[SOLVED] How to configure stunnel?

Hello,

I installed the OpenVPN package in reforis and that’s working fine. However, I want to tunnel my OpenVPN connection through stunnel. Normally, I would just edit /etc/stunnel/(whatever).conf to point to my OpenVPN server, then create an OpenVPN configuration file that points to 127.0.0.1:(stunnel_port).

There is an /etc/stunnel/ folder on my Turris Omnia router, but stunnel seems to ignore configuration files there. For example, if I set the configuration file there to have stunnel listen on port 1413 and then restart stunnel, stunnel is still listening on port 6000 according to ss -lnpt.

Instead, when I restart the stunnel service, the following appears in /var/log/messages:

messages:Aug 11 11:19:40 turris stunnel: LOG5[ui]: Reading configuration from file /tmp/etc/stunnel.conf

I’m guessing I shouldn’t edit that file directly since, being in /tmp, it will be lost when the router restarts? I’m not sure how it is generated. It doesn’t seem to be copied from anything in /etc/stunnel.

I’ve googled and looked through the docs and this forum but I don’t see anything about how to configure stunnel. I looked through the UI (reforis and luci) and don’t see any way to configure it there either. Apologies if this is someplace obvious and I just overlooked it.

Edit 20240813: As an experiment, I tried changing /tmp/etc/stunnel.conf to listen on a different port, and then restarted the stunnel service. As expected, that caused /tmp/etc/stunnel.conf to be overwritten, and my changes were ignored.

Okay, I ran service stunnel info and that led me to /etc/init.d/stunnel which might shed some light on things. Looks like this might be an OpenWRT issue.

Found the real stunnel configuration, it’s in /etc/config/stunnel. I should be out of the woods now, but I haven’t quite gotten stunnel working yet, so I’ll mark this solved once I do.

Edit 20240814: That was it. stunnel is working now. I’m marking this solved. One last thing - I want to use tshark or wireshark to verify stunnel is working as expected, but opkg tells me it doesn’t know about either package. If anyone knows what package I should install for this I would appreciate it.

Thank you!

opkg update
opkg install tcpdump

Thank you for your reply! However, after running opkg update, I get the following:

root@turris:~# opkg install tcpdump
Package tcpdump (4.99.4-1) installed in root is up to date.

root@turris:~# tshark
-ash: tshark: not found
root@turris:~# wireshark
-ash: wireshark: not found

root@turris:~# opkg install tshark
Unknown package 'tshark'.
Collected errors:
 * opkg_install_cmd: Cannot install package tshark.
root@turris:~# opkg install wireshark
Unknown package 'wireshark'.
Collected errors:
 * opkg_install_cmd: Cannot install package wireshark.

I’m looking for tshark specifically because I want to verify my traffic is encrypted with TLS, e.g.

sudo tshark -i eth0 | more

# Without stunnel
1 0.000000000 (IP 1) → (IP 2) UDP 83 443 → 39627 Len=41
2 0.000224008 (IP 2) → (IP 1) UDP 83 39627 → 443 Len=41

# With stunnel
5 7.316491889 (IP 1) → (IP 2) TLSv1.2 138 Application Data
6 7.365448081 (IP 2) → (IP 1) TLSv1.2 138 Application Data

I’ve been looking to see how to do that with tcpdump but haven’t figured it out yet.

Thank you!
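Added example, not part of either post: one way to run the TLS check from the post above without tshark is to capture with `tcpdump -nn -x` on the router and test each TCP payload for well-formed TLS record headers. It assumes IPv4 over TCP; the two hex dumps are constructed samples, and the function names are made up for this sketch.

```python
import re

TLS_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# Constructed sample dumps (not real captures), shaped like `tcpdump -nn -x` output.
HEAD = """\t0x0000:  4500 0031 0001 4000 4006 0000 c000 020a
\t0x0010:  c633 6405 9acb 01bb 0000 0001 0000 0001
"""
WITH_STUNNEL = HEAD + "\t0x0020:  5018 01f6 0000 0000 1703 0300 04de adbe\n\t0x0030:  ef\n"
WITHOUT_STUNNEL = HEAD + "\t0x0020:  5018 01f6 0000 0000 000e 3801 0203 0405\n\t0x0030:  06\n"

def packet_bytes(hexdump: str) -> bytes:
    """Rebuild packet bytes from the '0x0000:  4500 ...' lines of tcpdump -x."""
    out = bytearray()
    for line in hexdump.splitlines():
        m = re.match(r"\s*0x[0-9a-f]{4}:\s+([0-9a-f ]+)$", line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def tcp_payload(pkt: bytes) -> bytes:
    """Strip the IPv4 and TCP headers; return b'' for anything that is not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return b""
    ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
    if len(pkt) < ihl + 20:
        return b""
    total = int.from_bytes(pkt[2:4], "big")  # IPv4 total length
    doff = (pkt[ihl + 12] >> 4) * 4        # TCP data offset in bytes
    return pkt[ihl + doff:total]

def tls_records(payload: bytes):
    """Record type names if the payload starts a run of TLS records, else None.
    A segment that begins in the middle of a record is reported as None."""
    names, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 5:
            return None
        ctype, major, minor = payload[pos], payload[pos + 1], payload[pos + 2]
        length = int.from_bytes(payload[pos + 3:pos + 5], "big")
        if ctype not in TLS_TYPES or major != 3 or minor > 4 or length > 16384 + 2048:
            return None
        names.append(TLS_TYPES[ctype])
        pos += 5 + length                  # the record may continue in the next segment
    return names or None

def classify(hexdump: str):
    return tls_records(tcp_payload(packet_bytes(hexdump)))

if __name__ == "__main__":
    for name, dump in (("with stunnel", WITH_STUNNEL), ("without stunnel", WITHOUT_STUNNEL)):
        print(name, "->", classify(dump))
```

A record header only shows that the bytes are framed as TLS; judge a flow by several segments rather than one, since segments that start mid-record are reported as non-TLS.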

If you have tcpdump installed on your Turris router then you could use a remote capture session in your laptop’s Wireshark GUI: