inside the mind of a linux admin

Encrypting synergy traffic via OpenSSL and stunnel

I use synergy to control several different linux systems in my office using a single keyboard and mouse.

The only issue I have with this software is that it does not (yet?) natively support SSL encryption for your traffic. This is problematic when transmitting plain-text passwords between systems, which I do often: every keystroke sent to a remote machine crosses the network in the clear.

This HOWTO will explain how I encrypted my synergy traffic using basic OpenSSL and stunnel technology.

1) First, you’ll want to install the necessary packages. All of these can be found in nearly every distribution’s repositories, so fire up your apt-get/aptitude or yum and grab these:

  • synergy
  • stunnel
  • openssl


2) Next, configure stunnel on the synergy server. The synergy server is the system that your mouse/keyboard is physically attached to.

Edit /etc/stunnel/stunnel.conf:

output = /etc/stunnel/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
cert = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/certs.pem
verify = 2
fips = no

[synergy]
accept = 25800
connect = 24800

Here 24800 is synergy’s default port and 25800 is the port stunnel listens on for TLS connections. Because connect gives only a port, stunnel forwards the decrypted stream to 127.0.0.1:24800, so synergys must be listening on the loopback address. verify = 2 makes stunnel demand a certificate from every client and reject any that does not chain to a certificate in certs.pem, which is what keeps unknown machines from connecting. The log path is absolute so it does not depend on the directory stunnel happened to be started from.


3) Now configure your synergy clients. Synergy clients are the machines you want to control using the synergy server.

Edit /etc/stunnel/stunnel.conf:

client = yes
CAfile = /etc/stunnel/certs.pem
output = /etc/stunnel/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
cert = /etc/stunnel/stunnel.pem
verify = 2
fips = no

[synergy]
accept = 127.0.0.1:24800
connect = synergy-server.example.com:25800

Replace synergy-server.example.com with the hostname or IP address of your synergy server. A bare connect = 25800 would make the client’s stunnel connect to 127.0.0.1:25800 on the client itself, where nothing is listening. accept is bound to 127.0.0.1 so that only the local synergyc can reach the plain-text side of the tunnel. Again, 24800 is synergy’s default port and 25800 is the port the server’s stunnel listens on. verify = 2 on the client makes it check the server’s certificate against certs.pem, so a machine impersonating the server cannot capture your keystrokes.


4) Next you’ll want to create a certificate and private key using openssl. You need to do this on both your synergy server and all synergy clients:

cd /etc/stunnel
openssl req -nodes -x509 -newkey rsa:2048 -keyout stunnel.pem -out stunnel.pem -days 3650

Enter the information you are prompted for. Not all fields are required, but give each machine a distinct Common Name so you can tell the certificates apart later. -days sets how long the certificate is valid (ten years here); do not use -days 0, which produces a certificate whose expiry equals its start time and is rejected as expired by verify = 2. Writing -keyout and -out to the same file puts the private key and the certificate together in “stunnel.pem”. Make that file readable only by the user stunnel runs as, since anyone who can read it can impersonate this machine.


5) Create a certificate authority file (CAfile) called /etc/stunnel/certs.pem and copy the certificate portion (the BEGIN CERTIFICATE ... END CERTIFICATE block) of every stunnel.pem you created, from the server and from every client, into this file. Distribute the same certs.pem to every machine, since each side verifies the other against it. Note: do not copy the private keys into the CAfile. The CAfile is not secret, and a private key that ends up in it lets anyone who obtains the file impersonate that machine.
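Steps 4 and 5 done as a script, added here as an example rather than taken from the original post. It generates each host’s key and certificate with the same openssl invocation as above (a ten-year validity and a Common Name derived from the hostname are my choices), splits the certificate out into a separate <host>.crt that is safe to copy around, and assembles certs.pem from the collected .crt files while refusing any file that carries a private key, which is exactly the mistake step 5 warns about. Paths follow the post; the script name make-certs.sh and the STUNNEL_DIR variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: per-host certificate
# generation and a safe CAfile build for the stunnel/synergy setup.
# Assumptions: paths under /etc/stunnel as in the post, openssl on PATH.
set -eu

STUNNEL_DIR="${STUNNEL_DIR:-/etc/stunnel}"

# make_host_cert HOST DIR: create DIR/stunnel.pem (private key followed by
# the self-signed certificate, which is what stunnel's cert = expects) and
# DIR/HOST.crt holding only the certificate, ready to be shared with peers.
make_host_cert() {
    host="$1"; dir="$2"
    umask 077                                   # key must not be world-readable
    openssl req -nodes -x509 -newkey rsa:2048 -days 3650 \
        -subj "/CN=synergy-$host" \
        -keyout "$dir/stunnel.pem" -out "$dir/stunnel.pem"
    # openssl x509 skips the key block and copies only the certificate
    openssl x509 -in "$dir/stunnel.pem" -out "$dir/$host.crt"
    chmod 600 "$dir/stunnel.pem"
}

# has_private_key FILE: true if FILE contains any PEM private-key block
# (RSA PRIVATE KEY, EC PRIVATE KEY, PRIVATE KEY, ENCRYPTED PRIVATE KEY ...)
has_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# build_ca_bundle OUT CRT...: concatenate the given certificate files into
# OUT. Refuses to write anything if one of the inputs carries a private key,
# so a stunnel.pem copied by mistake never ends up in the shared CAfile.
build_ca_bundle() {
    out="$1"; shift
    for crt in "$@"; do
        if has_private_key "$crt"; then
            echo "refusing: $crt contains a private key, not just a certificate" >&2
            return 1
        fi
    done
    cat "$@" > "$out"
    chmod 644 "$out"                            # the CAfile is public
}

# count_certs FILE: number of certificates in a PEM bundle
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_against_bundle BUNDLE CRT: the check stunnel's verify = 2 performs at
# connect time; a self-signed certificate verifies against itself in BUNDLE.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Usage (assumed file name make-certs.sh):
#   sh make-certs.sh gen             on every host: stunnel.pem plus <host>.crt
#   sh make-certs.sh bundle *.crt    once all .crt files are collected: certs.pem
case "${1:-}" in
    gen)
        make_host_cert "$(uname -n)" "$STUNNEL_DIR" ;;
    bundle)
        shift
        build_ca_bundle "$STUNNEL_DIR/certs.pem" "$@"
        for crt in "$@"; do
            verify_against_bundle "$STUNNEL_DIR/certs.pem" "$crt" && echo "verified: $crt"
        done
        echo "$(count_certs "$STUNNEL_DIR/certs.pem") certificate(s) in $STUNNEL_DIR/certs.pem" ;;
esac
```

Run gen on the server and on each client, copy every <host>.crt to one machine, run bundle there, then copy the resulting certs.pem to every host. The verify step reports the same failure stunnel would log later, so a bad certificate is caught before the tunnel is started.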


6) Now fire up your stunnel on all machines. This is done by simply running:

stunnel /etc/stunnel/stunnel.conf


7) Finally, fire up synergy.

On the synergy server:

synergys -a 127.0.0.1

The -a option binds synergys to the loopback address, so the only way to reach the unencrypted port 24800 is through the local stunnel. Without it synergys listens on every interface and the plain-text port stays open to the network right next to the encrypted one, which defeats the purpose of the tunnel. Blocking 24800 in the host firewall achieves the same thing.

On the synergy clients:

synergyc 127.0.0.1

The client connects to its own stunnel on 127.0.0.1:24800, which carries the session over TLS to port 25800 on the server, where the server’s stunnel hands it to synergys. You should now have an encrypted synergy session between your machines.
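Two checks worth running once everything is up, added here as an example and not part of the original post. The first performs the same handshake the client stunnel does, with openssl s_client presenting this machine’s certificate, and reports whether the server’s certificate verified against certs.pem. The second lists the listening sockets with ss and flags the plain-text port 24800 if it is bound to anything other than loopback, which is the gap left when synergys runs without -a 127.0.0.1 (or, on a client, when stunnel’s accept is not bound to 127.0.0.1). The server name synergy-server.example.com, the script name checks.sh and the use of iproute2’s ss are assumptions; the paths are the ones from the steps above.

```shell
#!/bin/sh
# Added example, not part of the original post: post-install checks for the
# stunnel-wrapped synergy setup. Server name, paths and `ss` are assumptions.
set -eu

SERVER="${SERVER:-synergy-server.example.com}"   # assumed name of the synergy server
CAFILE="${CAFILE:-/etc/stunnel/certs.pem}"
CERT="${CERT:-/etc/stunnel/stunnel.pem}"         # this machine's key + certificate
SYNERGY_PORT=24800                               # plain-text synergy port
TLS_PORT=25800                                   # stunnel's TLS port

# server_cert_verified: reads `openssl s_client` output on stdin and returns 0
# only if OpenSSL validated the server's certificate against the CAfile. A
# self-signed certificate missing from certs.pem, an expired certificate or an
# impostor all show up as a non-zero "Verify return code".
server_cert_verified() {
    grep -qF 'Verify return code: 0 (ok)'
}

# plaintext_listener_exposed: reads one "addr:port" per line (the Local
# Address column of `ss -ltn`) on stdin and returns 0 if the plain-text
# synergy port is bound to anything other than loopback, i.e. the
# unencrypted service is reachable from the network beside the TLS one.
plaintext_listener_exposed() {
    awk -v port="$SYNERGY_PORT" '
        {
            addr = $0; p = $0
            sub(/:[0-9]+$/, "", addr)   # strip ":port" -> 0.0.0.0, [::], 127.0.0.1, [::1]
            sub(/.*:/, "", p)           # keep only the port number
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END { if (exposed) exit 0; exit 1 }'
}

# Live checks run only when invoked as: sh checks.sh run
case "${1:-}" in
    run)
        # Handshake exactly as the client stunnel would (client cert + CAfile);
        # </dev/null ends the session right after the handshake completes.
        if openssl s_client -connect "$SERVER:$TLS_PORT" -CAfile "$CAFILE" \
               -cert "$CERT" -key "$CERT" </dev/null 2>/dev/null | server_cert_verified; then
            echo "ok: TLS handshake with $SERVER:$TLS_PORT, server certificate verified"
        else
            echo "FAIL: could not verify $SERVER:$TLS_PORT against $CAFILE" >&2
        fi
        if ss -ltn | awk 'NR > 1 { print $4 }' | plaintext_listener_exposed; then
            echo "WARNING: port $SYNERGY_PORT listens on a non-loopback address;" \
                 "use synergys -a 127.0.0.1 on the server, accept = 127.0.0.1:$SYNERGY_PORT on clients, or firewall it" >&2
        else
            echo "ok: port $SYNERGY_PORT is loopback-only or not listening"
        fi ;;
esac
```

Run it on a client to test the tunnel end to end, and on every machine to confirm that nothing still accepts plain-text synergy from the network; the only port that should be reachable from other hosts is 25800.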


Did you encounter problems?

  • If you get an error complaining that your system does not support FIPS, remove the fips = no line from the configuration file of the system that is complaining. This is common on Ubuntu or Debian based systems.
  • If you receive an error about stunnel not being able to find your SSL certificate, you may have a mismatch between the OpenSSL libraries stunnel was built against and the ones installed on the system. In that case, download the latest version’s source code from stunnel.org, then configure and compile it manually. You will need to install the libssl-dev package to do this.
  • If it is still not working, you will need to debug further. Check the log file named by the output line in stunnel.conf; a relative name such as stunnel.log is resolved against the directory stunnel was started from. If there is no useful information there, run stunnel in the foreground with full debug output by adding these lines to /etc/stunnel/stunnel.conf:

    foreground = yes
    debug = 7
