Securing unencrypted traffic with stunnel

Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. In this tutorial we’ll secure Samba connection but you could use this for other services like SMTP, IMAP, POP3 etc.

If you are securing a service where the client supports encrypting like SMTP, IMAP and POP3 you can skip the client step.

Server

1. Install stunnel

apt-get install stunnel


2. Configure Samba to only listen on localhost only (pico /etc/samba/smb.conf)

interfaces = 127.0.0.0/8
bind interfaces only = yes


3. Restart Samba

/etc/init.d/samba restart


4. Create SSL certificate and a key

openssl req -new -nodes -x509 -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem


5. Configure stunnel to listen for secure connections on port 8139 and forward to port 139 on localhost (pico /etc/stunnel/stunnel.conf)

cert = /etc/stunnel/stunnel.pem
 
[smb]
accept = 8139
connect = 139


6. Enable stunnel (pico /etc/default/stunnel4)

ENABLED=1


7. Start stunnel

/etc/init.d/stunnel4 restart


Client

1. Install stunnel and smbclient

apt-get install smbclient stunnel


2. Configure stunnel to listen for connections on localhost:139 and forward to the server on port 8139 using a secure connection (pico /etc/stunnel/stunnel.conf)

client = yes
 
[smb]
accept = localhost:139
connect = {ip}:8139


Replace {ip} with the IP address of your server previously configured

3. Enable stunnel (pico /etc/default/stunnel4)

ENABLED=1


4. Start stunnel

/etc/init.d/stunnel4 restart


5. Test the connection using smbclient

smbclient -U user1 //localhost/sambashare