Lead Image © Petr Vaclavek, 123RF.com

Secure your data channel with stunnel

Confidential

Article from ADMIN 56/2020

By Thorsten Scherf

Stunnel provides a TLS wrapper with extensive configuration options to secure your data over insecure wireless networks.

Transmitting confidential data over an insecure connection is not a good idea and should always be avoided, but what do you do if a service does not offer a secure communication channel, and no VPN is available?

Everyone will be familiar with the following situation: You are sitting comfortably in a cafe or hotel, registered on the local WiFi network, and happily browsing the Internet. However, you might not want other users of the same wireless network to be able to track your Internet usage behavior. Worse still, you come across a service that requires you to enter sensitive data, such as login credentials, but does not provide data protection through a secure TLS connection. Unfortunately, such cases can still be found in 2020. So what now?

Most Linux distributions offer the stunnel package, a TLS wrapper that lets you build a tunnel between two endpoints. The tool can operate in both client and server modes.

Preparing the Tunnel

After you have downloaded and installed the stunnel package from the distribution repository [1], you need to install the /etc/stunnel/stunnel.conf configuration file. If this is not available, sample configurations can usually be found in the documentation directory, /usr/share/doc/stunnel*/. The example in Listing 1 shows a very simple configuration that uses stunnel as a plain vanilla TLS client.

Listing 1

Stunnel as a TLS Client

; global settings
sslVersion = TLSv1.2
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/pki/tls/certs/roots.pem
verifyChain = yes
   
[gmail-smtp]
client =

...

Use Express-Checkout link below to read the full article (PDF).