stunnel

[nbstl68]

Just read through this thread. I have aeen stunnel mentioned in my BI program.
Went to the web site and it states, "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code".

...Im no programmer so I still really do not understand exactly what stunnel does.
Could someone please hive me a brief "stunnel for dummies" explanation on what this is, does and why I would benefit from using it?

Does this make port forwarding safer?
Does it negate the security need for me to use a VPN?

Thanks

 

[Livin]

Just read through this thread. I have aeen stunnel mentioned in my BI program.
Went to the web site and it states, "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code".

...Im no programmer so I still really do not understand exactly what stunnel does.
Could someone please hive me a brief "stunnel for dummies" explanation on what this is, does and why I would benefit from using it?

Does this make port forwarding safer?
Does it negate the security need for me to use a VPN?

Thanks

Now i could be wrong as i am no expert but my understanding is that this allows videos transmitted over the internet to be encrypted when remotely viewed or so i think. blue iris encrypts user and password with https but not the video transmitted i believe, and this requires a stunner service which does the encryption so no one can openly look at the transmitted content by intercepting.

May be someone who knows better will add to this or correct me if am mistaken.

Cheers

 

[johnmcc]

That is my understanding, as well no one can view the video stream, or rather makes it very difficult. I don't have any internal cameras, but it the video stream can be captured I would think this is cause for concern.
I am no expert on security!

 

[Livin]

Great glad to have helped.

Setting up the app, for access external to your local network

I take it you have port 8080 on your router forwarded to the pc running BlueIris?
Also the WAN address you have entered in the app should be yourexternalipaddress.co.uk:8080 the part after the ipaddress instruct the app to use port 8080

I setup a VPN connection on on my router, so my iPhone when the VPN connection is running has a local address, even when I am away from home, so in the WAN address I enter the address as a local address.

Got mine working finally with https! Thanks to you for that!

I just had to correct the IP address routed to the correct one and the remote viewing worked on https.

Now on to learning a bit more about alerts on blue iris and the best setting to go with.

 

[johnmcc]

I set up the email alerts on BlueIris etc to go through stunnel to ensure they are encrypted, as I attach clips and photos to the emails.

Glad you are up and running :}

 

[Livin]

I set up the email alerts on BlueIris etc to go through stunnel to ensure they are encrypted, as I attach clips and photos to the emails.

Glad you are up and running :}

I would probably be using a similar setup i think, let me dig in and see if i can figure this out, just waiting for a weekend to get this started.

Cheers

 

[MrFloppyXXL]

Hello from Germany.
My english is maybe not the best. But i got BI&Stunnel running fine. Only the following Info by testing (The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.) isn´t fixed. But i think it is combined with the own-certificate stunnel.pem which is not signed as trusted.

[blue iris]
accept = 8151
connect = 8141
cert = stunnel.pem.

[blue iris], here you can also take [https]
accept = 443 (https)
connect = 99 (htp)
cert = stunnel.pem

I have a windows10x64 system with an fritzbox7490 router with portforward and also a dns-site, connected from the router. Everything works fine and the wan refreshs automatically. Only the warning because of the certificate if i connect via browser isn´t fixed. But i have no dns with textchanges and no homepage. So i think, it is the best solution until now.

With an friend we tried to connect to the site without typing "https://xxxxxxx.xxdns.xx" and only type the url without https but i didn´t work.

Shoud we fix that, we call it luxusproblems, i would fresh you up. It would be great if the software could be in german. I would offer myself to translate it
There are so many and awesome posibilietes to use this software differently, that it seems, that no one without me got such ideas in this area. But as you know, germans are stupid :-D

If i can help anyone, i would do. Sometimes it is useful to work with Teamviewer to connect to each other to fix probs without travelling arround the world.

Mobile browser with firefox on android works, if you switch to desktop-site.

Best regards.

ME

 

[johnmcc]

To connect through http (not secure) you would need to check the http port set in BlueIris ->Options ->WebServer -> Enable HTTP server on Port (default port 81)

for example http://youripaddress.de your fritzbox would require to have port forward port 80 set to ipaddress port 81 (the http port described above) where BlueIris is running.

Your browser will not an HTTPS connection to a self signed certificate, or rather I don't know how to accomplish that.

For external HTTPS connections to BlueIris I use the iPhone BlueIris app, which should accept the tunnel self signed certificate

Mein Deutsch ist nicht gute. Ich kann einfaches Deutsch lessen

 

[johnmcc]

If I understand correctly your router direct https://youripaddress.de to to the pc running stunnel and stunnel connects to BlueIris on port 99. But you do not get an https connection, as the browser does not accept stunnel.pem certificate.
The setup you describe sounds correct.

On my setup I purchased a certificate, and can HTTPS connect from an external ip, without any warnings. To purchase a certificate, you require a registered domain name.

The way my setup external connection is port forwarded to stunnel accept 443 connect xx

 

[MrFloppyXXL]

No. My router is connected to the dns url. My router is p-forwarded with the https port for my system and that is the https port in stunnel. And stunnel is the bridge between https and the http-port in blue iris which have to be activated in the software, but not forwarded in the router.
Yes, with an own Homepage the Site-warning will stop if CA and so on. But the self made CA with stunnel works. After one site-warning (which also can be cleared lokal if you download an integrate that CA into windows). Only Firefox still don´t save it continuesly and tells something with "you don´t have the passphrase or right key". But i should say that i bought the license last friday and got a full system-work in the same day/night.
Now i will only try more or all posibilities to make this kind of suveilance attractive for my friends or shop-owners. Because it is possible to get an amazing suveilance-system under 150$ included 1 or 2 cams.
I turned regular gadget cams with bad options (only jpeg-picture-safe-mode 1 a second at max) to full motionsensor-cams with voice input and can decide or divide suveilance and/or webcast anyway. That´s cool

 

[MrFloppyXXL]

And now i think, that other Users got enough informations to fix their problems with this great solution bundle here

 

[vwsplitty]

Hi I tried adding the address to trusted sites, no joy. Still got the warning about the certificate. Blue Iris is running on WHS 2011. While searching for info on certificates and stunnel I came across the following at

[HOWTO] WHS homeserver.com Certificate in Jetty...and Others - SageTV Community
Describing how to export a windows certificate. It is with regard to sage tv, but the export direction allowed me to export whs 2011 certificate. I then found how to convert the certificate format, to a type suitable for stunnel, see second paragraph

Open Server Manager by clicking on the link in the task bar that WHS
supplies by default. You may also get there other ways like pressing WINDOWS-R
on the keyboard and entering servermanager.msc.

• On the menu on the left, expand Roles, then Web Server (IIS), and then click
  on IIS Manager.
• Expand the server name then Sites, and click on Default Web Site.
• Click Bindings, scroll down to HTTPS, highlight and click Edit.
• Select the myserver.homeserver.com certificate from the drop-down and click
  on the View button.
• Go to the Details tab and click on Copy to File.
• Follow the wizard making sure to export the private key, save as PFX, and
  include all certificates and export extended properties.
• Enter a password, (you may use 123456 to match the Jetty for SageTV Wiki),
  and select to save somewhere, (I use D:\ServerFolders\Documents as that’s where
  I moved that default WHS share), with the name myserver_homeserver_com.pfx.
• Now the certificate needs to be converted, this can accomplished using openssl.exe bundled with stunnel see the following link

SSL Converter - Convert SSL Certificates to different formats

I converted the certificate loaded into stunnel, deleted the line cert = stunnel.pem and put in the new cert file name cert = newcert.pem

open ie and went thro no problem to the secure web page. Also tested mobile app and made secure connection

Only problem now, when blue iris web page opens, shows jpg picture, history, if I click on a file to open it, windows just sits showing connecting.

All of the above info is that gleaned from other authors.

Now all I have to do is solve why can't play the video files.

just wondered if you had any more info on the actual conversion. i have everything up and running ok but get the warning when using https.
running server 2012r2 and have managed to extract the .pfx cert.

only problem im lost how to convert it?

edit managed to follow this guide Exporting a Certificate from PFX to PEM

to do it.

 

[Josh-n-droid]

Right,

So ill highlight some things that I used that enabled me to get stunnel working for me for blueiris. As someone who had the http tunnel working just fine I realised that video encryption is vastly important. Anyway;

1. Use a service like no-ip to set up your ip redirection/updating. (This is pretty easy to do)

2. Ensure you have the web server activated in blue iris and have a port set for it. Lets say port 6158. This number will go in the both the box for ‘Enable the HTTP web server on port’ box as well as the ‘Stunnel is installed for HTTPS on port’ box. Also tick the HTTPS LAN also checkbox.

3. Install stunnell from the website.

4. Answer the questions to assist in creating a certificate during installation. Anything that doesn’t apply you can use a period ‘.’

5. This will save the certificate to (if you installed to default directory) – C:\Program Files (x86)\stunnel\config

The file is named stunnel.pem

6. Ensure within your router that you have port forwarding enabled and forwarding an appropriate port. My suggestion is to use something that is not always common. Let’s say for this example port 7528

7. Open up stunnel and click configuration and open up edit configuration

8. As suggested in a previous comment, remove the rules already in the file without a ; infront of it.

9. Scroll to the bottom of the file.

10. Add in;

[blue iris]

accept = 7528

connect = 6158

cert = stunnel.pem


So the accept port is the port that you have forwarded from your router. This will be device connecting from the internet to the router and it comes through the 7528 port. This will then hit the Stunnel. The stunnel will associate the outside internet port 7528 to the local LAN port of 6158, the port that the web server/remote access of blue iris is accepting requests from.

11. Save the file and ensure your reload the configuration. If the server is not install or crashed, have a look in your program files for the stunnel installer or to the stop and start the service.

12. Make sure when you close out of the stunnel use the File->close and NOT the File->exit as the exit will kill the stunnel server and you will be scratching your head as to why its not connecting. Make sure within the blue iris app you have your local blue iris “server-ip:7528” as well as the remote ip “no-ip.dns:7528”

13. Profit????

 

[VorlonFrog]

My stunnel stopped working yesterday. It seems the Blue Iris web server is rejecting the incoming connection.
Currently running BI version 4.6.2.0 x64, as a service. Here's a bit of the stunnel log.

2017.10.22 20:45:35 LOG5[6]: Service [https] accepted connection from xxx.yyy.49.9:31381
2017.10.22 20:45:36 LOG3[6]: s_connect: connect 192.168.1.20:8899: Connection refused (WSAECONNREFUSED) (10061)
2017.10.22 20:45:36 LOG3[6]: No more addresses to connect
2017.10.22 20:45:36 LOG5[6]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

 

[Josh-n-droid]

My stunnel stopped working yesterday. It seems the Blue Iris web server is rejecting the incoming connection.
Currently running BI version 4.6.2.0 x64, as a service. Here's a bit of the stunnel log.

2017.10.22 20:45:35 LOG5[6]: Service [https] accepted connection from xxx.yyy.49.9:31381
2017.10.22 20:45:36 LOG3[6]: s_connect: connect 192.168.1.20:8899: Connection refused (WSAECONNREFUSED) (10061)
2017.10.22 20:45:36 LOG3[6]: No more addresses to connect
2017.10.22 20:45:36 LOG5[6]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

what does your edit config options look like for blue iris in stunnel?

 

[VorlonFrog]

Here's the relevant portion of the stunnel config file. It hasn't changed since I first set it up successfully, several months ago. Connection comes in from my phone, and the log above is what appears. Blue Iris doesn't even log a connection attempt.

; TLS front-end to a web server
[https]
accept  = 192.168.1.20:xyzx
connect = 192.168.1.20:8899
cert = stunnel.pem

I see there's an x64 update available for BI. I'm applying it, right now.
Yup. That fixed it. Working as expected, again.

 

[Josh-n-droid]

Here's the relevant portion of the stunnel config file. It hasn't changed since I first set it up successfully, several months ago. Connection comes in from my phone, and the log above is what appears. Blue Iris doesn't even log a connection attempt.

; TLS front-end to a web server
[https]
accept  = 192.168.1.20:xyzx
connect = 192.168.1.20:8899
cert = stunnel.pem

I see there's an x64 update available for BI. I'm applying it, right now.
Yup. That fixed it. Working as expected, again.

lol good to hear it was that simple a fix for you.

 

[gtj]

Hello

I installed stunnel, edited the configuration file filling there my desired port, installed the service and started it, however can get it to work. I'm only able to reach my server on http both locally and remotely. Therefore, the port forwarding works but stunnel doesn't.

I have a pfSense router and have only forwarded the external port I want my server to respond to requets under the NAT settings . The relevant rule within LAn settings is generated automatically by the firewall. Do I have to create any other rules associated with stunnel? Has anyone operated stunnel with pfSense? Is there anything special that has to be set under the specific firewall platform?

 

[tygger]

Check your firewall log and application rules. Make sure youre not blocking stunnel.

 

[gtj]

I wll. I haven't done anything, so if it blocks stunnel it does by default.

Thanks for your quick answer.