Howto stunnel from HTTPS to HTTPS

09Aug13

Sadly it’s fairly typical for corporate web filters to block ‘unusual’ ports, which means that if you’re trying to access a service that’s using anything other than port 80 for HTTP and port 443 for HTTPS then you might be in trouble.

CC image by Julian Schüngel

I recently came across a situation where somebody was trying to access an HTTPS service running on port 8000, which appeared to be blocked for them. Having previously used stunnel to connect an old POP3 client to Gmail I thought it would be able to help, and indeed it did.

You will need

A box (VM) that you can install stuff on (with root access) beyond the firewall with an unblocked public IP that’s not already being used to host HTTPS – e.g. anything on a public cloud or VPS.

Installing stunnel

I used Ubuntu (12.04), so it was a simple matter of:

sudo apt-get install -y stunnel4

The installer doesn’t create any certificates, so you need to do this yourself:

sudo openssl req -new -out /etc/ssl/certs/stunnel.pem \
-keyout /etc/ssl/certs/stunnel.pem -nodes -x509 -days 365

Configuration file

Create a file /etc/stunnel/stunnel.conf with contents like this:

debug = debug
cert = /etc/ssl/certs/stunnel.pem

[Tunnel_in]
client = yes
accept = host_ip:443
connect = localhost:54321

[Tunnel_out]
client = no
accept = localhost:54321
connect = destination_server_ip:8000

host_ip should be the IP address of the server running stunnel

destination_server_ip is the IP address of the server running whatever it is on an unusual port that can’t be accessed (obviously if the unusual port isn’t 8000 then change that too).

What’s happening here?

stunnel is designed to go from HTTP to HTTPS or from HTTPS to HTTP, so to go from HTTPS to HTTPS we actually need two tunnels connected back to back: HTTPS-[Tunnel_in]-HTTP-HTTP-[Tunnel_out]-HTTPS

If I add in the port numbers then we have: HTTPS:443-HTTP:54321-HTTP:54321-HTTPS:8000

The choice of port 54321 for the intermediate tunnel is completely arbitrary.
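As an added example (not the author's original configuration), here is the back-to-back stunnel.conf with the corrections from the 10 Jan 20 update applied: Tunnel_in is the TLS server and carries the certificate, Tunnel_out is the TLS client. It also verifies the destination server's certificate on the outbound leg, so the tunnel is not a blind TLS client. The path /etc/stunnel/destination-ca.pem is an assumption (export the destination's CA or self-signed certificate into it); host_ip and destination_server_ip are the same placeholders as above.

```ini
; Global options
debug = notice

; Tunnel_in: TLS server facing the corporate network on the normal HTTPS port.
; Per the update, this is the server side and the cert belongs here.
[Tunnel_in]
client = no
accept = host_ip:443
; Combined key + certificate; keep it mode 0600 and owned by the stunnel
; user, otherwise stunnel refuses to start ("Wrong permissions on stunnel.pem").
cert = /etc/stunnel/stunnel.pem
; Hand the plain HTTP stream to the second tunnel on loopback only
connect = 127.0.0.1:54321

; Tunnel_out: TLS client towards the real service on the blocked port.
; Per the update, this side must be client = yes.
[Tunnel_out]
client = yes
accept = 127.0.0.1:54321
connect = destination_server_ip:8000
; Verify the destination's certificate against a pinned CA file
; (assumed path) so a spoofed destination cannot read the traffic.
verify = 2
CAfile = /etc/stunnel/destination-ca.pem
```

Both intermediate endpoints bind to 127.0.0.1, so the unencrypted hop between the two tunnels never leaves the box.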

Alternatives

There are plenty of HTTPS proxy services out there (e.g. myhttpsproxy), but often these will be blocked by corporate web filters too. Also don’t trust these with anything – they are by design a man in the middle, so any passwords you type in could be scraped.

You could set up your own HTTPS proxy service using Glype, but that’s much more likely to lead to trouble with hosting providers (unless it’s very carefully locked down to prevent abuse) than a single point-to-point tunnel.

Update 10 Jan 20

Alexander Traud emailed me to note:

Tunnel_out has to be “client = yes”.
Tunnel_in has to be the server (default; “client = no” is possible).
“cert” should be in Tunnel_in.

2 Responses to “Howto stunnel from HTTPS to HTTPS”

  1. Siva

    Hi Sir,

    We have a Linux device running on an ARM architecture. This is a surveillance device which has multiple IP cameras connected to it. Using thttpd as a web server we can view live video from all these cameras using http (on any web browser) on port 80. Now we are planning to support https as well. Since thttpd doesn't support https we thought we could do that with the help of Stunnel. Now the questions I have are:

    Q1) Is it sufficient to have an stunnel client running on the device with a similar stunnel.conf setting?

    [https]
    accept = 443
    connect = 127.0.0.1:80
    TIMEOUTclose = 0

    Q2) Do we need another stunnel server running on the device to accept the response from port 80 and send it back to the web client from port 443 of the device?

    Any inputs will be really appreciated!

    Thanks in advance

  2. Some Guy

    IMPORTANT! SECURITY MATTER!
    Please read – I get the error “Wrong permissions on stunnel.pem” – in stunnel FAQ (https://www.stunnel.org/faq.html).

