8) if you want that

; listen on the loopback address only, port 12345
; (a bare "accept = 12345" would listen on all interfaces)
[news]
accept = 127.0.0.1:12345
; nntps equals 563 in /etc/services
connect = news.t-online.de:nntps

The following may or may not be helpful for you. Because I had some problems shutting down stunnel without creating a couple of zombies, I changed the init script in this way:

Edit /usr/local/etc/rc.d/stunnel and comment out these two lines:
Code:
${stunnel_pidfile="/var/run/${name}.pid"}
pidfile=${stunnel_pidfile}

Check whether starting and stopping stunnel works:
Code:
/usr/local/etc/rc.d/stunnel forcestart
/usr/local/etc/rc.d/stunnel forcestop

Edit /etc/rc.conf and add:
Code:
stunnel_enable="YES"
stunnel_pid_file="/var/run/stunnel/stunnel.pid"

The last thing to do is to configure the newsreader client (here Knode).

Old:
Server: news.t-online.de
Port: 119
Username: <empty>
Password: <empty>

New:
Server: localhost (or 127.0.0.1)
Port: 12345
Username: <YourUserName>
Password: <YourPassWord>
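As an added example (not part of techie's post), the following sh script checks the setup above before a newsreader is pointed at it: it reads stunnel.conf section by section, confirms that the [news] service only listens on the loopback address, and, when asked, talks to the local tunnel end to look for an NNTP greeting and checks that the remote nntps port presents a certificate that verifies. The config path variable, the helper names, the use of nc(1) and openssl(1), and the constructed sample config the script writes for offline testing are my assumptions, not from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the stunnel
# client setup before pointing the newsreader at 127.0.0.1:12345.
# Assumed (not in the post): STUNNEL_CONF, the helper names, nc(1) and
# openssl(1) for the live checks, and the constructed sample config.

CONF="${STUNNEL_CONF:-/usr/local/etc/stunnel/stunnel.conf}"

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION]
# (pass "" for the global section). Whole-line ; and # comments are skipped
# and whitespace around '=' is trimmed, which is how stunnel reads its file.
conf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }                      # comment line
        /^[ \t]*\[/   { sec = $0                    # [section] header
                        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /=/ {
            key = $0; sub(/=.*$/, "", key);   gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sec == want_sec && key == want_key) { print val; exit }
        }' "$1"
}

# accept_is_local FILE SECTION: succeed only if the service binds to loopback
# (a bare port number means "all interfaces" to stunnel).
accept_is_local() {
    case "$(conf_get "$1" "$2" accept)" in
        127.0.0.1:*|localhost:*|::1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# greeting_ok LINE: succeed if LINE is an NNTP greeting (RFC 3977: 200 posting
# allowed, 201 posting prohibited); anything else means no working tunnel.
greeting_ok() {
    case "$1" in
        200\ *|201\ *|200|201) return 0 ;;
        *) return 1 ;;
    esac
}

# live_check PORT: talk to the local tunnel end and check the first line.
# Needs a running stunnel and nc(1).
live_check() {
    greeting=$(printf 'QUIT\r\n' | nc -w 5 127.0.0.1 "$1" | head -n 1 | tr -d '\r')
    greeting_ok "$greeting"
}

# tls_check HOST [PORT]: does the remote nntps endpoint present a certificate
# that chains to a trusted CA and matches HOST? Assumes a CA bundle in
# OpenSSL's default location and OpenSSL 1.1.0+ (for -verify_hostname).
tls_check() {
    openssl s_client -connect "$1:${2:-563}" -servername "$1" \
        -verify_hostname "$1" -verify_return_error </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# sample_conf [ACCEPT]: write a constructed config mirroring the post's
# stunnel.conf to a temp file and print its path (for offline testing).
sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<EOF
; constructed sample, mirrors the post's stunnel.conf
chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
;debug = 7
output = /var/log/stunnel.log
client = yes
foreground = no
pid = /stunnel.pid

[news]
accept = ${1:-127.0.0.1:12345}
connect = news.t-online.de:nntps
EOF
    echo "$f"
}

# Static report on the real config when run on the stunnel host; the network
# checks need a running stunnel and connectivity, so they are opt-in ("live").
if [ -r "$CONF" ]; then
    accept=$(conf_get "$CONF" news accept)
    if accept_is_local "$CONF" news; then
        echo "[news] accept is bound to loopback: $accept"
    else
        echo "WARNING: [news] accept '$accept' is reachable from other hosts" >&2
    fi
    if [ "${1:-}" = live ]; then
        port=${accept##*:}
        if live_check "$port"; then echo "tunnel answers with an NNTP greeting"
        else echo "no NNTP greeting on 127.0.0.1:$port" >&2; fi
        if tls_check news.t-online.de; then echo "remote certificate verifies"
        else echo "remote certificate does NOT verify" >&2; fi
    fi
fi
```

Run it without arguments on the stunnel host for the static checks, or with the single argument live while stunnel is running for the network checks. The certificate check is worth having because the configuration above sets no verify or CAfile option, so stunnel itself accepts whatever certificate the server presents; tls_check shows independently whether the remote end would pass verification if those options were enabled.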

stunnel is a powerful tool, and there are many more possible applications than this simple newsreader configuration. For more information see http://www.stunnel.org/ . More advanced ideas using stunnel are appreciated.