Hi Mark,

Great, I'm glad you've solved it.

Regards,
Flo Rance

On Sat, Mar 17, 2018 at 12:14 AM, Mark Foley <[email protected]> wrote:

> Solved! I've fixed up the various ports and now I am able to connect. For the
> edification of other list readers I'll summarize.
>
> I have a local Linux host acting as firewall/router. It routes requests on port
> 1234 to port 3389 on a local Linux workstation which is running x11vnc server
> listening on its local port 5900. I want to connect to this VNC server from a
> remote vnc viewer.
>
> (Why does the router forward to port 3389? Because the workstation can dual-boot
> Windows, so the forward works regardless of booted OS.)
>
> Remote vnc viewer, stunnel client stunnel.conf:
>
> verify = 2
> pid = /home/mfoley/.stunnel/stunnel.pid
> CAfile = /home/mfoley/.stunnel/certificate.pem
> client = yes
> [x11vnc]
> accept = 5900
> connect = router.obfuscate.org:1234
>
> Local workstation vnc server, stunnel server stunnel.conf:
>
> pid = /var/run/stunnel.pid
> debug = 7
> [x11vnc]
> accept = 3389
> key = /root/privatekey.pem
> cert = /root/certificate.pem
> connect = 127.0.0.1:5900
>
> The certificate is self-signed and created on the stunnel/vnc server host using
> the following commands:
>
> openssl genrsa -out privatekey.pem 2048
> openssl req -new -x509 -days 365 -key privatekey.pem -out certificate.pem
>
> The certificate.pem is copied to the stunnel client host.
>
> With x11vnc listening on 5900 on the local workstation and with 'stunnel
> stunnel.conf' running on both stunnel client (as the normal user) and server
> hosts, I use the remote vnc viewer, logged in as a normal user, with the
> connection 127.0.0.1:5900
>
> I'm guessing I could configure my vnc viewers to connect to multiple clients with
> different [service] sections, for example:
>
> verify = 2
> pid = /home/mfoley/.stunnel/stunnel.pid
> CAfile = /home/mfoley/.stunnel/certificate.pem
> client = yes
>
> [remoteHost1]
> accept = 5900
> connect = router.obfuscate.org:1234
>
> [remoteHost2]
> accept = 5901
> connect = router.obfuscate.org:4321
>
> I haven't tried that, but I will.
>
> I further guess that I could have different CAfiles per server if I moved that
> directive to the respective service definitions (can someone confirm?), but I
> haven't tried that either.
>
> Thanks especially to Flo Rance for helping me work through this.
>
> Now, I have to figure out how to do this from a Windows client!
>
> --Mark
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
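
An added example, not part of the thread or of stunnel itself: a small audit of the multi-service client layout sketched in the quoted message, reporting any client service whose effective settings would not verify the server certificate. It assumes options placed before the first [service] act as defaults for every service and that CAfile can be overridden inside a service; the host2.pem path and the whole remoteHost3 service are constructed for illustration.

```python
# Added example: flag stunnel client services that skip certificate checks.
# Constructed input: the host2.pem override and [remoteHost3] are hypothetical.
SAMPLE_CONF = """\
verify = 2
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes
[remoteHost1]
accept = 5900
connect = router.obfuscate.org:1234
[remoteHost2]
accept = 5901
connect = router.obfuscate.org:4321
CAfile = /home/mfoley/.stunnel/host2.pem
[remoteHost3]
accept = 5902
connect = 192.0.2.10:1234
verify = 0
"""

def parse_stunnel_conf(text):
    """Return {service: effective options}; global options act as defaults."""
    defaults, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            # A new service starts from a copy of the global defaults.
            current = services.setdefault(line[1:-1], dict(defaults))
            continue
        key, sep, value = line.partition("=")
        if sep:
            target = defaults if current is None else current
            target[key.strip().lower()] = value.strip()
    return services

def audit_clients(services):  # maps each weak client service to its reasons
    findings = {}
    for name, opts in services.items():
        level = opts.get("verify", "")
        reasons = []
        if not level.isdigit() or int(level) < 2:
            reasons.append("verify < 2: server certificate not checked")
        if "cafile" not in opts and "capath" not in opts:
            reasons.append("no CAfile/CApath: nothing to verify against")
        if reasons and opts.get("client", "no").lower() == "yes":
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    print(audit_clients(parse_stunnel_conf(SAMPLE_CONF)))
```

Only the `verify` directive used in the thread is evaluated; a configuration that relies on other verification options would need the check extended.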
