Unlike ssh, stunnel doesn't support reverse tunnels by itself.
With the help of tgcd (TCP/IP Gender Changer Daemon), we can set up a reverse tunnel by chaining tgcd and stunnel.
For example:
We want to reach a corp server from home, but the corp NAT firewall only allows outgoing connections on ports 80/443 (via an HTTP proxy), so the corp side has to dial out and the home side has to listen:
client ==> tgcd LL node (home server) ==> tgcd CC node (corp agent) ==> corp server
Home Server:
Launch the tgcd daemon in LL (listen-listen) mode:
tgcd -L -q 2222 -p 22222
-p 22222: listen on port 22222 for client access (the port ssh will connect to)
-q 2222: listen on port 2222 for the tgcd CC node (reached only through stunnel, see the server config below)
Launch stunnel in server mode:
/usr/local/bin/stunnel /etc/stunnel/stunnel_server.conf
Listen on port 443 for incoming TLS connections;
forward connections whose SNI is tgcd to port 2222 (the tgcd CC port), everything else to the default [tls] backend
cat /etc/stunnel/stunnel_server.conf
; server mode needs a certificate, otherwise stunnel refuses to start (path is an example)
cert = /etc/stunnel/stunnel.pem
[tls]
accept = 0.0.0.0:443
connect = 127.0.0.1:1080
[tgcd]
sni = tls:tgcd
connect = 127.0.0.1:2222
; as written, anyone who reaches 443 with SNI tgcd is accepted as the CC node and can
; take over client sessions; add verifyPeer = yes and CAfile = <corp agent CA> to require its client certificate
Corp Agent Server:
Launch the tgcd daemon in CC (connect-connect) mode:
tgcd -C -s 127.0.0.1:222 -c 127.0.0.227:2222
-c 127.0.0.227:2222: connect to the tgcd LL node, via the local stunnel client listening on that loopback alias
-s 127.0.0.1:222: connect to the sshd server (listening on port 222 here)
Launch stunnel in client mode:
/usr/local/bin/stunnel /etc/stunnel/stunnel_client.conf
Accept connections on 127.0.0.227:2222 from the tgcd CC node, and
reach the home server on port 443 through the corp NAT and HTTP proxy (CONNECT method)
cat /etc/stunnel/stunnel_client.conf
[ssh-tgcd-home]
; without client = yes stunnel would run this service in server mode
client = yes
accept = 127.0.0.227:2222
protocol = connect
protocolHost = home.server.ip:443
connect = http_proxy_ip:http_proxy_port
sni = tgcd
; as written the client does not check the home server's certificate, so the corp proxy
; could impersonate it; add verifyChain = yes and CAfile = <home server CA>
******************************************
With this configuration, we can log in to the corp server from the client with:
ssh -p 22222 home.server.ip
Note that port 22222 on the home server is not behind stunnel: anyone who can reach it is handed straight to the corp sshd, and only sshd's own authentication stands between them and the corp server, so restrict access to that port with a host firewall.
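The two stunnel configs above are easy to get subtly wrong: a server-mode service without `cert` will not start, a corp agent service without `client = yes` silently runs as a server, and neither side authenticates the other unless told to. The following linter, an added example that is not code from this post, from stunnel or from tgcd, parses stunnel.conf the minimal way (sections, `key = value`, `;`/`#` comment lines, pre-section defaults; no `include`, no values containing `=`) and flags those mistakes. The constructed configs embedded in it are the post's own with the missing lines left out, plus hardened variants; all file paths in them are assumptions.

```python
"""Lint stunnel configs for what breaks or weakens the tgcd + stunnel reverse
tunnel above.  Added example; not code from the post, stunnel or tgcd."""
import re

# Constructed from the post's configs, minus the lines it leaves out (no `cert`
# on the home server, no `client = yes` on the corp agent).
SERVER_CONF_AS_POSTED = """\
[tls]
accept = 0.0.0.0:443
connect = 127.0.0.1:1080
[tgcd]
sni = tls:tgcd
connect = 127.0.0.1:2222
"""
CLIENT_CONF_AS_POSTED = """\
[ssh-tgcd-home]
accept = 127.0.0.227:2222
protocolHost = home.server.ip:443
connect = http_proxy_ip:http_proxy_port
protocol = connect
sni = tgcd
"""
# Hardened variants (paths are assumptions): mutual TLS, so only the corp agent can claim the CC port.
SERVER_CONF_FIXED = """\
cert = /etc/stunnel/home.pem
verifyPeer = yes
CAfile = /etc/stunnel/corp-agent.pem
[tls]
accept = 0.0.0.0:443
connect = 127.0.0.1:1080
[tgcd]
sni = tls:tgcd
connect = 127.0.0.1:2222
"""
CLIENT_CONF_FIXED = """\
[ssh-tgcd-home]
client = yes
accept = 127.0.0.227:2222
protocol = connect
protocolHost = home.server.ip:443
connect = http_proxy_ip:http_proxy_port
sni = tgcd
cert = /etc/stunnel/corp-agent.pem
verifyChain = yes
CAfile = /etc/stunnel/home-ca.pem
checkHost = home.server.ip
"""
MESSAGES = {
    'no-cert': 'server-mode service without cert: stunnel refuses to start',
    'unknown-sni-master': 'sni names a master service that is not defined',
    'no-server-verify': 'client never verifies the server: the proxy can impersonate it',
    'no-peer-verify': 'server accepts any peer: anyone reaching the port can claim the CC slot',
    'missing-protocolHost': 'protocol = connect needs protocolHost (the real destination)',
}


def parse_stunnel_conf(text):
    """-> (defaults, {service: {option: [values]}}); pre-section options are defaults."""
    defaults, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':                       # comment line
            continue
        if section := re.fullmatch(r'\[(.+)\]', line):
            current = services.setdefault(section.group(1).strip(), {})
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError(f'unparseable line: {raw!r}')
        (defaults if current is None else current).setdefault(key.strip(), []).append(value.strip())
    return defaults, services


def lint_stunnel(text):
    """Return [(service, code)] findings; MESSAGES explains each code."""
    defaults, services = parse_stunnel_conf(text)

    def opt(svc, key):                                        # last value wins, defaults apply
        values = services[svc].get(key) or defaults.get(key)
        return values[-1] if values else None

    def verifies(svc):                                        # requires and checks the peer cert
        if any((opt(svc, k) or '').lower() == 'yes' for k in ('verifyChain', 'verifyPeer')):
            return True
        level = opt(svc, 'verify')                            # pre-5.x spelling: 2 = require
        return bool(level) and level.isdigit() and int(level) >= 2

    findings = []
    for name in services:
        client = (opt(name, 'client') or 'no').lower() == 'yes'
        sni = opt(name, 'sni') or ''
        slave = not client and ':' in sni                     # server-mode "sni = MASTER:pattern"
        if not client and not slave and not opt(name, 'cert'):
            findings.append((name, 'no-cert'))
        if slave and sni.split(':', 1)[0] not in services:
            findings.append((name, 'unknown-sni-master'))
        if not verifies(name):
            findings.append((name, 'no-server-verify' if client else 'no-peer-verify'))
        if (opt(name, 'protocol') or '').lower() == 'connect' and not opt(name, 'protocolHost'):
            findings.append((name, 'missing-protocolHost'))
    return findings
```

Run `lint_stunnel(SERVER_CONF_AS_POSTED)` and it reports the missing cert on [tls] and no peer verification on both services; `lint_stunnel(CLIENT_CONF_AS_POSTED)` treats the agent service as a server, which is exactly what stunnel does without `client = yes`. The hardened variants come back clean. Putting `verifyPeer` in the defaults of the home config means the `[tls]` default backend on 443 also demands a client certificate; move it into `[tgcd]` if that backend must stay open.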