omayanrey · June 18, 2018 06:12 · Dec 14, 2016 · Dec 14, 2016 · Dec 14, 2016
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# How to tunnel SSH over SSL
+# How to tunnel SSH over SSL/TLS
 
 laptop ssh -> laptop stunnel -> evil network -> internet -> your server -> your server ssh
 

diff --git a/README.md b/README.md
@@ -7,8 +7,8 @@ laptop ssh -> laptop stunnel -> evil network -> internet -> your server -> your
 Sets up a stunnel process listening externally on port 2443/tcp, forwards to localhost 22/tcp
 
 - Install stunnel, e.g.  `yum install stunnel`
-- Install server config snippet to /etc/stunnel/stunnel.conf
-- Create a TLS cert+key pair, save to /etc/stunnel/stunnel.pem
+- Install server config snippet to `/etc/stunnel/stunnel.conf`
+- Create a TLS cert+key pair, save to `/etc/stunnel/stunnel.pem`
 
 Quick and dirty self signed cert, if you don't care about repudiation:
 `openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem`

diff --git a/README.md b/README.md
@@ -0,0 +1,53 @@
+# How to tunnel SSH over SSL
+
+laptop ssh -> laptop stunnel -> evil network -> internet -> your server -> your server ssh
+
+## Server (your shell server/home box/work box/whatever)
+
+Sets up a stunnel process listening externally on port 2443/tcp, forwards to localhost 22/tcp
+
+- Install stunnel, e.g.  `yum install stunnel`
+- Install server config snippet to /etc/stunnel/stunnel.conf
+- Create a TLS cert+key pair, save to /etc/stunnel/stunnel.pem
+
+Quick and dirty self signed cert, if you don't care about repudiation:
+`openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem`
+
+- Create the chroot directory: `mkdir /var/run/stunnel ; chown nobody.nobody /var/run/stunnel`
+- Run the server:  `stunnel /etc/stunnel/stunnel.conf`  if there isn't an init script
+- Remember to open iptables to accept connections on 2443/tcp if you use it!
+
+## Client/laptop
+
+Sets up a stunnel process listening on the laptop on port 2443
+
+- Install stunnel
+- Install client config to your homedir as stunnel-client.conf
+- Edit `connect=` line to change to the name/address of your server, e.g. `connect=myserver.example.com:2443`
+- Run the client:  `stunnel stunnel-client.conf`
+
+## Testing/verification
+
+From laptop, telnet to localhost port 2443. You should see the OpenSSH banner of your remote server
+
+```
+lapdance:~ bwann$ telnet localhost 2443
+Trying ::1...
+telnet: connect to address ::1: Connection refused
+Trying 127.0.0.1...
+Connected to localhost.
+Escape character is '^]'.
+SSH-2.0-OpenSSH_6.6.1
+```
+
+Testing ssh:
+```
+lapdance:~ bwann$ ssh -p 2443 localhost uname -n
+my-server.wann.net
+```
+
+## Usage
+
+On your laptop, ssh to localhost port 443.  This will connect you to the sshd running on your server. Done!
+
+`ssh -p 4443 localhost`
diff --git a/stunnel-client.conf b/stunnel-client.conf
@@ -0,0 +1,5 @@
+pid = /tmp/stunnel.pid
+client=yes
+[ssh]
+accept=2443
+connect=my-server.wann.net:2443
diff --git a/stunnel.conf b/stunnel.conf
@@ -0,0 +1,15 @@
+cert = /etc/stunnel/stunnel.pem
+sslVersion = TLSv1
+options = NO_SSLv2
+options = NO_SSLv3
+chroot = /var/run/stunnel
+setuid = nobody
+setgid = nobody
+pid = /stunnel.pid
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+
+[sshd]
+accept = 2443
+connect = 22
+TIMEOUTclose = 0