Subject: Re: Persistent tunnel
To: None <netbsd-users@NetBSD.org>
From: Stephen Borrill <netbsd@precedence.co.uk>
List: netbsd-users
Date: 12/15/2006 16:54:58
On Fri, 15 Dec 2006, Steven M. Bellovin wrote:
>>    I read up a bit on stunnel, and it seems a little messy, requiring
>> you to deal with SSL certificates for authentication.  (But I could
>> be wrong.)
>>
>
> I use stunnel to handle email tunneling.  I used to use ssh, but as
> noted ssh sessions sometimes end.  (My particular case was in hotels,
> where the @#$%^ NATs would time out, leaving email piling up on my
> machine without warning.)
>
> Stunnel sets up sessions on demand.  As best I recall, it does not have
> a persistent session option.  Of course, on-demand setup was perfect
> for my needs.
>
> There is indeed overhead for learning how to use the certificates.
> Briefly -- and Google for "openssl how-to" for details -- you need to
> create your own CA certificate, then create client and server
> certificates.  These can be shared among the different services, I
> might add.  It's at least as annoying figuring out how to configure
> stunnel to use these things....

And you'd have to learn the same for one of the mooted alternatives, 
OpenVPN (which would be my recommended solution). You can use password 
authentication with OpenVPN now, but it's more susceptible to attack.

-- 
Stephen
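
The certificate setup Steven describes above (your own CA, then server and
client certificates, then pointing stunnel at them), as an added worked
example. This script is not from the thread, from NetBSD or from the stunnel
project; the hostname mail.example.test, the IMAP port numbers, the service
names and every file path are assumptions, and the same CA and certificates
can be reused for other stunnel services.

```sh
#!/bin/sh
# Added example, not from the thread or from stunnel itself: build the private
# CA plus server and client certificates that stunnel needs for certificate
# authentication, using only the openssl command line. The hostname
# mail.example.test, the IMAP ports and every file path are assumptions.
set -eu

# A minimal openssl config so the example does not depend on the system-wide
# openssl.cnf.  $1 = working directory.
write_openssl_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: self-signed CA certificate.  $1 = dir, $2 = CA name (CN).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_ca -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# Step 2: a leaf certificate signed by that CA.
# $1 = dir, $2 = basename (server|client), $3 = CN, $4 = serverAuth|clientAuth
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    {
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = %s\n' "$4"
        if [ "$4" = serverAuth ]; then printf 'subjectAltName = DNS:%s\n' "$3"; fi
    } > "$1/$2.ext"
    openssl x509 -req -days 825 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
    # stunnel's "cert =" file conventionally holds key and certificate together.
    cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
    chmod 600 "$1/$2.key" "$1/$2.pem"
}

# Check a certificate the way the stunnel peer will with verify = 2: it must
# chain to our CA and fit its role.  $1 = dir holding ca.crt, $2 = cert path,
# $3 = sslserver|sslclient.  Exit status 0 = accepted.
verify_peer() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$2" >/dev/null 2>&1
}

# Whole PKI for one tunnel.  $1 = dir, $2 = server hostname (assumed).
make_stunnel_pki() {
    mkdir -p "$1"
    write_openssl_cnf "$1"
    make_ca "$1" "Example private CA"
    make_leaf "$1" server "${2:-mail.example.test}" serverAuth
    make_leaf "$1" client laptop clientAuth
}

# Step 3: stunnel.conf for each end (paths assumed).  "verify = 2" is the
# stunnel 4 spelling of "require a peer certificate signed by CAfile";
# stunnel 5 also accepts "verifyChain = yes".  $1 = dir, $2 = server hostname.
write_stunnel_confs() {
    cat > "$1/stunnel-server.conf" <<EOF
; server end: TLS on 993, plain IMAP stays on the loopback
cert   = $1/server.pem
CAfile = $1/ca.crt
verify = 2
[imaps]
accept  = 993
connect = 127.0.0.1:143
EOF
    cat > "$1/stunnel-client.conf" <<EOF
; client end: the mail client talks plain IMAP to localhost:1143
client = yes
cert   = $1/client.pem
CAfile = $1/ca.crt
verify = 2
[imap]
accept  = 127.0.0.1:1143
connect = $2:993
EOF
}

# Usage: sh stunnel-pki.sh /path/to/dir [server-hostname]
if [ $# -gt 0 ]; then
    make_stunnel_pki "$1" "${2:-mail.example.test}"
    write_stunnel_confs "$1" "${2:-mail.example.test}"
    verify_peer "$1" "$1/server.crt" sslserver && echo "server cert OK"
    verify_peer "$1" "$1/client.crt" sslclient && echo "client cert OK"
fi
```

Run it once on a trusted machine, copy ca.crt plus server.pem to the server
and ca.crt plus client.pem to the laptop, and never copy ca.key anywhere. With
verify = 2 on both ends, a certificate from anyone else's CA is refused, which
is what makes this stronger than a password: the same check is what
verify_peer exercises when you point it at a certificate the CA never signed.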