
I'm running legacy applications in which I do not have access to the source code. These components talk to each other using plaintext on a particular port. I would like to be able to secure the communications between the two or more nodes using something like stunnel to facilitate peer-to-peer communication rather than using a more traditional (and centralized) VPN package like OpenVPN, etc.

Ideally, the traffic flow would go like this:

  1. app@hostA:1234 tries to open a TCP connection to app@hostB:1234.
  2. iptables captures and redirects the traffic on port 1234 to stunnel running on hostA at port 5678.
  3. stunnel@hostA negotiates and establishes a connection with stunnel@hostB:4567.
  4. stunnel@hostB forwards any decrypted traffic to app@hostB:1234.

In essence, I'm trying to set this up to where any outbound traffic (generated on the local machine) to port N forwards through stunnel to port N+1, and the receiving side receives on port N+1, decrypts, and forwards to the local application at port N.

I'm not particularly concerned about losing the hostA origin IP address/machine identity when stunnel@hostB forwards to app@hostB because the communications payload contains identifying information.

The other trick in this is that normally with stunnel you have a client/server architecture. But this application is much more P2P because nodes can come and go dynamically and hard-coding some kind of "connection = hostN:port" in the stunnel configuration won't work.

EDIT: One other possibility might be configuring some kind of default route such that outbound traffic to port N is forwarded through stunnel configured as a gateway...

Jonathan Oliver

1 Answer


I think iptables seems somewhat superfluous here.

appA is an instance of app on hostA (external IP A.A.A.A)
appB is an instance of app on hostB (external IP B.B.B.B)

  1. appA listens on 127.0.0.1:1234 on hostA
  2. stunnel on hostA is configured to accept encrypted connections on A.A.A.A:1234 and forward them to 127.0.0.1:1234

    ; server-side service: terminates TLS and hands plaintext to the local app
    ; (server mode also needs a cert = /path/to/cert.pem line, not shown in the original answer)
    [appA]
    accept = A.A.A.A:1234
    connect = 127.0.0.1:1234
    client = no

  3. stunnel on hostB is configured to create an encrypted tunnel and forward connections from 127.0.0.1:4321 to A.A.A.A:1234

    # stunnel 3.x command-line syntax; -c selects client mode
    # (without -c stunnel would expect TLS on 4321 and send plaintext to A.A.A.A:1234)
    /usr/bin/stunnel -c -d 127.0.0.1:4321 -r A.A.A.A:1234

  4. appB establishes a connection with 127.0.0.1:4321

and vice versa for hostB

hostmaster
  • By default, OpenVPN runs in p2p mode so IMO it is much easier to create a p2p encrypted tunnel and use the IP from both sides of the tunnel for app interaction – hostmaster Jun 25 '13 at 06:59
  • I do have to fiddle with DNS and bind to multiple localhost IPs (127.0.1.1, 127.0.1.2, one for each peer). I was hoping for something where I could configure stunnel as the gateway address for certain outbound ports, but this does get the job done. – Jonathan Oliver Jun 25 '13 at 17:34
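The following script is an added example that is not part of the question, the answer or the comments above. It generalizes the answer's one-peer configuration into a small mesh, using stunnel's config-file syntax (stunnel 4.x/5.x; the answer's `-d`/`-r` flags are stunnel 3.x) and steering the app's outbound connections with the iptables DNAT approach the question sketched instead of the /etc/hosts aliasing mentioned in the last comment. Everything it assumes is constructed: the app port 1234 with TLS on port 1235 (N and N+1), the loopback aliases 127.0.1.<i> for peer i, the placeholder addresses 10.0.0.x, the certificate paths under /etc/stunnel, and a single private CA that has signed every node's certificate so both ends of each tunnel are authenticated.

```shell
#!/bin/sh
# Constructed example: generate a stunnel (4.x/5.x config-file syntax) mesh
# configuration and matching iptables NAT rules for the setup discussed above.
# Every node runs the same script with its own address and its own peer list.
#
# Assumptions made here, not taken from the original page:
#   - the application port is 1234 and TLS rides on port 1235 (N and N+1);
#   - peer i is reached by the plaintext app via loopback alias 127.0.1.i,
#     where a client-mode stunnel service picks the connection up;
#   - every node holds a certificate signed by one private CA, so client and
#     server sides authenticate each other (verify = 2); paths are placeholders.

APP_PORT=1234
TLS_PORT=$((APP_PORT + 1))
CERT_DIR=/etc/stunnel          # placeholder location for node cert, key and CA

# gen_stunnel_conf LOCAL_IP NAME:IP [NAME:IP ...]
# Prints a complete stunnel.conf: one server service that accepts TLS from any
# peer and hands plaintext to the local app, plus one client service per peer
# bound to that peer's loopback alias.
gen_stunnel_conf() {
    local_ip=$1; shift
    cat <<EOF
; global options (placeholder paths)
pid = /var/run/stunnel.pid
cert = $CERT_DIR/node.pem
key = $CERT_DIR/node.key
CAfile = $CERT_DIR/mesh-ca.pem
verify = 2
options = NO_SSLv2
options = NO_SSLv3

; inbound: TLS from any peer -> local plaintext app
[app-in]
client = no
accept = $local_ip:$TLS_PORT
connect = 127.0.0.1:$APP_PORT
EOF
    i=0
    for peer in "$@"; do
        i=$((i + 1))
        name=${peer%%:*}
        ip=${peer#*:}
        cat <<EOF

; outbound: plaintext from the local app destined for $name -> TLS to $name
[to-$name]
client = yes
accept = 127.0.1.$i:$APP_PORT
connect = $ip:$TLS_PORT
EOF
    done
}

# gen_nat_rules NAME:IP [NAME:IP ...]
# Prints the iptables commands that divert the app's own outbound connections
# to each peer into the matching client service, so the app keeps dialling the
# peers' real addresses and no /etc/hosts aliasing is needed.  The numbering
# must match gen_stunnel_conf, so pass the peers in the same order.
gen_nat_rules() {
    i=0
    for peer in "$@"; do
        i=$((i + 1))
        ip=${peer#*:}
        echo "iptables -t nat -A OUTPUT -p tcp -d $ip --dport $APP_PORT -j DNAT --to-destination 127.0.1.$i:$APP_PORT"
    done
    # the TLS listener must remain reachable from the peers
    echo "iptables -A INPUT -p tcp --dport $TLS_PORT -j ACCEPT"
}

# Usage on hostA with peers hostB and hostC (addresses are constructed):
#   gen_stunnel_conf 10.0.0.1 hostB:10.0.0.2 hostC:10.0.0.3 > /etc/stunnel/stunnel.conf
#   gen_nat_rules hostB:10.0.0.2 hostC:10.0.0.3 | sh
```

Two points worth checking on a real deployment: without `verify` (or `verifyChain` on stunnel 5) the client side accepts any server certificate, so the tunnel would encrypt but not authenticate the peer; and the `[app-in]` service binds to the external address, so the plaintext app must stay on 127.0.0.1 only, otherwise the unencrypted port is still reachable from the network.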