| Sponsored by [ppl](https://ppl.family) | **tunnel-server.js** | [tunnel-client.js](https://git.coolaj86.com/coolaj86/tunnel-client.js) |

# stunneld.js

A server that works in combination with [stunnel.js](https://git.coolaj86.com/coolaj86/tunnel-client.js)
to allow you to serve http and https from any computer, anywhere through a secure tunnel.

CLI
===

Installs as `stunnel.js` with the alias `jstunnel`
(for those that regularly use `stunnel` but still like commandline completion).

### Install

```bash
npm install -g stunneld
```

Then `dist/etc/systemd/system/stunneld.service` should be copied to `/etc/systemd/system/stunneld.service` and
the ARGUMENTS, such as SECRET, MUST BE CHANGED.

*TODO*: make `--config /path/to/config` the only argument (and have the secret auto-generated on first run?)

## Note: Use node.js v8.x

There is a bug in node v9.x that causes stunneld to crash.

https://github.com/nodejs/node/issues/20241

### Advanced Usage

How to use `stunnel.js` with your own instance of `stunneld.js`:

```bash
stunneld.js --servernames tunnel.example.com --protocols wss --secret abc123
```

Options

```
--secret          the same secret used by stunnel client (used for authentication)
--serve           comma separated list of <proto>:<servername>:<port> to which
                  incoming http and https should be forwarded
```

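A check for the `--secret` requirement above, as an added example that is not part of stunneld.js: it pulls the `--secret` value out of a command line (for instance the one in the copied systemd unit), reports why it should be replaced, and generates a random replacement. The function names, the two thresholds and the sample command line are assumptions made for this example.

```javascript
// Added example, not part of stunneld.js: audit the --secret passed to
// stunneld.js and generate a strong replacement.
const crypto = require('crypto');

// Values printed in documentation are public; 'abc123' is this README's sample.
const DOCUMENTED_SECRETS = new Set(['abc123']);
const MIN_LENGTH = 32;          // assumed threshold for this example
const MIN_DISTINCT_CHARS = 10;  // assumed threshold for this example

// 32 random bytes as 64 hex characters: no quoting needed in a unit file.
function generateSecret(bytes = 32) {
  return crypto.randomBytes(bytes).toString('hex');
}

// Return the value after --secret (space or = separated, optionally quoted),
// or null when the argument is absent.
function extractSecret(commandLine) {
  const m = /--secret(?:=|\s+)(?:"([^"]*)"|'([^']*)'|(\S+))/.exec(commandLine);
  if (!m) return null;
  return [m[1], m[2], m[3]].find((v) => v !== undefined);
}

// List the reasons a command line's secret should be replaced (empty = ok).
function auditSecret(commandLine) {
  const secret = extractSecret(commandLine);
  if (secret === null) return ['no --secret argument found'];
  const findings = [];
  if (DOCUMENTED_SECRETS.has(secret)) findings.push('documented sample value');
  if (secret.length < MIN_LENGTH) findings.push(`shorter than ${MIN_LENGTH} characters`);
  if (new Set(secret).size < MIN_DISTINCT_CHARS) findings.push('low character variety');
  return findings;
}

// Constructed sample: the invocation shown under Advanced Usage.
const sample = 'stunneld.js --servernames tunnel.example.com --protocols wss --secret abc123';
console.log(auditSecret(sample));
console.log(auditSecret(sample.replace('abc123', generateSecret())));
```
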
### Privileged Ports without sudo

```bash
# Linux: setcap needs the real binary, not a symlink, so resolve it first.
# Every script run with this node binary can then bind ports below 1024.
sudo setcap 'cap_net_bind_service=+ep' "$(readlink -f "$(which node)")"
```

### Alternative Methods

**NOT YET IMPLEMENTED**

We created this for anyone to use on their own server or VPS,
but those generally cost $5 - $20 / month and so it's probably
cheaper to purchase data transfer (which we supply, obviously),
which is only $1/month for most people.

Just use the client ([stunnel.js](https://git.coolaj86.com/coolaj86/tunnel-client.js))
with this tunneling service (the default) and save yourself the monthly fee
by only paying for the data you need.

* Node WS Tunnel (zero setup)
* Heroku (zero cost)
* Chunk Host (best deal per TB/month)

Security
========

The bottom line: As with everything in life, there is no such thing as anonymity
or absolute security. Only use stunneld services that you trust. :D

Even though the traffic is encrypted end-to-end, you can't just trust any stunneld service
willy-nilly.

A man-in-the-middle attack is possible using Let's Encrypt since an evil stunneld service
would be able to complete the http-01 and tls-sni-01 challenges without a problem
(since that's where your DNS is pointed when you use the service).

Also, the traffic could still be copied and stored for decryption in some era when quantum
computers exist (probably never).