SSH Over SSL with Stunnel on Linux



Published on 2025-10-11
Summary:

Encapsulate SSH in SSL/TLS with stunnel on Debian / Ubuntu

Access SSH over port 443 with stunnel4!

Introduction

Some networks (countries, companies, universities, public Wi-Fi) block outgoing SSH connections on port 22 while allowing HTTPS traffic on port 443.

stunnel lets you encapsulate an SSH connection inside an SSL/TLS layer, so that to a port-based firewall or filter it looks like ordinary HTTPS traffic on port 443.

Typical use cases

  • Access your servers from restrictive networks.
  • Maintain SSH access from filtered public Wi-Fi.
  • Bypass restrictions imposed by certain ISPs.
  • Add an extra layer of security to SSH with SSL encryption.

Advantages

  • Bypasses firewalls that block SSH port 22.
  • Uses port 443 (HTTPS), which is usually allowed.
  • Double encryption: SSL + SSH, for enhanced security.
  • Simple and quick to set up (no need to modify your existing SSH setup).

🔄 Flow diagram


┌─────────────────┐          ┌─────────────────┐
│  Client         │          │  Server         │
│  (localhost)    │          │  (VPS)          │
└────────┬────────┘          └────────┬────────┘
         │                            │
         │  1. SSH → localhost:2200   │
         │     ↓                      │
         │  stunnel client            │
         │     ↓                      │
         │  2. SSL/TLS → VPS:443 ────→│
         │                            │
         │                     stunnel server
         │                            ↓
         │                     3. SSH → localhost:22
         │                            │
         │  ←──────────────────────────
         │     Connection established

SSH Tunnel via SSL with stunnel — Linux Tutorial

This tutorial covers the complete installation and configuration of stunnel4 on both the server and client sides for Debian / Ubuntu systems.

Notes:

  • The remote server will also be nicknamed VPS.
  • In this tutorial, we will use the root user for the remote server (VPS).

Server-side Configuration (Remote VPS)

1. Install stunnel


sudo apt install stunnel4

2. Create an SSL certificate


# Create a self-signed certificate (valid for 3650 days) with a 2048-bit RSA key
# and fill in the requested fields.
cd ~
openssl genrsa -out stunnel.key 2048
openssl req -new -x509 -key stunnel.key -out stunnel.crt -days 3650

# Suggested answers:
# Country Name: FR
# Common Name: your server's public IP or domain name (optional)

# Merge the key and certificate:
cat stunnel.crt stunnel.key > stunnel.pem
sudo mv stunnel.pem /etc/stunnel/stunnel.pem

# Secure the permissions:
sudo chmod 600 /etc/stunnel/stunnel.pem
sudo chown root:root /etc/stunnel/stunnel.pem

You now have the file: /etc/stunnel/stunnel.pem

3. Configure stunnel to tunnel port 443 (HTTPS) to SSH port 22

Create the configuration file:


sudo nano /etc/stunnel/stunnel.conf

Insert the following content:


pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem

[ssh]
accept = 443
connect = 127.0.0.1:22

Explanation:

  • accept = 443: stunnel listens on port 443 (HTTPS).
  • connect = 127.0.0.1:22: when an SSL connection is received, it is redirected to the local SSH port (22).

4. Enable stunnel

Edit the file:


sudo nano /etc/default/stunnel4

Add or modify ENABLED to:


ENABLED=1

5. Start the stunnel service


# Start the service:
sudo systemctl start stunnel4.service

# Enable it to start on boot:
sudo systemctl enable stunnel4

# Check its status:
sudo systemctl status stunnel4.service

6. Verify that stunnel is listening on port 443

Use the following command:


sudo lsof -i :443

It should return something like this:


COMMAND  PID USER FD   TYPE DEVICE SIZE/OFF NODE NAME
stunnel4 771 root 9u  IPv4   5542      0t0  TCP *:https (LISTEN)

Client-side Configuration (Local Machine)

1. Install stunnel


sudo apt install stunnel4

2. Create the client configuration


# Create the `~/.config/stunnel` folder if it does not exist yet (-p makes this safe to re-run):
mkdir -p ~/.config/stunnel

# Create the file:
nano ~/.config/stunnel/ssh-client.conf

Insert the following content:


client = yes
foreground = yes

[ssh]
accept = 127.0.0.1:2200
connect = SERVER_PUBLIC_IP:443

Important: Replace SERVER_PUBLIC_IP with your server's public IP address. As written, the client does not check the server's certificate (stunnel verifies nothing by default), so SSH's own host-key verification is what protects the inner connection against a man-in-the-middle on the TLS layer.

3. Enable stunnel

Edit the file:


sudo nano /etc/default/stunnel4

Add or modify ENABLED to:


ENABLED=1

4. Launch the SSL tunnel

In a terminal:


sudo stunnel ~/.config/stunnel/ssh-client.conf

5. Connect via SSH through the tunnel

And in another terminal:


ssh -p 2200 root@localhost

Note: If password authentication is disabled on your server, use your SSH private key (with the -i option):


ssh -p 2200 -i /YOUR_PATH/.ssh/id_rsa_YOUR_FILE root@localhost
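Two checks a practitioner will want at this point, as an added example that is not part of the original tutorial: rendering a client configuration that pins the server's certificate (the tutorial's client config does no verification), and confirming that what answers on port 443 is really the SSH daemon behind stunnel. It assumes the server's stunnel.crt (the certificate only, never the key) has been copied to the client, that OpenSSL is installed, and that the script is saved as check-tunnel.sh; the server address is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumes: stunnel.crt copied
# from the server to ~/.config/stunnel/stunnel.crt, OpenSSL installed.
set -eu

# Write a client config that verifies the server certificate against the
# pinned copy of stunnel.crt. $1 = output path, $2 = server IP/host,
# $3 = path to the copied stunnel.crt
write_client_conf() {
    cat > "$1" <<EOF
client = yes
foreground = yes

[ssh]
accept = 127.0.0.1:2200
connect = $2:443
verifyPeer = yes
CAfile = $3
EOF
}

# Return 0 if the line is an SSH protocol banner (RFC 4253: "SSH-2.0-...").
is_ssh_banner() {
    case "$1" in
        SSH-2.0-*|SSH-1.99-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Open a TLS session to $1:$2 and read the first line the far end sends.
# An SSH server speaks first, so a correctly wired tunnel returns its banner;
# a real HTTPS server would wait for a request and send nothing.
probe_tls_ssh() {
    sleep 2 | openssl s_client -quiet -connect "$1:$2" 2>/dev/null | head -n 1
}

# Usage: ./check-tunnel.sh SERVER_PUBLIC_IP   (SERVER_PUBLIC_IP is a placeholder)
if [ "${1-}" != "" ]; then
    mkdir -p "$HOME/.config/stunnel"
    write_client_conf "$HOME/.config/stunnel/ssh-client.conf" "$1" \
        "$HOME/.config/stunnel/stunnel.crt"
    banner=$(probe_tls_ssh "$1" 443)
    if is_ssh_banner "$banner"; then
        echo "OK: SSH reachable through TLS on $1:443 ($banner)"
    else
        echo "FAIL: no SSH banner from $1:443 (got: '$banner')" >&2
        exit 1
    fi
fi
```

With the pinned configuration, stunnel on the client refuses the TLS session if the certificate presented on port 443 differs from the copied stunnel.crt, which is the check the plain client config skips.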


SOCKS Proxy (Dynamic SSH Tunnel)

This section is intended for users who want to use a SOCKS proxy.

Use SSH to create a SOCKS5 proxy through the SSL tunnel!

Once the SSL/TLS tunnel is established, you can create a SOCKS5 proxy to route all your Internet traffic (web browsing, apps) through your remote server (VPS).

  • Step 1: Start stunnel in a terminal (if not already running).
  • Step 2: Create the SSH tunnel with SOCKS proxy support:

ssh -D 1040 -C -q -p 2200 -i /YOUR_PATH/.ssh/id_rsa_YOUR_FILE root@localhost

Explanation of the options:

  • -D 1040: Creates a local SOCKS5 proxy on port 1040.
  • -C: Enables SSH data compression (to save bandwidth).
  • -q: Quiet mode (suppresses local messages).
  • -p 2200: Connects to the local stunnel tunnel on port 2200.
  • -i ...: Specifies the SSH private key to use.
  • root@localhost: User and host (the tunnel listens on localhost).

Important: Both terminals must remain open while using the proxy.

  • Step 3: Configure your browser (e.g. Firefox) to use the SOCKS5 proxy at 127.0.0.1:1040.

GitHub Repository

✨ If you found this tutorial useful, please give me a star on my GitHub repository (article in French 🇫🇷):

@s-damian - Tunnel SSH Connections Over SSL Using Stunnel