With the increasing number of regimes worldwide cracking down on VPNs using deep packet inspection, it was good to see the recent return of stunnel to the maintained package list. To improve the security for our particular application, we hacked the package .xml and .inc files so that we can add a pre-shared key to implement client authentication using the GUI. This prevents anyone opening a tunnel on the stunnel server end without a secret key. It works like this https://www.stunnel.org/auth.html
If the maintainer of the stunnel package happens to be reading this, you're welcome to our code which simply adds a PSK field at the bottom of the stunnel add page and then sticks that into the relevant files on the firewall. Works well for us.
p.s. If anyone thinks this is a massive security mistake, please say why! Thanks.