Tunneling Windows services: stunnel solution

William Mark Smith suggested using stunnel (http://www.stunnel.org) as a solution. The binaries are already available, and SSL certainly is good enough crypto for this application. Also, one can restrict access to the server and clients bearing known keys. This prevents anonymous probing of the server's more delicate software, which is a strong plus.

The solution requires these steps:

  • Install the Microsoft loopback interface. It's considered a hardware device that you have to install. On this device (in Windows XP), disable all but TCP access. (You must disable file and print sharing, and in the TCP/IP settings there is an option to disable NetBIOS, which you must also use. Thanks to James Lewis for the clarification.) Give it a fixed IP address. William suggests something in the private address space, but I think there is more of a chance of collision with something there. I used 222.222.222.222. It is easy to type, and not used at present.
  • Install the stunnel binary following package directions. William suggests FireDaemon Lite (http://www.firedaemon.com) to start the stunnel daemon automatically. (Yes, it appears that you need a program on Windows to put something in the equivalent of /etc/rc.local.) I have my family double click the binary when they want to reach home. stunnel.conf is:
              client=yes
              #foreground=yes
              debug=4
              output=log.txt
              key=berferd.key
              RNDfile=RNDfile
              #verify=2
              CAfile=rshare.pem

              [pop3s]
              accept=222.222.222.222:110
              connect=(server host):995

              [rshare139]
              accept=222.222.222.222:139
              connect=(server host):(stunnel port)

    The directory also needs a key for the user (berferd.key) and a certificate for the server host (rshare.pem). Setting the debug level to 7 is useful to figure out what is going on. As usual, some assembly is required.

    This example also implements an SSL-based POP3 tunnel for this user. Eudora likes it.

  • At the server end, the stunnel installation is pretty standard. Incoming connections are relayed to the appropriate local host/port, which is not otherwise reachable.
  • The file service is accessed through map-network-drive to \\222.222.222.222\berferd in this case. I used the DOS window and netstat -an a lot to see who was listening to whom.
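The page only shows the client-side stunnel.conf and calls the server end "pretty standard". The following server-side stunnel.conf is an added example, not from the original page or from William Mark Smith; it is written to pair with the client configuration above. The file names server.pem, server.key, clients.pem and stunnel.log are assumptions, as is the choice to have the POP3 daemon and the file server listen only on 127.0.0.1 so that they are not reachable except through the tunnel. (stunnel port) is left as the same placeholder the page uses.

```ini
# Added example (not from the original page): server-side stunnel.conf
# matching the client configuration shown above.  File names and the
# loopback back-end addresses are assumptions.
client=no
debug=4
output=stunnel.log

# The server's own certificate and private key.  The client lists this
# certificate in its CAfile (rshare.pem on the page), so that, with
# verify=2 enabled on the client, it can check it reached the real server.
cert=server.pem
key=server.key

# Require every client to present a certificate and accept only those
# that verify against clients.pem (the known users' certificates).  This
# is the setting that stops anonymous probing of the relayed services.
verify=2
CAfile=clients.pem

[pop3s]
# TLS-wrapped POP3: decrypt on 995 and hand off to the local POP3 daemon,
# which is assumed to listen on the loopback address only.
accept=995
connect=127.0.0.1:110

[rshare139]
# SMB over TLS: the client's [rshare139] section connects here.  Replace
# (stunnel port) with the port chosen for the tunnel; the file server is
# assumed to listen on the loopback address only.
accept=(stunnel port)
connect=127.0.0.1:139
```

With verify=2 the server refuses the TLS handshake unless the client's certificate chains to something in clients.pem, so a scanner that finds the stunnel port gets no further than a failed handshake; the back-end services themselves never appear on an external interface. The client-side config on the page has verify=2 commented out; enabling it there, with rshare.pem as CAfile, makes the check mutual, so that a client will not send its credentials to an impostor server either.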