Last active May 5, 2024 02:47
Tunnelling SSH over SSL/TLS

How to tunnel SSH over SSL/TLS

```
laptop ssh -> laptop stunnel -> evil network -> internet -> your server -> your server ssh
```

Server (your shell server/home box/work box/whatever)

Sets up a stunnel process that listens externally on port 2443/tcp and forwards to localhost 22/tcp.

  • Install stunnel, e.g. `yum install stunnel`
  • Install the server config snippet to `/etc/stunnel/stunnel.conf`
  • Create a TLS cert+key pair and save it to `/etc/stunnel/stunnel.pem`

Quick and dirty self-signed cert, if you don't care about the client being able to verify which server it reached: `openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem` (with `-out` and `-keyout` naming the same file, openssl appends the certificate after the key, which is the one-file layout stunnel's `cert=` expects)

  • Create the chroot directory: `mkdir /var/run/stunnel ; chown nobody:nobody /var/run/stunnel`
  • Run the server: `stunnel /etc/stunnel/stunnel.conf` if there isn't an init script
  • Remember to open iptables to accept connections on 2443/tcp if you use it!

Client (your laptop)

Sets up a stunnel process listening on the laptop on port 2443 and forwarding, over TLS, to port 2443 on your server.

  • Install stunnel
  • Install the client config in your homedir as `stunnel-client.conf`
  • Edit the `connect=` line to the name/address of your server, e.g.
  • Run the client: `stunnel stunnel-client.conf`
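The server and client steps above, carried through as one script. This is an added example, not code from the original gist: it generates the server's `stunnel.pem` non-interactively, writes a server `stunnel.conf` that refuses anything below TLS 1.2, and writes a client `stunnel-client.conf` that pins the server's self-signed certificate, so the "evil network" in the diagram cannot terminate the TLS session itself and hand the SSH client a substitute endpoint. The host name `shell.example.org`, the file paths, and the stunnel 5.x option names (`verifyPeer`, `NO_TLSv1_1`) are assumptions; `-addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original gist. Builds the pieces the steps
# above ask for: a non-interactive self-signed stunnel.pem, a server
# stunnel.conf that refuses anything below TLS 1.2, and a client
# stunnel-client.conf that pins the server's certificate. Hostname, paths and
# the stunnel 5.x option names used here are assumptions; adjust them.

# make_server_cert OUT_PEM SERVER_NAME
# Key and certificate land in the same file, the layout stunnel's cert= expects
# (openssl req appends the cert when -out and -keyout name the same file).
# -addext needs OpenSSL 1.1.1 or newer.
make_server_cert() {
    out=$1
    name=$2
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
        -keyout "$out" -out "$out" 2>/dev/null
    chmod 600 "$out"       # the private key lives in here
}

# extract_cert SERVER_PEM OUT_CERT
# The laptop gets only the certificate; the private key never leaves the server.
extract_cert() {
    openssl x509 -in "$1" -out "$2"
}

# write_server_conf CONF_PATH PEM_PATH
# Same shape as the gist's server config, plus TLS 1.0/1.1 disabled.
write_server_conf() {
    cat > "$1" <<EOF
cert = $2
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
; pid path is relative to the chroot directory
pid = /stunnel.pid
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1_1
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[ssh]
accept = 2443
connect = 127.0.0.1:22
TIMEOUTclose = 0
EOF
}

# write_client_conf CONF_PATH SERVER_CERT_PEM SERVER_NAME
# verifyPeer = yes makes stunnel abort the handshake unless the server presents
# exactly the certificate in CAfile, so a network that intercepts TLS on 2443
# cannot hand the SSH client a substitute endpoint.
write_client_conf() {
    cat > "$1" <<EOF
client = yes
verifyPeer = yes
CAfile = $2
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1_1

[ssh]
accept = 127.0.0.1:2443
connect = $3:2443
EOF
}

# Example run (server side first, then the two files you copy to the laptop):
#   make_server_cert /etc/stunnel/stunnel.pem shell.example.org
#   write_server_conf /etc/stunnel/stunnel.conf /etc/stunnel/stunnel.pem
#   extract_cert /etc/stunnel/stunnel.pem server-cert.pem
#   write_client_conf ~/stunnel-client.conf ~/server-cert.pem shell.example.org
```

Copy `server-cert.pem` (not `stunnel.pem`, which holds the key) to the laptop over a channel you already trust, since the pin is only as good as the first copy. With `verifyPeer = yes` the client-side stunnel refuses the connection outright on a certificate mismatch, so the SSH client never even sees a banner from an impostor.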

Testing

From the laptop, telnet to localhost port 2443. You should see the OpenSSH banner of your remote server:

```
lapdance:~ bwann$ telnet localhost 2443
Trying ::1...
telnet: connect to address ::1: Connection refused
Connected to localhost.
Escape character is '^]'.
```

Testing ssh:

```
lapdance:~ bwann$ ssh -p 2443 localhost uname -n
```
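The banner check above tells you something answered on 2443, not that it was your server. Before typing a password or an agent-forwarded key into the tunnel from an untrusted network, it is worth confirming the endpoint is the stunnel you set up. The following is an added example, not from the gist: it compares the SHA-256 fingerprint of the certificate pinned on the laptop with the one the live endpoint presents, then checks that an SSH banner appears behind the TLS layer. Host name, port and the pinned-certificate path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original gist: a pre-flight check for the
# tunnel. Host, port and the pinned certificate path are assumptions.

# cert_sha256 PEM -> SHA-256 fingerprint (AA:BB:...) of the certificate in PEM
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# presented_sha256 HOST PORT -> fingerprint of the certificate the live
# endpoint presents; anything terminating TLS between laptop and server
# shows up here as a different fingerprint
presented_sha256() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# fingerprints_match A B -> succeeds only when both are non-empty and equal,
# ignoring hex case (OpenSSL releases differ in what they print)
fingerprints_match() {
    a=$(printf '%s' "$1" | tr 'abcdef' 'ABCDEF')
    b=$(printf '%s' "$2" | tr 'abcdef' 'ABCDEF')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# ssh_banner HOST PORT -> first line sshd sends through the tunnel; the sleep
# keeps s_client's stdin open long enough for the banner to arrive, and
# -quiet keeps session/certificate chatter out of the output
ssh_banner() {
    sleep 2 | openssl s_client -connect "$1:$2" -servername "$1" -quiet 2>/dev/null \
        | head -n 1
}

# tunnel_ok HOST PORT PINNED_PEM -> 0 only when the pin matches and the
# plaintext behind the TLS endpoint starts with an SSH banner
tunnel_ok() {
    pinned=$(cert_sha256 "$3")
    live=$(presented_sha256 "$1" "$2")
    if ! fingerprints_match "$pinned" "$live"; then
        echo "certificate mismatch: pinned $pinned, presented $live" >&2
        return 1
    fi
    banner=$(ssh_banner "$1" "$2")
    case $banner in
        SSH-2.0-*) echo "tunnel ok: $banner"; return 0 ;;
        *) echo "no SSH banner behind $1:$2 (got: '$banner')" >&2; return 1 ;;
    esac
}

# Example: tunnel_ok shell.example.org 2443 ~/server-cert.pem
```

A mismatch is the interesting outcome: it means whatever is on the far side of 2443 is not presenting the certificate you generated, which is exactly the case a pinned `CAfile` in the client config is there to refuse.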

Usage

On your laptop, ssh to localhost port 2443. This will connect you to the sshd running on your server. Done!

```
ssh -p 2443 localhost
```

Server config: /etc/stunnel/stunnel.conf

```ini
; /etc/stunnel/stunnel.conf (server side)
cert = /etc/stunnel/stunnel.pem
; TLSv1 here means TLS 1.0 only; current deployments should raise the floor
; as well, e.g. options = NO_TLSv1 and options = NO_TLSv1_1
sslVersion = TLSv1
options = NO_SSLv2
options = NO_SSLv3
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
; single pid file, path relative to the chroot directory
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; accept/connect are service options and must sit under a [section];
; the section name is arbitrary
[ssh]
accept = 2443
connect = 22
TIMEOUTclose = 0
```

What is the usage or benefit of this method compared with SSH direct connect (VPN)?


bwann commented Apr 16, 2023

Some captive networks may block all access to anything but port 80 and 443, and even then do packet inspection to ensure only TLS is done over 443. VPNs may not work in these situations either. This is just one way to try to get SSH connections through in such an environment.
