stunnel

I got it working. I am not a networking professional, so if you follow these instructions and end up with your camera feed playing on a billboard in Times Square, it's your own fault.
Some basics about stunnel, as I know it: Let's say you previously would have used the IP address of 192.168.0.2:8290 to access the Blue Iris server internally. With stunnel, you use the IP address of 192.168.0.2:8291, then have stunnel redirect that traffic to 8290. During the redirect process, stunnel makes the connection secure. This is a lot simpler than it first seems.
1. Download stunnel. Use this site https://www.stunnel.org/downloads.html and download the .exe file, if you're using Windows. If you're not using Windows, don't follow these instructions.
2. Install stunnel. Keep all the defaults.
3. In your start menu, go to Stunnel>stunnel GUI Start.
4. Click Configuration at the top, then Edit Configuration.
5. Scroll to the bottom. Below "Example SSL client mode services" delete all of the lines that don't start with ;. You don't need these.
6. Insert this text where you just deleted the other code:
[blue-iris]
; accept: or whatever port you want to have your computer accept TCP on
accept = 8344
; connect: or whatever port you specified on the Blue Iris Webserver page at the top
connect = 8347
7. Save the file, close it, then go to Configuration back on the GUI and select Reload Configuration. Close the GUI.
8. Start menu > stunnel Service Install
9. Start menu > stunnel Service Start
10. The address you will use to access Blue Iris will now be your IP address followed by :8344, or whatever port you used. On the Blue Iris app, you will also need to edit the server settings and select Server is HTTPS, or it won't work.
11. You also need to make sure that your router is properly forwarding requests to your computer. So when you type in your external IP followed by :8344, your router knows to forward that traffic to 192.168.0.2:443. Those numbers don't have to be the same. You could have your router accept on port 8342 and forward to port 8344 on your computer, then have stunnel forward traffic from 8344 to 8347 by using accept = 8344 and connect = 8347, then have the Blue Iris webserver be located at 8347. Using a random port rather than 443 or 80 or 81 is better, or so I've read. If you do this, you will have to use port 8344 for internal connections (over the same Wi-Fi) and port 8342 for external connections (from work or over cellular).
12. If you're getting errors, make sure that you've installed the service and then started it. Also make sure your Blue Iris app is set to use https, and you're using the proper port. The port on the app needs to be looking for the port on the router that will forward to the port on the computer, which will then forward to the port of Blue Iris. If you put in the port of the Blue Iris web server, you're going to have a bad time.
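An added example, not part of the original post and not stunnel's own code: a small Python check for a service section like the one in step 6. It flags text after the port number (stunnel comments are whole lines starting with ;), a server-mode service with no cert (the "SSL server needs a certificate" error reported later in this thread), and a connect target on another host, where the unencrypted leg between stunnel and Blue Iris crosses the network. The function names and finding codes are hypothetical.

```python
# Added example: lint a stunnel.conf service section (names here are hypothetical).

# Constructed sample: the [blue-iris] section with an inline note after the port.
SAMPLE_CONF = """\
[blue-iris]
accept = 8344 *or whatever port you want
connect = 8347
"""

LOOPBACK = ("", "localhost", "127.0.0.1")  # stunnel connects locally when no host is given


def parse_sections(text):
    """Return {section: {option: value}}; options before any [section] go under ''."""
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or whole-line comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return sections


def split_addr(value):
    """Split '[host:]port' into (host, port); port is None when not numeric."""
    host, _, port = value.rpartition(":")
    return host, int(port) if port.isdigit() else None


def lint(text):
    """Return (service, finding) pairs for the problems described above."""
    sections = parse_sections(text)
    defaults = sections.pop("")
    findings = []
    for name, own in sections.items():
        opts = {**defaults, **own}
        if opts.get("client", "no").lower() != "yes" and "cert" not in opts:
            findings.append((name, "server-mode-without-cert"))
        for key in ("accept", "connect"):
            host, port = split_addr(opts.get(key, ""))
            if port is None:
                findings.append((name, f"{key}-not-host-port"))
            elif key == "connect" and host not in LOOPBACK:
                findings.append((name, "plaintext-leg-leaves-host"))
    return findings
```
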

I am trying to set up stunnel. I get to step 7 and get "UTF-8 byte order mark detected FIPS mode disabled/Service [blue-iris] SSL server needs a certificate" and "failed to reload config file". Any ideas what I am doing wrong?
Thanks
 
The other thing is when I go to stunnel service install, I click on "current user" and the "protect my computer" is checked, but when I click OK it gives me an error 5 access is denied...
 
OK, seems I am getting closer. I have the service installed and running; I had to uncheck the "protect my computer" box. Now when I load the config it states SSL server needs cert... I did the build of a self-signed stunnel.pem but still no luck. Any ideas?
 
I think I have everything working now that I figured it out. I had the settings in the wrong place and not in the "client" section but rather the "server" section. I am getting a message that Blue Iris needs authentication to prevent MITM attacks. Any ideas on how to address that?
 
It's still secure even with this warning, right? It's just telling you it doesn't recognize the cert?
IE 11 has a button for you to ignore the certificate problem, doesn't it?

Correct. The cert that stunnel created is not recognized as a public valid cert. So most browsers will show this. The Blue Iris data stream is still encrypted though.
For sites that you shop on or have other sensitive info that would be a reason for concern.
 
Alright guys, I am stuck and need your help with stunnel. I have it set up and can access on https://192.168.1.200:8777 from that local machine. I can not access the login on the LAN nor from the outside. I have tried many variations of the port forwarding but must be missing something. Here are all of my settings:
[Attachments: bi settings.jpg, router port forward.jpg, stunnel config.jpg]

Any help would be greatly appreciated.
 
For clarification, did you install stunnel, set it up and start the service? Your settings seem correct at first glance.
 
@ipcamdude22, yes I did install it, set it up and start the service. I ended up getting it to work by allowing stunnel on both public/private on firewall settings. Thanks for responding!
 
Having issues getting stunnel to work. I try and connect from a WAN connection using the phone app and I get this in the log on the PC where stunnel is installed. It appears my router is forwarding the request but something is being refused on the PC. Any ideas? Thanks

2016.03.11 10:16:50 LOG5[7]: Service [blue-iris] accepted connection from 70.210.X.XXX:3887
2016.03.11 10:16:51 LOG3[7]: s_connect: connect 127.0.0.1:8347: Connection refused (WSAECONNREFUSED) (10061)
2016.03.11 10:16:51 LOG5[7]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.03.11 10:16:51 LOG5[8]: Service [blue-iris] accepted connection from 70.210.X.XXX:3887
2016.03.11 10:16:52 LOG3[8]: s_connect: connect 127.0.0.1:8347: Connection refused (WSAECONNREFUSED) (10061)
2016.03.11 10:16:52 LOG5[8]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.03.11 10:16:53 LOG5[9]: Service [blue-iris] accepted connection from 70.210.X.XXX:3887
2016.03.11 10:16:54 LOG3[9]: s_connect: connect 127.0.0.1:8347: Connection refused (WSAECONNREFUSED) (10061)
2016.03.11 10:16:54 LOG5[9]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

Here's how I have BI Web Server configured...
[Attachment: BI.jpg]
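An added example, not part of the original post: a Python triage of stunnel log lines in the format shown above. An "accepted connection" line means the router forward and the TLS listener are working; a "Connection refused" on s_connect for the same connection means nothing is listening at the connect address, so the Blue Iris web server port and the connect value disagree. The sample log is constructed (documentation peer address), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the excerpt above (peer is a documentation address).
SAMPLE_LOG = """\
2016.03.11 10:16:50 LOG5[7]: Service [blue-iris] accepted connection from 203.0.113.9:3887
2016.03.11 10:16:51 LOG3[7]: s_connect: connect 127.0.0.1:8347: Connection refused (WSAECONNREFUSED) (10061)
2016.03.11 10:16:51 LOG5[7]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.03.11 10:16:53 LOG5[8]: Service [blue-iris] accepted connection from 203.0.113.9:3890
2016.03.11 10:16:54 LOG5[8]: Connection closed: 5120 byte(s) sent to SSL, 310 byte(s) sent to socket
"""

LINE = re.compile(r"^\S+ \S+ LOG\d\[(\d+)\]: (.*)$")  # date, time, level, [id], message
ACCEPT = re.compile(r"Service \[(.+?)\] accepted connection from (\S+)")
REFUSED = re.compile(r"s_connect: connect (\S+): Connection refused")


def triage(log_text):
    """Group lines by the bracketed connection id; return one record per connection."""
    open_conns, finished = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn_id, msg = m.groups()
        if (a := ACCEPT.search(msg)):
            open_conns[conn_id] = {"service": a.group(1), "peer": a.group(2),
                                   "backend_refused": None}
        elif conn_id in open_conns and (r := REFUSED.search(msg)):
            open_conns[conn_id]["backend_refused"] = r.group(1)
        elif conn_id in open_conns and msg.startswith("Connection "):
            finished.append(open_conns.pop(conn_id))  # "Connection reset/closed" ends it
    return finished + list(open_conns.values())


def refused_backends(log_text):
    """Count, per (service, backend address), connections that reached stunnel
    but were refused by the backend: the listener is fine, the connect port is not."""
    return dict(Counter((c["service"], c["backend_refused"])
                        for c in triage(log_text) if c["backend_refused"]))


if __name__ == "__main__":
    for (service, backend), n in refused_backends(SAMPLE_LOG).items():
        print(f"[{service}] {n} connection(s) accepted, but nothing listening on {backend}")
```
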
 
My setup may not be 100%, but here is how I set up stunnel.conf

[blue-iris]
accept = 1440
connect = 192.168.xx.xx:81

The Blue Iris mobile app establishes a secure connection to stunnel; stunnel directs it to the standard connection on the server.

In the Blue Iris Mobile app, set as follows

WAN https://
my_ipaddress:1440 set my_ipaddress to your address.
 
@105437 I have my LAN port set to the same as my WAN. So in your case, the :81 under LAN may need to be changed to :8344. Also select HTTPS for LAN if you do this. Confirm your settings in stunnel and that you made adjustments to your firewall and forwarded the port on your router.
 
I really appreciate the replies but even after carefully checking my settings I still am missing something.

If someone who is successfully using stunnel could provide screen shots of the BI Web Server tab settings, stunnel configuration (stunnel.conf) file, BI app LAN/WAN settings and router forwarding config I would be extremely grateful.

Perhaps after reviewing all of these I can find my problem with using stunnel. Thanks!
 
Have you tried directing the output from stunnel to port 81, as I described above? To be honest, I don't know what the function of the Blue Iris setting for stunnel is. I successfully connect to Blue Iris from the WAN side through stunnel to port 81.
 
My Stunnel.conf file under "TLS Client Mode Services"

[blue iris]
accept = 8080
connect = 8081
cert = stunnel.pem

My Router is forwarding port 8080 to BI/Stunnel computer.

My BI Web server settings reads as follows "Enable the HTTP Web server on port 8081"

Check mark in "Stunnel is installed for HTTPS on Port: 8080"


I don't have HTTPS checked off in my BI app. I'm using no-ip as a ddns service and I switched it to https on the no-ip configuration page.
 
Thanks! It's working now. I had the wrong port number for the Web Server.
 
Sorry for opening up an older thread, but I'm having an issue with port forwarding. Do I forward both the accept and connect ports to my BI computer? I have the accept set to 8080 and the connect set to 81. The only way I could get it to work was forwarding both ports to my BI computer. My concern is that I can still access over the web via http. I thought stunnel would remove that ability.

Could someone please explain the port forwarding to me?

Thanks,
Eric
 
Wow, looks like that worked! Seems like everything is working. I'm not sure how removing port 81 made everything work, because I had tried that numerous times already. I guess I just had to wait for a bit and try it again.

Thanks a ton, smiticans!

Eric