Stunnel in DAB appliances

From Proxmox VE
Jump to navigation Jump to search

Why stunnel

Sometimes it is necessary to use a SSH Wrapper - stunnel4 /

stunnel3 - for example if we have a server with a MySQL daemon on it that

needs to have some databases accessed from another server's MySQL client.

Pre-requisites and Asumptions

For the sake of simplicity, I assume that both are OpenVZ DAB generated appliances having host names Remote-DB-Host (SERVER) and Data-Accessing-Host (CLIENT). We further assume that each host has it's own MySQL daemon running on the normal port 3306. We need to enable a MySQL client on the Data-Accessing-Host to access a MySQL DB in the Remote-DB-Host in a secure manner (SSH Wrapped). Let us assume the following for reference:

Remote-DB-Host - SERVER

IP: 192.168.5.15
MySQL Server Port: 3306
To be configured Incoming SSH MySQL Port: 3320

Data-Accessing-Host - CLIENT

IP: 192.168.5.45
MySQL Server Port: 3306
To be configured MySQL Client Access Port: 3310
To be configured MySQL Client SSH Outgoing Port: 3320
(same as Remote-DB-Host's Incoming SSH Port)

Installation

On both hosts' (SERVER and CLIENT) console, execute:

apt-get install stunnel

If all goes well, you will get stunnel v4 installed.

The installed version of stunnel can be obtained from: # dpkg -l 'stunnel*'

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  stunnel        3:4.22-2       dummy upgrade package
ii  stunnel4       3:4.22-2       Universal SSL tunnel for network daemons

PEM Cerificate generation

The PEM certificate should by default exist as /etc/stunnel/stunnel.pem It must be generated on the SERVER and is optional on the CLIENT. The default certificate generation template (edit as needed) is at:

/usr/share/doc/stunnel4/examples/stunnel.cnf

The folowing normal method of certificate generation hangs (Ctrl-C to exit) on DAB appliances:

make-ssl-cert /usr/share/doc/stunnel4/examples/stunnel.cnf /etc/stunnel/stunnel.pem

Hence we will have to revert to it's equivalent:

openssl req -new -x509 -days 365 -nodes -config /usr/share/doc/stunnel4/examples/stunnel.cnf -out 

stunnel.pem -keyout /etc/stunnel/stunnel.pem In order to prevent hacking, the name of the stunnel.pem file is hashed using:

/usr/lib/ssl/misc/c_hash /etc/stunnel/stunnel.pem

This will result in some output like (yours will be different):

e56d2502.0 => /etc/stunnel/stunnel.pem

This should be the file name given to the link stored in /etc/ssl/certs/ folder or better still, if the /etc/stunnel/stunnel.pem file itself is renamed so.

On attempting to use stunnel, you will get the following error:

Wrong permissions on /etc/stunnel/stunnel.pem

This remedied by fixing the permission thus:

chmod 600 /etc/stunnel/stunnel.pem

A file named /etc/stunnel/stunnel.rnd will now have been created. This is the seed for the random number generator.

Server Configuration

We edit the /etc/stunnel/stunnel.conf file in the SERVER:

nano /etc/stunnel/stunnel.conf

and comment out or delete every line leaving only the following in it:

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/stunnel.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Service-level configuration

[mysqld]
accept  = 3320
connect = 3306

Client Configuration

We edit the /etc/stunnel/stunnel.conf file in the SERVER:

nano /etc/stunnel/stunnel.conf

and comment out or delete every line leaving only the following in it:

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/stunnel.pem

sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid
 
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
 
; Use it for client mode
client = yes

; Service-level configuration

[mysqld]
accept  = 3310
connect = 192.168.5.15:3320

Note the presence of the client = yes line in the client config above.

SERVER and CLIENT stunnel Usage

We now edit /etc/default/stunnel making:

ENABLED=1

so that we may run stunnel as a service with default parameters set in the /etc/stunnel/stunnel.conf

file..

We now start the stunnel with:

/etc/init.d/stunnel4 start

To stop it:

/etc/init.d/stunnel4 stop

The generic syntax is:

Usage: /etc/init.d/stunnel4 {start|stop|force-reload|restart}

We check the status with:

ps aux | grep stunnel

We should get something like this:

root     25454  0.0  0.0   3860   436 pts/0    S    08:13   0:00 stunnel4 stunnel.conf
root     25455  0.0  0.0   3860   436 pts/0    S    08:13   0:00 stunnel4 stunnel.conf
root     25456  0.0  0.0   3860   436 pts/0    S    08:13   0:00 stunnel4 stunnel.conf
root     25457  0.0  0.0   3860   436 pts/0    S    08:13   0:00 stunnel4 stunnel.conf
root     25458  0.0  0.0   3860   436 pts/0    S    08:13   0:00 stunnel4 stunnel.conf
stunnel4 25460  0.0  0.0   3936   988 ?        Ss   08:13   0:00 stunnel4 stunnel.conf
root     25464  0.0  0.0   1724   548 pts/0    S+   08:13   0:00 grep stunnel

SSH MySQL Client Access

Create a MySQL user (say remoteuser) in the SERVER machine with localhost access and a

password and permissions to the databases needed. On the CLIENT machine we can connect to the MySQL daemon on the SERVER, using:

mysql -h 192.168.5.45 --port=3310 -u remoteuser -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1005
Server version: 5.0.51a-24+lenny3 (Debian)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

and disconnect with:

mysql> exit
Bye

If we use localhost instead of the IP (192.168.5.45) in the above mysql connect string, we will get

an error like:

inetd mode must define a remote host or an executable

This is peculiar to the OpenVZ Debian template since the localhost is mapped to 127.0.0.1 and not

the LAN IP of 192.168.5.45 in the /etc/hosts file as the current LAN IP comes from the OpenVZ

template config file at boot time only.

Documentation and Links