setup reverse tunnel with stunnel


Unlike ssh,  stunnel dosen’t support the reverse tunnel by it’s self.

With the help of tgcd ( TCP/IP Gender Changer Daemon ), we are able to setup a reverse tunnel by chain the tgcd and stunnel:

For example:

We try to access the corp server from home,  but due to the NAT firewall of the corp, only out going 80/443 port are opened:

client  ==> tgcd LL node (home server)  ==> tgcd CC node (corp agent) ==> corp server:

Home Server:

Launching tgcd daemon in LL mode:

   tgcd -L -q 2222 -p 22222

Listen on port 2222 for client access

Listen on port 22222 for tgcd CC access


Launching stunnel in server mode:

       /usr/local/bin/stunnel /etc/stunnel/stunnel_server.conf

Listen on port 443 for incoming ssl connection

Forward link with sni=tgcd to port 2222

cat /etc/stunnel/stunnel_server.conf

accept =
connect =

sni = tls:tgcd
connect =


Corp Agent Server:

Launching tgcd daemon in CC mode:

tgcd -C -s -c

Connect to tgcd LL node at:

Connect to sshd server at:

Launching stunnel in client mode:

/usr/local/bin/stunnel /etc/stunnel/stunnel_client.conf

Listen on port from tgcd CC, and

Access Home server via port 443 behind NAT and http proxy

cat /etc/stunnel/stunnel_client.conf


accept =
protocolHost = home.serverip:443

connect = http_proxy_ip:http_proxy_port
protocol = connect
sni = tgcd



With such configuration, we can login into the corp server by means of:

ssh -p 22222   home.server.ip