Encrypting peer-to-peer application with iptables and stunnel

Posted by Jonathan Oliver on Server Fault.
Published on 2013-06-24T22:07:06Z; indexed on 2013/06/24 22:23 UTC.


I'm running legacy applications in which I do not have access to the source code. These components talk to each other using plaintext on a particular port. I would like to be able to secure the communications between the two or more nodes using something like stunnel to facilitate peer-to-peer communication rather than using a more traditional (and centralized) VPN package like OpenVPN, etc.

Ideally, the traffic flow would go like this:

  1. app@hostA:1234 tries to open a TCP connection to app@hostB:1234.
  2. iptables captures and redirects the traffic on port 1234 to stunnel running on hostA at port 5678.
  3. stunnel@hostA negotiates and establishes a connection with stunnel@hostB:4567.
  4. stunnel@hostB forwards any decrypted traffic to app@hostB:1234.

In essence, I'm trying to set this up to where any outbound traffic (generated on the local machine) to port N forwards through stunnel to port N+1, and the receiving side receives on port N+1, decrypts, and forwards to the local application at port N.

I'm not particularly concerned about losing the hostA origin IP address/machine identity when stunnel@hostB forwards to app@hostB because the communications payload contains identifying information.

The other trick in this is that normally with stunnel you have a client/server architecture. But this application is much more P2P because nodes can come and go dynamically and hard-coding some kind of "connection = hostN:port" in the stunnel configuration won't work.
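An added example, not part of the question or of any answer, that prints the iptables rules and the stunnel.conf a node would need for the four steps above; nothing is applied. Assumptions beyond the post: stunnel runs as user `stunnel` via `setuid`, the certificate paths are placeholders, and the client side uses stunnel's Linux-only `transparent = destination` option (the installed version is assumed to support it) so that no `connect = hostN:port` has to be hard-coded.

```shell
#!/bin/sh
# Added example (not from the post). Ports follow the question: app = 1234,
# local stunnel listener = 5678, remote stunnel listener = 4567.
# The functions only print what an administrator would install.
APP_PORT=1234
LOCAL_TLS=5678
REMOTE_TLS=4567
STUNNEL_USER=stunnel   # assumption: stunnel runs with "setuid = stunnel"

# Step 2 (every node): redirect locally generated connections to port N
# into the local stunnel. Connections owned by stunnel itself are left
# alone, otherwise stunnel's own outbound connect (step 3) and its
# decrypted forward to 127.0.0.1:1234 (step 4) would be redirected again.
node_output_rule() {
    printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -m owner ! --uid-owner %s -j REDIRECT --to-ports %s\n' \
        "$APP_PORT" "$STUNNEL_USER" "$LOCAL_TLS"
}

# Receiving side: connections arriving from other hosts on port N are
# diverted to the stunnel server listener, so the plaintext app is only
# reachable through the loopback forward in step 4.
node_prerouting_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$APP_PORT" "$REMOTE_TLS"
}

# stunnel.conf for one node. The client section avoids a fixed "connect ="
# by using "transparent = destination" (assumption: supported by the
# installed stunnel), which connects to the original destination netfilter
# recorded before the REDIRECT. Mutual authentication (verify = 2 plus a
# shared CA; placeholder paths) keeps unknown nodes out of the mesh.
stunnel_conf() {
    cat <<EOF
setuid = ${STUNNEL_USER}
cert = /etc/stunnel/node.pem
CAfile = /etc/stunnel/peers-ca.pem
verify = 2

[p2p-out]
client = yes
accept = 127.0.0.1:${LOCAL_TLS}
transparent = destination

[p2p-in]
accept = ${REMOTE_TLS}
connect = 127.0.0.1:${APP_PORT}
EOF
}
```

Run `node_output_rule; node_prerouting_rule` on each node and write `stunnel_conf` to /etc/stunnel/stunnel.conf; the owner-match exclusion is what stops the OUTPUT redirect from looping back into stunnel.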

© Server Fault or respective owner
