Netgate Discussion Forum

    Stunnel won't start after pfSense restart!

    pfSense Packages
    14 Posts 6 Posters 5.3k Views
      Sifter

      @nimamhd:

      Finally found the solution.

      stunnel can't create a folder in /var/tmp/stunnel or /var/tmp/run/stunnel for chroot and the .pid file.

      Follow this:

      1. mkdir /usr/local/etc/stunnel/run (or /tmp)

      2. chown -R stunnel:stunnel /usr/local/etc/stunnel/run

      3. ee /usr/local/pkg/stunnel.inc

         replace "/var/tmp/stunnel" with "/usr/local/etc/stunnel/run" on lines 120, 206, 217, 234

         add `fwrite($fout, "pid = /stunnel.pid \n");` at line 123

      4. Configure stunnel and done.

      Is this something that can get added to the package?

        nimamhd

        Yes, I think the Stunnel package needs some updates for pfSense 2.1

          Rossi

          Took me some time to find this thread and to solve the problem. Thx for the solution.

          What about a stunnel update? Will there be a new version?

            nimamhd

            Thank you for your reply. :)

            Yes, Stunnel version 5 is available.

            https://www.stunnel.org/downloads.html

              Rossi

              I would really appreciate a new version. It's really endlessly simple to use it for enabling SSL support for FTP, webmail, etc…

                dgcom

                @Rossi:

                It's really endlessly simple to use it for enabling SSL support for FTP, webmail, etc…

                Stunnel does not support FTP as far as I know, but for most other Stunnel server functionality you should be able to use the HAProxy-devel package.

                But I still vote for having a new package for Stunnel 5 with all the new functionality included!

                DG

                  Rossi

                  Well, you are right… never tried it with FTP, but several other services, and all of them were really quick and easy to set up.

                    Rossi

                    Looks like it is a bit urgent now. I guess I will disable stunnel until it's patched.

                      nimamhd

                      As you know about Heartbleed, I can't wait for the Stunnel package update. How can I manually update this?

                      The new version of Stunnel is now available.

                        adamsteinhoff

                        We have the same problem here, and being a new pfSense user, I really don't want to be hacking around on it and expect that it will work long-term for our fairly critical environment.

                        Is there an alternative to what Stunnel does on pfSense, or is it the only official package?

                        Based on prior history, do you all think that there will be a package that will fix this issue and get us to the new Heartbleed-proof version?

                        Thanks!

                          nimamhd

                          I use the Zebedee package too. It's simple and powerful.

                          You can visit http://www.winton.org.uk/zebedee/ for more info.

                          If you have any problem, don't hesitate to post it. :)

                            v0lZy

                            I just encountered this issue today.

                            I reinstalled the stunnel package and still was not able to launch stunnel.
                            I SSH-ed into my pfSense box and ran

                            find / | grep stunnel

                            The result from the above command led me to examine /usr/local/etc/rc.d/stunnel.sh

                            cat /usr/local/etc/rc.d/stunnel.sh
                            

                            which returned

                            #!/bin/sh
                            # This file was automatically generated
                            # by the pfSense service handler.
                            
                            rc_start() {
                                    /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
                            
                            }
                            
                            rc_stop() {
                                    killall stunnel
                            
                            }
                            
                            case $1 in
                                    start)
                                            rc_start
                                            ;;
                                    stop)
                                            rc_stop
                                            ;;
                                    restart)
                                            rc_stop
                                            rc_start
                                            ;;
                            esac

                            This suggested that /usr/local/etc/stunnel/stunnel.conf is used as the configuration file so I followed with

                            cat /usr/local/etc/stunnel/stunnel.conf
                            

                            to examine the file, which in turn showed

                            cert = /usr/local/etc/stunnel/stunnel.pem
                            chroot = /var/tmp/stunnel
                            setuid = stunnel
                            setgid = stunnel

                            Manually running the following on the command line

                            /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
                            

                            confirmed that stunnel was exiting because there were no actual tunnel endpoints set up.

                            So I went back to the WebGUI under Services > Stunnel, and took a look at the Tunnels tab where I had 3 tunnel endpoints configured. I figured that clicking the edit button on each entry and then clicking the save button would repopulate the /usr/local/etc/stunnel/stunnel.conf file so I clicked 'edit' and subsequently 'save' for each of my tunnel endpoints.

                            As a precaution I navigated to the Certificates tab and did the same edit-save procedure for each of my three certificates.

                            I then went back to the command line and made sure my clicking around had an effect. I ran

                            cat /usr/local/etc/stunnel/stunnel.conf
                            

                            and was glad to see that my clicking around the GUI wasn't in vain; the file was populated with configuration parameters defining my endpoints.

                            I then manually started stunnel from the command line with

                            /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
                            

                            and my stunnel is up and running again (also shows green on the Status > Services section).

                            I haven't yet restarted the firewall and don't know if the solution will persist or not.

                            Best regards,

                            V

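The two failure modes this thread walks through (the chroot/.pid directory stunnel cannot create, from the first post, and a stunnel.conf that holds only the global header with no tunnel sections, from v0lZy's post) can be checked before starting the daemon. The script below is an added example, not code from the thread or from the pfSense stunnel package; the temp-dir paths, the owner taken from the temp dir, and the imaps tunnel in the demo are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread or the pfSense package): preflight
# check for the two stunnel start failures this thread describes:
#  1. chroot dir from stunnel.conf missing or not owned by the setuid user,
#     so stunnel cannot chroot into it or write its .pid file
#  2. stunnel.conf has only the global header and no [service] section,
#     so stunnel exits with nothing to listen on
# stunnel_preflight CONF -> 0 if both pass, 1 otherwise (problems printed).
# conf_value CONF KEY: value of the first "KEY = value" line in CONF
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
stunnel_preflight() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    chroot_dir=$(conf_value "$conf" chroot)
    run_user=$(conf_value "$conf" setuid)
    pid_file=$(conf_value "$conf" pid)
    if [ -n "$chroot_dir" ] && [ ! -d "$chroot_dir" ]; then
        echo "chroot dir $chroot_dir missing: mkdir it, chown to ${run_user:-stunnel}"
        rc=1
    elif [ -n "$chroot_dir" ]; then
        # ls -ld works on both FreeBSD and Linux (stat's flags differ)
        owner=$(ls -ld "$chroot_dir" | awk '{print $3}')
        if [ -n "$run_user" ] && [ "$owner" != "$run_user" ]; then
            echo "chroot dir $chroot_dir is owned by $owner, not $run_user"; rc=1
        fi
        # the pid path is resolved inside the chroot after stunnel enters it
        if [ -n "$pid_file" ] && [ ! -d "$chroot_dir$(dirname "$pid_file")" ]; then
            echo "pid dir $(dirname "$pid_file") missing inside $chroot_dir"; rc=1
        fi
    fi
    # a tunnel is a "[name]" section followed by accept/connect lines
    if ! grep -q '^[[:space:]]*\[[^]]*\]' "$conf"; then
        echo "no [service] section: re-save each tunnel under Services > Stunnel"; rc=1
    fi
    return $rc
}
# Constructed demo: header-only conf with a missing chroot dir, then the dir
# created, then a tunnel appended; returns 0 if all three states check out.
demo_preflight() {
    tmp=$(mktemp -d); conf="$tmp/stunnel.conf"
    me=$(ls -ld "$tmp" | awk '{print $3}'); grp=$(ls -ld "$tmp" | awk '{print $4}')
    printf 'cert = %s/stunnel.pem\nchroot = %s/chroot\nsetuid = %s\nsetgid = %s\npid = /stunnel.pid\n' \
        "$tmp" "$tmp" "$me" "$grp" > "$conf"
    stunnel_preflight "$conf" >/dev/null && return 1   # missing chroot dir
    mkdir "$tmp/chroot"
    stunnel_preflight "$conf" >/dev/null && return 1   # still no tunnels
    printf '\n[imaps]\naccept = 993\nconnect = 127.0.0.1:143\n' >> "$conf"
    stunnel_preflight "$conf"; rc=$?; rm -rf "$tmp"; return $rc
}
```

Run `stunnel_preflight /usr/local/etc/stunnel/stunnel.conf` on the box before `/usr/local/etc/rc.d/stunnel.sh start`; `demo_preflight` only exercises the checks against the constructed files.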
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.