Encrypting a peer-to-peer application with iptables and stunnel
- by Jonathan Oliver
I'm running legacy applications in which I do not have access to the source code. These components talk to each other using plaintext on a particular port. I would like to be able to secure the communications between the two or more nodes using something like stunnel to facilitate peer-to-peer communication rather than using a more traditional (and centralized) VPN package like OpenVPN, etc.
Ideally, the traffic flow would go like this:
app@hostA:1234 tries to open a TCP connection to app@hostB:1234.
iptables captures and redirects the traffic on port 1234 to stunnel running on hostA at port 5678.
stunnel@hostA negotiates and establishes a connection with stunnel@hostB:4567.
stunnel@hostB forwards any decrypted traffic to app@hostB:1234.
In essence, I'm trying to set this up to where any outbound traffic (generated on the local machine) to port N forwards through stunnel to port N+1, and the receiving side receives on port N+1, decrypts, and forwards to the local application at port N.
I'm not particularly concerned about losing the hostA origin IP address/machine identity when stunnel@hostB forwards to app@hostB because the communications payload contains identifying information.
The other trick in this is that normally with stunnel you have a client/server architecture. But this application is much more P2P because nodes can come and go dynamically and hard-coding some kind of "connection = hostN:port" in the stunnel configuration won't work.
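As an added illustration of the flow described in the question (written by the editor; it is not the poster's configuration and not part of the original post), the following shell script prints the iptables rules and a single stunnel configuration that every node can share. It assumes the ports from the question (1234, 5678, 4567), an unprivileged system user `stunnel`, a per-node certificate and a shared CA under `/etc/stunnel/` (assumed paths), and stunnel's `transparent = destination` option, which makes the client side connect to the destination the application originally dialled (recovered from the REDIRECT) instead of a hard-coded `connect =`; that is what removes the per-peer `connection = hostN:port` problem. One deliberate change from the N/N+1 wording in the question: peers are always addressed on port N, and the N+1 ports (5678 and 4567) stay internal to each node, because the redirected connection carries the app's original destination port. The script only prints; nothing here touches the running firewall.

```shell
#!/bin/sh
# Added example, not the poster's setup. Prints the iptables rules and a
# stunnel.conf for the scheme in the question. Values below are assumptions
# taken from the question; adjust them per environment.

APP_PORT=1234              # port the plaintext application listens on and dials (N)
CLIENT_PORT=5678           # local stunnel listener that wraps the app's outbound traffic
SERVER_PORT=4567           # stunnel listener that unwraps traffic from peers
STUNNEL_USER=stunnel       # unprivileged account stunnel drops to (setuid/setgid below)
STUNNEL_DIR=/etc/stunnel   # assumed location of node.pem (cert+key) and ca.pem

# Sender side. Locally generated connections to APP_PORT are handed to the
# stunnel client on CLIENT_PORT. Two guards avoid loops: loopback traffic
# (stunnel -> local app) is skipped, and connections owned by the stunnel
# user (its own TLS sessions to peers, also on APP_PORT) are not redirected.
outbound_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -p tcp --dport $APP_PORT -m owner ! --uid-owner $STUNNEL_USER -j REDIRECT --to-ports $CLIENT_PORT
EOF
}

# Receiver side. Every packet arriving from the network for APP_PORT is
# redirected to the stunnel server on SERVER_PORT before it can reach the
# application, so the app on APP_PORT only ever hears from stunnel on loopback.
inbound_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp --dport $APP_PORT -j REDIRECT --to-ports $SERVER_PORT
iptables -A INPUT -p tcp --dport $SERVER_PORT -j ACCEPT
EOF
}

# One stunnel.conf for every node: each node is simultaneously client (for
# its app's outbound connections) and server (for peers). "transparent =
# destination" makes the client connect to the address the app originally
# dialled (read back from the REDIRECT), so no peer list is hard-coded.
# "verify = 2" with CAfile rejects any peer whose certificate is not signed
# by the shared CA, which is what keeps strangers out of the mesh.
stunnel_conf() {
    cat <<EOF
setuid = $STUNNEL_USER
setgid = $STUNNEL_USER
cert = $STUNNEL_DIR/node.pem
CAfile = $STUNNEL_DIR/ca.pem
verify = 2

; wraps the app's outbound connections captured by the OUTPUT REDIRECT
[outbound]
client = yes
accept = 127.0.0.1:$CLIENT_PORT
transparent = destination

; unwraps TLS from peers and hands plaintext to the local app
[inbound]
accept = $SERVER_PORT
connect = 127.0.0.1:$APP_PORT
EOF
}

# Running the script prints everything; apply the iptables lines as root
# on each node and install the config as $STUNNEL_DIR/stunnel.conf.
echo "# iptables rules (run as root on every node):"
outbound_rules
inbound_rules
echo
echo "# $STUNNEL_DIR/stunnel.conf:"
stunnel_conf
```

Two checks worth making after installing this: confirm with `iptables -t nat -L OUTPUT -v` that the stunnel user's own connections are not being counted against the REDIRECT rule (a loop shows up there immediately), and confirm that a node presenting a certificate not signed by `ca.pem` is refused, since without `verify = 2` and `CAfile` the mesh would accept any TLS peer.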