{"id":10936,"date":"2025-06-16T06:00:48","date_gmt":"2025-06-16T06:00:48","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/secure-your-client-server-application-traffic-on-windows-with-stunnel-a-comprehensive-guide\/"},"modified":"2025-07-15T12:02:24","modified_gmt":"2025-07-15T12:02:24","slug":"secure-your-client-server-application-traffic-on-windows-with-stunnel-a-comprehensive-guide","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/secure-your-client-server-application-traffic-on-windows-with-stunnel-a-comprehensive-guide\/","title":{"rendered":"Secure Your Client-Server Application Traffic on Windows with Stunnel: A Comprehensive Guide"},"content":{"rendered":"

The Stunnel tool<\/strong><\/a> acts as a proxy service that enables the creation of a secure TLS tunnel for client-server applications lacking inherent encryption capabilities. It is often more efficient to use Stunnel for securing access to a specific application rather than deploying a comprehensive VPN solution.<\/p>\n

Stunnel can function in either server or client mode. In client mode, it captures traffic from the client application, encrypts it, and forwards it to the server, where decryption occurs before sending to the intended application. Importantly, this setup doesn\u2019t require any modifications to either the client or server application. Additionally, Stunnel supports client authentication through certificates and is available for both Windows and Linux platforms.<\/p>\n

Configuring Stunnel Server on Windows<\/h3>\n

To set up Stunnel on a Windows server<\/a><\/strong>, start by downloading the installer from Stunnel’s official website<\/a> and complete the installation using the default settings, which include openssl<\/code>.<\/p>\n

Next, generate the keys and certificates for the Certificate Authority (CA), server, and clients. Open a command prompt and navigate to the install directory:<\/p>\n

cd \"C:Program Files (x86)stunnelbin\"<\/code><\/pre>\n
Follow these steps to create the necessary keys and certificates:<\/p>\n
    \n
  1. Generate the CA key:\n
    openssl genpkey -algorithm RSA -out ca.key<\/code><\/pre>\n<\/li>\n
  2. Create the CA certificate:\n
    openssl req -new -x509 -key ca.key -out ca.crt -subj \"\/O=woshubLTD\/OU=IT\/CN=CA_webserver1.com\"<\/code><\/pre>\n<\/li>\n
  3. Create a private key for the server:\n
    openssl genpkey -algorithm RSA -out server.key<\/code><\/pre>\n<\/li>\n
  4. Generate a CSR for the server certificate:\n
    openssl req -key server.key -new -out server.csr<\/code><\/pre>\n<\/li>\n
  5. Sign the server certificate with the root CA:\n
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -subj \"\/O=woshubLTD\/OU=IT\/CN=server_webserver1.com\"<\/code><\/pre>\n<\/li>\n
  6. Generate the client’s private key:\n
    openssl genpkey -algorithm RSA -out client.key<\/code><\/pre>\n<\/li>\n
  7. Create a CSR for the client certificate:\n
    openssl req -key client.key -new -out client.csr<\/code><\/pre>\n<\/li>\n
  8. Sign the client certificate:\n
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -subj \"\/O=woshubLTD\/OU=IT\/CN=client1_webserver1.com\"<\/code><\/pre>\n<\/li>\n<\/ol>\n
    Now, move the ca.crt<\/code>, server.crt<\/code>, and server.key<\/code> files to the C:Program Files (x86)stunnelconfig<\/code> directory.<\/p>\n
    Edit the stunnel.conf<\/code> file, and include the following configuration settings:<\/p>\n
    ; Write logs to stunnel.logdebug = infooutput = stunnel.logoptions = CIPHER_SERVER_PREFERENCEoptions = NO_SSLv2options = NO_SSLv3options = NO_TLSv1sslVersion = TLSv1.2sslVersion = TLSv1.3ciphers = ECDHE-RSA-AES256-GCM-SHA384cert = server.crtkey = server.keyCAfile = ca.crt[ITPoral]accept = 192.168.158.144:443connect = 127.0.0.1:80verify=2<\/code><\/pre>\n
    Ensure the selected port in the accept<\/strong> line is free. Configure Windows Defender Firewall to allow incoming connections on this port:<\/p>\n
    New-NetFirewallRule -DisplayName \"ITPoral_stunnel_443\" -Direction Inbound -LocalPort 443 -Protocol TCP -Action Allow<\/code><\/pre>\n
    After that, run Stunnel.exe<\/code>, monitor the GUI logs for any configuration errors, and debug as necessary.<\/p>\n
    To run Stunnel service, execute:<\/p>\n
    \"C:Program Files (x86)stunnelbinstunnel.exe\" -install \"C:Program Files (x86)stunnelconfigstunnel.conf\"Start-Service wrapper<\/code><\/pre>\n
    Stunnel Client Configuration Example on Windows<\/h3>\n
    On the client-side, install Stunnel from the same distribution and transfer the ca.crt<\/code>, client.crt<\/code>, and client.key<\/code> files to the C:Program Files (x86)stunnelconfig<\/code> folder. Then, set up the configuration in stunnel.conf<\/code> as follows:<\/p>\n
    [ITPoral]client = yesaccept = localhost:8080connect = 192.168.158.144:443CAfile = ca.crtcert = client.crtkey = client.keyverify=2<\/code><\/pre>\n
    After saving the configuration file, run Stunnel manually to check for errors. Access the service via localhost:8080<\/code> on your browser, and Stunnel will securely redirect the connection.<\/p>\n
    To improve convenience, you can merge the client certificates and keys into a single file and update the configuration accordingly.<\/p>\n
    Certificate Management<\/h3>\n
    For revoking compromised certificates, utilize the CRLpath<\/code> option in the server configuration to indicate where the revoked certificates are stored. Similarly, use the CApath<\/code> option to specify the directory containing the allowed certificates.<\/p>\n","protected":false},"excerpt":{"rendered":"
    The Stunnel tool acts as a proxy service that enables the creation of a secure TLS tunnel for client-server applications lacking inherent encryption capabilities. It is often more efficient to use Stunnel for securing access to a specific application rather than deploying a comprehensive VPN solution. Stunnel can function in either server or client mode. […]<\/p>\n","protected":false},"author":1,"featured_media":10937,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[99,121],"tags":[],"class_list":["post-10936","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-windows-11","category-windows-server-2025"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/10936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=10936"}],"version-history":[{"count":2,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/10936\/revisions"}],"predecessor-version":[{"id":10978,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/10936\/revisions\/10978"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/10937"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=10936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=10936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=10936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}