Tag: tunnel

  • Set up a reverse tunnel with stunnel

    Unlike ssh, stunnel doesn't support reverse tunnels by itself.

    With the help of tgcd (TCP/IP Gender Changer Daemon), we can set up a reverse tunnel by chaining tgcd and stunnel.

    For example:

    We want to access the corp server from home, but because of the corp NAT firewall, only outgoing ports 80/443 are open:

    client ==> tgcd LL node (home server) ==> tgcd CC node (corp agent) ==> corp server

    Home Server:

    Launching tgcd daemon in LL mode:

    tgcd -L -q 2222 -p 22222

    Listen on port 2222 for client access

    Listen on port 22222 for tgcd CC access

     

    Launching stunnel in server mode:

    /usr/local/bin/stunnel /etc/stunnel/stunnel_server.conf

    Listen on port 443 for incoming SSL connections

    Forward connections with sni=tgcd to port 2222

    cat /etc/stunnel/stunnel_server.conf

    [tls]
    accept = 0.0.0.0:443
    connect = 127.0.0.1:1080

    [tgcd]
    sni = tls:tgcd
    connect = 127.0.0.1:2222

     

    Corp Agent Server:

    Launching tgcd daemon in CC mode:

    tgcd -C -s 127.0.0.1:222 -c 127.0.0.227:2222

    Connect to tgcd LL node at: 127.0.0.227:2222

    Connect to sshd server at: 127.0.0.1:222

    Launching stunnel in client mode:

    /usr/local/bin/stunnel /etc/stunnel/stunnel_client.conf

    Listen on 127.0.0.227:2222 for connections from the tgcd CC node, and reach the home server on port 443 from behind the NAT and HTTP proxy

    cat /etc/stunnel/stunnel_client.conf

    [ssh-tgcd-home]
    ; client mode, as described above
    client = yes
    accept = 127.0.0.227:2222
    protocolHost = home.serverip:443
    connect = http_proxy_ip:http_proxy_port
    protocol = connect
    sni = tgcd

     

    ******************************************

    With this configuration, we can log in to the corp server with:

    ssh -p 22222 home.server.ip
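
An added check, not part of the original post: as shown, neither stunnel config sets `verifyChain` or `verifyPeer`, so neither end of the tunnel authenticates the other's certificate. The script below parses the page's two configs (embedded as sample input; `client = yes` on the corp agent is an assumption based on the post's "client mode") and lists the services that accept any TLS peer.

```python
# Added example: flag stunnel services that never verify the TLS peer.
# Sample input: the two configs from this page; `client = yes` is an assumption.
SERVER_CONF = """
[tls]
accept = 0.0.0.0:443
connect = 127.0.0.1:1080
[tgcd]
sni = tls:tgcd
connect = 127.0.0.1:2222
"""
CLIENT_CONF = """
[ssh-tgcd-home]
client = yes
accept = 127.0.0.227:2222
protocolHost = home.serverip:443
connect = http_proxy_ip:http_proxy_port
protocol = connect
sni = tgcd
"""

def parse(text):
    """Return {service: options}; global options are inherited by each service."""
    glob, services = {}, {}
    cur = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], dict(glob))
        elif "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip().lower()] = value.strip()   # option names: case-insensitive
    return services

def audit(text):
    """Return (service, finding) pairs; the legacy `verify = N` option is not considered."""
    findings = []
    for name, opts in parse(text).items():
        if any(opts.get(o, "no").lower() == "yes" for o in ("verifychain", "verifypeer")):
            continue                          # peer certificate is checked
        if opts.get("client", "no").lower() == "yes":
            findings.append((name, "server certificate is not verified"))
        else:
            findings.append((name, "no client certificate required for " + opts.get("connect", "?")))
    return findings

if __name__ == "__main__":
    print(audit(SERVER_CONF) + audit(CLIENT_CONF))
```

To clear the findings, set `verifyChain = yes` with a `CAfile` in the affected service sections, plus `checkHost` on the client side.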

  • Set up an SSH VPN between two Linux devices

    https://help.ubuntu.com/community/SSH_VPN

    SSH_VPN

    Works with DD-WRT (with openssh + ip installed)