
Stunnel

Stunnel wraps the traffic of an application that does not encrypt its own connections in a TLS tunnel and sends it on encrypted. Its main use is to provide an encrypted data exchange between two sides when at least one of them does not support encrypted connections itself.

Stunnel can play both server or client roles. The client initiates encrypted connections, and the server expects and accepts them.

TNA devices start stunnel in client mode. Depending on the configuration, the client either listens on a predefined local port on all network interfaces or is attached to the serial port. With a predefined local port, any service on the network reachable through Eth0 or Eth1 of the TNA can connect to that port and have its data forwarded through the secure connection to evalink talos.

Stunnel encrypts the data exchanged between the TNA and evalink talos using TLS with a pre-shared key (see the PSK settings below). The hop from the alarm receiving equipment to the TNA's local port or serial line is plain TCP or serial traffic and is not encrypted, so the local port should only be reachable from the network segment where that equipment sits.

Stunnel over Ethernet

Stunnel via Ethernet

Stunnel over Serial

Stunnel via Serial

With the serial port configuration, the device connected to the TNA through this port can use the secure connection provided by stunnel to send and receive data.

On evalink talos, stunnel is started in server mode and any data received from stunnel clients is forwarded to the receiver expecting this data and vice versa.

info

With the serial port configuration, the TNA starts the stunnel client on the default local port 2771 and uses socat to forward data between the serial port and this port in both directions. Port 2771 must therefore be free, and the secure connection to the server is kept up permanently rather than being established on demand.

With the RS-232 configuration, the TNA allocates the serial port to stunnel, and no other TNA feature configured to use the serial port can be started. Conversely, stunnel cannot be configured with the serial port if another TNA feature already uses it.
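The following shell functions are an added example, not the configuration the TNA generates or any evalink code. They write stunnel and socat configuration that reproduces the layout described above: a PSK-authenticated stunnel client on the TNA side with a primary and a fallback server, the matching stunnel server on the evalink talos side, and the socat bridge for the serial variant. Section names, file paths, hosts, ports, the PSK identity and the key are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not evalink/TNA code: stunnel and socat configuration that
# reproduces the client/server layout described on this page.
# Section names, paths, hosts, ports, the PSK identity and the key are
# placeholders chosen for illustration.

# Shared secrets file, one "identity:key" line, installed on both sides.
# Only the key is secret; the identity is sent in the clear in the handshake.
gen_psk_secrets() {
    identity="$1"; key="$2"
    printf '%s:%s\n' "$identity" "$key"
}

# TNA side: stunnel runs as a TLS client. It accepts plaintext on a local
# port and forwards it to the talos server. Two connect lines with
# "failover = prio" try the primary first and the fallback only if the
# primary is unreachable, so both are never used at once.
# $1 local bind address (0.0.0.0 = all interfaces, as in the Ethernet setup;
#    127.0.0.1 when only a local socat process needs the port)
# $2 local port, $3 primary host:port, $4 fallback host:port,
# $5 PSK identity, $6 path of the secrets file
gen_client_conf() {
    bind="$1"; port="$2"; primary="$3"; fallback="$4"; identity="$5"; psk_file="$6"
    cat <<EOF
foreground = yes
debug = info

[receiver]
client = yes
accept = ${bind}:${port}
connect = ${primary}
connect = ${fallback}
failover = prio
PSKsecrets = ${psk_file}
PSKidentity = ${identity}
EOF
}

# talos side: stunnel runs as the TLS server, checks the client's PSK
# against the same secrets file and hands the decrypted stream to the receiver.
# $1 listen port, $2 receiver host:port, $3 path of the secrets file
gen_server_conf() {
    port="$1"; receiver="$2"; psk_file="$3"
    cat <<EOF
foreground = yes
debug = info

[receiver]
accept = 0.0.0.0:${port}
connect = ${receiver}
PSKsecrets = ${psk_file}
EOF
}

# Serial variant: socat bridges the RS-232 device to the local stunnel port.
# The termios options map the serial parameters from the configuration table:
# baud rate (b9600), data bits (cs7/cs8), parity (parenb/parodd), stop bits (cstopb).
# $1 device, $2 baud, $3 data bits, $4 parity (none|even|odd), $5 stop bits (1|2), $6 local port
gen_socat_cmd() {
    dev="$1"; baud="$2"; bits="$3"; parity="$4"; stop="$5"; port="$6"
    case "$parity" in
        none) par="parenb=0" ;;
        even) par="parenb=1,parodd=0" ;;
        odd)  par="parenb=1,parodd=1" ;;
        *) echo "unknown parity: $parity" >&2; return 1 ;;
    esac
    if [ "$stop" = 2 ]; then stopb="cstopb=1"; else stopb="cstopb=0"; fi
    printf 'socat %s,raw,echo=0,b%s,cs%s,%s,%s TCP:127.0.0.1:%s\n' \
        "$dev" "$baud" "$bits" "$par" "$stopb" "$port"
}

# Example invocation with constructed values; the key is generated fresh.
main_example() {
    gen_psk_secrets tna-01 "$(openssl rand -hex 32)"
    gen_client_conf 0.0.0.0 2771 203.0.113.10:1984 203.0.113.11:1984 tna-01 /etc/stunnel/psk.txt
    gen_server_conf 1984 127.0.0.1:7700 /etc/stunnel/psk.txt
    gen_socat_cmd /dev/ttyS0 9600 8 none 1 2771
}
```

The client's accept address is the security-relevant knob: 0.0.0.0 exposes an unencrypted TCP listener on every interface, which is what the Ethernet setup needs, whereas the serial setup only needs socat on the same host and can bind to 127.0.0.1.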

Enable Stunnel on the TNA Web Server

info

Access level 4 is required to enable or disable Stunnel integration.

To enable Stunnel integration, do the following:

  1. On the TNA Web Server, navigate to Settings > Integrations from the top right corner of the page

  2. From the list of integrations, search for Stunnel and toggle it

Enable Stunnel Integration

Once Stunnel integration is enabled, you can find it under Integrations on the top navigation menu.

The status is also reflected on the Integrations section of the Home page.

Stunnel Integration Status

Configure Stunnel

info

Access level 3 or above is required to configure Stunnel integration.

To configure Stunnel parameters, do the following:

  1. On the TNA Web Server, click on Integrations from the top navigation menu and choose Stunnel

  2. Under Dashboard, click on Add Rule and configure the following parameters under the newly created tab:

info

You can set up a maximum of 20 stunnel connections simultaneously.

Stunnel Ethernet Configuration

Configuration Name
  The name of the stunnel connection. Maximum: 24 characters.

Interface
  The interface to use for the connection: Ethernet or Serial Port.
  Note: Only one connection can be configured using Serial Port.

Local Port (Ethernet interface)
  The local port on which the stunnel connection accepts data through Eth0 or Eth1. Port range: 1024 - 65535.

Baudrate (Serial interface)
  The speed at which data bits are sent, in bits per second. Values range from 300 up to 3000000. Default value: 9600.

Data Bits (Serial interface)
  The number of data bits in each frame. Possible values: 7 and 8. Default value: 8.

Parity (Serial interface)
  The parity bit provides a simple form of error detection. Possible values:
  None: no parity bit is added to the data.
  Even: the parity bit is chosen so that the number of 1 bits in data plus parity is even; it is 0 when the data bits already contain an even number of 1s, and 1 otherwise.
  Odd: the parity bit is chosen so that the number of 1 bits in data plus parity is odd; it is 0 when the data bits already contain an odd number of 1s, and 1 otherwise.

Stop Bits (Serial interface)
  The number of bits used to mark the end of a frame. Possible values: 1 and 2. Default value: 1.

PSK Identity
  The pre-shared key identity for the encrypted connection. The identity is transmitted in the clear during the TLS handshake, so it is not a secret; only the key is.
  Note: If the same PSK identity is used for more than one connection, the following warning message is displayed:
  PSK Identity Message

PSK
  The pre-shared key used to establish the encrypted connection.
  3. Click on Save

  4. (Optional) Click on Undo changes to reset the parameters to their previous values

  5. Under the Configuration tab, configure the following parameters for stunnel connections:

Stunnel Configuration

Primary IP
  The IP address of the primary stunnel server on the evalink talos side.

Primary Port
  The port number of the primary stunnel server on the evalink talos side. Port range: 1024 - 65535.

Fallback IP
  The IP address of the backup stunnel server on the evalink talos side.

Fallback Port
  The port number of the backup stunnel server on the evalink talos side. Port range: 1024 - 65535.

Mobile Failover
  Toggle to enable or disable use of the mobile interface as a backup for the connection between the stunnel client and the server.
  Note: Eth0 is used by default.
info

Simultaneous connections to both primary and fallback hosts are not allowed.

  6. Click on Save

  7. (Optional) Click on Undo changes to reset the parameters to their previous values

  8. To test both Ethernet and Mobile connections to the Primary and Fallback IPs, click on the Test button next to their sections.

info

The Test button will be clickable only after saving the destination parameters.

If you change the IP and Port values without saving them, the test will be done using the previously saved values.
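As an added example that is not part of the evalink documentation or the TNA firmware, the following shell functions reproduce by hand what the Test button checks: a TLS handshake with the configured PSK against the primary endpoint, and against the fallback only when the primary does not answer, matching the rule that both hosts are never used at once. The hosts, ports, identity and key are placeholders, and the `timeout` command is assumed to be available (GNU coreutils).

```shell
#!/bin/sh
# Added example, not evalink/TNA code: probe the primary and fallback stunnel
# servers with a PSK TLS handshake, the way the TNA's stunnel client would.
# Hosts, ports, identity and key below are placeholders.

# Build the openssl s_client invocation for a PSK handshake. The key is hex.
psk_probe_cmd() {
    host="$1"; port="$2"; identity="$3"; psk_hex="$4"
    printf 'openssl s_client -connect %s:%s -psk_identity %s -psk %s -brief </dev/null\n' \
        "$host" "$port" "$identity" "$psk_hex"
}

# Real probe: run the handshake with a timeout. Exit 0 means the server
# accepted this identity/key pair; non-zero means unreachable or PSK rejected.
# (Requires network access; not exercised by the checks below.)
psk_probe() {
    host="$1"; port="$2"; identity="$3"; psk_hex="$4"
    timeout 5 openssl s_client -connect "$host:$port" \
        -psk_identity "$identity" -psk "$psk_hex" -brief </dev/null >/dev/null 2>&1
}

# Try the primary, then the fallback, using the probe function named in $1
# (psk_probe for a live check, or a stub for testing). Prints the endpoint
# that answered and returns 0, or prints "none" and returns 1.
# $2 identity, $3 key (hex), $4/$5 primary host/port, $6/$7 fallback host/port
select_endpoint() {
    probe="$1"; identity="$2"; psk_hex="$3"
    primary_host="$4"; primary_port="$5"; fallback_host="$6"; fallback_port="$7"
    if "$probe" "$primary_host" "$primary_port" "$identity" "$psk_hex"; then
        echo "primary $primary_host:$primary_port"; return 0
    fi
    if "$probe" "$fallback_host" "$fallback_port" "$identity" "$psk_hex"; then
        echo "fallback $fallback_host:$fallback_port"; return 0
    fi
    echo "none"; return 1
}

# Live usage with constructed values; replace the key with the configured PSK.
main_example() {
    select_endpoint psk_probe tna-01 "$(openssl rand -hex 32)" \
        203.0.113.10 1984 203.0.113.11 1984
}
```

A handshake failure against a reachable host usually means the identity or key differs between the TNA rule and the talos server, which is the condition the page's warning about duplicate PSK identities is meant to prevent; an unreachable host is distinguished by the connect error printed without the -brief redirection.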

After saving all configuration parameters, you can see an overview of your connections under Dashboard:

Stunnel Dashboard

The state of each connection is monitored and displayed under Status. The different states are as follows:

Not established
  The stunnel connection is not started.

Unavailable
  The stunnel connection cannot be started because the Ethernet interfaces (Eth0 and Eth1) are unavailable.

Available
  The stunnel connection is started and waiting for a receiver to connect.

Connected
  The receiver is connected.
  9. Click on Start to start stunnel connections on the TNA

  10. (Optional) Click on Stop to stop all stunnel connections

  11. (Optional) Click on Remove all to remove all stunnel connections

Connection States

The state of the stunnel connections on both the TNA and evalink talos sides is displayed at the top of the Dashboard tab.

(Status bar: TNA (Ethernet) indicator, link indicator, evalink indicator)

It consists of 3 parts, as described below:

  1. The state of the stunnel client on the TNA side, which shows whether the client is Started or Not Started and which interface is used to connect (Ethernet or Mobile)

  2. The state of the stunnel connection between the TNA and evalink talos, which shows whether the primary IP/Port or the fallback IP/Port is Available or Not Available

  3. The state of the stunnel server on the evalink talos side, which shows whether the connection between a receiver and evalink talos is Established or Not Established
