Tunneling SSH over HTTPS with stunnel

0.00 avg. rating (0% score) - 0 votes

I was faced with a firewall denying access to the outside world using ssh. All I had was http/https access via a proxy server which required authentication. I had an Ubuntu jump host outside the network connected to the internet with a free 443 port. I tried accessing that with httptunnel and proxytunnel, but could get neither to work with this proxy server.

The solution that worked in this particular case was stunnel. It can wrap any TCP connection into an https session which was not rejected by the proxy server I was facing.

Client

Install stunnel on laptop (mine is Ubuntu 18.04), and use openssl to generate a key and a certificate:

The values you enter in the client certificate request do not matter.

Next, create stunnel configuration. You should replace the variables with your own values.

Stunnel should now be running on your laptop. It will forward any connection you make to localhost:2222 to your $JUMP_HOST port 443 and wrap it in an https request.

Jump host

The proxy server did not accept self-signed certificates, so I installed certbot to get a working certificate on the jump host (mine is Ubuntu 19.10):

Install stunnel on server and configure it:

Make sure the key and cert paths are pointing to correct certbot files.

Stunnel should now be running on the jump host as well. It will listen on port 443, unwrap the https and redirect the connection to localhost port 22, where sshd should be listening.

Test From Client

Now you should be able to ssh to your jump host by connecting to the local stunnel instance:

 

2 thoughts on “Tunneling SSH over HTTPS with stunnel”

  1. Good post! However you mixed connect host and protocolHost in the client config. But I learned the fact that stunnel can speak HTTP CONNECT, which is great. Tnx!

Leave a Reply to HH Cancel reply