Remote printing over stunnel



  • Howdy all, I have a unique situation where I have a need to allow a distant computer to remotely print to a printer behind my pfSense firewall. I was hoping to use stunnel to encrypt the print traffic then run that as a service on the distant computer as a VPN is overly complicated for this scenario. Any tips on how this might be done? Much thanks!


  • LAYER 8 Global Moderator

    @TheQuank said in Remote printing over stunnel:

    Any tips on how this might be done?

    Yeah, use a VPN... it's 1 min to set up, and 2 seconds for the client to click a button on their end when they "need" to print.



  • Hi @johnpoz,

    As I mentioned in the original post, a VPN is not a good fit for this application; that's why I was asking for assistance with stunnel. Not to mention that a VPN is SUBSTANTIALLY more than "1 minute to set up, and 2 seconds for the client".


  • LAYER 8 Global Moderator

    No, setting up is not more than 1 minute - you run through the wizard and export the config. If it takes you all of 1 minute I would be surprised.

    You honestly think the configuration required to set up stunnel to work for something like this is going to be less work, then have at it. And then creating the service to run for stunnel to connect?? Why are you here asking... I have used both for years and years and years... And I am telling you VPN is the easier of the 2 to set up, and is all GUI based.

    And it would also allow you to easily configure source NATting and allow you to print to a printer even if the printer didn't have a gateway set up, etc.

    If you actually wanted help - where are the details? What printing protocol, what is the printer? Does the printer have a gateway set up? What are the networks at both locations? Do the networks overlap? What is the OS of the client? Is the client behind a proxy or a firewall/NAT?

    Sorry, but while OpenVPN can all be done with a few GUI clicks... stunnel is not like that to set up.



  • @johnpoz first off, I'm dismayed that you are belittling my request for support. If I wanted advice on how to best connect a remote printer, I would have asked that in the appropriate section of the forum.

    I've done the research and determined that a VPN is not the best solution. I don't (nor likely will) have any ability to change the network setup on the distant side of the solution. In most cases, they are built using off-the-shelf products that typically leverage one or two very common Class C network IP ranges. This would require a rather complicated split-tunneling VPN solution a user would need to manually start. I would also add that a proper VPN deployment is much more than running a wizard and dumping out a config file. As I received no such support, I spent hours researching solutions on my own. Here is what I've built, tested, and fielded, for folks out there actually looking for a solution:

    Most printers using standard IP printing use port 9100 and the RAW protocol over TCP.

    Local Side
    pfSense Firewall w/ stunnel add-on installed

    pfSense Stunnel Config:
    Listen On Port: 9100 (Can be whatever you like, as long as it matches the stunnel config file on the distant side.)
    Redirects to IP: XXX.XXX.XXX.XXX (Printer IP attached to the LAN (or better, a DMZ))
    Redirects to Port: 9100
    Custom Options: PSKsecrets = /conf/stunnel_psk.txt

    stunnel_psk.txt contains a list of identities and preshared keys in the format ID:Key. pfSense even provides a handy editor under Diagnostics once the file is created in the conf directory.

    Create WAN firewall rule to pass inbound TCP traffic on 9100. (Even better, only allow connections from specific public IPs you need to print from.)

    Distant Side
    Install standard stunnel from: www.stunnel.org then enable running as a Windows service.
    Edit stunnel config file:

    ; encrypt outbound printing
    [Remote_Printing_9100]
    client = yes
    accept = 127.0.0.1:9100
    ; connect = public IP and the "Listen On Port" of the pfSense firewall
    connect = XXX.XXX.XXX.XXX:9100
    PSKsecrets = psk.txt
    PSKidentity = ID

    Create psk.txt in the same folder as the config file and paste the same ID:Key combination from stunnel_psk.txt and restart the stunnel service.

    Then simply change the IP port of the printer to the local host and enjoy!


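A helper for the ID:Key files described in the last post, as an added example that is not part of the thread or of the stunnel project: it generates a random key line and checks a PSKsecrets file against the stunnel manual's rule that keys be at least 16 bytes, assuming an all-hex key is counted after decoding to binary. The function names and the sample identities are hypothetical.

```python
import secrets
import string

MIN_KEY_BYTES = 16  # minimum key length stated in the stunnel manual


def new_psk_line(identity: str) -> str:
    """Return an IDENTITY:KEY line with a random 32-byte key written as hex."""
    if not identity or ":" in identity:
        raise ValueError("identity must be non-empty and contain no ':'")
    return f"{identity}:{secrets.token_hex(32)}"


def key_bytes(key: str) -> int:
    """Effective key length; assumption: an even-length all-hex key is decoded."""
    is_hex = bool(key) and len(key) % 2 == 0 and all(c in string.hexdigits for c in key)
    return len(key) // 2 if is_hex else len(key.encode())


def parse_psk(text: str):
    """Parse PSKsecrets content; return ({identity: key}, [problems])."""
    entries, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        identity, sep, key = line.partition(":")
        if not sep or not identity:
            problems.append(f"line {n}: not in IDENTITY:KEY form")
        elif identity in entries:
            problems.append(f"line {n}: duplicate identity {identity!r}")
        elif key_bytes(key) < MIN_KEY_BYTES:
            problems.append(f"line {n}: key for {identity!r} is under {MIN_KEY_BYTES} bytes")
        else:
            entries[identity] = key
    return entries, problems


def client_matches(server_text: str, client_text: str, identity: str) -> bool:
    """True if the client's PSKidentity has the same valid key on both sides."""
    server, _ = parse_psk(server_text)
    client, _ = parse_psk(client_text)
    return identity in server and secrets.compare_digest(
        server[identity].encode(), client.get(identity, "").encode())


if __name__ == "__main__":
    # Constructed sample: a too-short hex key, a malformed line, a good line.
    sample = "site-a:" + "ab" * 8 + "\nsite-b\n" + new_psk_line("site-c")
    print(parse_psk(sample)[1])
```

Run `parse_psk` on the contents of stunnel_psk.txt and psk.txt before restarting either service; a key that looks long enough as text can still fall under the minimum once it is read as hex.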