I got it working. I am not a networking professional, so if you follow these instructions and end up with your camera feed playing on a billboard in Times Square, it's your own fault.
Some basics about Stunnel, as I know it: Let's say you previously would have used the IP address of 192.168.0.2:8290 to access the Blue Iris server internally. With stunnel, you use the IP address of 192.168.0.2:8291, then have stunnel redirect that traffic to 8290. During the redirect process, Stunnel makes the connection secure. This is a lot more simple than it at first seems.
1. Download stunnel. Use this site (stunnel: Downloads) and download the .exe file, if you're using Windows. If you're not using Windows, don't follow these instructions.
2. Install stunnel. Keep all the defaults.
3. In your start menu, go to Stunnel>stunnel GUI Start.
4. Click Configuration at the top, then Edit Configuration.
5. Scroll to the bottom. Below "Example SSL client mode services" delete all of the lines that don't start with ;. You don't need these.
6. Insert this text where you just deleted the other code:
; or whatever port you want to have your computer accept TCP
accept = 8344
; or whatever port you specified on the Blue Iris Webserver page at the top
connect = 8347
7. Save the file, close it, then go to Configuration back on the GUI and select Reload Configuration. Close the GUI.
8. Start menu > stunnel Service Install
9. Start menu > stunnel Service Start
10. The address you will use to access Blue Iris will now be your IP address followed by :8344, or whatever port you used. On the Blue Iris app, you will also need to edit the server settings and select Server is HTTPS, or it won't work.
11. You also need to make sure that your router is properly forwarding requests to your computer. So when you type in your external IP followed by :8344, your router knows to forward that traffic to 192.168.0.2:443. Those numbers don't have to be the same. You could have your router accept on port 8342 and forward to port 8344 on your computer, then have stunnel forward traffic from 8344 to 8347 by using accept = 8344 and connect = 8347, then have the Blue Iris web server be located at 8347. Using a random port rather than 443 or 80 or 81 is better, or so I've read. If you do this, you will have to use port 8344 for internal connections (over the same wifi) and port 8342 for external connections (from work or over cellular).
12. If you're getting errors, make sure that you've installed the service and then started it. Also make sure your Blue Iris app is set to use https, and you're using the proper port. The port on the app needs to be looking for the port on the router that will forward to the port on the computer, which will then forward to the port of Blue Iris. If you put in the port of the Blue Iris web server, you're going to have a bad time.
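As an added troubleshooting example (not part of the original post and not Blue Iris or stunnel code), the following Python sketch classifies each hop of the chain described in steps 10 to 12: it tells a closed port from a dropped connection and a TLS listener from a plain HTTP one. The function names are hypothetical; the address and ports are the ones used in the post.

```python
import socket
import ssl

def probe(host, port, timeout=3.0):
    """Classify one hop: refused, timeout, unreachable, plain, tls-untrusted or tls-trusted."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # WSAECONNREFUSED (10061): nothing listening on that address and port
    except socket.timeout:
        return "timeout"        # packets dropped, e.g. a host firewall with no inbound rule
    except OSError:
        return "unreachable"
    ctx = ssl.create_default_context()  # normal certificate verification, as a browser does
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls-trusted"
    except ssl.SSLCertVerificationError:
        return "tls-untrusted"  # TLS is spoken, but the certificate is not trusted for this name
    except (ssl.SSLError, OSError):
        return "plain"          # listening, but not speaking TLS (e.g. the Blue Iris HTTP port)
    finally:
        sock.close()

def check_chain(hops, timeout=3.0):
    """hops: (label, host, port, expected statuses). Returns (label, status, as_expected)."""
    results = []
    for label, host, port, expected in hops:
        status = probe(host, port, timeout)
        results.append((label, status, status in expected))
    return results

if __name__ == "__main__":
    # Address and ports from the post. Run on the server first, then from another LAN host.
    tls = {"tls-trusted", "tls-untrusted"}
    hops = [("stunnel accept port", "192.168.0.2", 8344, tls),
            ("Blue Iris web server port", "192.168.0.2", 8347, {"plain"})]
    for label, status, ok in check_chain(hops):
        print(f"{label}: {status} ({'as expected' if ok else 'unexpected'})")
```

A "plain" result on the port the app points at means the app is talking to the Blue Iris web server directly instead of to stunnel.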
I also had a difficult time getting this to work, but finally got it, so I figured I would share my experience and quote some key posts that helped me along.
I tried it again today. I did it exactly as video, down to using same ports... I am still getting WSAECONNREFUSED (10061)
I cannot figure out what that error is to fix it... Very unfortunate.
Anyone have an idea? I installed the latest (5.50 64bit) one...
edited to add -
I changed the config from just ports to the IP of computer... that worked! so pretty much
accept = 22.214.171.124:8080
connect = 126.96.36.199:81
now is there a way we can get stunnel.pem signed by maybe like Let's Encrypt?
May I ask where you found the https toggle on No-IP? I'm trying to go this route as well, using a hostname under my owned domain.
My Stunnel.conf file under "TLS Client Mode Services"
accept = 8080
connect = 8081
cert = stunnel.pem
My Router is forwarding port 8080 to BI/Stunnel computer.
My BI Web server settings reads as follows "Enable the HTTP Web server on port 8081"
Check mark in "Stunnel is installed for HTTPS on Port: 8080"
I don't have HTTPS checked off in my BI app. I'm using no-ip as a ddns service and I switched it to https on the no-ip configuration page.
Hmmm thanks, @Walrus I'll give this a shot again when I have an hour to spare!
@Dasstrum thanks for the video guide, I was able to set up stunnel last night. Stupid GUI craps out all the time and stops the service, saying the port is already in use. The exact problem @mjessup44 was having above. I had to stop the service and restart, and restart the computer countless times until it would finally work and the GUI would report the connections.
That said, I could only connect to the port(s) via the local machine. I couldn't remotely connect (had the ports forwarded correctly), or from another computer on my LAN.
Solution, I had to allow incoming connections for the port(s) in question in the Windows 10 firewall.
I keep saying port(s) because I am now using stunnel to https into multiple machines/different programs on my LAN.
Great find Walrus! Are you regenerating the certificate every 90 days? The way I understand it, these expire in 3 months - forcing the user to generate a new one at that time. Seems like it could be automated. Have you done this or are you manually generating a new CSR every 90 days?
After hours of frustration, finally solved it. I used the website Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL to create a new self-signed certificate, and put my no-ip domain as the domain. This generates key.txt and crt.txt files. You then open the old stunnel.pem file, and replace everything in the file using both the key.txt contents then the crt.txt contents in that order.
This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.
It now works with both the updated version of Chrome on my Android phone, and Chrome on my work computer.
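The key-then-certificate layout described in the post above can be checked before stunnel is reloaded. This is an added Python example, not part of the original post or of stunnel; the function names are hypothetical and the sample blocks are constructed placeholders. It is a structural check only: it catches a leftover BEGIN/END line of the other key style, blocks in the wrong order and damaged base64, but it does not verify that the key belongs to the certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}  # both header styles named in the post

def pem_labels(text):
    """Return the label of every PEM block in order, rejecting damaged blocks."""
    labels = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"{begin} block is not valid base64") from exc
        labels.append(begin)
    if text.count("-----BEGIN ") != len(labels):
        raise ValueError("unterminated or malformed PEM block")
    return labels

def check_stunnel_pem(text):
    """Require one private key block first, followed only by certificate blocks."""
    labels = pem_labels(text)
    if not labels or labels[0] not in KEY_LABELS:
        raise ValueError("the private key block must come first")
    if len(labels) < 2 or any(label != "CERTIFICATE" for label in labels[1:]):
        raise ValueError("the key must be followed only by CERTIFICATE blocks")
    return labels

def build_stunnel_pem(key_text, crt_text):
    """Join the key.txt contents, then the crt.txt contents, and validate the result."""
    combined = key_text.strip() + "\n" + crt_text.strip() + "\n"
    check_stunnel_pem(combined)
    return combined

def sample_block(label):
    # Constructed placeholder body (base64 of "CONSTRUCTED SAMPLE"), not real key material.
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQgU0FNUExF\n-----END {label}-----\n"

if __name__ == "__main__":
    pem = build_stunnel_pem(sample_block("RSA PRIVATE KEY"), sample_block("CERTIFICATE"))
    print(check_stunnel_pem(pem))
```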
I found an alternative, in case you're interested. Tunnels https via proxy and there is no need to renew certs every 90 days.
No idea since I just did this. Didn't realize it expires so soon.
A free ngrok license is barely sufficient for one person to view Blue Iris remotely. More than one, and you could very well end up with rate limiting causing apps or UI3 to fail. I wouldn't be surprised to see some problems with just one UI3 connection.
Thanks for bringing this to my attention before I tested it out - only to come to that conclusion hours after tinkering. I think I misinterpreted the 4 tunnels/ngrok process for the free tier & 40 connections per minute to reflect 4 concurrent connections for viewing remotely. I was planning on using these for external access, and pointing to the internal BI url for internal viewing (which I didn't think would impact the quantity of devices viewing BI from the LAN).