stunnel

So I realized my stunnel had frozen (became non-responsive) in the several hours I had it running. I wasn't able to log in. A restart made it work again (not the service but the GUI). How stable is it for you guys?
 
From STUNNEL's documentation page (stunnel TLS Proxy)

cert = CERT_FILE
certificate chain file name

The parameter specifies the file containing certificates used by stunnel to authenticate itself against the remote client or server. The file should contain the whole certificate chain starting from the actual server/client certificate, and ending with the self-signed root CA certificate. The file must be either in PEM or P12 format.

A certificate chain is required in server mode, and optional in client mode.

==

This would imply that a commercial (purchased) CA certificate or any SSC could be implemented. Most likely for home usage, either OpenSSL (Unix) or New-SelfSignedCertificate (Windows) would be used to create an SSC, then export the certificate in P12 format and place it in the specified location and file name.

CApath = DIRECTORY
CAfile = CA_FILE


==

requireCert = yes | no

require a client certificate for verifyChain or verifyPeer


With requireCert set to no, the stunnel server accepts client connections that did not present a certificate.


Both verifyChain = yes and verifyPeer = yes imply requireCert = yes.


default: no


I'm guessing that the PEM file created by STUNNEL's SSC utility uses the default (no) for requireCert, verifyChain, and verifyPeer. If requireCert were changed to yes, then additional security would be added to the login process. A user's browser would be required to have the certificate installed to actually make the connection, even before providing a username and password, effectively locking out anyone without the cert on their device.

The problem with SSCs, or even CA certs created by major corporations, is that the distribution and maintenance of client certs is a real pain.
 
I got it working. I am not a networking professional, so if you follow these instructions and end up with your camera feed playing on a billboard in Times Square, it's your own fault.
Some basics about Stunnel, as I know it: Let's say you previously would have used the IP address 192.168.0.2:8290 to access the Blue Iris server internally. With stunnel, you use the IP address 192.168.0.2:8291, then have stunnel redirect that traffic to 8290. During the redirect process, Stunnel makes the connection secure. This is a lot simpler than it at first seems.
1. Download stunnel. Use this site (stunnel: Downloads) and download the .exe file, if you're using Windows. If you're not using Windows, don't follow these instructions.
2. Install stunnel. Keep all the defaults.
3. In your start menu, go to Stunnel>stunnel GUI Start.
4. Click Configuration at the top, then Edit Configuration.
5. Scroll to the bottom. Below "Example SSL client mode services" delete all of the lines that don't start with ;. You don't need these.
6. Insert this text where you just deleted the other code:
[blue-iris]
accept = 8344 *or whatever port you want to have your computer accept TCP
connect = 8347 *or whatever port you specified on the Blue Iris Webserver page at the top
7. Save the file, close it, then go to Configuration back on the GUI and select Reload Configuration. Close the GUI.
8. Start menu > stunnel Service Install
9. Start menu > stunnel Service Start
10. The address you will use to access Blue Iris will now be your IP address followed by :8344, or whatever port you used. On the blue iris app, you will also need to edit the server settings and select Server is HTTPS, or it won't work.
11. You also need to make sure that your router is properly forwarding requests to your computer. So when you type in your external IP followed by :8344, your router knows to forward that traffic to 192.168.0.2:443. Those numbers don't have to be the same. You could have your router accept on port 8342 and forward to port 8344 on your computer, then have stunnel forward traffic from 8344 to 8347 by using accept = 8344 and connect = 8347, then have the blueiris webserver be located at 8347. Using a random port rather than 443 or 80 or 81 is better, or so I've read. If you do this, you will have to use port 8344 for internal connections (over the same wifi) and port 8342 for external connections (from work or over cellular).
12. If you're getting errors, make sure that you've installed the service and then started it. Also make sure your blue iris app is set to use https, and you're using the proper port. The port on the app needs to be looking for the port on the router that will forward to the port on the computer, which will then forward to the port of blue iris. If you put in the port of the blue iris web server, you're going to have a bad time.

It's done:
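The steps above amount to a handful of rules about the `accept`, `connect` and `cert` lines, and most of the later posts in this thread are people tripping over one of them. As an added example (not stunnel's own code, and not from the poster above), here is a small Python linter that parses an stunnel.conf and flags the mistakes this thread runs into: a service without `cert =`, an `accept` with no bind address (stunnel then listens on every IPv4 interface), `accept` and `connect` pointing at the same endpoint, and `verifyChain`/`verifyPeer` turned on with no `CAfile`/`CApath` to verify against. The sample config is constructed from the ones posted here; treating option names case-insensitively is an assumption about stunnel's parser.

```python
"""Added example (not stunnel's own code): a small linter for stunnel.conf
service sections. Checks: missing cert=, accept= with no bind address,
accept/connect on the same endpoint, verifyChain/verifyPeer with no CA.
Option names are compared case-insensitively (assumption about stunnel)."""
import re

# Constructed sample modelled on the configs posted in this thread.
SAMPLE_CONF = """\
; global section: applies to every service below
cert = stunnel.pem

[blue-iris]
accept = 8344
connect = 8347

[blue iris]
accept = 10.10.2.70:8080
connect = 10.10.2.70:81
cert = stunnel.pem
verifyPeer = yes
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_conf(text):
    """Return (global_options, {service_name: options}) from stunnel.conf text.

    Lines starting with ';' or '#' are comments; keys are lower-cased so that
    'verifyPeer' and 'verifypeer' compare equal."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = services.setdefault(match.group(1).strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    return global_opts, services


def split_endpoint(value):
    """'host:port' -> (host, port); bare 'port' -> (None, port); bad port -> (host, None)."""
    host, sep, port = value.rpartition(":")
    if not sep:
        host, port = None, value
    try:
        return host, int(port)
    except ValueError:
        return host, None


def lint(text):
    """Return a list of (service, problem) tuples; an empty list means nothing was flagged."""
    global_opts, services = parse_conf(text)
    findings = []
    if not services:
        findings.append(("global", "no [service] sections defined"))
    for name, opts in services.items():
        merged = {**global_opts, **opts}  # service options override global ones
        for key in ("accept", "connect"):
            if key not in merged:
                findings.append((name, f"missing {key}"))
        if "cert" not in merged:
            findings.append((name, "missing cert: a server-mode service needs a certificate chain"))
        a_host, a_port = split_endpoint(merged.get("accept", ""))
        c_host, c_port = split_endpoint(merged.get("connect", ""))
        if a_port is not None and a_port == c_port and (a_host or "") == (c_host or ""):
            findings.append((name, "accept and connect are the same endpoint (stunnel would loop to itself)"))
        if a_port is not None and a_host is None:
            findings.append((name, "accept has no address: stunnel binds all IPv4 interfaces"))
        for key in ("verifychain", "verifypeer"):
            if merged.get(key, "no").lower() == "yes" and not ("cafile" in merged or "capath" in merged):
                findings.append((name, f"{key} = yes but no CAfile/CApath to verify against"))
    return findings


if __name__ == "__main__":
    for service, problem in lint(SAMPLE_CONF):
        print(f"[{service}] {problem}")
```

Run against the sample it reports that `[blue-iris]` listens on every interface and that `[blue iris]` asks for peer verification without any CA to check against; a config whose `accept` and `connect` use the same port gets the loop warning, which is the mistake step 12 above warns about in prose.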



I tried it again today. I did it exactly as in the video, down to using the same ports... I am still getting WSAECONNREFUSED (10061).

I cannot figure out what that error is to fix it... Very unfortunate.

Anyone have an idea? I installed the latest (5.50 64bit) one...

edited to add -

I changed the config from just ports to the IP of computer... that worked! so pretty much
accept = 192.1.1.5:8080
connect = 192.1.1.5:81

Now, is there a way we can get stunnel.pem signed by, say, Let's Encrypt?

I also had a difficult time getting this to work, but finally got it, so I figured I would share my experience and quote some key posts that helped me along.

I was up late last night frustratingly futzing around, and then decided to go to sleep and try again this morning. While it still wasn't working initially this morning, I realized one major thing was not occurring at all last night in the Stunnel GUI; it wasn't doing anything after loading the configuration.

This morning, when I would adjust the configuration, save it, and then "Reload Configuration" in the Stunnel GUI, it was actually taking action to start. This was not occurring last night, but I did not realize this was supposed to happen, so that wasted a bunch of time. I don't know what I did to fix it, but I rebooted several times last night and this morning in the various attempts to get this working.

Maybe the Stunnel GUI is temperamental?

Once the Stunnel GUI was working properly, I was able to see the error messages, search for solutions to try, make adjustments, and try again. I initially started out with accept port set at 8080, but when it wasn't working last night, I read that Comcast may have been blocking that port, so I switched to 1440. This morning, when the GUI was working, the error I was receiving was:

[.] Binding service [blue iris] to 10.10.2.70:1440: Permission denied (WSAEACCES) (10013)

The solutions I found on-line were that something was either using the port or the firewall was blocking it. I just switched back to 8080, adjusted my Stunnel configuration file, the router port forward rule, and Blue Iris "Web Server" settings. Then, boom, it worked. Argh!!!

I have a Ubiquiti UniFi Security Gateway router, so YMMV, but here is the Stunnel configuration file that is currently working for me:

[blue iris]
accept = 10.10.2.70:8080
connect = 10.10.2.70:81
cert = stunnel.pem

I hope this may help someone.

Mark
 
I'm having issues; any help is appreciated.

2019.01.21 19:55:15 LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
2019.01.21 19:55:15 LOG5[main]: Compiled/running with OpenSSL 1.1.1a 20 Nov 2018
2019.01.21 19:55:15 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2019.01.21 19:55:15 LOG5[main]: Reading configuration from file stunnel.conf
2019.01.21 19:55:15 LOG5[main]: UTF-8 byte order mark detected
2019.01.21 19:55:15 LOG5[main]: Configuration successful
2019.01.21 19:57:51 LOG5[main]: Reading configuration from file stunnel.conf
2019.01.21 19:57:51 LOG5[main]: UTF-8 byte order mark detected
2019.01.21 19:57:51 LOG5[main]: Configuration successful
2019.01.21 19:57:51 LOG5[main]: Binding service [blue iris] to xxx.xxx.xx.xx:8080: Address already in use (WSAEADDRINUSE) (10048)
2019.01.21 19:57:51 LOG3[main]: Binding service [blue iris] failed

config:

[blue iris]
accept = xxx.xxx.xx.xx:8080
connect = xxx.xxx.xx.xx:81
cert = stunnel.pem

(IPs are x'd out as I don't want to give away my Blue Iris LAN IP)

If anyone has any guidance I also want to add blueiris to my domain as a subdomain such as cam.****.com
 
Restart the computer and quickly launch the stunnel GUI.

If you open cmd as admin and type in netstat -a

See what the port is listening to.
 
My Stunnel.conf file under "TLS Client Mode Services"

[blue iris]
accept = 8080
connect = 8081
cert = stunnel.pem

My Router is forwarding port 8080 to BI/Stunnel computer.

My BI Web server settings reads as follows "Enable the HTTP Web server on port 8081"

Check mark in "Stunnel is installed for HTTPS on Port: 8080"


I don't have HTTPS checked off in my BI app. I'm using no-ip as a ddns service and I switched it to https on the no-ip configuration page.
May I ask where you found the https toggle on No-IP? I'm trying to go this route as well, using a hostname under my owned domain.
 
I've been using ZeroTier lately. Could still run stunnel over it, although that seems redundant. But it obviates the need to open ports, self host a VPN, run ddns, etc. in most cases. I found it to be easier than configuring stunnel.
 
I thought I would post in case anyone has connectivity issues. My problem seemed to get fixed by using the absolute path to the certificate files.

cert = C:\Program Files (x86)\stunnel\config\mycert.pem
 
@Dasstrum thanks for the video guide, I was able to setup stunnel last night. Stupid GUI craps out all the time and stops the service, saying the port is already in use. The exact problem @mjessup44 was having above. I had to stop the service and restart, and restart the computer countless times until it would finally work and the GUI would report the connections.

That said, I could only connect to the port(s) via the local machine. I couldn't remotely connect (had the ports forwarded correctly), or from another computer on my LAN.

Solution, I had to allow incoming connections for the port(s) in question in the Windows 10 firewall.

I keep saying port(s) because I am now using stunnel to https into multiple machines/different programs on my lan.
 

Hmmm thanks, @Walrus I'll give this a shot again when I have an hour to spare!
 
Anyone using Stunnel and Chrome: Chrome has been updated to remove the ability to turn off TLS 1.3 through chrome://flags. I now can't remotely access using Chrome.

Anyone know of a workaround/fix? How do we get TLS 1.3 working with Stunnel?
 
After hours of frustration, finally solved it. I used the website Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL to create a new self-signed certificate, and put my no-ip domain as the domain. This generates key.txt and crt.txt files. You then open the old stunnel.pem file, and replace everything in the file using both the key.txt contents then the crt.txt contents, in that order.

This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.

It now works with both the updated version of chrome on my android phone, and chrome on my work computer.
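Splicing key.txt and crt.txt into stunnel.pem by hand is easy to get wrong (a truncated `-----END` line, a `BEGIN` label that doesn't match its `END`, or a forgotten certificate block leaves stunnel with nothing to load). As an added example, not code from the poster above, from stunnel or from ZeroSSL, here is a Python script that assembles the file in the order the post describes (private key first, then the certificate chain) and sanity-checks an existing stunnel.pem, accepting both the PKCS#8 `PRIVATE KEY` label and the `RSA PRIVATE KEY` label mentioned above. The key and certificate bodies are constructed placeholders, not real material, and the warning about encrypted keys assumes the service has no way to supply a passphrase interactively.

```python
"""Added example (not stunnel's or ZeroSSL's code): assemble and sanity-check
the stunnel.pem layout described above: private key block followed by the
certificate chain. Accepts 'PRIVATE KEY' (PKCS#8) and 'RSA PRIVATE KEY' labels."""
import re

# One PEM block; the backreference forces the BEGIN and END labels to agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed stand-ins for ZeroSSL's key.txt and crt.txt; the bodies are
# placeholders, not real key or certificate material.
KEY_TXT = """\
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYBODY0000000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
"""
CRT_TXT = """\
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTIFICATE00000000000000000000000000000000000000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERISSUERCERTIFICATE000000000000000000000000000000000000
-----END CERTIFICATE-----
"""


def pem_blocks(text):
    """Return [(label, body), ...] for every well-formed PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def render(label, body):
    """Re-emit one PEM block with matching BEGIN/END lines."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


def assemble_stunnel_pem(key_txt, crt_txt):
    """Build the cert= file: exactly one private key, then the certificate chain
    in the order it appears in crt.txt (server certificate first)."""
    keys = [b for b in pem_blocks(key_txt) if b[0] in KEY_LABELS]
    certs = [b for b in pem_blocks(crt_txt) if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected one private key block, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block in crt.txt")
    return "\n".join(render(*b) for b in keys + certs) + "\n"


def check_stunnel_pem(text):
    """Return a list of problems with a stunnel.pem; an empty list means the layout is usable."""
    labels = [label for label, _ in pem_blocks(text)]
    problems = []
    if not labels:
        problems.append("no PEM blocks found (check for truncated BEGIN/END lines)")
        return problems
    keys = [label for label in labels if label in KEY_LABELS]
    if not keys:
        problems.append("no private key block (PRIVATE KEY / RSA PRIVATE KEY)")
    elif len(keys) > 1:
        problems.append("more than one private key block")
    if "ENCRYPTED PRIVATE KEY" in labels:
        # Assumption: an unattended stunnel service cannot be prompted for a passphrase.
        problems.append("encrypted private key: the service would need the passphrase at startup")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block; cert= must hold the certificate chain")
    return problems


if __name__ == "__main__":
    pem = assemble_stunnel_pem(KEY_TXT, CRT_TXT)
    print(pem)
    print("problems:", check_stunnel_pem(pem))
```

Point `check_stunnel_pem` at the contents of an existing stunnel.pem before reloading the configuration: a file that was pasted together with a mismatched `BEGIN`/`END` pair parses as zero blocks and is reported as such, rather than failing later with an opaque bind or handshake error in the GUI log.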
 
Great find Walrus! Are you regenerating the certificate every 90 days? The way I understand it, these expire in 3 months, forcing the user to generate a new one at that time. Seems like it could be automated. Have you done this, or are you manually generating a new CSR every 90 days?
 
A free ngrok license is barely sufficient for one person to view Blue Iris remotely. More than one, and you could very well end up with rate limiting causing apps or UI3 to fail. I wouldn't be surprised to see some problems with just one UI3 connection.
 
Thanks for bringing this to my attention before I tested it out - only to come to that conclusion hours after tinkering. I think I misinterpreted the 4 tunnels/ngrok process for the free tier & 40 connections per minute to reflect 4 concurrent connections for viewing remotely. I was planning on using these for external access, and pointing to the internal BI url for internal viewing (which I didn't think would impact the quantity of devices viewing BI from the LAN).