Netgate Discussion Forum

    Remote printing over stunnel

    • T
      TheQuank
      last edited by

      Howdy all, I have a unique situation where I have a need to allow a distant computer to remotely print to a printer behind my pfSense firewall. I was hoping to use stunnel to encrypt the print traffic then run that as a service on the distant computer as a VPN is overly complicated for this scenario. Any tips on how this might be done? Much thanks!

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        @TheQuank said in Remote printing over stunnel:

        Any tips on how this might be done?

        yeah use a vpn... it's 1 min to setup, and 2 seconds for the client to click a button on their end when they "need" to print..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        T 1 Reply Last reply Reply Quote 1
        • T
          TheQuank @johnpoz
          last edited by

          Hi @johnpoz,

          As I mentioned in the original post, a VPN is not a good fit for this application, that's why I was asking for assistance with STunnel. Not to mention that a VPN is SUBSTANTIALLY more than "1 minute to set up, and 2 seconds for the client".

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            No setting up is not more than 1 minute - you run through the wizard, and export the config.. If it takes you all of 1 minute I would be surprised.

            You honestly think the configuration required to setup stunnel to work for something like this is going to be less work, then have at it.. And then creating the service to run for stunnel to connect?? Why are you here asking... I have used both for years and years and years... And I am telling you vpn is easier of the 2 to setup, and is all gui based.

            And would also allow you to easily configure source natting and allow you to print to a printer even if the printer didn't have a gateway setup, etc.

            If you actually wanted help - where are the details. What printing protocol, what is the printer? Does the printer have a gateway setup.. What are the networks at both locations? Do the networks overlap? What is the OS of the client? Is the client behind a proxy or a firewall/nat?

            Sorry but while openvpn can all be done with a few gui clicks... stunnel is not like that to setup.


            T 1 Reply Last reply Reply Quote 1
            • T
              TheQuank @johnpoz
              last edited by

              @johnpoz first off, I'm dismayed that you are belittling my request for support. If I wanted advice on how to best connect a remote printer, I would have asked that in the appropriate section of the forum.

              I've done the research and determined that a VPN is not the best solution. I don't (nor likely will) have any ability to change the network setup on the distant side of the solution. In most cases, they are built using off the shelf products that typically leverage one or two very common Class C network IP ranges. This would require a rather complicated split-tunneling VPN solution a user would need to manually start. I would also add that a proper VPN deployment is much more than running a wizard and dumping out a config file. As I received no such support, I spent hours researching solutions on my own. Here is what I've built, tested, and fielded, for folks out there actually looking for a solution:

              Most printers using standard IP printing use port 9100 and the RAW protocol over TCP.

              Local Side
              pfSense Firewall w/ stunnel add-on installed

              pfSense Stunnel Config:
              Listen On Port: 9100 (Can be whatever you like, as long as it matches the stunnel config file on the distant side.)
              Redirects to IP: XXX.XXX.XXX.XXX (Printer IP attached to the LAN (or better, a DMZ))
              Redirects to Port: 9100
              Custom Options: PSKsecrets = /conf/stunnel_psk.txt

              stunnel_psk.txt contains a list of identities and preshared keys in the format ID:Key. pfSense even provides a handy editor under Diagnostics once the file is created in the conf directory.

              Create WAN firewall rule to pass inbound TCP traffic on 9100. (Even better, only allow connections from specific public IPs you need to print from.)

              Distant Side
              Install standard stunnel from: www.stunnel.org then enable running as Windows service.
              Edit stunnel config file:

              ; encrypt outbound printing
              [Remote_Printing_9100]
              client = yes
              accept = 127.0.0.1:9100
              ; Public IP and the "Listen on Port" of pfSense firewall.
              connect = XXX.XXX.XXX.XXX:9100
              PSKsecrets = psk.txt
              PSKidentity = ID

              Create psk.txt in the same folder as the config file and paste the same ID:Key combination from stunnel_psk.txt and restart the stunnel service.

              Then simply change the IP port of the printer to the local host and enjoy!

              1 Reply Last reply Reply Quote 2
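An added example, not part of the original post and not code from stunnel or pfSense: a Python check that the ID:Key entry pasted into stunnel_psk.txt and psk.txt is well-formed, strong, and identical on both ends, since the PSK is the only thing authenticating connections to the exposed port. The identity name, the 32-character floor and all function names are assumptions of this example.

```python
import hmac
import os
import secrets
import stat

MIN_KEY_CHARS = 32  # assumption: this example's own policy floor, not a value from the post

def new_psk_entry(identity, nbytes=32):
    """Build one ID:Key line with a hex key from the OS CSPRNG."""
    if not identity or ":" in identity or identity != identity.strip():
        raise ValueError("identity must be non-empty, trimmed and free of ':'")
    return f"{identity}:{secrets.token_hex(nbytes)}"

def parse_psk(text):
    """Return ({identity: key}, findings) for the contents of a PSK file."""
    entries, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        ident, sep, key = line.partition(":")
        if not (sep and ident and key):
            findings.append(f"line {n}: not in ID:Key format")
            continue
        if ident in entries:
            findings.append(f"line {n}: duplicate identity {ident!r}")
        if len(key) < MIN_KEY_CHARS or len(set(key)) < 8:
            findings.append(f"line {n}: key for {ident!r} is short or low-variety")
        entries[ident] = key
    return entries, findings

def audit_pair(server_text, client_text, identity):
    """Check that both ends hold the same strong key for `identity`."""
    server, findings = parse_psk(server_text)
    client, more = parse_psk(client_text)
    findings += [f"client {m}" for m in more]
    if identity not in server or identity not in client:
        findings.append(f"identity {identity!r} missing on one side")
    elif not hmac.compare_digest(server[identity].encode(), client[identity].encode()):
        findings.append(f"key mismatch for {identity!r}")
    return findings

def world_accessible(path):
    """True if a PSK file on a POSIX host (the pfSense side) is open to 'other'."""
    return bool(os.stat(path).st_mode & (stat.S_IROTH | stat.S_IWOTH))
```

Run `audit_pair` on the text of both files before restarting the service; an empty list means the two ends agree and the key passes the example's policy.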
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.