Problem Solved! I didn't have my various ports set up correctly. Here is my configuration in case anyone else needs a secure connection for VNC or whatever else they might want. In my case, I'm using VNC viewers Tiger VNC on Linux and Real VNCviewer on Windows, and x11vnc server on the local Linux workstation. Although each of these viewers and the server do offer some kind of encryption, they don't seem compatible with each other, so up to now the connection has been unencrypted (not good). Hence the attempt to use stunnel.
I have a local Linux host acting as firewall/router. It routes requests on port 1234 to port 3389 on a local Linux workstation which is running x11vnc server listening on its local port 5900. I want to connect to this VNC server from a remote vnc viewer.
(Why does the router forward to port 3389? Because the workstation can dual-boot Windows, so the forward works regardless of the booted OS.)
Remote vnc viewer, stunnel client stunnel.conf:
Code:
; level 2: require the server certificate and verify it against CAfile
verify = 2
pid = /home/mfoley/.stunnel/stunnel.pid
; the server's self-signed certificate, copied over from the server host
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes
[x11vnc]
; the VNC viewer connects to 127.0.0.1:5900; stunnel wraps that in TLS
accept = 5900
connect = router.obfuscate.org:1234
Local workstation vnc server, stunnel server stunnel.conf:
Code:
pid = /var/run/stunnel.pid
; 7 = debug logging; lower it once the tunnel works
debug = 7
[x11vnc]
; TLS arrives on 3389 (forwarded by the router from port 1234)
accept = 3389
key = /root/privatekey.pem
cert = /root/certificate.pem
; the decrypted leg stays on the loopback interface
connect = 127.0.0.1:5900
The certificate is self-signed and created on the stunnel/vnc server host using the following commands:
Code:
# openssl genrsa -out privatekey.pem 2048
# openssl req -new -x509 -days 365 -key privatekey.pem -out certificate.pem
The certificate.pem is copied to the stunnel client host.
With x11vnc listening on 5900 on the local workstation and with 'stunnel stunnel.conf' running on both the stunnel client (as the normal user) and server hosts, I used the remote vnc viewer and connected as a normal user, with the connection 127.0.0.1:5900.
I'm guessing I could configure my vnc viewers to connect to multiple clients with different [service] sections, for example:
Code:
verify = 2
pid = /home/mfoley/.stunnel/stunnel.pid
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes
[remoteHost1]
accept = 5900
connect = router.obfuscate.org:1234
[remoteHost2]
accept = 5901
connect = router.obfuscate.org:4321
I haven't tried that, but I will.
I further guess that I could have different CAfiles per server if I moved that directive to the respective service definitions, but I haven't tried that either.
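As an added example (not part of this post or of stunnel itself), a small Python checker for the two stunnel.conf layouts above, including the multi-service variant. It parses stunnel's INI-style file and confirms that the viewer side has client = yes, verify = 2 and a CAfile, that no two [service] sections accept on the same local port, and that the server's connect leg stays on 127.0.0.1 so decrypted VNC traffic never leaves the workstation; the embedded configs are constructed copies of the ones shown here, plus a deliberately bad server config.

```python
import configparser

GLOBAL = "__global__"  # stunnel global options have no header; synthesise one


def parse_stunnel_conf(text):
    """Parse stunnel's INI-style file: global options first, then one [service] per tunnel."""
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"), delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep 'CAfile' etc. exactly as written
    cp.read_string("[%s]\n%s" % (GLOBAL, text))
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_client(conf):
    """Viewer side: must be a TLS client that actually verifies the server's certificate."""
    g, problems, seen = conf[GLOBAL], [], {}
    if g.get("client", "no").lower() != "yes":
        problems.append("client = yes is missing; stunnel would act as a server")
    if int(g.get("verify", "0")) < 2:
        problems.append("verify < 2: the server certificate is never checked")
    if "CAfile" not in g and "CApath" not in g:
        problems.append("no CAfile/CApath: verify has nothing to trust")
    for name, svc in conf.items():
        if name == GLOBAL:
            continue
        port = svc.get("accept", "").rsplit(":", 1)[-1]  # 'accept' may be host:port
        if port in seen:  # two services cannot share one local listening port
            problems.append("[%s] and [%s] both accept on port %s" % (seen[port], name, port))
        seen[port] = name
    return problems


def check_server(conf):
    """Workstation side: needs key + cert, and the plaintext leg must stay on loopback."""
    g, problems = conf[GLOBAL], []
    for name, svc in conf.items():
        if name == GLOBAL:
            continue
        for k in ("key", "cert"):
            if k not in svc and k not in g:
                problems.append("[%s]: missing %s" % (name, k))
        target = svc.get("connect", "")
        host = target.rsplit(":", 1)[0] if ":" in target else "127.0.0.1"  # bare port = localhost
        if host not in ("127.0.0.1", "localhost", "::1", "[::1]"):
            problems.append("[%s]: decrypted VNC is forwarded off-host to %s" % (name, host))
    return problems


# Constructed sample input: the client and server configs from this post, plus a bad server one.
CLIENT = "verify = 2\nCAfile = /home/mfoley/.stunnel/certificate.pem\nclient = yes\n[x11vnc]\naccept = 5900\nconnect = router.obfuscate.org:1234\n"
SERVER = "[x11vnc]\naccept = 3389\nkey = /root/privatekey.pem\ncert = /root/certificate.pem\nconnect = 127.0.0.1:5900\n"
BAD_SERVER = SERVER.replace("127.0.0.1:5900", "192.0.2.10:5900")  # plaintext VNC would leave the host
```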
Next steps are to get this running as a daemon and, more importantly, to implement the stunnel client on Windows. If I get the latter going, I'll post back the howto.